Skip to main content

Threat Intelligence

Threat actor activity and indicators

Government building with tall windows and daylight streaming in, abstract agents in background.

US Indicts Russians for Running Bulletproof Hosting Services

The FBI has struck a major blow against cybercrime by indicting three Russian nationals and two companies for operating bulletproof hosting services that enabled devastating attacks on US critical infrastructure. This significant move disrupts the backbone of cybercriminal operations, dealing a crucial win for online safety.

Analyst 207
Modern tech lab with people working, sleek workstation and laptop in foreground.

AI Empowers Cyberattacks with Operational Efficiency

As AI continues to evolve, it's crucial to treat AI-driven threats as a top priority, using the technology to supercharge their attacks and compress timelines. AI is being used by attackers to automate routine work, streamline reconnaissance, and shorten development cycles, turning what once took days into operations that can be executed in just hours.

Analyst 207
Formal facade of a British court building with a government emblem.

UK Prison Sentences Target Scattered Spider Cyber Duo

In a landmark case, two young cybercriminals, Owen Flowers and Thalha Jubair, have been sentenced to five years and six months in prison for their roles in a massive cybercrime operation that targeted Transport for London. The case marks the largest cybercrime prosecution ever brought before UK courts.

Analyst 207
Person in professional attire sits at desk in government agency setting with computer and phone in background.

Telegram Disrupts Links Tied to Sanctioned VPN Service

Telegram swiftly disabled links connected to a sanctioned VPN service after the US Office of Foreign Assets Control took action, demonstrating its commitment to compliance with international regulations. The move came after Domain.Me, the operator of Telegram's t.me shortlinks, identified and suspended the linked domain for approximately a day.

Analyst 207
Federal courthouse interior with subtle law enforcement presence.

US Charges Russian Nationals for Bulletproof Hosting Services

US authorities have charged three Russian nationals with operating illicit bulletproof hosting services that enabled cybercrime, affecting victims across 21 states, including banks, schools, hospitals, and media companies. The accused, Aleksandr Volosovik, Yulia Pankova, and Kirill Zatolokin, allegedly facilitated a range of malicious activities through their services.

Analyst 207
Large data center with rows of servers and racks, hinting at security vulnerability.

OAuth Client ID Spoofing Enables Credential Validation in Microsoft Entra ID Attacks

Researchers have uncovered a sneaky way attackers exploit a blind spot in Microsoft Entra ID's cloud sign-in telemetry, using OAuth Client ID spoofing to validate stolen credentials without triggering a successful sign-in event. By submitting fake client IDs, hackers can cleverly probe accounts and verify login details.

Analyst 207
Control room with industrial equipment and officials monitoring power distribution systems.

UK, EU Attribute Poland Cyberattack to Russian Spies, Warn Infrastructure Operators

The UK and EU have called out Russia's Federal Security Service for a brazen cyberattack on Poland's power grid, saying it's just another example of their reckless attempts to wreak havoc across Europe. The attack, attributed to FSB's Centre 16, was foiled, but serves as a stark warning for infrastructure operators to stay vigilant.

Analyst 207
Police officers work at desks in a brightly-lit station with a large map of Balochistan on the wall.

Chinese and Indian Spies Target Pakistani Police Systems

Suspected Chinese and Indian spies launched a targeted attack on Pakistani police systems, specifically focusing on the Balochistan Police, between February 2024 and April 2026. The intrusion campaigns compromised sensitive data, including biometric records, criminal case files, and national identity information.

Analyst 207
Blurred laptop on minimalist desk in neutral room conveys vulnerability.

AI Agents Expose Identity Security Gap

The alarming truth is that security systems, designed with people in mind, are failing to protect against AI agents - and the consequences are stark. A single compromised machine identity can become a gateway to a vast array of sensitive information, as a recent breach involving an OAuth token and hundreds of organizations painfully illustrates.

Analyst 207
Cluttered home office desk with a lit computer terminal.

GitHub Accounts Used to Map Corporate Orgs in Stealthy Campaigns

Cyber attackers are using sneaky tactics, leveraging old or compromised GitHub accounts, to secretly map out corporate organizations and steal sensitive data. They're exploiting loopholes with automated tools and stolen tokens to quietly gather intel from GitHub APIs.

Analyst 207
Law enforcement officer surrounded by seized electronic devices in a brightly-lit, formal setting.

Interpol Crackdown on Cybercrime Yields 5,800 Arrests Worldwide

In a major global sting operation, authorities in Eswatini seized 240 electronic devices, foreign currency, and a stunning replica of a Brazilian police station - complete with fake uniforms and equipment - as part of Interpol's Operation First Light 2026, which has led to 5,800 arrests worldwide. This massive crackdown on cybercrime was made possible through collaboration between 97 countries and territories, with support from Europol, Aseanapol, and GGCPol.

Analyst 207
Interconnected devices in a neutral setting, forming a network.

China-Linked APT Bolsters Proxy Network with Custom Malware Arsenal

Meet UAT-7810, a China-linked advanced persistent threat that's rapidly expanding its proxy network with custom malware, allowing other attackers to hide their tracks and route traffic through compromised devices. This sophisticated operation, known as LapDogs, has been providing infrastructure for malicious activities for years.

Analyst 207
Law enforcement officials coordinate in a formal office setting.

Spain Seizes Suspect Tied to Russian Hacktivist Group

In a major cybercrime crackdown, Spanish authorities have arrested a suspect linked to a notorious pro-Russian hacktivist group, following a nearly year-long investigation sparked by a tip from the FBI. This breakthrough is a testament to global law enforcement collaboration, with the FBI vowing to continue disrupting cybercriminals worldwide.

Analyst 207
Police officers stand near a computer in a softly lit home interior.

Spain foils pro-Russian hacktivist's escape plan

Spain's National Police have thwarted a daring escape plan by a suspected pro-Russian hacktivist, exposing his secret communications with terrorist groups and freezing his cryptocurrency assets. The suspect, allegedly part of the notorious CyberArmy of Russia Reborn and Z-Pentest groups, was caught after a months-long investigation sparked by a tip from the FBI.

Analyst 207
Dimly lit, cluttered hackerspace with multiple workstations, notes, and tech gadgets.

Scattered Spider Morphs into Decentralized Cybercrime Network

Meet Scattered Spider, a notorious cybercrime collective that's evolved into a decentralized network of independent clusters, sharing tactics and tools to wreak havoc online. This fresh analysis by Group-IB shatters the traditional view of a single, unified gang, revealing a more complex and dynamic threat.

Analyst 207
Police officer stands in doorway of a residential home in a quiet neighborhood.

Spain Arrests Alleged Pro-Russia Hacktivist Tied to Cyber Attacks

Hacktivists aligned with Russia are wreaking havoc on UK organizations with denial-of-service attacks that may be simple, but have a significant impact by disrupting essential services. These attacks can overwhelm important websites and online systems, leaving people unable to access the services they rely on daily.

Analyst 207
Government building in Tel Aviv with people walking nearby, hint of cyber threat in background.

Iran-Linked Cavern Manticore Targets Israel with Modular Cyber Attacks

Meet Cavern Manticore, a highly skilled and disciplined cyber threat group with ties to Iran, targeting Israel's defense and government sectors with modular attacks. Their sophisticated tactics have allowed them to infiltrate organizations with alarming speed and precision.

Analyst 207
Living room with smart TV and streaming box, cityscape visible through window.

Google Disrupts Massive NetNut Residential Proxy Network

Google's Threat Intelligence Group has made a significant dent in the massive NetNut residential proxy network, estimated to comprise at least 2 million home devices worldwide, by partnering with the FBI, Lumen, and other allies to reduce its pool of usable devices by millions. This disruption targeted a network used by both cybercriminal and espionage groups.

Analyst 207
Law enforcement activity outside a federal building, suggesting a cybercrime case.

US Extradites Alleged Scattered Spider Member

In a major cybercrime crackdown, US authorities have extradited a 19-year-old suspect, Peter Stokes, for allegedly being part of the notorious Scattered Spider gang that has wreaked havoc on US companies, extorting employees and causing millions in losses. Stokes, a dual US-Estonian citizen, was arrested in Finland with incriminating evidence and is now in federal custody awaiting cybercrime charges.

Analyst 207
Young man escorted by law enforcement officers in a federal courthouse setting.

US Extradites Alleged Scattered Spider Hacker

A 19-year-old hacker, Peter Stokes, has been extradited to the US from Finland, where he was arrested while trying to flee to Japan, and now faces charges for his alleged role in the notorious Scattered Spider hacking group. Stokes is accused of helping orchestrate over 100 network intrusions that netted more than $100 million in ransom payments.

Analyst 207
Blurred computer screen at a corporate office workstation in bright daylight.

ToddyCat APT Group Exploits Google API for Email Access

Meet ToddyCat, a sneaky APT group that's taken automation to the next level with its new tool, Umbrij - allowing it to secretly tap into corporate email and cloud resources by exploiting Google API. This stealthy move has helped ToddyCat remain undetected by monitoring systems, leaving organizations vulnerable to attack.

Analyst 207
Busy logistics hub with blurred company logos, showing mixed equipment and workers.

FIFA World Cup 2026 Exposes Vast Cyber Threat Landscape

The FIFA World Cup 2026 has a glaring cybersecurity vulnerability, with over a third of official partners lacking adequate protection against domain spoofing, leaving them open to email impersonation and cyber threats. This weakness in the tournament's vast supply chain, which includes airlines, hotels, and broadcast partners, has been exploited to build and deploy fraud infrastructure months before the kickoff.

Analyst 207
Government official's workspace with blurred smartphone screen on desk surrounded by papers.

US Offers Bounty for Hackers Targeting WhatsApp, Signal Users

The US government is cracking down on hackers targeting WhatsApp and Signal users, offering up to $10 million for information that helps track down those behind the attacks. The move aims to take down Russian-linked hacker groups that have been phishing US officials, military leaders, and allied personnel.

Analyst 207
Government agency setting with laptop on table, hinting at technology.

FBI Warns of Russian Intelligence Signal Phishing Attacks

Stay vigilant: Russian intelligence agents are masquerading as automated support accounts to trick victims into revealing sensitive Backup Recovery Keys through phishing messages. The FBI has warned that multiple clusters of Russian hackers, including FSB officers and military hackers, are actively targeting high-risk accounts.

Analyst 207