FRBNY A.I CyberSecurity Scoring
FRBNY
Company Information
Website:http://www.newyorkfed.org
Employees number:3,228
Number of followers:165,624
NAICS:52
Industry Type:Financial Services
Homepage:newyorkfed.org
FRBNY Risk Score (AI oriented)
Between 650 and 699
FRBNYFinancial Services
Updated:
22/06/2026
22/06/2026
666/1000
Weak
B
FRBNY Global Score (TPRM)
xxxx
FRBNYFinancial Services
Score locked

FRBNYWeak
Current Score
666B (WEAK)
01000
1 incidents
-115 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
667
JUNE 2026
666
MAY 2026
664
APRIL 2026
662
MARCH 2026
660
FEBRUARY 2026
658
JANUARY 2026
769
Ransomware
01 Jan 2026 • FRBNY
Change Healthcare and Federal Reserve: Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags
Ransomware’s Double Trouble: Why Victims Are Being Claimed Twice in 2026
654
CRITICAL-115
CHAFED1782133142
Ransomware’s Double Trouble: Why Victims Are Being Claimed Twice in 2026
In 2026, a troubling trend has emerged in the ransomware landscape: the same victim organizations are appearing on leak sites under two different ransomware group names. Bitdefender’s analysis of this phenomenon based on a curated dataset of 98 claims across 49 distinct victims from January to June 2026 reveals five key explanations for these duplicate postings, each with distinct implications for incident response.
### The Mechanics Behind Duplicate Claims
The median gap between a victim’s first and second appearance on leak sites is 12 days, with a mean of 23 days and a maximum of 96 days. While five cases were posted simultaneously, most followed a staggered timeline, suggesting different underlying causes. The patterns also hint at structured relationships between groups such as Beast preceding Qilin or Devman preceding DragonForce rather than random overlaps.
#### 1. One Attack, Two Group Names (Cartel Rebranding)
Some duplicate claims stem from a single breach posted by two brands within the same criminal network. For example, DragonForce absorbed affiliates from RansomHub after its shutdown, leading to the same victim appearing under both names. Similarly, Hunters International rebranded as World Leaks, carrying over infrastructure and extortion tactics. In these cases, the victim faces one incident, not two, but public statistics inflate the count.
#### 2. Same Data, Second Extortion (Affiliate Churn)
A single breach can generate two extortion attempts if an unpaid affiliate reposts stolen data under a new group. The Change Healthcare case exemplifies this: an ALPHV/BlackCat affiliate allegedly resurfaced the same data via RansomHub after a payment dispute. The 1-to-30-day gap in many duplicate claims aligns with this model, where sequential postings indicate a handoff rather than simultaneous access sales.
#### 3. Two Real Breaches (Repeat Victimization)
In 16 of the 49 cases, the gap between claims exceeded 31 days, suggesting two genuinely separate breaches. Often, this occurs when an organization fails to address systemic vulnerabilities such as weak identity controls, unpatched systems, or flat networks after the first attack. Access brokers may also resell compromised credentials, enabling multiple independent intrusions.
#### 4. No Breach at All (Fabrication or Plagiarism)
Some claims are entirely fabricated. 0APT, a group that surfaced in early 2026, posted 549 victims in two months later revealed to be fake after a rival group, KryBit, leaked its logs. Similarly, LockBit falsely attributed Evolve Bank data to the Federal Reserve post-disruption, while Dispossessor simply reposted existing victim lists from Cl0p and Hunters International. These cases invert the problem: victims may have no breach to remediate, but false claims still trigger unnecessary disclosures.
### The Statistical Impact of Noise
The prevalence of fabricated claims distorts ransomware metrics. In Q1 2026, raw leak-site data showed 3,014 victims a 15% increase from 2025. However, removing 0APT’s 549 fake claims reversed the trend, revealing a 6% decline. This underscores how one fraudulent group can flip the narrative from "ransomware surged" to "ransomware fell."
### Key Takeaways for Defenders
- Same-day or near-simultaneous claims often indicate cartel rebranding or shared access.
- Days-to-weeks gaps suggest affiliate churn or re-extortion.
- Months-long gaps point to repeat victimization due to unaddressed vulnerabilities.
- No proof or recycled data signals fabrication verification is critical before responding.
The rise of duplicate claims complicates incident response, requiring defenders to distinguish between new intrusions, recycled access, and outright fraud to avoid misallocating resources or making flawed disclosure decisions.
INCIDENT DETAILS -
TYPE
MOTIVATION
DATA BREACH
REFERENCES
DECEMBER 2025
769
NOVEMBER 2025
769
OCTOBER 2025
769
SEPTEMBER 2025
769
AUGUST 2025
769
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for FRBNY ??
What was FRBNY's A.I Rankiteo Cyber Score in June 2026 ??
What was FRBNY's A.I Rankiteo Cyber Score in May 2026 ??
What was FRBNY's A.I Rankiteo Cyber Score in April 2026 ??
What was FRBNY's A.I Rankiteo Cyber Score in March 2026 ??
What was FRBNY's A.I Rankiteo Cyber Score in February 2026 ??
What was FRBNY's A.I Rankiteo Cyber Score in January 2026 ??
What was FRBNY's A.I Rankiteo Cyber Score in December 2025 ??
What was FRBNY's A.I Rankiteo Cyber Score in November 2025 ??
What was FRBNY's A.I Rankiteo Cyber Score in October 2025 ??
What was FRBNY's A.I Rankiteo Cyber Score in September 2025 ??
What was FRBNY's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on FRBNY's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with FRBNY ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view FRBNY's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?