NEW DELHI – Blueprint files, supplier documents, and equipment inspection records tied to India’s largest nuclear power complex are now accessible on the dark web, posted by a ransomware group with a track record of hitting major corporations and publishing stolen data when extortion demands go unmet.
The breach, first identified in June 2026 by cybersecurity researcher Rakesh Krishnan, involves data attributed to Reliance Group, a contractor at the Kudankulam Nuclear Power Plant in Tamil Nadu. The group World Leaks posted approximately 19,000 files totaling 14.3 gigabytes on its dark web portal, claiming the material was taken from Reliance Group’s data stored on third-party servers operated by Yotta Data Services.
Reliance Group confirmed what it called a “partial breach” limited to the Yotta-hosted server. The Nuclear Power Corporation of India Limited, which operates Kudankulam, issued a narrower statement: the breach “does not relate to any nuclear safety or nuclear security-related systems.” Neither the corporation nor India’s official regulators have confirmed which specific documents were compromised, nor whether the 19,000 files are authentic.
The documents reportedly span from 2016 to 2025 and include construction blueprints, supplier directories, meeting minutes, and equipment review records. A senior official at the Nuclear Threat Initiative, the Washington-based nonproliferation organization, told Al Jazeera the exposure posed a “serious” risk to plant safety, a characterization that cuts sharply against the official posture from NPCIL.
The critical distinction lies in how nuclear security is typically framed. Nuclear power corporations maintain hardened perimeters around their operational and control systems. Data that moves outward to contractors, and from contractors to third-party cloud and data center providers, carries no equivalent protections. The Yotta breach fits the pattern of a supply chain security failure: the plant’s official networks may have remained untouched while years of project documentation traveled across a more exposed chain and ended up on a criminal marketplace.

World Leaks is a financially motivated criminal group with an escalating record. Before Kudankulam, the group demanded $1.5 million from Tata Group before publishing Tata’s files when the company declined to pay. It has also targeted Nike. The group operates a dark web site requiring specialised browser access, and cybersecurity analysts describe its infrastructure as professionally maintained. Whether a ransom demand was made to Reliance Group or Yotta has not been publicly disclosed by either company.
India’s Computer Emergency Response Team, CERT-In, has opened an investigation. The agency has jurisdiction over cybersecurity incidents affecting critical infrastructure, but its public disclosure record on such cases is limited. The 2019 discovery of malware on Kudankulam’s administrative network follows a familiar pattern: Indian officials first denied the incident, then acknowledged it weeks later. The government’s instinct in nuclear-related security incidents has been to minimize public information, at least in the initial phase.
Kudankulam was built with Russian engineering and technology under a bilateral framework that has become one of the defining elements of the India-Russia strategic relationship. Units 1 and 2 are operational and supply power to India’s southern grid; Units 3 and 4 are under active construction, adding 2,000 megawatts of capacity to a complex that Prime Minister Narendra Modi has positioned as central to India’s long-term energy security ambitions. Russia’s state nuclear agency Rosatom is the principal engineering partner in a collaboration that, as the Eastern Herald reported, has been described by Moscow as a vital pillar of global stability.
That Russia built Kudankulam adds a layer to the incident that neither government has addressed publicly. The plant’s blueprints encode Rosatom’s reactor design standards, supplier specifications, and engineering tolerances developed under Russian oversight. Whether Moscow has been informed about the breach, or consulted on the scope of the exposed documentation, is not publicly known.
The 29 agreements Modi and Putin formalized during their December 2025 summit, spanning defence, energy, and strategic cooperation, included frameworks for expanding the nuclear partnership between the two countries. A breach that exposes a decade of Kudankulam documentation, if verified, touches that partnership at an engineering level that formal diplomatic agreements do not address.
The scope of what was actually taken remains the central unresolved question. Nineteen thousand files is a large archive, and the categories assigned to data by a ransomware group are not independent verification. Reuters, which reviewed reporting on the breach, stated it could not verify the authenticity of the documents posted by World Leaks. A criminal enterprise has every incentive to inflate the apparent sensitivity of stolen material; it also has access to genuine documents obtained from compromised servers, and there is no public basis for dismissing the files as fabricated.
India’s nuclear regulators and the broader government establishment have historically treated transparency about facility security as a risk in itself. That posture has served domestic purposes. It does not translate well to an era in which ransomware groups can post plant blueprints to the open internet and wait months before any official response takes shape.
CERT-In’s investigation is the formal mechanism for what comes next. What it produces, and what the government chooses to disclose from it, will be a test of whether India’s nuclear governance can respond to a threat environment that no longer waits for official channels, according to Al Jazeera’s reporting on the breach.

