[SAFEPAY] – Ransomware Victim: usmortgage[.]com


Ransomware Group: SAFEPAY

VICTIM NAME: usmortgage[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to USMortgage.com, a financial services provider based in the United States that specializes in home mortgage lending. The company offers a range of loan options including conventional, FHA, VA, USDA, and jumbo mortgages. The website emphasizes transparency, customer education, and personalized support to facilitate home financing and refinancing. The attack date is recorded as May 29, 2025, indicating when the breach was identified or claimed. The leak appears to include internal company information and potentially sensitive details. The page includes a screenshot depicting internal documents or information related to the company’s operations. No PII or sensitive customer data appears to be explicitly disclosed in the summary. This incident highlights vulnerabilities within the financial sector, particularly concerning data security, and underscores the importance of cybersecurity measures for institutions handling sensitive financial data worldwide.

Additional details include the presence of information-stealer tools, specifically Lumma and RedLine, which have been active on the compromised system, suggesting ongoing malicious activity aimed at extracting sensitive data. The leak is associated with a group called “safepay,” and the disclosure was discovered approximately one minute after the attack was claimed. Although no explicit personal or client information is listed here, breaches of this nature pose significant risks to client confidentiality and can affect company reputation. The leak emphasizes how important it is for financial institutions to regularly update security protocols, monitor for unauthorized access, and ensure robust defense mechanisms are in place to prevent such breaches. Overall, this incident serves as a stark warning about the cybersecurity vulnerabilities faced by organizations managing sensitive financial data and the need for continuous vigilance.

