The D1R extortion group claimed it breached Synopsys and used information from that access to target customers including Bosch and Arm. Posts attributed to the group alleged theft of a Synopsys corporate client database containing roughly 40,000 entries, access to Bosch engineering-related material including a claimed CAN module implementation, and the download of Arm’s Athena Download Manager. The attackers also asserted that leaked Synopsys data and third-party access paths helped them identify and pursue additional victims, while saying Arm’s repeated 2FA prompts slowed but did not stop their activity.
Synopsys said its investigation found no evidence of unauthorized access to its systems or customer technical data, and stated the threat actor had not contacted the company. Reporting also cast doubt on D1R’s proof-of-compromise claims: a screenshot presented as evidence of Bosch data exposure appeared to match a publicly available Bosch user manual, and Bosch did not confirm any breach, issuing only a general statement on its cybersecurity posture. The competing claims leave the alleged downstream exposure of Synopsys customers unverified, even as D1R attempts to pressure multiple high-profile firms with breach and leak assertions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
SecurityWeek reported that Bosch did not confirm a breach after D1R alleged it had obtained Bosch intellectual property through Synopsys. Bosch responded only with a general statement emphasizing its cybersecurity posture.
SecurityWeek reported that Synopsys said its investigation found no evidence of unauthorized access to its systems or customer technical data after D1R's claims. The company also said the threat actor had not contacted it.
A HookPhish report said ARM was identified as a victim of a ransomware-related breach attributed to D1R. The incident was explicitly stated as discovered on July 13, 2026, and the attackers alleged they used Synopsys-leaked data to gain access and download the Athena Download Manager.
A HookPhish report said Bosch was a victim of a ransomware-related data breach attributed to D1R. The incident was explicitly stated as discovered on July 13, 2026, with attackers alleging access tied to technical leaks and possible third-party compromise.
A HookPhish report said Synopsys was identified as a victim of a ransomware-related data breach attributed to D1R. The incident was explicitly stated as discovered on July 13, 2026 at 11:32 UTC.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
teiss.co.uk
Open sourcescworld.com
Open sourcemalware.news
Open sourcesecurityweek.com
Open sourcehookphish.com
Open sourcehookphish.com
Open sourcehookphish.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.