
FBI Warning: Hackers Are Physically Walking Into Law Firms and Stealing Data With USB Drives — 38 Firms Already Leaked

The FBI just issued a FLASH alert about something that sounds like it belongs in a spy thriller, not a cybersecurity bulletin: a Russia-linked extortion gang called the Silent Ransom Group is physically sending operatives into American law firms, posing as IT support staff, plugging USB drives into office computers, and walking out with terabytes of confidential client data. At least 38 law firms have already had their stolen data published on a public website, and researchers say the real attack count exceeds 100.

This is not a sophisticated zero-day exploit or an AI-powered cyberattack. It is someone in a polo shirt with a clipboard, pretending they are from tech support, plugging a device into a workstation, and leaving before anyone realizes what happened. And it is working devastatingly well against some of the most prestigious law firms in the United States.

The FBI FLASH Alert That Every Law Firm Should Read

On May 26, 2026, the FBI published a FLASH alert specifically warning about the Silent Ransom Group (SRG), also tracked under the names Luna Moth, Chatty Spider, and UNC3753. The alert describes a campaign that has been escalating sharply since early 2026, with law firms as the primary target.

What makes this alert unusual is the attack methodology. Most FBI cybersecurity warnings focus on remote threats — malware, phishing emails, zero-day exploits, or compromised credentials. This one describes a threat that walks through your front door. The FBI specifically highlights that SRG operatives are conducting in-person visits to law firm offices, impersonating IT support personnel after initial phone-based social engineering.

The physical component makes this attack vector hard to defend against with the usual security stack. Firewalls and email filtering are built for traffic that arrives over the network. Endpoint tools can block or log removable media, but only where that control has actually been configured; none of them stops a person who has been handed a workstation by a well-meaning receptionist or office manager.

How the Attack Works: Phone Calls, Fake IT Staff, and USB Drives

The Silent Ransom Group’s attack chain starts with a phone call. An operative calls the law firm’s front desk or directly contacts individual employees, claiming to be from the firm’s IT department or an external IT contractor. They reference specific details about the firm’s technology setup — information that can be gathered from job postings, LinkedIn profiles, and vendor relationships — to build credibility.

After establishing trust by phone, SRG sends a person to the office. This operative arrives dressed appropriately, acts professionally, and requests access to a workstation to “fix a reported issue” or “perform a routine update.” In many cases, law firm staff — especially at reception desks that regularly interact with various vendors — grant access without escalating to management.

Once at a workstation, the operative inserts a storage device and copies files. Law firms store enormous volumes of confidential data — client communications, litigation strategies, merger negotiations, financial documents, intellectual property, and privileged legal advice. A portable drive can hold terabytes, but the operative does not need the whole file share: the most sensitive matter folders are small enough that copying them takes minutes, not hours, and a few hundred privileged documents are enough to extort the firm.

No Malware, No Ransomware, No Encryption — Just Stolen Data

Here is what makes the Silent Ransom Group unusually dangerous: they deploy no malware. No ransomware. No encryption. No backdoors. The attacked systems continue to function normally. Antivirus software has nothing to detect. Unless removable-media auditing is enabled and someone is actually reviewing it, security monitoring sees nothing unusual.

The attack remains entirely invisible until a ransom email arrives threatening to publish the stolen data on SRG’s publicly accessible clearnet leak site. By then, the data is already gone, and the firm faces an impossible choice: pay an undisclosed ransom with no guarantee of data deletion, or watch their most confidential client information appear on the open internet.

This approach is a deliberate evolution beyond traditional ransomware. Encrypting systems triggers immediate incident response, business continuity plans, and often backup restoration. Data theft without disruption avoids all of these defensive responses. The firm does not know it has been breached until the extortion begins — days, weeks, or even months after the physical intrusion.

38 Law Firms Already Leaked on a Public Website

Data from more than 38 law firms has already been published on SRG’s leak site, which is accessible on the regular internet — not the dark web. This is a deliberate choice. By hosting their leak site on the clearnet rather than Tor, SRG ensures maximum visibility and pressure on victims. Anyone can visit the site and download stolen documents — opposing counsel, journalists, competitors, or anyone with a grudge.

Notable confirmed victims include Orrick, Herrington and Sutcliffe (breached January 2026), Jones Day, Wood Smith Henning and Berman (Q1 2026), and Ropers Majeski (May 2026). Researchers tracking SRG’s operations believe the total attack count exceeds 100, with many firms choosing to pay the ransom rather than risk exposure.

The leaked data includes attorney-client privileged communications, litigation strategies, confidential financial documents, and personal information of both attorneys and their clients. For law firms, this is not just a data breach — it is a potential violation of professional responsibility obligations and could trigger malpractice litigation from affected clients.

Who Is the Silent Ransom Group?

SRG is believed to be a Russia-linked cybercriminal operation that has been active since at least 2023. The group initially focused on callback phishing — sending emails that trick recipients into calling a phone number, where an operator then guides them through installing remote access software. The physical intrusion component is a newer evolution of their tactics.

The group’s pivot to law firms appears strategic. Legal sector targets offer higher-value data than most other industries, firms often have weaker physical security than their digital defenses suggest, and the attorney-client privilege creates unique pressure to prevent disclosure. A law firm that loses privileged client data faces regulatory sanctions, malpractice exposure, and devastating reputational damage.

Intelligence analysts note that SRG’s activity has surged sharply in early 2026, suggesting either an expansion of the group’s operations or increased confidence in their methodology after successful attacks went unpunished. The FBI’s decision to issue a FLASH alert indicates a level of concern that exceeds typical cybersecurity advisories.

Why Law Firms Are the Perfect Target

Law firms occupy a unique position in the cybersecurity landscape. They store extraordinarily sensitive information — often the most confidential data that their corporate clients possess — but frequently lack the security infrastructure and culture of the financial or technology sectors.

Physical security at most law firms is designed to manage client visits and vendor access, not to defend against sophisticated social engineering. Reception staff are trained to be welcoming and accommodating. Office layouts often place workstations in accessible areas. And the constant flow of external visitors — clients, witnesses, expert consultants, IT vendors, courier services — creates numerous opportunities for an operative to blend in.

The legal sector’s conservative approach to technology also plays a role. Many firms are slower to adopt security measures like USB port blocking, network access control, or behavioral analytics that might have detected or prevented physical intrusion attacks. The cultural resistance to security measures that create friction in daily operations — badge-in requirements, visitor escorts, workstation lockdowns — makes law firms softer targets than other high-value industries.

How Law Firms Can Protect Themselves

The FBI’s alert includes specific defensive recommendations. At the most basic level, firms should implement strict visitor verification protocols: no one should gain access to any workstation without identity verification and management approval, regardless of how convincingly they claim to be from IT.

Technical controls are equally important. USB storage on workstations should be disabled or restricted by policy, with exceptions granted per approved device rather than per user. Network access control should keep unauthorized laptops and other rogue devices off the firm's network, although it does nothing about a drive plugged into an already-trusted workstation, which is why the removable-media restriction matters most. Data loss prevention or removable-storage auditing should alert when large volumes of data are written to removable media. And all workstations should lock after a short period of inactivity and require authentication before use; an unattended, logged-in workstation is an open invitation.
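One way to turn the auditing recommendation into a concrete detection, added here as an illustration and not taken from the FBI alert or this article: Windows can audit both new device arrivals (Security event 6416, produced when the "Plug and Play Events" audit subcategory is enabled) and file operations on removable storage (event 4663, produced for removable volumes when the "Removable Storage" subcategory is enabled). The script below correlates the two: a device arrival on a host followed by a burst of writes to removable media within a short window raises an alert, while a paralegal copying a single filing receipt does not. The pipe-delimited export format, the host and user names, the file paths, and the window and threshold values are all constructed for the example; a real deployment would feed it from the Security log or a SIEM.

```python
"""Correlate Windows removable-media audit events into a bulk-copy alert.

Added example, not code from the FBI alert or this article. Assumes events
have been exported into a simple pipe-delimited form (constructed here):
    timestamp|event_id|host|user|detail
Event 6416 = new external device recognised; 4663 = object access, which
Windows raises for removable storage when that audit subcategory is on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # how long after a device arrives we keep watching
THRESHOLD = 20                  # writes to removable media inside WINDOW that trigger an alert


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    user: str
    detail: str


def parse_export(text: str) -> list[Event]:
    """Parse the constructed export format; lines starting with # are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, host, user, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), int(eid), host, user, detail))
    return sorted(events, key=lambda e: e.ts)


def detect_bulk_copy(events: list[Event], window=WINDOW, threshold=THRESHOLD) -> list[dict]:
    """Alert when a device arrival on a host is followed by at least `threshold`
    writes to removable media within `window`. Reads on their own are ignored."""
    arrivals = [e for e in events if e.event_id == 6416]
    writes = [e for e in events
              if e.event_id == 4663 and e.detail.startswith(("WriteData", "AddFile"))]
    alerts = []
    for arr in arrivals:
        burst = [w for w in writes
                 if w.host == arr.host and arr.ts <= w.ts <= arr.ts + window]
        if len(burst) >= threshold:
            alerts.append({
                "host": arr.host,
                "user": burst[0].user,
                "device": arr.detail,
                "writes": len(burst),
                "first_write": burst[0].ts,
                "last_write": burst[-1].ts,
            })
    return alerts


def _constructed_sample() -> str:
    """Constructed sample export: one suspicious burst and one benign single-file copy."""
    lines = ["# constructed sample data, not a real log"]
    # Suspicious: a device appears at the reception workstation and 45 files are written in three minutes.
    lines.append("2026-05-20T09:41:02|6416|WS-RECEPTION-02|FIRM\\jdoe|USB\\VID_0781&PID_5583 Mass Storage Device")
    start = datetime(2026, 5, 20, 9, 41, 30)
    for i in range(45):
        t = start + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()}|4663|WS-RECEPTION-02|FIRM\\jdoe|WriteData E:\\Matters\\matter_{i:03d}.pdf")
    # Benign: a paralegal copies one filing receipt to a thumb drive.
    lines.append("2026-05-20T11:02:10|6416|WS-PARALEGAL-07|FIRM\\asmith|USB\\VID_0951&PID_1666 Mass Storage Device")
    lines.append("2026-05-20T11:03:00|4663|WS-PARALEGAL-07|FIRM\\asmith|WriteData F:\\filing_receipt.pdf")
    return "\n".join(lines)


SAMPLE_EXPORT = _constructed_sample()

if __name__ == "__main__":
    for a in detect_bulk_copy(parse_export(SAMPLE_EXPORT)):
        print(f"ALERT {a['host']} {a['user']}: {a['writes']} writes to removable media "
              f"between {a['first_write']:%H:%M:%S} and {a['last_write']:%H:%M:%S} after {a['device']}")
```

Run against the constructed sample, only the reception workstation produces an alert. Two caveats a practitioner would want: the 4663 events only exist if "Removable Storage" auditing has been turned on (for example with auditpol) before the intrusion, and the threshold has to be tuned against the firm's own baseline, since a legitimate document production to a client-supplied drive looks identical to an exfiltration unless it is tied to an approved, allow-listed device.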

Firms should also implement callback verification for any IT-related requests. If someone claims to be from the IT department, employees should hang up and call the IT department directly using a known number — not a number provided by the caller. This simple step would defeat the initial social engineering phase that precedes physical intrusions.

The Bigger Trend: Social Engineering Is Beating Technology

The Silent Ransom Group’s success highlights an uncomfortable truth about modern cybersecurity: the most effective attacks often bypass technology entirely. While organizations invest millions in firewalls, endpoint detection, AI-powered security tools, and zero-trust architectures, a well-dressed person with a convincing cover story can walk past all of it.

The Verizon 2026 Data Breach Investigations Report noted that social engineering remains the most common initial access vector across all industries. And physical social engineering — the kind SRG specializes in — is the hardest to defend against because it exploits human trust and professional courtesy rather than technical vulnerabilities.

For law firms, the message from the FBI is clear: your most dangerous cybersecurity vulnerability might not be in your network — it might be at your front desk. And the person exploiting it might be standing in your office right now, asking to take a look at a computer that is working perfectly fine.
