The Akira ransomware group has claimed responsibility for a significant cyberattack against two prominent Swiss manufacturing firms, Keller Laser AG and Vardeco SA. In a classic double-extortion tactic, the threat actor listed both companies on its dark web leak site on September 8, 2025, threatening to release a massive trove of sensitive corporate and personal data.
The coordinated disclosure, disseminated across various cybercrime monitoring channels on Telegram, signals a brazen and targeted campaign against Switzerland’s high-precision industrial base.
The Breach Details: Data Exfiltration Claims
According to Akira’s posts on their Tor-based leak site, the group claims to have exfiltrated a substantial volume of data from both victims. The specificity of their claims suggests deep network penetration.
- For Vardeco SA, a specialist in high-precision bar turning, the group boasts of exfiltrating 138 GB of corporate data. The threatened leak includes highly sensitive information such as:
- For Keller Laser AG, a leading supplier in industrial sheet metal processing, Akira threatens to release 42 GB of data. The list of compromised assets is equally alarming and includes:
Cyber threat intelligence feeds first picked up the activity around 13:48 UTC on September 8, with automated alerts from sources like ransomfeed.it and Ransomware.live confirming the new listings within hours.
A History of Exposure: The Attack Surface Analysis
While the ransomware event is the immediate crisis, the provided intelligence reveals a long history of prior data exposure for both firms, highlighting a potentially porous attack surface that threat actors could have exploited for initial access.
The primary avenues of exposure appear to be third-party breaches and credential leaks:
- Employee PII in Third-Party Breaches: Data from numerous past breaches, including a large-scale Facebook Scrape (Feb 2025), a Switzerland Citizen Database Leak (Aug 2024), and a 20M French Personal Information Database Leak (Aug 2025), contained personal details of individuals who listed Keller Laser AG and Vardeco as their employers. This type of publicly available information is a goldmine for threat actors crafting sophisticated spear-phishing campaigns—a common initial access vector for ransomware groups.
- Credential Stuffing Lists: Multiple entries for “Vardeco” appeared in combolists from August and July 2025. These lists contain username/password pairs harvested from other breaches. This suggests that employees may have been reusing corporate passwords on other sites, providing a direct path for attackers to test these credentials against the company’s network infrastructure.
- Corporate Data Brokers: Keller Laser AG was explicitly mentioned in breaches at data-centric firms like Dnb.com (July 2025) and Netprospex.com. This type of exposure provides attackers with organizational charts, contact details, and revenue information, allowing for more effective and targeted social engineering attacks.
The Akira Modus Operandi and Implications
The Akira ransomware group, known for its aggressive tactics, operates a sophisticated Ransomware-as-a-Service (RaaS) model. Their TTPs (Tactics, Techniques, and Procedures) typically involve exploiting known vulnerabilities in public-facing services (like VPNs without multi-factor authentication) and leveraging compromised credentials for initial access.
Once inside a network, they move laterally to exfiltrate high-value data before deploying their encryptor. The subsequent listing on a public leak site is designed to maximize pressure on the victim to pay the ransom, fearing regulatory fines, loss of intellectual property, and severe reputational damage.
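The credential-stuffing exposure and the VPN-without-MFA access path described above can be hunted for in authentication logs. The following is an added example, not part of the original article: it flags source IPs that fail logins for several distinct usernames in a short window and lists successes from those IPs that completed no MFA. The log format, field names, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format):
# timestamp, source IP, username, result, whether MFA was completed.
SAMPLE_LOG = """\
2025-09-01T02:10:01Z 203.0.113.7 u1001 FAIL mfa=no
2025-09-01T02:10:03Z 203.0.113.7 u1002 FAIL mfa=no
2025-09-01T02:10:06Z 203.0.113.7 u1003 FAIL mfa=no
2025-09-01T02:10:09Z 203.0.113.7 u1004 OK mfa=no
2025-09-01T08:00:12Z 198.51.100.20 u1001 FAIL mfa=no
2025-09-01T08:00:40Z 198.51.100.20 u1001 OK mfa=yes
"""

def parse(line):
    """Split one log line into (time, ip, user, success, mfa_done)."""
    ts, ip, user, result, mfa = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, user, result == "OK", mfa == "mfa=yes"

def detect_stuffing(log_text, min_users=3, window=timedelta(minutes=10)):
    """Return {source_ip: [accounts that logged in without MFA]} for every
    IP that failed logins for >= min_users distinct users within window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok, mfa = parse(line)
            by_ip[ip].append((when, user, ok, mfa))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(w, u) for w, u, ok, _ in events if not ok]
        suspicious = False
        # Sliding window over failures: count distinct usernames tried.
        for i, (start, _) in enumerate(fails):
            users = {u for w, u in fails[i:] if w - start <= window}
            if len(users) >= min_users:
                suspicious = True
                break
        if suspicious:
            # A success from a spraying IP with no MFA is a likely valid hit.
            hits = {u for _, u, ok, mfa in events if ok and not mfa}
            findings[ip] = sorted(hits)
    return findings

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: reset and review sessions for {accounts}")
```

Accounts returned for a flagged IP are candidates for forced password reset and session review; a single user who mistypes a password and then completes MFA, as in the second source IP of the sample, is not flagged.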
For Keller Laser and Vardeco, the immediate priorities for their incident response teams will be to:
- Contain the breach and prevent further lateral movement.
- Assess the full scope of the data exfiltration claimed by Akira.
- Activate business continuity plans to restore encrypted systems from backups.
- Prepare for data breach notification obligations under Swiss and European privacy laws.
Joe Shenouda















