The Nova ransomware group, a cybercrime operation known for running a ransomware-as-a-service (RaaS) model, has publicly claimed responsibility for a cyberattack targeting the Dutch arm of KPMG. The allegation surfaced on a dark web leak site typically used by ransomware groups to pressure victims into paying ransoms.
According to Nova’s post, the group claims it successfully breached KPMG Netherlands and gained access to internal data. As is common with modern ransomware operations, the claim suggests that sensitive information may have been stolen, with the threat of public disclosure used as leverage during extortion negotiations.
At this stage, however, the claim remains unverified and is based solely on the attackers’ own statements.
Details of the Ransomware Claim
Nova reportedly added KPMG Netherlands to its public list of alleged victims, alongside a countdown timer giving the firm approximately 10 days to respond to the group’s demands. This tactic is consistent with double-extortion ransomware campaigns, where attackers not only threaten to encrypt systems but also to leak stolen data if a ransom is not paid.
Such countdowns are designed to apply psychological and reputational pressure, particularly on large professional services firms that handle sensitive client information. Nova did not immediately publish sample data or technical proof to back up its claims, which is sometimes done by ransomware groups to demonstrate credibility.
The listing was detected and shared by ransomware monitoring and threat-intelligence platforms around January 23, 2026, drawing attention from cybersecurity researchers and industry observers.
KPMG’s Official Response
In response to the allegations, KPMG has publicly denied that any of its managed systems were compromised. The firm stated that it has found no evidence of a breach affecting its infrastructure and emphasized that its security teams continue to monitor the situation closely.
KPMG’s position is clear: based on internal investigations and available information, there is currently nothing to suggest that its systems or client data have been accessed by unauthorized parties.
Importantly, as of now, no independent verification has surfaced to contradict KPMG’s statement. The attackers have not released forensic indicators, leaked documents, or other technical artifacts that could substantiate their claims.
What Is Confirmed and What Remains Unclear
Confirmed Facts
- Nova has publicly posted a claim alleging a breach involving KPMG Netherlands.
- The claim includes a ransom countdown consistent with double-extortion tactics.
- KPMG has formally denied any compromise of its systems.
Still Unconfirmed
- Whether any data was actually exfiltrated from KPMG’s environment.
- Whether systems were encrypted, disrupted, or accessed in any meaningful way.
- How the alleged intrusion occurred, if it occurred at all.
- Whether the claim involves KPMG infrastructure or a third-party supplier or partner.
Without technical evidence, these questions remain unanswered.
Background on the Nova Ransomware Group
Nova, previously known as RALord, operates under a ransomware-as-a-service model, meaning the core group provides malware, infrastructure, and leak sites while affiliates carry out attacks. This structure makes attribution more complex and allows the operation to scale rapidly.
The group has been linked to multiple victim claims across different sectors and regions. Like many ransomware gangs, Nova’s claims have historically ranged from verified incidents to unproven or exaggerated allegations, making caution essential when evaluating new disclosures.
Key Takeaway
At present, the situation should be treated as an unverified ransomware claim rather than a confirmed breach. While Nova has publicly accused KPMG Netherlands of being compromised, the firm’s denial and the lack of released evidence mean there is no proof that an attack actually occurred.
Until independent verification, leaked data, or technical indicators emerge, cybersecurity experts are approaching the claim with skepticism. As with many ransomware incidents, clarity may only come if further evidence is published—or if the claim quietly disappears.
