Cheeky.com.ar Ransomware Claim by Safepay (April 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
The Safepay ransomware group has posted an unverified claim on its data leak site, alleging a cyberattack against Cheeky.com.ar, a prominent Argentine children’s fashion brand owned by CHEEK S.A. The group claims to have executed the attack on April 17, 2026. According to the threat actor’s post, they have exfiltrated data from the company. The exact volume and specific content of the allegedly stolen data were not disclosed in the initial claim, though the post references general corporate background information.
Threat Actor Profile
Safepay is a ransomware-as-a-service (RaaS) operation with a significant volume of claimed victims, listing 444 organizations on its leak site at the time of this report. This high count suggests an active, widespread campaign, though the authenticity of each claim requires individual verification. The group is known to leverage a set of common tools for lateral movement and data staging, including Invoke-ShareFinder for network reconnaissance, archiving utilities like 7-Zip and WinRAR, and living-off-the-land binaries (LOLBins) such as CMSTPLUA, dllhost.exe, and Regsvr32.exe for execution and persistence. No public, in-depth technical research or associated YARA rules specifically for Safepay payloads were readily available at the time of writing, indicating a potential gap in public threat intelligence.
Alleged Data Exposure
The threat actor claims to have stolen data from Cheeky.com.ar but has not provided a detailed leak sample or file list in the initial post. The description on the leak site contains publicly available information about the company’s history and location. The lack of specific evidence or data samples in the claim makes it difficult to assess the scope and sensitivity of the purported breach. Ransomware groups often withhold proof to pressure the victim during negotiations.
Potential Impact
If the claim is valid, the potential impact on Cheeky.com.ar could be severe. As a consumer-facing brand in the children’s fashion sector, a breach could compromise sensitive customer data, internal financial records, and proprietary design information. This could lead to regulatory scrutiny under data protection laws, significant reputational damage, and loss of customer trust. The operational disruption from a ransomware attack could also halt e-commerce and supply chain activities.
What to Watch For
Monitor the Safepay leak site for any updates, such as the publication of proof-of-hack files or a sample data dump, which would lend more credibility to the claim. Security teams, particularly in the retail and consumer services sectors, should ensure their detections cover Safepay's documented TTPs, especially the use of Invoke-ShareFinder and the LOLBins listed above. Watch for any official statement from CHEEK S.A. regarding a cybersecurity incident. Increased phishing campaigns or fraudulent communications targeting the company's customers or partners could follow if data is eventually leaked.
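As a starting point for that detection coverage, the following added example (not Yazoul Security's code and not derived from Safepay samples) tags process-creation events for the tools named in this report and correlates share discovery with archive creation on the same host. The event tuple layout, the 30-minute window, the user-writable path heuristic and the sample events are assumptions; the CLSID is the publicly documented CMSTPLUA COM class ID, not a value from the leak post.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (host, time, image, command line); not real telemetry.
EVENTS = [
    ("WS-01", "2026-05-01T09:00:05", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Invoke-ShareFinder"),
    ("WS-01", "2026-05-01T09:12:40", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe a C:\Users\Public\out.7z \\FS01\Finance"),
    ("WS-02", "2026-05-01T10:00:00", r"C:\Program Files\WinRAR\WinRAR.exe",
     r"WinRAR.exe x C:\Users\a\Downloads\photos.rar"),
    ("WS-03", "2026-05-01T11:30:00", r"C:\Windows\System32\dllhost.exe",
     "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    ("WS-03", "2026-05-01T11:31:00", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Users\Public\u.dll"),
]

ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
# Publicly documented CLSID of the CMSTPLUA COM object (lower-cased for matching).
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
# Assumed heuristic: a DLL registered from a user-writable directory is suspicious.
USER_WRITABLE = re.compile(r"\\users\\|\\programdata\\|\\temp\\", re.I)

def classify(image, cmdline):
    """Return a tag for one event, or None when no rule matches."""
    name = image.rsplit("\\", 1)[-1].lower()
    cmd = cmdline.lower()
    if "invoke-sharefinder" in cmd:
        return "share_discovery"
    if name in ARCHIVERS and re.search(r"\sa\s", cmd):  # 'a' = add to archive
        return "archive_create"
    if name == "dllhost.exe" and CMSTPLUA_CLSID in cmd:
        return "cmstplua_com"
    if name == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        return "regsvr32_user_path"
    return None

def staging_alerts(events, window=timedelta(minutes=30)):
    """Hosts where share discovery is followed by archive creation within `window`."""
    last_discovery, alerts = {}, []
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        when, tag = datetime.fromisoformat(ts), classify(image, cmd)
        if tag == "share_discovery":
            last_discovery[host] = when
        elif tag == "archive_create" and when - last_discovery.get(host, datetime.min) <= window:
            alerts.append((host, ts))
    return alerts

def lolbin_hits(events):
    """(host, tag) for every event matching one of the LOLBin rules."""
    return [(h, t) for h, _, i, c in events
            if (t := classify(i, c)) in ("cmstplua_com", "regsvr32_user_path")]
```

Archive extraction on WS-02 is deliberately not flagged: only archive creation that follows share discovery on the same host raises a staging alert, which keeps routine 7-Zip and WinRAR use out of the results.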
Disclaimer
This report is based on an unverified claim from a ransomware group’s data leak site. Yazoul Security has not independently confirmed the breach of Cheeky.com.ar or the validity of the data allegedly exfiltrated. The details presented, including the attack date, tools used, and data claims, originate solely from the threat actor and may be exaggerated or fabricated to extort the victim. This information is provided for situational awareness and threat intelligence purposes only.