-
Threat actor “DreamFyre” claims to have breached Goknur Gida and stolen 10.7TB of corporate and operational data.
-
The actor reportedly listed the alleged dataset for sale on a cybercrime forum and is demanding 25 BTC for access.
-
The claims remain unverified, but the leaked data allegedly includes industrial systems, financial records, employee information, and proprietary business assets.
A threat actor operating under the alias “DreamFyre” has claimed responsibility for a massive cyberattack against Turkish food and beverage manufacturer Goknur Gida, alleging that it extracted approximately 10.7 terabytes of sensitive company data.
According to Daily Dark Web Intelligence, the actor advertised the alleged dataset on an underground cybercrime forum and is seeking 25 Bitcoin for access. Based on current cryptocurrency prices, the demand represents a significant financial amount.
Daily Dark Web Intelligence stated that it has not independently verified the claims. However, the actor describes the incident as a complete compromise of Goknur Gida’s infrastructure, affecting both corporate and industrial environments.
Threat Actor Claims Access to Critical Infrastructure
DreamFyre alleges that the breach affected several core systems used across the company’s operations. The actor claims to have obtained access to Active Directory services, industrial control environments, virtualization platforms, and business management systems.
According to the listing, the stolen information totals around 10.7TB. The actor claims the collection includes roughly 5.2TB of backup data, 3.3TB of file server information, and another 2.2TB consisting of user files and internal corporate documents.
The threat actor further claims to possess Active Directory architecture details and NTDS.dit database files, which may contain authentication-related information used across enterprise networks. The advertised dataset allegedly contains network configurations, ESXi virtualization data, firewall settings, cybersecurity documentation, and infrastructure records.
More notably, DreamFyre claims to have accessed operational technology environments used in manufacturing processes. These systems reportedly include Supervisory Control and Data Acquisition (SCADA) platforms, Programmable Logic Controllers (PLCs), and Remote Terminal Unit (RTU) configurations.
If the claims prove accurate, exposure of such operational technology assets could create risks that extend beyond conventional data theft and potentially affect production environments.
Financial, Customer, and Employee Records Allegedly Exposed
The actor also claims to possess extensive business and financial information belonging to the company.
According to the forum listing, the alleged dataset contains customer records, commercial agreements, contracts, banking information, cash flow documentation, and financial reports. The actor further claims to have obtained supply chain records, procurement data, logistics information, inventory databases, and stock management systems.
Corporate data and network access are highly valued on underground markets. Another listing offers access to corporate networks and an Italian airport, highlighting the demand for compromised enterprise environments.
Employee information reportedly forms a significant part of the alleged breach. DreamFyre claims the dataset contains salary records, Turkish national identification numbers, authentication-related information, passport details, and contact information belonging to employees and senior executives.
The actor additionally alleges access to enterprise resource planning (ERP) and customer relationship management (CRM) systems, as well as contracts involving distributors, subcontractors, dealers, and service providers.
Among the most sensitive claims is the alleged theft of intellectual property. The listing reportedly includes production recipes, proprietary formulas, manufacturing know-how, product designs, CAD drawings, patents, and research and development materials.
Authenticity of Claims Yet to Be Verified
Cybersecurity researchers frequently caution organizations to treat data breach advertisements on underground forums with caution until independent verification confirms the claims. Threat actors sometimes exaggerate the scale of intrusions or overstate the value of stolen information to attract buyers.
Nevertheless, if the claims are confirmed, the incident could rank among the more significant cyber events affecting a manufacturing organization. The alleged exposure spans information technology systems, industrial operations, employee records, financial assets, customer information, and intellectual property.
Such a combination of data could enable a wide range of threats, including corporate espionage, targeted phishing campaigns, financial fraud, supply chain attacks, and intellectual property theft. Exposure of proprietary manufacturing processes could also create long-term competitive risks for the company.
Daily Dark Web Intelligence reported that it observed the underground forum listing on June 1, 2026. As of publication, no independent source had confirmed the alleged breach, and Goknur Gida had not publicly addressed the claims.
