FBI Warns of In-Person Data Theft Attacks Linked to Extortion Group
The FBI is warning that Silent Ransom Group is targeting U.S. law firms with social engineering attacks, including fake IT support calls and even in-person attempts to access computers with USB drives or external hard drives. The group steals sensitive data and uses it for extortion, threatening to leak or sell the information if victims do not respond to ransom demands.
The FBI has issued a warning that the Silent Ransom Group, also known as SRG, is now targeting U.S.-based law firms through in-person data theft operations.
According to an FBI flash alert released Tuesday, SRG actors have been using social engineering tactics since at least Spring 2026. In these attacks, the threat actors pose as members of a victim organization’s IT department. They may contact employees directly by phone or send phishing emails urging employees to call a fake IT support representative.
Once on the phone, the attacker attempts to convince the employee to grant access through a remote desktop session. If remote access is unsuccessful, the group may send an individual to the victim’s physical location to gain access to a company computer and connect an external storage device, such as a USB drive or hard drive, to steal data.
The FBI identified several warning signs of this activity, including unauthorized USB drives or external hard drives connected to company computers, as well as unknown or unauthorized individuals claiming to be IT support and attempting to access employee workstations.
The stolen data is then used for extortion. SRG typically sends ransom demands threatening to sell or publish the stolen information on a leak site. The group may also contact employees, clients, or business partners to increase pressure on the victim organization to begin ransom negotiations.
SRG is also tracked under the names Luna Moth, Chatty Spider, and UNC3753. The group has been active since at least 2022 and has targeted legal and financial organizations in the United States since early 2023.
Previous reporting has linked the same threat actors to BazarCall campaigns, which were used to gain initial access to corporate networks in Conti and Ryuk ransomware operations. After the Conti ransomware group shut down in March 2022, these actors reportedly separated and formed Silent Ransom Group, focusing on data theft and extortion following targeted phishing attacks.
This latest FBI alert follows a May 2025 private industry notification warning that SRG had been targeting U.S. law firms through callback phishing and social engineering attacks for more than two years. A separate May 2025 report from EclecticIQ also found that the group registered domains designed to impersonate IT helpdesk and support portals for major U.S. law firms and financial institutions, often using typosquatted domain names.
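A defender-side check for the helpdesk-themed typosquats described above, as an added example that is not taken from the FBI alert or the EclecticIQ report: it flags observed domains (for instance from DNS or mail-gateway logs) whose name sits within a small edit distance of the firm's own name, with or without a support word attached. The brand `examplelaw`, the word list, the distance threshold, and the sample domains are constructed assumptions.

```python
import re

# Assumed support-themed words; extend with the lures your organization sees.
SUPPORT_WORDS = ("servicedesk", "helpdesk", "support", "service", "help", "desk", "it")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def strip_support_words(label):
    """Drop hyphens, then peel support words off either end. Returns (core, themed)."""
    core, themed, changed = re.sub(r"[-_]", "", label), False, True
    while changed:
        changed = False
        for w in SUPPORT_WORDS:
            if len(core) > len(w) and core.startswith(w):
                core, themed, changed = core[len(w):], True, True
            elif len(core) > len(w) and core.endswith(w):
                core, themed, changed = core[:-len(w)], True, True
    return core, themed

def assess(domain, brand, max_dist=2):
    """Return a finding string for a lookalike of `brand`, or None if not suspicious."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]  # naive: ignores multi-part TLDs
    if label == brand:
        return None  # the organization's own domain
    core, themed = strip_support_words(label)
    dist = edit_distance(core, brand)
    if dist > max_dist:
        return None
    kind = "support-themed lookalike" if themed else "typosquat"
    return f"{kind} (distance {dist})"

# Constructed sample of observed domains; "examplelaw" is a placeholder brand.
OBSERVED = ["examplelaw.com", "examplelaw-helpdesk.com", "exmaplelaw-support.net",
            "examp1elaw.com", "unrelated-helpdesk.com"]

if __name__ == "__main__":
    for d in OBSERVED:
        print(f"{d:28} {assess(d, 'examplelaw') or 'ok'}")
```

The label extraction is deliberately naive; in production, resolve the registrable domain with a Public Suffix List library before comparing.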
Organizations should remain alert for suspicious IT support calls, unexpected remote access requests, unauthorized visitors claiming to provide technical support, and unknown external storage devices connected to company systems.