Kudankulam Nuclear Plant Files Leaked on Dark Web

Get the Geopolitics newsletter
Daily geopolitics — wars, elections, sanctions, the diplomatic moves that move markets. Free.
- World Leaks posted roughly 19,000 files (14.3 gigabytes) tagged "KKNP" on the dark web, dated from 2016 to mid-2025 and online since June 11, according to independent researcher Rakesh Krishnan who first flagged the leak to Reuters.
- Reliance Group confirmed a "partial breach" of its data on a third-party Yotta-hosted server and said the Indian government has been informed, though it did not disclose what was compromised; the conglomerate's subsidiary Reliance Infrastructure holds a 2018 contract to build infrastructure for Kudankulam Units 3 and 4, which are due online next year with a combined 2,000 MW capacity.
- The Nuclear Power Corporation of India stated publicly that the leaked data pertains only to common service facilities and does not involve any nuclear safety or security systems — a claim contradicted by Nickolas Roth of the Nuclear Threat Initiative, who told Reuters the breach poses a "serious" risk to the plant's safety.
- India's CERT-In is investigating the incident and the Nuclear Power Corporation is in communication with Reliance, a source familiar with the matter told Reuters; the source spoke anonymously citing the sensitivity of the issue.
- World Leaks previously targeted Nike and India's Tata Group, demanding $1.5 million in ransom for Tata files containing confidential component designs for Apple and Tesla before posting the data after Tata "ignored" the demand, per the group's statement to Reuters last month.
- The leak purportedly includes blueprints, supplier details, meeting and inspection records, equipment reviews, and insurance policies, making up the most sensitive slice of roughly 858,000 Reliance files on the World Leaks site; Reuters reviewed the documents but said it could not verify their authenticity.
Why it matters: Kudankulam is India's largest nuclear plant and central to Modi's atomic energy expansion, so a confirmed breach via a major contractor like Reliance — even one the government downplays — raises the bar on third-party cybersecurity across India's critical infrastructure. With Units 3 and 4 scheduled to come online by next year and the Nuclear Threat Initiative calling the exposure a "serious" safety risk, the incident puts pressure on Reliance's existing contracts and on CERT-In's enforcement of data-handling rules for nuclear suppliers.




