Marvell, a semiconductor company, appears to have suffered a data breach – which has been claimed by the LockBit ransomware group.
In a briefly resurrected .onion (“dark web”) site the ransomware group said that it had accessed a wide range of data belonging to the Nasdaq-listed semiconductor company, demanding $2.9 million to destroy the data.
Marvell has a market capitalisation of over $142 billion. It sells products across what it describes as a “broad suite of differentiated IP” including Ethernet switches, ARM compute, and advanced packaging, including die-to-die interconnects and chiplets. It has more than 10,000 patents.
Reached by The Stack, a Marvell spokesperson said:
“We are aware that a cyber threat actor claims to possess Marvell data. We are investigating the claims, and at this time, we believe that the matter stems from an incident involving a third-party”
The ransomware group claimed that it had breached network infrastructure company Allied Telesis to steal 500 gigabytes of data.
"After a lengthy correspondence, the company refuses to pay* and conduct long-distance dialogue, so we provide the data to the company’s clients and partners,” LockBit said, apparently referring to Allied Telesis.
See also: Mandiant confirms 165 Snowflake breach victims – sees custom .NET and Java reconnaissance tool
Within hours of resurrecting a ransom portal that also named alleged victims like the Federal Reserve (sharing no evidence of this latter claim – The Stack also reached out to the Fed for comment late Monday and had not received one as we published) the .onion site was unavailable again.
Between June 2022 and February 2024 the LockBit group and 194 affiliates engaged in 2,500 attacks globally. In February this year, a global law enforcement effort saw the group’s infrastructure taken over with “source code, details of victims and ransoms paid, data, chats and much more” requisitioned by the UK’s National Crime Agency and partners.
The agency noted at the time that “LockBit have created a new leak site on which they have inflated apparent activity by publishing victims targeted prior to the NCA taking control of its services in February, as well as taking credit for attacks perpetrated using other ransomware strains.”
*A round of applause from us.
