Cazh.id Ransomware Attack by Icarus (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
On May 5, 2026, the ransomware group Icarus allegedly added the Indonesian financial services platform Cazh.id (domain: bkdp.cazh.id) to its leak site. The threat actor claims to have exfiltrated a substantial trove of sensitive data, including a user database of 300,000 records, KYC verification materials, and the full source code of Cazh.id’s services. According to the leak site post, the attack occurred on the same date as the publication. This report is based solely on the group’s unverified claims.
Threat Actor Profile
Icarus is a relatively obscure ransomware group with limited public attribution. No tools, tactics, or procedures (TTPs) have been documented for it in open-source intelligence, and no prior victims have been attributed to it in public reporting. This lack of a track record makes credibility assessment difficult: a group with no confirmed attacks may be newly formed, a rebrand of a defunct operation, or an opportunist reposting data obtained elsewhere. No YARA rules or detection guidance exist for Icarus, so defenders cannot hunt for its tooling directly; until independent verification emerges, the claim should be treated with heightened skepticism and the leak-site post itself (sample files, file listings, stated data volumes) is the only evidence available to assess.
Alleged Data Exposure
The threat actor claims to have stolen the following categories of data:
- User Database: 300,000 records including email addresses, password hashes, phone numbers, physical addresses, and dates of birth for users of the bkdp.cazh.id subdomain.
- KYC Vault: 7,800 government-issued identification documents and 4,200 “hold-to-face” selfies, which are commonly used for liveness verification in financial onboarding.
- School Databases: 34 SQL databases allegedly linked to associated educational institutions, containing data on students, parents, and staff.
- Corporate and Financial Records: A full investor database and partner documents.
- Collateral Documents: Vehicle registration documents and property deeds.
- Billing Proofs: Payment and transaction records.
- Source Code: The complete source code of Cazh.id’s services.
If accurate, this represents a catastrophic data breach, particularly given the inclusion of KYC materials and source code, which could enable identity theft, fraud, and further attacks on the platform.
Potential Impact
Should the claims be verified, the consequences for Cazh.id and its users would be severe:
- Identity Theft and Fraud: The combination of government IDs, selfies, and personal data (address, date of birth, phone) supports synthetic identity creation and account takeover, and the ID-plus-selfie pairs could be reused to pass liveness checks at other institutions that rely on the same documents.
- Regulatory Exposure: As a financial services entity in Indonesia, Cazh.id may face penalties under local data protection laws (e.g., Law No. 27 of 2022 on Personal Data Protection) for failing to secure KYC data.
- Reputational Damage: Trust in the platform would be eroded, potentially leading to user churn and loss of investor confidence.
- Source Code Leak: Full source code exposure lets attackers audit the platform offline for vulnerabilities, and any secrets left in the repository (API keys, database credentials, partner integration endpoints) could be used to reach Cazh.id's backend systems and partners directly. Cloning of the service by competitors is a secondary concern.
What to Watch For
- Official Confirmation: Monitor Cazh.id’s official channels (website, social media, press releases) for a response. The absence of a statement does not confirm the breach.
- Data Dumps: Watch for partial or full data leaks on dark web forums. Groups that fail to extract a ransom commonly publish the data outright or offer it for sale; a released sample is also the first opportunity to verify the claim, for example by matching a handful of records against internal data.
- Phishing Campaigns: Users of Cazh.id should be alert to targeted phishing emails or SMS messages that leverage the leaked data to appear legitimate.
- Group Activity: Track Icarus’s leak site for any additional victims or evidence of operational maturity (e.g., negotiation logs, proof-of-compromise files).
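One way to triage a proof-of-compromise file if the group publishes one, as an added example that is not part of Yazoul Security's report and not Cazh.id's code. It assumes a JSON-lines sample with `email` and `password` fields (an assumption; real samples vary in shape), embeds constructed fake records, and does two things a responder wants early: it classifies the password-hash formats present, since slow salted hashes (bcrypt, Argon2) and unsalted fast hashes (MD5, SHA-1) imply very different credential exposure, and it matches sample e-mails against a keyed-HMAC export of the platform's own user list so the raw user table never has to be shared with whoever handles the dump.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# --- Constructed sample (fake data in the shape of a leak-site "proof" file) ---
# A bcrypt-shaped string: "$2b$<cost>$" followed by 53 base64-like characters.
_FAKE_BCRYPT = "$2b$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."
# An Argon2id-shaped string; the parameters and salt are placeholders.
_FAKE_ARGON2 = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"
# 32- and 40-character hex strings in the shape of MD5 and SHA-1 digests.
_FAKE_MD5_A = "5f4dcc3b5aa765d61d8327deb882cf99"
_FAKE_MD5_B = "e99a18c428cb38d5f260853678922e03"
_FAKE_SHA1 = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"

SAMPLE_DUMP = "\n".join([
    json.dumps({"email": "Alice.Example@example.test", "password": _FAKE_BCRYPT}),
    json.dumps({"email": "bob@example.test", "password": _FAKE_MD5_A}),
    json.dumps({"email": "carol@example.test", "password": _FAKE_SHA1}),
    json.dumps({"email": "dave@example.test", "password": _FAKE_ARGON2}),
    "this line is not JSON and must be skipped, not crash the triage",
    json.dumps({"email": "  EVE@Example.Test ", "password": _FAKE_MD5_B}),
])

# Constructed stand-in for the platform's own user list. In practice the
# database owner exports only keyed_tag(email, key) values, not addresses.
INTERNAL_USERS = ["alice.example@example.test", "carol@example.test",
                  "eve@example.test", "frank@example.test"]
MATCH_KEY = b"constructed-demo-key-use-a-fresh-random-key-per-engagement"

# Ordered so the more specific prefixed formats are tested before bare hex.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$")),
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("sha256-hex", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1-hex", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5-hex", re.compile(r"^[0-9a-fA-F]{32}$")),
]
SLOW_HASHES = {"bcrypt", "argon2", "sha512crypt"}


def classify_hash(value):
    """Return the hash format name for a stored password value, or 'unknown'."""
    for name, pattern in HASH_FORMATS:
        if pattern.match(value):
            return name
    return "unknown"


def parse_dump(text):
    """Parse JSON lines, silently skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "email" in rec:
            records.append(rec)
    return records


def normalize_email(email):
    return email.strip().lower()


def keyed_tag(email, key):
    """HMAC-SHA256 of the normalized address; the key prevents offline guessing."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def hash_format_summary(records):
    return Counter(classify_hash(str(r.get("password", ""))) for r in records)


def match_sample(records, internal_tags, key):
    """Sample e-mails whose keyed tag appears in the internal export."""
    return [normalize_email(r["email"]) for r in records
            if keyed_tag(r["email"], key) in internal_tags]


def triage(dump_text, internal_emails, key):
    records = parse_dump(dump_text)
    formats = hash_format_summary(records)
    slow = sum(n for f, n in formats.items() if f in SLOW_HASHES)
    internal_tags = {keyed_tag(e, key) for e in internal_emails}
    matched = match_sample(records, internal_tags, key)
    total = len(records)
    return {
        "records": total,
        "hash_formats": dict(formats),
        "fast_hash_fraction": round(1 - slow / total, 2) if total else 0.0,
        "matched": matched,
        "match_rate": round(len(matched) / total, 2) if total else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DUMP, INTERNAL_USERS, MATCH_KEY), indent=2))
```

A high match rate against current users supports the claim; a high match rate against accounts that only existed in an old backup points at a re-release of earlier data rather than a fresh intrusion. The fast-hash fraction feeds the user-notification decision: MD5 or SHA-1 password fields should be treated as effectively plaintext.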
Disclaimer
This report is based on unverified claims made by the Icarus ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, the exfiltration of data, or the authenticity of any samples. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into paying ransoms. All information herein should be treated as intelligence leads requiring further investigation. No PII, download links, or access credentials are included in this report. For more information, see our dark web monitoring section at /intel/.