FBI warns of in-person data theft attacks from extortion gang
The FBI warns that the Silent Ransom Group (aka Luna Moth, Chatty Spider, UNC3753) is targeting U.S. law firms with in-person data theft and extortion, using social engineering to pose as IT staff and coax remote access, or sending insiders to offices to insert USB drives; indicators include unauthorized USB devices and unfamiliar individuals claiming IT roles. The group, active since 2022 with ties to BazarCall, has targeted the legal and financial sectors since 2023, with ongoing alerts in 2025.

FBI Warns of In-Person Data Theft Attacks by Silent Ransom Group
Overview
The Federal Bureau of Investigation (FBI) has issued a warning about a shift in the operational methods of the Silent Ransom Group (SRG), an extortion-focused cybercrime gang also known as Luna Moth, Chatty Spider, and UNC3753. Beginning in early 2026, SRG expanded its tactics to include in-person data theft attacks targeting United States–based law firms. The group combines social engineering, remote access, and physical access to exfiltrate data and pressure victims into ransom negotiations.
How the scheme unfolds
SRG’s approach hinges on a blend of manipulation and direct access. Key steps in the attack pattern include:
- Social engineering and phishing
  - SRG actors pose as IT department staff and initiate contact via phone calls or phishing emails.
  - The goal is to persuade victims to call back or to engage with what appears to be legitimate IT support.
- Remote access or escalation to on-site access
  - On the phone, the actor directs the employee to grant access to a remote desktop session.
  - If remote access fails or is insufficient, the group escalates to a physical presence at the victim’s location.
- In-person data theft
  - An SRG actor travels to the victim’s site to gain access to computers.
  - The objective is to connect storage devices (USB drives or external hard drives) and exfiltrate data directly from the machine.
- Extortion and data commercialization
  - Stolen data is used to threaten disclosure or sale on the group’s leak sites.
  - The gang applies follow-up pressure through calls to employees or clients to push for ransom negotiations.
Indicators of an SRG attack
The FBI highlights several actionable signals that may indicate an SRG operation in progress. Organizations should be vigilant for these signs:
- Unauthorized installation of external drives
  - The presence or attempted installation of USB drives or external hard drives on company computers without a legitimate business purpose.
- Unidentified individuals posing as IT staff
  - People claiming IT or support roles who are not recognized members of the organization’s vetted teams.
- Redirections to remote access or on-site access
  - Communications that push toward granting remote access or that instruct staff to engage with outside “IT” personnel.
- A mix of digital and physical intrusion steps
  - Beyond phishing and remote access, traces of in-person visits or attempts to access devices at the workplace.
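As an added example (not part of the FBI alert or the reporting summarized here), the following Python script shows how the first indicator, unauthorized removable storage, can be checked mechanically rather than by eye: it parses constructed device-arrival telemetry, ignores USB devices that are not mass storage, compares each removable drive's serial against an approved allowlist, and escalates when the same unapproved drive appears on more than one workstation, which is the pattern one would expect from a person moving through an office with a drive rather than a single employee's mistake. The log layout, field names, host names, user names and serials are all constructed assumptions; on Windows, equivalent records come from Security event 6416 when PnP-activity auditing is enabled, and the `parse_line` function is the only part that would need to change for a real source.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample telemetry: one device-arrival event per line in a simple
# key=value layout (an assumption; real sources such as Windows Security
# event 6416 carry equivalent fields under different names).
SAMPLE_LOG = """\
2026-05-12T09:14:02Z host=WS-LAW-03 user=akhan event=device_arrival device_id=HID\\VID_046D&PID_C534\\6&2A1B3C4D&0&0000
2026-05-12T13:41:17Z host=WS-LAW-07 user=jsmith event=device_arrival device_id=USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0123456789ABCDEF&0
2026-05-12T13:52:48Z host=WS-LAW-11 user=helpdesk-temp event=device_arrival device_id=USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\4C530001230512&0
2026-05-12T14:06:30Z host=WS-LAW-12 user=helpdesk-temp event=device_arrival device_id=USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\4C530001230512&0
2026-05-12T14:09:55Z host=WS-LAW-05 user=mlopez event=device_arrival device_id=USBSTOR\\Disk&Ven_WD&Prod_Elements_25A3&Rev_1021\\575851314139303035&0
"""

# Approved removable-storage devices keyed by serial (constructed allowlist).
APPROVED_SERIALS: Dict[str, str] = {"0123456789ABCDEF": "IT-imaging-kit-01"}


@dataclass
class DeviceEvent:
    when: datetime
    host: str
    user: str
    device_id: str


def parse_line(line: str) -> DeviceEvent:
    """Parse one constructed key=value telemetry line into a DeviceEvent."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return DeviceEvent(when=when, host=fields["host"], user=fields["user"],
                       device_id=fields["device_id"])


def is_removable_storage(device_id: str) -> bool:
    """Mass-storage devices enumerate under the USBSTOR bus; keyboards, mice
    and other HID devices do not, so they are not part of this indicator."""
    return device_id.upper().startswith("USBSTOR\\")


def extract_serial(device_id: str) -> Optional[str]:
    """Instance-id layout assumed here: USBSTOR\\<hardware id>\\<serial>&<instance>."""
    parts = device_id.split("\\")
    if len(parts) < 3:
        return None
    return parts[2].split("&", 1)[0].upper()


def find_unauthorized(log_text: str, approved: Dict[str, str] = APPROVED_SERIALS) -> List[dict]:
    """Return one alert per removable-storage arrival whose serial is not approved,
    escalated to high severity when the same device shows up on several hosts."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts: List[dict] = []
    hosts_by_serial: Dict[str, set] = {}
    for ev in events:
        if not is_removable_storage(ev.device_id):
            continue
        serial = extract_serial(ev.device_id) or "UNKNOWN"
        if serial in approved:
            continue  # allowlisted business device, nothing to report
        hosts_by_serial.setdefault(serial, set()).add(ev.host)
        alerts.append({
            "time": ev.when.isoformat(), "host": ev.host, "user": ev.user,
            "serial": serial, "severity": "medium",
            "reason": "removable storage not on approved allowlist",
        })
    # The same unapproved drive on multiple workstations is the physical-access
    # pattern described above, not an isolated policy slip: escalate it.
    for alert in alerts:
        host_count = len(hosts_by_serial[alert["serial"]])
        if host_count > 1:
            alert["severity"] = "high"
            alert["reason"] += f"; same device seen on {host_count} hosts"
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['host']} "
              f"{alert['user']} serial={alert['serial']}: {alert['reason']}")
```

Run against the constructed log, the script stays silent on the keyboard and the allowlisted Kingston drive, raises a medium alert for the WD drive on WS-LAW-05, and raises two high alerts for the unapproved flash disk that appeared on WS-LAW-11 and WS-LAW-12 within fifteen minutes under the same temporary account.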
Context and historical background
- Group profile
  - SRG is tied to the broader Luna Moth family of cybercrime actors, with a history of data theft and extortion operations following targeted phishing campaigns.
- Evolution from earlier operations
  - The gang has roots linked to BazarCall campaigns that provided initial access to networks involved in Conti and Ryuk ransomware activities.
  - After Conti’s dissolution in early 2022, some actors reorganized into SRG, continuing the pattern of data theft and extortion through social engineering and strategic access.
- Cross-linkages and prior warnings
  - The same group has been associated with campaigns targeting legal and financial organizations in the United States since 2023.
  - In May 2025, the FBI issued a private industry notification about SRG’s activities in callback phishing and social engineering, signaling a multi-year campaign focused on U.S. law firms and similar entities.
  - A May 2025 EclecticIQ report detailed how SRG actors impersonated IT helpdesks and portals at major U.S. law firms and financial services firms, including the use of typosquatted domain patterns to appear legitimate.
Contextual significance for the targets
- Why law firms and financial organizations?
  - These entities handle sensitive client information and legal documents, making them attractive targets for data exfiltration and leverage in extortion.
- The advantage of in-person access
  - Physical access allows data extraction from devices that might be guarded by digital perimeters but are accessible when an attacker can connect a storage device directly to a workstation.
Related observations and reporting
- The FBI has framed SRG’s tactics within a broader pattern of social engineering and “helpdesk impersonation” that leverages both digital channels (phishing, remote access tools) and physical presence to bypass conventional defenses.
- Reporting on SRG’s activities has consistently connected the group’s tactics to prior campaigns and to other extortion-focused operations within the cybercrime ecosystem.
Implications for organizations
- The convergence of social engineering, remote access, and on-site data theft represents a hybrid threat that targets both digital and physical security controls.
- The persistence of SRG-style campaigns over multiple years and across different sectors underscores the importance of layered security measures, validated IT interactions, and strict verification of any on-site IT personnel or external contractors.
Timeline of notable events (highlights)
- 2022: SRG emerges from the Conti ecosystem and begins focusing on data theft and extortion.
- Early 2023: SRG activity directed at U.S. legal and financial organizations becomes more evident.
- May 2025: FBI warns privately to industry about SRG’s callback phishing and social engineering operations targeting law firms.
- May 2026: FBI flash alert documents SRG’s shift to in-person data theft and extortion tactics against U.S.-based law firms, detailing the staged social engineering, remote access, and on-site data-exfiltration methods.
Summary
The Silent Ransom Group has demonstrated a willingness to adapt its tradecraft by combining traditional phishing and remote access tactics with direct, in-person data theft. By impersonating IT staff, guiding remote sessions, and sending actors to offices to connect storage devices, SRG seeks to exfiltrate data and coerce victims through ransom demands. The cluster of indicators (unauthorized USB activity, unknown individuals claiming IT duties, and a pattern of pressure communications) offers a framework for recognizing and understanding these evolving extortion campaigns. As SRG continues to target legal and financial institutions within the United States, vigilant verification, strict access controls, and comprehensive monitoring remain critical for organizations at risk.