Criminals with potential links to the notorious Clop ransomware mob are bombarding Oracle execs with extortion emails, claiming to have stolen sensitive data from Big Red’s E-Business Suite, according to researchers.
Google’s Threat Intelligence Group (GTIG) and Mandiant are tracking the “high-volume” activity, which began last month, and are investigating whether there is any truth to the attackers’ boasts.
In a statement to The Register, Genevieve Stark, head of cybercrime and information operations intelligence analysis at GTIG, said: “This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group.”
The campaign appears to be the work of cybercriminals with possible ties to the Clop ransomware crew, according to analysts at the Chocolate Factory. Clop has a long history of targeting enterprise software vendors and exploiting high-value platforms, most notably during the MOVEit file transfer attacks of 2023, which affected thousands of organizations worldwide.
However, unlike previous Clop-linked operations, the current activity is limited to email-based extortion attempts, without any public release of data to support the criminals’ assertions.
Mandiant CTO Charles Carmakal told The Register that two specific contact addresses used in the malicious emails are publicly listed on Clop’s dark web leak site. “This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation,” he added.
Google and Mandiant have not identified evidence of a vulnerability or breach in Oracle’s E-Business Suite, a widely used enterprise resource planning (ERP) platform that manages financials, human resources, and supply chain operations. The lack of proof has raised questions about whether the extortionists genuinely obtained customer data or if this is an opportunistic scam using Oracle’s name to scare execs into paying up.
Oracle has yet to grace El Reg with a response. The database behemoth has long been catnip for crooks thanks to its deep roots in corporate IT estates, and its E-Business Suite contains some of the most sensitive data handled by enterprises. If accurate, the attackers’ claims could imply access to payroll records, contracts, and financial data from some of the world’s largest companies.
For now, though, the allegations remain unverified, and Carmakal cautions that name-dropping high-profile vendors is a common tactic used in extortion. By claiming access to something as central as Oracle’s ERP, attackers increase the pressure on corporate boards and CISOs, regardless of whether they have the goods.
For Mandiant and GTIG, the job right now is to help organizations figure out if anyone is actually breached. In the meantime, the execs receiving these emails are left in a tricky spot: take the threats seriously enough to dig in, but without giving oxygen, or cash, to what could just be a cheap bluff.
Whether or not Clop – or a Clop impersonator – has really breached Oracle’s crown jewels, the gambit underlines how fear of exposure remains one of the most powerful weapons in the cybercriminal arsenal. ®