A ransomware case has grown messier, with one threat group preying on another to demand another round of ransom from victims.
After experiencing a breach on 12 June 2026 by ransomware group Icarus, a market intelligence platform is now facing a more complicated extortion campaign after a second hacking crew appeared to demand payment from customers affected by the earlier breach.
According to private customer updates described by TechCrunch, the affected firm, Klue, has been communicating with Icarus and believes the latter are taking steps to erase the material taken from affected customers. The Icarus leak site has also been reported to be offline, although the reason for that shutdown has not been independently confirmed.
At the same time, Klue reported that the situation had worsened when Icarus informed them that a second group had entered the picture and was now threatening affected firms itself. That second group had posted a list of allegedly impacted firms on its own website and claimed it had data connected to 195 Klue customers.
In a message aimed at pressuring victims, the criminals wrote: “Pay the ransom or we will leak everything if you no pay us (sic),” according to TechCrunch’s report. Klue later told customers the second set of hackers had sample data for only some customers, not the full set, based on unconfirmed claims from Icarus.
The firm’s advice to customers is: do not pay the second group. Instead, any customer contacted by the second group should ask for a random sample of the data as proof that the gang actually has what it claims. That guidance reflects a common dilemma in double-extortion incidents, where attackers may exaggerate what they possess in order to force hurried payments.
In the first breach, dating back to 12 June 2026, attackers exploited a compromised legacy credential to access Klue and pull OAuth tokens tied to customer integrations. Those tokens allowed bulk exfiltration of data, mainly business contact and support information, from customers connected to the platform, such as LastPass, Salesforce, Recorded Future, HackerOne, Jamf, and Tanium.
SecurityWeek reported that roughly two dozen firms have been identified as affected so far, while TechCrunch reported that the event involved a larger pool of potential victims and an unusually messy chain of criminal activity.


