
Stormous ransomware claims cyber attack on Volkswagen
Threat actors have claimed an attack on major car manufacturer Volkswagen Group, claiming to have exfiltrated the personal and security data of customers and their vehicles.
Volkswagen Group is the second largest car manufacturer in the world in sales, the largest in the world in revenue and the largest company in Europe. It owns brands such as Porsche, Audi, Bentley, Lamborghini, Cupra, SEAT, Škoda and Volkswagen.
On June 1, 2025, the Stormous ransomware gang listed Volkswagen Group on its dark web leak site, claiming to have exfiltrated an unspecified amount of data.
According to the listing, the threat actors stole “user account data (partially hidden emails), authentication tokens (OAuth tokens, JWT tokens), login links for external systems”, session cookies, identity and access information including phone numbers, emails, profile details, vehicle VIN numbers, and “authentication and access control details.”
As mentioned, Stormous did not say how much data was exfiltrated, listing the size as “?GB”. Additionally, the group did not post a data sample. However, it has said that it will publish the data in a number of days.
While the lack of evidence could bring the breach’s legitimacy into question, Stormous is a long-established and well-known threat actor with a reputation to uphold. The group could be withholding a sample to later use as leverage against Volkswagen in an attempt to secure payment. However, nothing has yet been confirmed.
Volkswagen Group is yet to publicly acknowledge the incident. Cyber Daily has reached out to the company for more information.
This is the second time that Volkswagen customers have had their data at least potentially compromised in 2025, after the car manufacturer unintentionally left a database containing details of electric vehicle owners publicly accessible.
As discovered by a German ethical hacking group, the Chaos Computer Club (CCC), vehicle owner data stored on the Amazon Cloud was left exposed to the public for months thanks to a misconfiguration in the car company’s software subsidiary, Cariad.
The data included names and precise vehicle locations, which would allow someone with the technical knowledge to track a driver’s movements.
The data affected Volkswagen, Audi, Škoda and SEAT vehicle owners. According to reports, the cloud database contained terabytes of data, and the geolocation data was as exact as within a few centimetres.
According to reports, 460,000 of the almost 800,000 vehicles affected had their geolocation data exposed.
Of the affected vehicles, 300,000 were based in Germany, followed by Norway with 80,000, Sweden with 68,000, Belgium also with 68,000, the UK with 63,000, the Netherlands with 61,000, France with 53,000, and Denmark with 35,000.
A fix was quickly implemented according to Cariad, which was verified by the CCC. Cariad also said that its investigation suggests that beyond the CCC ethical hackers, nobody had accessed the vehicle data and that no misuse had occurred.
Daniel Croft
Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.