FulcrumSec

FulcrumSec is a financially motivated data-theft and extortion threat actor active since at least September 2025, with reporting also describing its emergence around October or the end of 2025. The group targets cloud-native organizations and specializes in high-speed exfiltration of cloud-hosted data rather than relying primarily on file encryption. Reported tradecraft includes exploiting unrotated API keys, exposed or hardcoded GitHub personal access tokens, unrotated JWT signing secrets, misconfigured cloud permissions and storage, over-permissioned cloud identities, exposed credentials in client-side JavaScript, and unpatched internet-facing applications including CVE-2025-55182 (React2Shell). The content also states that FulcrumSec uses legitimate tooling such as rclone for exfiltration, maintains leak or shame infrastructure on both clearnet and Tor, and has a leak-site section referred to as "Index of /Shame." One source says the group refers to its model as "steal and squeeze" and also uses the nickname "The Threat Thespians." The group is consistently described as a hack-and-leak or pure extortion actor, though some reporting also labels it a ransomware group and attributes double-extortion behavior to it in the Global Schools Foundation incident. Victim sectors mentioned in the content include technology, business services, healthcare, consumer services, financial services, and education. Countries represented in the victim reporting include the United States, United Kingdom, India, Denmark, Singapore, and Australia. Named victims in the content include Novo Nordisk, Global Schools Group / Global Schools Foundation, Arup Group, Avnet, youX, and LexisNexis, as well as additional listed victims including Lena Health, Woundtech, MCO, ReFocus AI, Hatica, Analog Gold / Prospector, Nordstern Technologies, ParkEngage, Saleskido, Interzero, IMEVI, Raptor Supplies, Rotary Club, JOT, BookBlock, Crank Communications, CrediElite, and Fashinza. Reported victim counts in the content are approximately 25 to 26 organizations across 11 countries, with most victims headquartered in the United States. The content links FulcrumSec to several notable incidents. In the Novo Nordisk intrusion, FulcrumSec claimed it maintained access for more than two months, stole about 1.3 TB across more than 700,000 files, and demanded $25 million before leaking data. In reporting on youX, the group allegedly abused long-lived production credentials and unrotated JWT secrets. In reporting on LexisNexis, the group allegedly exploited React2Shell and obtained access through an Amazon ECS task role with broad secrets access. In reporting on Arup Group, FulcrumSec claimed initial access via a hardcoded GitHub token on a forgotten subdomain and subsequent access to large volumes of GitHub, Azure, AWS, and database data. The content also attributes the Global Schools Group / Foundation breach and related extortion activity to FulcrumSec, including publication threats and court actions seeking to restrain leaks. Known aliases and related names directly mentioned in the content are FulcrumSec and "The Threat Thespians."