Ransomware Attack Hits 2GO Group Inc., Threat Actor “The Gentlemen” Claims Responsibility
Philippine logistics giant 2GO Group Inc. has reportedly fallen victim to a ransomware attack launched by a threat group known as “The Gentlemen.” The incident was first reported on October 5, 2025.
https://iili.io/Khf9uGs.png
According to the alert, the threat actor “The Gentlemen” claimed responsibility for compromising the systems of 2GO Group Inc. (2go.com.ph) — one of the country’s leading integrated logistics and transportation companies, majority-owned by SM Investments Corporation. The ransomware group has also announced its intention to publish the stolen data within 9 to 10 days, unless undisclosed conditions are met.
A screenshot from the group’s dark web leak site shows a detailed company profile of 2GO Group, including references to its stock symbol (2GO) and corporate background. The post lists the company’s official website, ZoomInfo profile, and Wikipedia entry, signaling a typical ransomware pre-disclosure tactic used to pressure affected organizations.
2GO Group Inc. is a major player in the Philippine logistics and transport sector, offering a broad range of services such as domestic sea freight, passenger travel, courier and parcel delivery, project logistics, freight forwarding, specialized container transport (including ISO tanks and temperature-controlled units), express and last-mile delivery, warehousing, inventory management, and nationwide cargo drop-off through retail outlets.
As of 2025, the company operates a fleet of nine vessels — eight RoRo/RoPax ships and one freighter — connecting 19 ports across Luzon, Visayas, and Mindanao, with major operational hubs in Manila, Cebu, Iloilo, Bacolod, and Cagayan de Oro.
At the time of writing, 2GO Group has not yet released an official statement regarding the alleged ransomware breach.
However, the presence of a countdown timer (“Activates in 238:23:31”) on the threat actor’s portal suggests that the group may begin releasing the compromised data after the stated deadline, potentially exposing sensitive internal files or client information.
Deep Web Konek will continue to monitor the situation and issue updates as new information becomes available.