Play ransomware posted six victims to its dark web leak site on May 25, 2026, led by US consumer brand MyPillow alongside a telecommunications provider, a Canadian agricultural firm, and a Netherlands logistics company — a sector-spanning batch that reflects the group’s pattern of simultaneous multi-geography targeting under a ransomware-as-a-service model.
Play’s Six-Victim Batch Spans Consumer Goods to Telecommunications
The six victims disclosed on May 25 span four countries and six distinct sectors: consumer goods (MyPillow, USA), business services (GW Mechanical, USA), agriculture (NL Fisher, Canada), hospitality (Round Hill Country Club, USA), telecommunications (Legend Networking & Telecom, USA), and transportation and logistics (De Waard Transport, Netherlands).
Play, also known as Playcrypt, has operated since mid-2022 and regularly posts multi-victim batches to its leak site. The group uses a double-extortion model that combines file encryption with data theft, and has targeted organizations across North America, Europe, and the Asia-Pacific. Its RaaS structure means the May 25 batch likely reflects attacks conducted by multiple independent affiliates whose payment deadlines expired around the same date.
MyPillow’s 616-User Exposure and the Consumer Data Profile at Stake
MyPillow, the US direct-to-consumer bedding company founded by Mike Lindell, is the highest-profile name in the batch. Play’s disclosure reportedly identifies 616 compromised users in connection with the listing — a figure that likely represents a subset of the total affected records rather than the full exfiltrated dataset. As a direct-to-consumer e-commerce operation, MyPillow maintains customer payment records, home address data, purchase histories, and potentially loyalty account credentials for a large US consumer base.
The reputational exposure for a consumer brand differs from a B2B victim: customer-facing companies face direct harm to individual consumers whose payment and identity data may be published on the leak site if the ransom deadline passes.
Legend Networking & Telecom: Subscriber Records and Infrastructure at Risk
Legend Networking & Telecom, a US telecommunications provider, represents one of the more sensitive targets in the batch. Telecommunications companies hold call detail records, subscriber identity data, network routing configurations, and potentially law enforcement intercept infrastructure. A ransomware-driven breach of telecom operator data creates secondary risk that extends beyond the company’s own internal files — subscriber data for the individuals and businesses that rely on the network may also be exposed.
Play’s willingness to list a telecom provider alongside a consumer bedding brand and a country club illustrates the group’s sector-agnostic targeting model, where no industry category is treated as off-limits.
Play’s 33-Day Average Delay and the April Compromise Window
Play’s average delay between the initial compromise of a victim organization and the public leak site disclosure is approximately 33 days. Applied to the May 25 batch, this timeline places the likely attack window in April 2026 — meaning the organizations listed on May 25 were probably compromised weeks before the disclosure appeared.
This delay pattern reflects Play’s double-extortion model: victims are given time to pay before data is published, and the leak site listing marks the expiration of that window, not the date of the original attack. Organizations that discover Play ransomware activity should investigate whether exfiltration preceded the encryption event, as the group combines both tactics.
NL Fisher, De Waard Transport, and Play’s Agricultural and Logistics Targeting
NL Fisher, a Canadian agricultural company, and De Waard Transport, a Netherlands-based logistics firm, extend Play’s geographic reach into the Canadian agricultural sector and the European supply chain. Agricultural operations face compounded pressure from ransomware during peak production and shipping cycles: disruption at critical seasonal moments increases the leverage ransomware operators hold over victims who cannot afford prolonged downtime.
De Waard Transport’s inclusion in a batch dominated by US and Canadian victims is consistent with Play’s established European targeting. The RaaS model allows affiliates in different geographies to operate independently, with victims from European and North American operators appearing together in the same public disclosure batch when payment deadlines coincide.
