
Attack alert: safepay targets lampus.com - FR

DataInTheDark Alert System

Introduction

The SafePay ransomware group has claimed responsibility for a cyberattack against Lampus.com, a French digital agency specializing in web and mobile development. This compromise, detected on December 15, 2025, exposes the company to significant risks, particularly concerning sensitive customer data and the e-commerce projects it manages for its partners. Classified as an XC level attack (SIGNAL level) according to our XC-Classify analysis protocol, this incident illustrates the persistent vulnerability of SMEs in the technology sector to cybercriminal threats. The agency, which has between 10 and 50 employees and generates an estimated €2 million in revenue, joins the long list of SafePay victims in France.

SafePay is a malicious actor still active in the cybercrime scene, operating according to the classic double-extortion ransomware model. This cybercriminal group encrypts the systems of targeted organizations while first exfiltrating large volumes of sensitive data, which it then threatens to release publicly if the ransom is not paid. This maximum pressure strategy aims to force victims to negotiate, even when they have working backups.

Detailed analysis

SafePay's modus operandi is consistent with the tactics, techniques, and procedures (TTPs) observed among modern ransomware groups. The actor typically exploits unpatched vulnerabilities in internet-exposed infrastructures, targeted phishing campaigns aimed at employees, or initial access purchased on underground forums from Initial Access Brokers (IABs). Once persistence is established on the compromised network, the group conducts thorough reconnaissance of the environment, identifying critical digital assets and privilege escalation paths.

SafePay's previous victims demonstrate a deliberate sector diversification, affecting both industrial companies and digital service providers. This opportunistic approach suggests that the group prioritizes targets with an exploitable attack surface rather than strict vertical specialization. The group's business model, likely structured as Ransomware-as-a-Service (RaaS), allows affiliates to deploy the malicious infrastructure in exchange for profit sharing, thus multiplying the reach of the campaigns.

Founded in 2010, Lampus.com has positioned itself as a leading digital agency in the French technology ecosystem. With a team of 10 to 50 employees, the company supports its clients in the design and development of customized web and mobile solutions. Its portfolio notably includes critical e-commerce projects involving the handling of transactional data, banking information, and confidential customer files.

The organization operates in a highly competitive sector where digital trust is a fundamental strategic asset. The compromise of its systems exposes not only its own internal data—proprietary source code, technical documentation, and commercial contracts—but also information entrusted to it by its business partners. This dual exposure significantly amplifies the potential impact of the incident, transforming a targeted intrusion into a widespread threat to its entire customer ecosystem.

Based in France, Lampus.com operates in a strict regulatory environment, subject to the obligations of the General Data Protection Regulation (GDPR) and potentially the NIS2 Directive, depending on the criticality of the services provided. Its mid-sized structure, typical of tech SMEs, leaves it particularly vulnerable: sufficiently structured to manage sensitive projects, but sometimes with limited cybersecurity resources when facing sophisticated adversaries.

The XC exposure level, classified as SIGNAL, indicates a detected compromise, but the exact extent of the exfiltrated data is still being analyzed by our Cyber Threat Intelligence (CTI) teams. This status suggests that SafePay published a claim of responsibility for the attack on its leak site, without necessarily immediately disclosing all the compromised files. This intermediate step is often a maximum-pressure strategy, leaving uncertainty about the volume and sensitivity of the digital assets in the attackers' hands.

Review of the available metadata indicates that the intrusion likely targeted the agency's production and development environments, critical areas housing both client project source code and operational databases. The initial attack vector remains under investigation, although compromises of digital agencies frequently result from exploiting vulnerabilities in collaboration tools or project management platforms exposed without robust multi-factor authentication.

The incident timeline reveals a detection on December 15, 2025, right in the middle of the end-of-year period when technical teams are often reduced and vigilance is lower. This timing is likely not coincidental: malicious actors strategically exploit organizational vulnerabilities to maximize their undetected persistence time before encryption is activated. The data suggests that the exfiltration preceded the public claim of responsibility by several days, a period during which SafePay was able to methodically extract the most sensitive files.

The French technology sector is facing a surge in cyberattacks specifically targeting digital service providers. These companies, by their very nature, hold multi-client data, transforming each breach into a potential chain reaction affecting their entire business ecosystem. Digital agencies like Lampus.com frequently manage privileged access to their clients' infrastructures, administrative credentials, and cryptographic secrets—all valuable assets on the black market.

French regulations impose strict obligations regarding the notification of security incidents. The GDPR requires Lampus.com to notify the CNIL (French Data Protection Authority) within 72 hours of becoming aware of a data breach if it poses a risk to the rights and freedoms of the individuals concerned. Simultaneously, the ANSSI (French National Cybersecurity Agency) must be alerted in accordance with the provisions applicable to operators of essential services and digital service providers. These legal obligations are accompanied by potentially heavy financial penalties in the event of non-compliance or proven negligence in data protection.

Technology companies operating in France must also anticipate the gradual implementation of the NIS2 Directive, which significantly expands the scope of entities subject to enhanced cybersecurity obligations. Critical digital service providers now fall under the scope of this regulation, entailing increased requirements for risk management, incident notification, and security governance.

Precedents in the sector demonstrate that breaches of digital agencies frequently generate domino effects. When a service provider is compromised, attackers can exploit established trust relationships to pivot to customer infrastructures, transforming a single intrusion into a widespread attack campaign. This dynamic demands collective vigilance: every Lampus.com partner must now consider the possibility of indirect exposure and urgently review the access and privileges granted to the agency.

This attack against Lampus.com is certified via the XC-Audit protocol, guaranteeing immutable and verifiable traceability on the Polygon blockchain. Unlike the centralized and opaque verification systems traditionally used in the cybersecurity industry, our blockchain approach allows anyone to independently validate the authenticity and timestamp of the compromise.

Frequently Asked Questions

When did the attack by safepay on lampus.com occur?

The attack occurred on December 15, 2025 and was claimed by safepay. The incident can be tracked directly on the dedicated alert page for lampus.com.

Who is the victim of safepay?

The victim is lampus.com, a company in the technology sector located in France. You can search for lampus.com's official website. To learn more about the safepay threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on lampus.com?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on lampus.com has been claimed by safepay but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

The cryptographic hash of the incident is permanently recorded on the public Polygon blockchain, creating tamper-proof evidence of SafePay's claim. This radical transparency is a fundamental differentiator of DataInTheDark: our analyses are not based on unverifiable claims, but on cryptographically certified and publicly auditable evidence. Businesses, researchers, and authorities can therefore rely on certified data rather than incident reports whose veracity remains questionable.

Proof of the leak on lampus.com
