AkzoNobel confirms cyberattack at a U.S. site after Anubis leak claim

AkzoNobel has confirmed a cybersecurity incident at one of its U.S. sites after the Anubis ransomware operation posted a leak claim online. In a statement shared with BleepingComputer, the company said the incident was contained and limited to the affected site.

According to that statement, AkzoNobel said it had “identified a security incident at one of our sites in the United States” and that the incident “was already contained.” The company also said the impact is limited and that it is taking steps to notify and support affected parties while working with relevant authorities.

At the time of reporting, Anubis claimed it had stolen roughly 170GB of data and nearly 170,000 files. BleepingComputer said the gang published sample material that allegedly included confidential agreements, private correspondence, contact details, passport scans, testing documents, and internal technical sheets, though only part of the claimed leak had appeared publicly.

AkzoNobel is one of the world’s largest paints and coatings companies. Its 2024 annual report lists 34,600 employees, while the company’s Q4 2025 results said it finished 2025 with revenue of €10.7 billion and operations in more than 150 countries.

What AkzoNobel confirmed and what remains unverified

That distinction matters. The company has confirmed an intrusion, but the size of the theft and the exact contents of the allegedly stolen data still come from the threat actor’s side of the story. Until AkzoNobel or regulators publish more detail, those specific leak numbers remain claims, not confirmed facts.

Why the Anubis name matters

Anubis is a ransomware-as-a-service operation that first appeared in late 2024 and later expanded its affiliate activity. BleepingComputer reported in June 2025 that Anubis had added a file-wiping feature designed to destroy data and raise pressure on victims during extortion.

That same reporting said the group promoted an affiliate program on the RAMP cybercrime forum in February 2025 and offered ransomware affiliates an 80% revenue share. Those details help explain why Anubis has become more visible in extortion reporting over the past year.

What companies should take from this incident

• Treat “contained” as the start of the response, not the end.
• Verify whether any data reached public leak sites or third parties.
• Notify impacted people quickly if exposed material includes personal documents or contact data.
• Review segmentation between sites so a local breach stays local.
• Preserve logs and evidence in case regulators or law enforcement request follow-up.

This incident also shows why companies need to separate confirmed facts from extortion-site claims. Threat actors often publish real samples mixed with exaggerated numbers to increase pressure on victims and attract attention. The public reporting here supports the breach confirmation, but it does not independently prove every detail in the leak post.

FAQ