
A Russia-aligned ransomware gang known as Dragonforce has claimed responsibility for a cyberattack on HanseMerkur, a major German insurance group that reported €3 billion in revenue in 2025, alleging the theft of nearly 97 gigabytes of internal company data.
The claims were posted on the group’s dark web site, where attackers said they breached HanseMerkur’s systems and exfiltrated internal files. Such postings are a common extortion tactic used to pressure organizations into paying ransoms by threatening public release of stolen data.
Files published alongside the claim indicate the alleged breach may involve data linked to Emirates Insurance, a partner organization that works with HanseMerkur to support insurance portfolios in the United Arab Emirates. The released materials include financial records such as vouchers, tax notes, and invoices.
HanseMerkur has not publicly confirmed the incident. The company, headquartered in Hamburg, is one of Germany’s largest insurance groups, specializing in private health, travel, and property insurance. It also maintains offices in Switzerland and Dubai.
Ransom demands in such incidents are often calculated as a percentage of a victim’s annual revenue, typically ranging from 0.7% to 5%, with an average of about 2.82%, though no specific demand tied to HanseMerkur has been disclosed.
Dragonforce has previously claimed attacks against several high-profile retail organizations, including the UK-based Co-op and Marks & Spencer, as well as the U.S. department store chain Belk. The group has also alleged a major data theft involving Mobilelink US, the largest authorized dealer for Cricket Wireless services, claiming the exfiltration of roughly 5 terabytes of data.
Security researchers have linked Dragonforce to Russian interests. Analysts have said the group’s public messaging suggests close alignment or allegiance with the Russian Federation, and previous research has noted internal rules that prohibit attacks on hospitals, critical infrastructure, and nonprofit organizations in Russia and other countries within the Moscow-led Commonwealth of Independent States.
First identified in 2023, Dragonforce announced in October last year that it had formed a ransomware-as-a-service alliance with other prominent cybercrime groups, including Qilin and Lockbit. Monitoring of dark web activity indicates the gang has claimed attacks against 185 organizations in 2025, with the majority occurring in the past six months.
HanseMerkur has not responded publicly to requests for comment on the alleged breach.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.