TKGM Ransomware Attack by apt73 (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
On May 22, 2026, the ransomware group known as apt73 allegedly added the Turkish government agency TKGM (Tapu ve Kadastro Genel Müdürlüğü) to their dark web leak site. The group claims to have successfully compromised the organization’s systems and exfiltrated an undisclosed volume of data. According to the leak site post, TKGM is described as “a government agency from Turkey, the General Directorate of Land Registry and Cadastre.” The attack date is listed as May 22, 2026. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
apt73 is a relatively obscure ransomware group with limited public documentation. Based on available intelligence, the group has a small number of known victims, but their total victim count remains unknown. Their specific tools, tactics, and procedures (TTPs) are not well-documented in open-source intelligence (OSINT) or commercial threat intelligence feeds. No YARA rules or specific detection guidance are currently available for apt73. The group’s credibility is difficult to assess due to the lack of a proven track record; they may be a new or rebranded actor, or they may be exaggerating their capabilities. Yazoul Security assesses this claim with low confidence pending further verification.
Alleged Data Exposure
The group claims to have stolen data from TKGM, but the exact nature and volume of the data remain undisclosed. Given TKGM’s role as the Turkish General Directorate of Land Registry and Cadastre, potential data types could include:
- Land registry records and property titles
- Cadastral maps and survey data
- Personally identifiable information (PII) of property owners and employees
- Internal government correspondence and administrative documents
The group has not provided any samples or proof of the alleged data theft at this time. Ransomware groups often exaggerate or fabricate claims to pressure victims into paying ransoms.
Potential Impact
If the claim is verified, the impact on TKGM and Turkish citizens could be significant:
- Operational Disruption: Ransomware encryption could disrupt land registry services, property transactions, and cadastral operations.
- Data Breach: Exposure of sensitive land ownership records could lead to identity theft, fraud, or property disputes.
- Reputational Damage: A breach of a government agency handling critical national infrastructure could undermine public trust.
- Regulatory Consequences: Turkey’s data protection laws (KVKK) may impose fines and require notification of affected individuals.
What to Watch For
- Official Confirmation: Monitor TKGM’s official website (tkgm.gov.tr) and Turkish government channels for any statements regarding the incident.
- Data Leak: Watch for any subsequent posts from apt73 that may include data samples or a ransom deadline.
- Group Activity: Track apt73’s future claims to assess their credibility and TTPs.
- Third-Party Reports: Look for analysis from Turkish cybersecurity authorities or international partners.
Disclaimer
This report is based on unverified claims made by the ransomware group apt73 on their dark web leak site. Yazoul Security has not independently confirmed the attack, data theft, or any other details provided. Ransomware groups frequently fabricate or exaggerate claims to pressure victims. This information is provided for intelligence purposes only and should not be acted upon without further verification. No PII, download links, or access credentials are included in this report.