On July 15, 2026, a Reuters report carried by BusinessToday said a ransomware group calling itself World Leaks had uploaded roughly 858,000 files linked to Reliance Group to the dark web, in a breach tied to India's Kudankulam nuclear plant. More than 19,000 of those files were flagged as containing sensitive information. Kudankulam is not just any facility. NPCIL's own site page lists a planned build-out of six 1,000-megawatt reactors there, a combined 6,000 megawatts, the basis for calling it India's largest nuclear power plant. A dark-web dump of hundreds of thousands of files tied to a site like that reads, on first pass, like the worst version of a breach story: a strategic nuclear facility, its files exposed to whoever downloads them.
It is worth slowing down on where those files actually came from. Reliance Group told Reuters, in reporting carried by The Week on July 15, 2026, that a "partial breach" of its data had taken place from a server hosted by Yotta, a third-party Indian data centre provider, not from any system inside NPCIL's own plant network. The leaked files are linked to Reliance Group's data, hosted on a vendor's infrastructure. They are not reported to have come out of Kudankulam's control room. Reliance's presence in that data in the first place traces to a specific, named contract: Reliance Infrastructure won a 2018 EPC contract to design, engineer, supply, erect, test and commission shared systems, structures and civil works for Kudankulam Units 3 and 4, beating rivals including BHEL, L&T and Tata Projects for the work. That is what puts a Reliance-hosted file trove in the same sentence as a nuclear plant: a construction contractor's paperwork, not a plant operator's.
The vendor's server, not the plant's network
That distinction decides which kind of breach this is. A leak from a corporate vendor's data centre is a serious data-security failure, the kind that costs money, invites litigation and can expose real operational detail. A leak from inside a nuclear plant's own control systems is a different category of event, one with implications for physical safety. Reuters, via Insurance Journal, quoted Nickolas Roth, a senior director at the Nuclear Threat Initiative, saying the breach could pose a "serious" risk to the safety of the plant, in the same report that describes Kudankulam as the largest of India's seven nuclear plants and central to the government's plans to expand nuclear capacity. Roth's concern deserves to be taken at face value even though the confirmed facts so far describe a breach on Reliance Group's and Yotta's side of the fence, not NPCIL's.

Source: Reuters, via BusinessToday. Sensitive-file share is The Signal's calculation. Chart: The Signal.
Of the roughly 858,000 files in that dump, a little over 19,000, about 2 percent, were flagged as containing sensitive information. That is still a five-figure count of sensitive documents attached to a strategic site's name. It is also a small fraction of a very large haystack, and the two facts sit awkwardly next to each other: a genuinely large sensitive-file count, inside a dump big enough to make that count look almost incidental.
What that sensitive subset is reported to actually contain matters more than its size. Those files reportedly include engineering drawings for ventilation and cooling systems and floor plans for a common control room, mostly tied to Units 3 and 4. They do not appear to contain designs for the nuclear reactor core or other critical reactor technologies, which are supplied by Russia's state-owned Rosatom, not by Reliance. That is consistent with a contractor's paperwork trove, not a plant operator's engineering archive: significant supporting-infrastructure detail, but not the reactor's own design.
A pattern seven years old
This is not the first cyber incident to touch Kudankulam's name. In October 2019, NPCIL confirmed in a press statement, reported by The News Minute, that malware linked to a North Korean hacking group had been found on the plant's internet-connected administrative network, while stating that the critical control systems were untouched: "this is isolated from the critical internal network," the corporation said in October 2019. That confirmation is now a seven-year-old precedent, not live news, but its shape matches what has just been confirmed for 2026: a compromise on the administrative or vendor side of the operation, with the systems that actually run the reactors reported as separate both times.
Both confirmed incidents describe the same boundary holding.
| Year | What was confirmed | Where it was found | Confirmed by |
|---|---|---|---|
| 2019 | Malware linked to a North Korean hacking group | Kudankulam's internet-connected administrative network, described as isolated from the critical internal network | NPCIL press statement, via The News Minute |
| 2026 | About 858,000 files linked to Reliance Group, over 19,000 flagged sensitive | A server hosted by Yotta, a third-party data centre provider, not NPCIL's own plant network | Reliance Group statement to Reuters, via The Week |
Source: NPCIL, via The News Minute; Reliance Group statement to Reuters, via The Week.
Who is behind it, and who else they have hit
World Leaks, the group behind the Kudankulam-linked leak, is considered a rebrand of the Hunters International ransomware cartel, according to BleepingComputer. Its other recent target says more about how this group operates than the nuclear label does. In June 2026, the group hit Tata Electronics, demanding a $1.5 million ransom after leaking files that reportedly included Apple- and Tesla-linked documents. The common thread across both targets is not the industry. It is the vendor layer: a components maker serving Apple and Tesla in one case, a data-centre tenant whose files happen to reference Kudankulam in the other. Both confirmed breaches describe corporate or contractor infrastructure being hit, not the operational core of the name the attackers are trading on for headlines.
What is actually running at Kudankulam
Whatever the eventual detail on the entry point, Kudankulam's stakes are real enough that the Reliance-Yotta distinction is worth establishing rather than waving away as a technicality. Two of its planned six reactors, Units 1 and 2, were confirmed generating power through NPCIL's own operating data for April to June 2026, a combined operational 2,000 megawatts. The other four units, approved by the Government of India, would take the site to its full planned 6,000 megawatts if built out.

Source: NPCIL, operating performance data; NPCIL, Kudankulam site page. Chart: The Signal.
A breach that reached the operational technology behind even the 2,000 megawatts already running would be a different order of event from a breach of a vendor's file server. That gap is exactly why the confirmed location of this incident, on Reliance Group's and Yotta's side, matters more than the file count.
The honest objection
The strongest case against taking comfort in that distinction is that vendor and administrative networks are not a side issue in critical-infrastructure security. They are the usual way in. A ransomware crew that can pull 858,000 files tied to a nuclear site's vendor relationships has already mapped a path toward that site's perimeter, whatever it hits first. Nickolas Roth's "serious" risk assessment is not a claim that the network boundary will hold forever. It is a warning that the boundary is the only thing being tested here, and boundaries do not always hold.
That case is real. But the two confirmed incidents on record, seven years apart, both describe the same boundary holding: NPCIL's 2019 statement placed the malware on the administrative network, isolated from the critical internal network, and Reliance Group's 2026 statement places this leak's origin on a vendor's server, not NPCIL's own plant network. Two data points are not a guarantee. They are still the entire confirmed record, and both point the same way.
The Signal
The Kudankulam story is not "India's largest nuclear plant was hacked." It is a question of which layer got hit, and on the two occasions anyone has confirmed an answer, the answer has been the vendor and administrative layer, not the reactor. That distinction is worth stating plainly, because treating every breach near a nuclear site's name as a control-room emergency either desensitizes readers to the real thing when it happens or panics them over the wrong one. What would change this story is not a bigger file count. It is a confirmed breach that reaches past the administrative network, the boundary that has held twice so far, into the systems that actually run the reactors. Watch for whether NPCIL, not Reliance Group, is the one issuing the next statement: as of this reporting, NPCIL's chairman, CERT-In and the government's main press office had not responded to repeated requests for comment, leaving the plant operator's own account of the incident still unheard.
Reporting basis: the file counts and the Kudankulam link for the 2026 breach are per a Reuters report carried by BusinessToday. Reliance Group's confirmation of a partial breach from a Yotta-hosted server is per Reuters, as also reported by The Week. The 2019 malware confirmation and NPCIL's isolated-network statement are per NPCIL's own press statement, reported by The News Minute. World Leaks' identity as a Hunters International rebrand and its Tata Electronics attack are per BleepingComputer. Kudankulam's planned and operating capacity figures are from NPCIL's own site and operating-performance pages. Nickolas Roth's risk assessment and Kudankulam's standing among India's seven nuclear plants are per Reuters, as carried by Insurance Journal. Reliance Infrastructure's 2018 EPC contract for Kudankulam Units 3 and 4 is per NS Energy Business's contemporaneous report. The description of the sensitive files as ventilation/cooling and control-room drawings, not reactor-core designs and NPCIL's non-response to requests for comment are per Reuters, as carried by Gulf News and Free Malaysia Today respectively. The roughly 2 percent sensitive-file share is The Signal's calculation from the BusinessToday-reported figures.



