Ransomware Group: SAFEPAY

VICTIM NAME: notar-roemer-troisdorf[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to the domain notar-roemer-troisdorf.de, which is registered in Germany. The attack was publicly disclosed on May 21, 2025, approximately one minute after discovery. According to the available information, the attackers belong to the group labeled “safepay.” The page includes a screenshot displaying the nature of the compromise, indicating that data from the victim website may have been accessed or extracted. Despite the lack of specific details about the activity or the type of data compromised, the leak suggests the potential exposure of internal information or documents related to the victim entity. No evidence suggests the involvement of third parties or employee data, though the compromise date confirms a recent incident.

Additional details available on the leak page include a claim URL, which directs to an onion site where further claims or data may be hosted by the attackers. The page’s description is marked as “N/A”, indicating minimal public information about the victim or nature of the breach beyond the domain itself. The visual evidence provided by a screenshot hints at the possibility of visual content or internal documentation being part of the leak. The victim’s activity sector remains unspecified, and there are no indications of active or ongoing information theft beyond the initial compromise. Overall, the incident underscores a recent ransomware attack affecting a German-based website, with potential data leakage and public exposure across the dark web.