Cybercrook claims to be selling infrastructure info about three major US utilities
A cybercrook claims to have breached Pickett and Associates, a Florida-based engineering firm whose clients include major US utilities, and is selling what they claim to be about 139 GB of engineering data about Tampa Electric Company, Duke Energy Florida, and American Electric Power. The price is 6.5 bitcoin, which amounts to about $585,000.
Based in Tampa, Florida, Pickett USA provides transmission and distribution design, project management, surveying, aerial mapping, and LiDAR (Light Detection and Ranging) services to utilities and mining operations across the US and Caribbean.
When contacted by The Register, a Pickett USA spokesperson said the company has no comment on the alleged breach.
In screenshots shared on social media and posted on Daily Dark Web, the criminal claims to have stolen 892 files belonging to the engineering firm, which they describe on the for-sale post as "real, operational engineering data from active projects of major utilities and is suitable for infrastructure analysis and risk assessment."
The crim says the haul spans more than 800 classified raw LiDAR point cloud files in .las format ranging from 100 MB to 2 GB each; full coverage of transmission line corridors and substations, which includes layers for bare earth, vegetation, conductors, and structures; high-resolution orthophotos in .ecw format; MicroStation design files and PTC settings; large vegetation feature files in .xyz format; and other files from active projects.
According to the crook – and, as we have repeatedly warned: criminals aren't the most trustworthy lot, so take this for what it is – the stolen files belong to some very large American utilities. Tampa Electric Company serves about 860,000 customers, including 90,000 businesses, across West Central Florida, while Duke Energy Florida has about 2 million residential and business customers across the state, and American Electric Power serves nearly 5.6 million customers across 11 states. The crook has offered four sample files to interested buyers as proof.
A Duke Energy spokesperson told The Register that it is investigating the criminal's claims.
"With threats evolving every day, Duke Energy's highly skilled cyber security team works diligently to protect our businesses, systems and information technology assets and responds quickly if a cyber incident occurs," the spokesperson said in an email sent to The Register. "We are taking the necessary actions to investigate this claim."
The other two companies did not respond to our request for comment.
This same criminal is also selling what they claim to be an internal database belonging to Germany's Enerparc AG and containing details about solar projects in Spain's Mallorca and Alicante regions.
These recent alleged breaches come as miscreants increasingly target critical sectors, and (if true) are especially concerning as they put transmission lines, energy stations, and ongoing projects at risk.
Last month, Amazon's Chief Information Security Officer blamed Russia's Main Intelligence Directorate (GRU) for a years-long campaign targeting Western countries' energy sectors and other critical infrastructure providers, and US government agencies and international partners warned operational technology (OT) owners and operators to secure their critical networks against attacks by pro-Russian hackers.
In late 2023, China's Volt Typhoon famously targeted power utilities in an effort to prepare Beijing for destructive cyberattacks against those targets.
It's not just government-backed attackers breaking into these critical facilities. Ransomware gangs and other financially motivated criminals have also shown an interest in critical infrastructure targets, as energy and water providers are more likely to pay extortion demands to keep the lights and heat on for customers and keep water flowing out of their faucets.
According to the FBI's most recent Internet Crime Complaint Center (IC3) annual report, ransomware posed the biggest threat to critical infrastructure organizations in 2024 with the number of complaints to the IC3 increasing nine percent compared to the year prior. In fact, America's critical infrastructure operators reported almost 4,900 cybersecurity threats in 2024 with ransomware (1,403 complaints) topping the list. ®
Editor's note: This story was amended post-publication with comment from Duke Energy.