
Threat Actor Claims 485TB Breach of Managed Service Provider Xtium

Dark web forum post claiming data breach involving Xtium. Potential sensitive information redacted.

A threat actor appeared on a cybercrime forum this week claiming to have breached Xtium, a U.S.-based managed service provider formerly known as ATSG that delivers AI-powered IT infrastructure, cloud, and security services. The actor alleges two separate intrusions resulting in the theft of 485.8 terabytes of data belonging to Xtium and its clients.

According to the forum post, the bulk of the data, roughly 480TB, consists of virtual machine backups pulled from Xtium’s Veeam backup infrastructure. The actor claims to have maintained access to the Veeam environment for approximately 8 months, during which time file-level restore functionality allegedly allowed them to browse and extract client backup data at will. A further 5.8TB was reportedly obtained from Xtium’s Synology ShareSync environment in a second intrusion carried out 10 days after the actor claims to have first notified the company.

Inside the Backup Server

The claimed data includes virtual machine images, internal corporate files, shared storage data, and infrastructure information belonging to both Xtium and its managed service clients. Screenshots published alongside the claim show what appears to be a Veeam backup dashboard reflecting 659 machines, 165 jobs, and approximately 480TB of full backups, as well as a Synology ShareSync admin panel showing multiple client organizations across 56 tenants with over 3.5 million files and 288,000 deleted files logged.

Alleged Failed Negotiations with Xtium

The actor framed the second intrusion as a direct response to what they described as stalled ransom negotiations. A screenshot included in the post purports to show a chat exchange in which an Xtium representative acknowledged the breach, referenced cleanup efforts following shared information, and expressed concern that reaching a settlement would not prevent further intrusion attempts. BreachNews cannot verify the authenticity of this exchange.

The data is now allegedly being offered for sale, with the actor also inviting Xtium’s clients to negotiate independently for removal of their specific backup data.

Threat Actor Credibility

The group behind the claim registered on the forum in March 2026 and has made only 2 posts to date, both involving U.S. technology companies. That limited history warrants caution. However, the technical specificity of the screenshots, the volume of detail across both the Veeam and Synology environments, and the alleged negotiation timeline add weight to the claim.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
