
Anubis ransomware gang claims massive Disneyland Paris data breach

A notorious ransomware group known as Anubis has listed Disneyland Paris as its latest alleged victim, claiming to have exfiltrated 64 gigabytes of sensitive data related to the theme park’s internal operations. The announcement appeared on the gang’s dark web leak site and was confirmed by cybersecurity news outlet Hackread.com.


According to the group, the breach—described as “the largest data leak in the history of Disneyland Park”—involved approximately 39,000 files detailing construction and renovation activities at the resort. Anubis said the data was obtained through a breach of one of Disneyland Paris’s partner companies.


“During the leak of data of the partner company, 39,000 files related to the construction and renovation of the Disneyland Paris location ended up in our hands,” the group wrote on its leak site.


As evidence, the gang has already published a selection of images and videos allegedly showing detailed schematics and engineering plans for park attractions, including those related to Frozen, Crush’s Coaster, Pirates of the Caribbean, Big Thunder Mountain, Autopia, Buzz Lightyear, Orbitron, Casey Jr., Phantom Manor, and Ratatouille.


While the authenticity of the breach remains unverified, the group announced plans to release a portion of the stolen material within hours of its post. Hackread.com has reached out to Disneyland Paris for comment, but no official statement has been issued at the time of publication.


Notably, the hackers did not mention whether the archive includes customer or visitor data, nor did they indicate whether a ransom has been demanded. However, the gang highlighted that Disneyland employees are typically bound by strict non-disclosure agreements (NDAs), suggesting that the release of internal documents could carry legal and reputational consequences for the company.


Anubis, a ransomware-as-a-service (RaaS) operation, emerged in December 2024 as the successor to a testing platform called “Sphinx.” It is unrelated to other malware bearing the same name, including the Android banking trojan and a Python-based backdoor.


The group’s operations rely on affiliate hackers, who receive a percentage of the profits: 80% from ransom payments, 60% from leaked data monetization, and 50% from reselling system access. Trend Micro recently reported that Anubis incorporates a “Built-in Wiper” feature, capable of completely erasing compromised systems, raising the stakes for targeted organizations.


On June 12, 2025, the group publicly boasted about the Disneyland incident via its official account on X (formerly Twitter). As of now, the full extent and impact of the breach remain unclear. Further updates will follow as more information becomes available.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543