Attribution: Financially motivated cybercriminal group
First Observed: 2025
Primary Operations: Data exfiltration, cloud compromise, source code theft, intellectual property theft, data extortion, public dataset releases
FulcrumSec is a financially motivated cybercrime group known for large-scale data theft, cloud infrastructure compromises, source code exposure, and public dataset releases. Active since at least 2025, the group has built a reputation around publishing extensive technical details about alleged intrusions, often combining data extortion with detailed narratives describing how access was obtained and what information was compromised.
Unlike traditional ransomware operations that focus on encryption and operational disruption, FulcrumSec’s activity centers on data theft, public exposure, and reputational pressure. The group frequently publishes technical evidence, infrastructure details, source code repositories, and internal documentation alongside breach claims.
Overview
FulcrumSec operates a public-facing extortion model in which organizations are listed alongside breach allegations, technical findings, dataset descriptions, and negotiation updates. The group frequently claims access to cloud-hosted environments, SaaS platforms, source code repositories, and enterprise data stores.
Its operations appear heavily focused on maximizing reputational and commercial impact by targeting organizations that maintain large quantities of sensitive business information, customer data, proprietary research, or intellectual property.
2026 Campaign Escalation and Recent Coverage
Throughout 2026, FulcrumSec significantly increased both the scale and visibility of its operations. While earlier activity focused on cloud exposures and enterprise datasets, more recent campaigns have targeted proprietary research, software development environments, and high-value corporate intellectual property.
BreachNews has reported on the following FulcrumSec-linked incidents:
- Novo Nordisk alleged 1.3TB breach involving source code, clinical data, AI assets, and pharmaceutical research
- Global Schools Group student, parent, and employee data breach claim
- MyComplianceOffice dataset release following alleged failed negotiations
- Hatica breach involving enterprise collaboration environments and Slack workspaces
- Arup Group cloud infrastructure breach claim
- Stuf Storage breach involving customer and operational data
In several cases, FulcrumSec has followed breach claims with public dataset releases, source code publication, or detailed technical disclosures designed to increase pressure on affected organizations.
Latest Activity Tracker
This section is continuously updated as new FulcrumSec activity is reported.
- June 2026: FulcrumSec claims theft of approximately 1.3TB of Novo Nordisk data, including source code repositories, proprietary AI models, pharmaceutical research assets, and clinical trial information
- June 2026: Global Schools Group allegedly breached, with student, parent, and employee data reportedly exposed
- June 2026: Full MyComplianceOffice dataset allegedly released following failed negotiations
- June 2026: Arup Group cloud infrastructure breach claim published
- June 2026: Hatica enterprise collaboration platform data allegedly exposed
- June 2026: Stuf Storage dataset allegedly released following extortion efforts
Structured leak campaigns and branding strategy
FulcrumSec organizes many of its disclosures into named campaigns that group victims together under specific themes. These campaigns are often accompanied by extensive commentary regarding security practices, cloud architecture, credential management, and development processes.
Observed campaigns include:
- Index of Shame: Organizations allegedly exposing sensitive information through misconfigured infrastructure and publicly accessible systems
- The Hardcoded Horror Show: Campaigns highlighting exposed credentials, secrets, API keys, and authentication tokens discovered in source code repositories
- Slopocalypse Now: A campaign focused on AI platforms, machine learning systems, and organizations handling large volumes of sensitive user data
These campaigns appear designed to reinforce the group’s public identity while framing breaches as examples of broader security failures.
Tactics and Operational Patterns
FulcrumSec demonstrates a consistent operational model centered on data theft and public disclosure rather than encryption-based ransomware. Key tactics include:
- Cloud environment compromise: Targeting AWS, Azure, SaaS platforms, and cloud-hosted infrastructure
- Credential harvesting: Leveraging exposed secrets, API keys, access tokens, and hardcoded credentials
- Source code theft: Extracting repositories, development assets, CI/CD configurations, and internal tooling
- Data-first extortion: Prioritizing exfiltration and publication over operational disruption
- Technical disclosure campaigns: Publishing extensive details regarding alleged intrusion paths, exposed systems, and security weaknesses
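A defender-side check for the hardcoded-credential exposure named in the tactics above, as an added example that is not taken from BreachNews reporting or from any FulcrumSec material: a small scanner to run over your own source tree before secrets reach a repository. The rule names, patterns, entropy threshold and sample input are assumptions made for this illustration.

```python
import math
import re
from collections import Counter

# Rule names, patterns and the entropy threshold are choices made for this example.
RULES = [
    # (rule name, pattern with the secret in group 1, apply entropy filter?)
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), False),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), False),
    ("generic-secret",
     re.compile(r"(?i)(?:password|secret|token|api[_-]?key)\w*\s*[:=]\s*"
                r"[\"']([^\"']{8,})[\"']"), True),
]
MIN_ENTROPY = 3.0  # bits per character; filters placeholders such as "xxxxxxxx"

# Constructed sample; the AWS value is the example key ID from AWS documentation.
SAMPLE = '''\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "xxxxxxxxxxxx"
api_key = "9f8Kq2LmZ7pR4tVx1WcB6nHd"
token = os.environ["SERVICE_TOKEN"]
'''


def shannon_entropy(value):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def redact(value):
    """Keep a 4-character prefix so reports never carry the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text):
    """Return (line_number, rule_name, redacted_match) for each finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, needs_entropy in RULES:
            for match in pattern.finditer(line):
                secret = match.group(1)
                if needs_entropy and shannon_entropy(secret) < MIN_ENTROPY:
                    continue  # low-entropy value: most likely a placeholder
                findings.append((line_no, name, redact(secret)))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The placeholder password and the environment-variable lookup produce no findings, which is the behaviour to aim for: literals are flagged, while references to a secret store or environment are not.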
Focus on intellectual property and research assets
Unlike many extortion groups that focus primarily on customer records, FulcrumSec increasingly targets intellectual property, proprietary research, source code repositories, AI assets, and internal development environments.
Recent claims involving pharmaceutical research, enterprise software platforms, and cloud infrastructure suggest the group seeks to maximize leverage by targeting information that may hold strategic or commercial value beyond traditional personally identifiable information.
Victim sectors
Organizations targeted by FulcrumSec span multiple industries, including healthcare, education, technology, professional services, storage providers, AI companies, and enterprise software vendors.
The group’s victimology suggests a preference for organizations with extensive cloud footprints, large data repositories, significant intellectual property holdings, or complex development environments.
Data publication model
FulcrumSec frequently follows breach claims with public releases of datasets, source code archives, internal documentation, and technical evidence intended to support its allegations.
In several cases, the group has offered bulk downloads containing customer information, internal communications, source code, cloud infrastructure data, and business records. Some releases have also included detailed explanations of the alleged intrusion path and affected systems.
This publication-heavy approach reduces reliance on prolonged negotiations and allows the group to build credibility through repeated releases, even when organizations decline to engage.
Messaging and positioning
The group’s public communications frequently frame its activity as exposing negligence rather than purely criminal conduct. Messaging often focuses on alleged security failures, weak credential management, cloud misconfigurations, and poor operational security practices.
This narrative-driven approach, combined with detailed technical disclosures and structured campaigns, has helped FulcrumSec establish a recognizable identity within the broader cybercrime ecosystem.
Threat assessment
FulcrumSec has rapidly evolved from a relatively unknown actor into one of the more active data extortion groups tracked by BreachNews. Its focus on cloud environments, source code repositories, intellectual property, and public dataset releases differentiates it from many traditional ransomware operations.
The group’s repeated publication of datasets, technical evidence, and internal materials suggests organizations should take its claims seriously, particularly when cloud infrastructure, development environments, or proprietary business assets are involved.
Notes
All breach claims attributed to FulcrumSec should be treated as unverified unless confirmed by affected organizations or independently validated. However, the group’s history of publishing data, source code, and technical evidence following breach claims indicates that many incidents warrant close scrutiny.
Update (June 17, 2026): Added coverage involving Novo Nordisk, Global Schools Group, MyComplianceOffice, Hatica, Arup Group, and Stuf Storage. Updated operational assessment to reflect FulcrumSec’s increasing focus on intellectual property theft, cloud compromise, and public data release campaigns.