Exclusive: Aussie toy distributor listed by M3rx ransomware

The hackers also published a text file listing every document they claim to have exfiltrated. The data appears to be legitimate and up to date, comprising invoices, sales data, and other documents dated as recently as 2026.

M3rx did not share any details of its ransom demand, nor a deadline for the publication of the stolen data.

KB Toys did not respond to Cyber Daily’s request for comment.

Who is M3rx?

M3rx was first observed on 29 April 2026 and has been steadily adding victims to its leak site since then.

To date, the hackers have listed 15 victims, including KB Toys and Sydney-based building management firm Prime Properties.

VIEW ALL

While little else is known about the group at this time, researchers at IBM X-Force Exchange have gathered a small amount of intelligence on the group’s actual ransomware variant.

“The ransomware uses a PE32+ x64 Go sample, which includes an embedded config, writes a ransom note named RECOVERY_NOTES.TXT, renames encrypted files with a .8hmlsewu extension, and deletes itself through PowerShell after execution. M3rx employs X25519 key exchange, AES-CTR for file content, and AES-GCM to wrap each per-file AES key, with a fixed 0x400-byte footer,” IBM’s security people said.

“The encryptor’s file format is recognisable, and the public trail is still developing. The ransom note claims files were stolen and encrypted, demanding bitcoin after negotiation and threatening publication. The sample shows file-impact behaviours such as encryption, note dropping, Recycle Bin clearing, and self-delete behaviour. Detection artifacts include specific SHA256 and MD5 hashes, embedded config details, and unique strings.”

Who is KB Toys?

KB Toys is based in Sydney and provides a “wide selection of toys and giftware that would be suitable for birthdays, Christmas and celebrations of all sorts”.

The company also hosts tours of its Taren Point warehouse in Sydney, which is linked to the eBay store Nicole’s Toys and Gifts.