AMSTERDAM – The Nova ransomware group has claimed responsibility for a cyberattack on KPMG Netherlands, listing the major audit and advisory firm on its dark web leak site as of January 23, 2026.
The posting suggests a potential breach of one of the world’s leading professional services networks. As of this report, KPMG Netherlands has not issued an official public statement confirming the incident or verifying the validity of the attackers’ claims.
The Incident
The listing for KPMG Netherlands appeared on the Nova group’s data leak site late Friday. While the specific volume of data allegedly exfiltrated remains unverified, such postings typically signal that attackers have successfully breached a network, encrypted files, and stolen sensitive information.
By publicly listing a victim, ransomware operators utilize “double extortion” tactics. They intend to pressure the organization into paying a ransom to prevent the public release of confidential data. The Nova group traditionally sets deadlines for victims to initiate contact, threatening to publish stolen files if negotiations do not commence.
About the Nova Ransomware Group
Nova is a rapidly emerging threat actor in the cybercrime ransom space, first gaining significant attention in mid-2025. Security researchers have linked the group’s operations to the “RALord” ransomware strain and noted its use of a Ransomware-as-a-Service (RaaS) model.
The group is known for unpredictable and hostile negotiation tactics. In previous attacks, Nova operators have doubled ransom demands after accusing victims of involving law enforcement, signaling a departure from standard transactional criminal negotiations.
What’s Next
The infosec community awaits an official response from KPMG Netherlands. Standard incident response protocols for such claims involve isolating affected systems, engaging forensic experts to verify the scope of the breach, and notifying relevant data protection authorities.
Until the claim is verified or debunked by forensic evidence, stakeholders should monitor the Nova leak site for updates, as the group may release file samples to prove their access.
This story is developing.
