A newly surfaced actor tracked under the name "unsafe" has claimed exactly two victims since its first appearance on June 28, 2026, both in Germany and both posted within the last week, one in financial services (Deutsche Bank) and one in business services (straightperformance.de). No MITRE ATT&CK techniques have been catalogued for this group yet, leaving its actual intrusion and encryption methods undocumented. Open-source characterization describes the group as one that recycles leaks originally claimed by other ransomware operations, a description that should be treated as unverified rather than established fact. With only two data points and under a week of activity, the sample is too thin to assess sector preference or targeting logic beyond the German focus observed so far. Further claims in the coming weeks will be needed to determine whether this is an independent operation or simply a relabeling of stolen or previously published data.