Morpheus Ransomware Steals 680 GB from HDFC AMC; Bombay HC Issues Temporary Injunction

On 16 May 2026, HDFC Asset Management Company's IT administrator noticed anomalies in the company's digital infrastructure. By the end of that day, the company had received an extortion email from a group calling itself "Morpheus," claiming to have exfiltrated more than 680 GB of sensitive investor data and threatening to publish it unless contacted within three days.

What Was Allegedly Stolen

Morpheus claims — and these remain unverified by any independent forensic party at the time of writing — to have taken names, residential addresses, identity documents, Permanent Account Number (PAN) card details, private bank account numbers, mobile numbers, email addresses, and individual investment records belonging to millions of Indian mutual fund investors. HDFC AMC manages assets for a substantial retail investor base across India, making the alleged dataset particularly sensitive: PAN details and bank account numbers together are sufficient to attempt identity fraud or account takeover.

The company says several critical systems were disrupted, including its VPN, SFTP servers, and antivirus management infrastructure. The breach vector has not been publicly confirmed.

Regulatory Disclosures

HDFC AMC filed exchange disclosures with the National Stock Exchange and the Bombay Stock Exchange on 18 May 2026, confirming a cybersecurity incident two days earlier. The company also formally notified the Securities and Exchange Board of India (SEBI) of the incident. HDFC AMC's shares fell roughly 3 per cent on 18 May — reaching a day low of Rs 2,602.20 on the NSE — as investors weighed the disclosure. The company said it activated cyber incident response protocols, isolated affected servers, and engaged external forensic experts. Management characterised the incident as unlikely to disrupt day-to-day business operations.

The Bombay High Court's Response

HDFC AMC filed an urgent plea for legal protection, and on 29 May 2026, Justice Shreeram Shirsat of the Bombay High Court's vacation bench granted a temporary injunction — directed against the unidentified operators of Morpheus (a form of order sometimes characterised legally as a "John Doe" order, though the court itself used the term "temporary injunction") — restraining the group and any associated parties from distributing, disclosing, or trading the stolen data. The court warned of "dreadful consequences" and "irreparable and irreversible damage" should the records of millions of investors be leaked.

The court went further than a simple restraining order. Justice Shirsat directed the Department of Telecommunications (DoT) and the Ministry of Electronics and Information Technology (MeitY) to remove, delete, block, and disable any digital accounts or platforms associated with the stolen data. This is an uncommon step — deploying ministerial-level executive machinery as a co-enforcement mechanism for a civil injunction against anonymous cyber actors.

Why This Type of Order Matters

An injunction against unidentified defendants — sometimes called a John Doe order — allows Indian courts to grant relief without naming specific parties. The technique has precedent in intellectual property cases — primarily to block piracy websites — but its application to ransomware extortion targeting a regulated financial institution is a more recent development. An earlier precedent involved HDFC Life Insurance in a separate matter, also before the Bombay High Court.

The practical difficulty is enforcement. Morpheus is an anonymous group operating outside Indian jurisdiction. A court order binding unknown persons cannot compel them to delete stolen data or cease operations. What the injunction does achieve is: it creates a legal basis for ISPs and internet intermediaries in India to act on blocking requests without waiting for fresh legislation, and it places clear liability on any domestic entity that knowingly assists in publishing or trading the stolen records.

What Comes Next

The matter returns to the Bombay High Court on 16 June 2026. The court is expected to assess what steps DoT and MeitY have taken and whether further interim relief is warranted. HDFC AMC's forensic investigation is ongoing; the company has not publicly confirmed the full scope or verified Morpheus's specific claims about the data exfiltrated.

For India's broader financial services sector, the case is a signal: regulators and courts are moving toward coordinated judicial-executive responses to ransomware, even where the attackers remain unidentified and unreachable. Firms managing large retail investor databases — mutual funds, brokers, depositories — should treat this as a prompt to review their on-premises infrastructure exposure and incident response plans.

This report covers a claimed breach and ongoing legal proceedings. The exfiltration claim originates with the threat actor; independent verification of the specific data taken is not yet available. This article is factual reporting; it does not reproduce or guide exploitation techniques.