Hackers are claiming to have stolen a trove of data belonging to Lockheed Martin, the world’s largest defense contractor and an American aerospace company. They are now selling it on the dark web.
The situation began on March 26, 2026, when a Telegram account linked to a dark web marketplace known as Threat Market, which posts in both Russian and English, claimed it had been approached by a group described as “APT IRAN.” According to the post, the group requested infrastructure support to sell what was described as 375 terabytes of data allegedly taken from Lockheed Martin.[1]
The message further stated that direct access to the platform’s administrative panel had been granted to the APT IRAN group to facilitate the sale. It also referenced the use of cryptocurrency mixers to handle proceeds, a method often used to make payments harder to trace.
Three days later, on 29 March, the same Telegram account announced that the entire 375TB of data was officially listed for sale. The listing advertised a “complete dump” with a stated value of roughly $374 million ($374,821,400) and an exclusive buyout price close to $600 million ($598,500,000).
Messages in Russian and English language posted by Threat Market administrators (Image credit: Hackread.com)
Screenshots from the marketplace analyzed by Hackread.com show categorized data segments, including references to internal projects, source code, and personnel-related information. The structure and presentation resemble typical dark web data sale pages, though authenticity remains unconfirmed.
It is worth noting that large breach claims involving hundreds of terabytes are not unusual on the dark web markets, where exaggerated figures are frequently used to attract buyers or media attention. However, a buyout price of $600 million is something never seen before.
Screenshot from the Threat Market dark web site selling the alleged Lockheed Martin data (Image credit: Hackread.com)
Lockheed Martin Related Claims From Another Group - Around the same time, on 26 March 2026, a group calling itself Handala Hack Team, described as Iran-linked and recently in the news for breaching the personal Gmail account of Kash Patel, the FBI Director, and targeting Stryker Corporation, published a separate message referencing Lockheed Martin employees.
This was different from the Threat Market claim; this post focused on personal data of a limited number of individuals, specifically engineers allegedly connected to defense projects. The group claimed it had accessed detailed personal information and had contacted some of the individuals directly. It also issued threats and a 48-hour ultimatum tied to geopolitical demands.
There’s no clear link between this activity and the alleged 375TB data. The timing may just be coincidental, and the two claims seem to involve different kinds of data. However, this isn’t the first time a group has claimed access to Lockheed Martin employee data. In August 2022, the pro-Russia hacker group Killnet said it had obtained personal information, including employee email addresses and phone numbers. While these claims have not been independently verified, they underscore the ongoing interest of Russian cybercriminal groups in targeting prominent defense contractors and highlight the complex landscape of international cyber threats.
APT IRAN refers to a group believed to be associated with Iranian state-sponsored cyber activities, often labeled as an Advanced Persistent Threat (APT). Such groups typically target high-profile organizations for espionage, data theft, or disruption, using sophisticated tactics and infrastructure. Their involvement in this incident suggests a calculated, organized approach to leveraging stolen data for financial or strategic gain.
Handala Hack Team - The Handala Hack Team is a group reportedly associated with Iran, known for its involvement in various high-profile cyber incidents. Around late March 2026, this group made headlines for breaching the personal Gmail account of Kash Patel, the FBI Director, and targeting Stryker Corporation, a major medical technology company. In addition to these attacks, the Handala Hack Team published a message referencing Lockheed Martin employees, claiming to have accessed detailed personal information of engineers allegedly linked to defense projects. Their communication focused on the personal data of a limited number of individuals and included threats, along with a 48-hour ultimatum tied to specific geopolitical demands.
The activities attributed to Handala Hack Team are distinct from other claims circulating at the same time, such as the alleged sale of 375TB of Lockheed Martin data on dark web marketplaces. While there is no clear connection between these separate incidents, they highlight the ongoing targeting of prominent defense contractors and the complex landscape of international cyber threats. The group’s tactics typically involve direct contact with affected individuals and issuing threats, underscoring the aggressive nature of their campaigns.
At this point, the situation remains unclear. There is no public confirmation from Lockheed Martin regarding any breach of this nature, and trusted security researchers have verified no sample data.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://hackread.com/dark-web-market-375tb-lockheed-martin-data/
Comments