Japanese game and anime publisher reportedly pays $3 million ransom to Russia-linked hackers


A major Japanese media company known for producing manga, anime and video games appears to have paid nearly $3 million to Russia-linked hackers following a data breach earlier this year.

The news agency Kyodo News cited two pieces of evidence that the company, Kadokawa, potentially made an extortion payment to BlackSuit, the ransomware group that claimed the attack:

Emails sent from BlackSuit to multiple executives at the company, saying it had received the ransom in cryptocurrency. The news agency received them from an anonymous source at Kadokawa.

An investigation by security firm Unknown Technologies, commissioned by Kyodo News, that uncovered online records of a $2.98 million cryptocurrency transaction made in June, the same month the attack allegedly occurred.

Kadokawa previously confirmed that some of its data — including contracts, internal company documents, and personal information on all employees — was leaked in the ransomware attack. BlackSuit is said to have accessed 1.5 TB of the company’s data.

BlackSuit is a rebrand of the Royal ransomware group, whose operators are believed to originate from the now-defunct Conti cybercrime gang.

According to the investigation, the hackers targeted Kadokawa servers located in a data center. As a result of the attack, the subsidiary Niconico — a major video-posting site in Japan — temporarily shut down its live-streaming platform and user channels.

In September, Kadokawa announced it was still investigating the cyberattack after reports emerged that BlackSuit had leaked a new batch of the company’s data on the dark web. 

Kyodo News claimed to have obtained emails confirming negotiations between the hackers and one of the chief operating officers of Dwango, a Kadokawa subsidiary that operates Niconico.

According to the emails, the hackers initially demanded $8.25 million in ransom. However, the company stated it couldn’t pay more than $3 million due to “strict compliance measures.” The hackers reportedly responded that they would delete the stolen data only if they received the agreed ransom within 48 hours.

It is not clear how the negotiation ended, as the hackers released some of the stolen information despite allegedly receiving the ransom.

“Negotiations should not be made so casually, as many hackers do not keep their promises,” a researcher at Unknown Technologies told local media.

Kadokawa has not responded to any of Recorded Future News’ requests for comment regarding the attack or the alleged ransom payment.

In a statement issued in November, Kadokawa announced that it expects to record an extraordinary loss of 2.3 billion yen ($15 million) in the fiscal year ending March 2025 due to the impact of a cyberattack.

The news of the alleged payment comes as another Japanese tech giant, Sony, announced it is considering acquiring Kadokawa.

Local media reported that the majority of Kadokawa’s staff views the potential acquisition as a positive change, expressing dissatisfaction with the current administration. Employees criticized the company for failing to hold a press conference after the cyberattack, which exposed their personal information.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
