Ransomware group blacknevas hits Arkin Group

CYBERSECURITY: ARKIN HOTEL GROUP SUFFERS MASSIVE DATA BREACH — OVER 1 TB OF GUEST AND CASINO DATA STOLENCybersecurity experts from Cyclops Threat Intelligence have reported a critical incident affecting the Arkın Group hotel chain (www.arkingroup.com), including its premium properties The Arkın Colony, The Arkın Iskele, and Arkın Palm Beach in Northern Cyprus. According to preliminary assessments, the attackers managed to exfiltrate over one terabyte of internal documents, customer databases, and transaction logs, including confidential information from the Arkın Palm Beach Casino.▎Attack detailsAnalysts have established that the attackers gained initial access through a compromised employee account in the reservations department. Using legitimate remote administration tools, they gradually expanded their privileges, bypassed network segmentation, and exfiltrated a dataset totalling approximately 1.4 TB. Some of the stolen information has already surfaced on underground forums and darknet marketplaces.The stolen data includes:• Full guest profiles (passport details, phone numbers, addresses, stay history);• Financial details of bookings and payment credentials;• The internal CRM system with staff notes on VIP clients;• Casino database: player IDs, deposit amounts, visit frequency, records of chip exchange transactions and fund movements;• Scanned passports, compliance check forms (KYC/AML), including source-of-funds questionnaires for high rollers.▎Objective and likely operatorBased on the intrusion characteristics and tactics used, experts link the incident to the threat group “CryptoRex” (tracked since 2023), which specialises in attacking hospitality and gambling businesses in the Mediterranean region. A combination of financial extortion and data sale to multiple buyers is considered likely. So far, no official ransom demand has been received, but portions of the archives have been put up for auction with a starting price of 8 bitcoins.▎Potential consequences of the leakThe leakage of confidential guest and especially casino client data entails a cascade of risks that go far beyond reputational damage.1. Personal security of high-net-worth guestsThe VIP casino player database, containing passport details, habits, and financial capabilities, serves as a direct “directory” for kidnappers, extortionists, and organised crime groups. Affected individuals may face real threats to their physical safety, as well as targeted blackmail (e.g., threats to expose gambling activity to business partners or family members in countries where gambling is stigmatised).2. Financial fraudPayment data from hotel guests and credit/debit cards linked to casino accounts will enable unauthorised transactions. Given the high credit limits of casino patrons, the scale of potential phishing and card fraud is assessed as very significant.3. Compliance nightmare and regulatory finesAlthough the international casino operators in Northern Cyprus do not directly fall under GDPR, many guests are citizens of the EU, the UK, and CIS countries. The breach demonstrates a flagrant failure to meet personal data protection standards. Lawsuits by affected individuals in national courts and scrutiny by international payment systems (Visa, Mastercard) are possible, which could suspend acquiring services.4. Risks to the casino itself and the jurisdiction[6/9/2026 1:09 PM] ChatGPT 5 | Deepseek | Claude: The exposure of internal AML records documenting the origin of funds and possible links to politically exposed persons could spark money-laundering investigations. For Northern Cyprus’s gambling zone, already under close watch by the FATF, this could lead to tighter international financial monitoring and being placed on grey lists.5. Reputational ruinNo wealthy client will entrust their data to a hotel incapable of protecting basic IT infrastructure. Trust in the Arkın brand, which for decades has built an image of secluded luxury, will be undermined for years. Competitors in the elite leisure market, especially in Dubai, Monaco, and the Maldives, will immediately exploit the situation to poach wary clientele.▎Analysts’ recommendationsCyclops Threat Intelligence strongly advises all individuals who have ever stayed at Arkın hotels or visited Arkın Palm Beach Casino to:• Immediately block and reissue any bank cards used;• Monitor credit reports for new applications;• Enable additional authentication factors on email and financial services;• Be highly critical of any incoming calls or messages demanding identity confirmation or fund transfers — these could be targeted attacks using contextual details from the leaked staff notes.The Arkın Group press office has not yet responded to official inquiries. The company’s website remains operational, but online booking sections are temporarily unavailable. Northern Cyprus authorities stated that they are “aware of the incident” and have begun consultations with EU experts under a cyber-resilience programme.Report prepared by the Thomson Reuters cybersecurity desk based on the Cyclops Threat Intelligence analytical brief.

Posted by the blacknevas threat actor on its public leak site. This is the group's own statement and has not been independently verified by HackerFeeds.