
SafePay lists Australian energy management firm Energy Action on leak site
Ransomware crew SafePay has added Australian consultancy Energy Action to its dark web leak site, claiming a breach of the firm that says it manages more than 10 per cent of Australia's commercial energy spend.
SafePay has listed Australian energy consultancy Energy Action on its dark web extortion site, with a release deadline now days away.
The listing went up on 1 May, according to a Cyber Daily report on 6 May. The post does not say how much data was taken or what type. SafePay's countdown timer gave just over two days from the time of that report. Energy Action had not publicly disclosed an incident at the time of the report.
Energy Action operates under Australian Business Number 90 137 363 636. It advises corporate clients on energy procurement, usage and emissions reporting, embedded networks and net-zero strategy. The firm says on its corporate website that it manages more than 10 per cent of Australia's commercial business energy spend. Listed clients include hospitality group Accor and the Melbourne Cricket Ground.
A confirmed breach could expose procurement records, energy account data and corporate contact details for part of Energy Action's customer base. The firm has not said whether any data was taken or whether its systems were affected.
SafePay first appeared in October 2024. Its leak site now lists more than 450 victims, with named targets in Australia, the United Kingdom, the United States, Italy, New Zealand, Canada and several other countries. The group rejects the affiliate model used by most modern ransomware crews. "SafePay ransomware has never provided and does not provide the RaaS," the gang said in a statement on its leak page, referring to ransomware-as-a-service.
Its biggest disclosed hit to date was United States IT distributor Ingram Micro in July 2025. That attack compromised the personal information of more than 42,000 individuals.
Energy Action would be the second Australian organisation named by SafePay in recent weeks. South Australian non-profit Genealogy SA appeared on the leak site on 16 April and later confirmed the underlying intrusion.
"We are aware of the claims made by SafePay," the organisation said. "This relates to an incident that was discovered by us back in February 2026. Immediately at the time of discovering the incident, we engaged cyber security experts to contain and investigate the incident. We can confirm that the incident is resolved, and we have communicated with our members about the incident."
Australian organisations covered by the Privacy Act must notify the Office of the Australian Information Commissioner and affected individuals when a breach is likely to result in serious harm. The Australian Cyber Security Centre had not issued a public advisory on the SafePay listing. Energy Action did not respond to a request for comment.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.