Threat Intelligence
Threat actor activity and indicators

US Indicts Russians for Running Bulletproof Hosting Services
The FBI has struck a major blow against cybercrime by indicting three Russian nationals and two companies for operating bulletproof hosting services that enabled devastating attacks on US critical infrastructure. This significant move disrupts the backbone of cybercriminal operations, dealing a crucial win for online safety.

AI Empowers Cyberattacks with Operational Efficiency
As AI continues to evolve, it's crucial to treat AI-driven threats as a top priority, using the technology to supercharge their attacks and compress timelines. AI is being used by attackers to automate routine work, streamline reconnaissance, and shorten development cycles, turning what once took days into operations that can be executed in just hours.

UK Prison Sentences Target Scattered Spider Cyber Duo
In a landmark case, two young cybercriminals, Owen Flowers and Thalha Jubair, have been sentenced to five years and six months in prison for their roles in a massive cybercrime operation that targeted Transport for London. The case marks the largest cybercrime prosecution ever brought before UK courts.

Telegram Disrupts Links Tied to Sanctioned VPN Service
Telegram swiftly disabled links connected to a sanctioned VPN service after the US Office of Foreign Assets Control took action, demonstrating its commitment to compliance with international regulations. The move came after Domain.Me, the operator of Telegram's t.me shortlinks, identified and suspended the linked domain for approximately a day.

US Charges Russian Nationals for Bulletproof Hosting Services
US authorities have charged three Russian nationals with operating illicit bulletproof hosting services that enabled cybercrime, affecting victims across 21 states, including banks, schools, hospitals, and media companies. The accused, Aleksandr Volosovik, Yulia Pankova, and Kirill Zatolokin, allegedly facilitated a range of malicious activities through their services.

OAuth Client ID Spoofing Enables Credential Validation in Microsoft Entra ID Attacks
Researchers have uncovered a sneaky way attackers exploit a blind spot in Microsoft Entra ID's cloud sign-in telemetry, using OAuth Client ID spoofing to validate stolen credentials without triggering a successful sign-in event. By submitting fake client IDs, hackers can cleverly probe accounts and verify login details.

UK, EU Attribute Poland Cyberattack to Russian Spies, Warn Infrastructure Operators
The UK and EU have called out Russia's Federal Security Service for a brazen cyberattack on Poland's power grid, saying it's just another example of their reckless attempts to wreak havoc across Europe. The attack, attributed to FSB's Centre 16, was foiled, but serves as a stark warning for infrastructure operators to stay vigilant.

Chinese and Indian Spies Target Pakistani Police Systems
Suspected Chinese and Indian spies launched a targeted attack on Pakistani police systems, specifically focusing on the Balochistan Police, between February 2024 and April 2026. The intrusion campaigns compromised sensitive data, including biometric records, criminal case files, and national identity information.

AI Agents Expose Identity Security Gap
The alarming truth is that security systems, designed with people in mind, are failing to protect against AI agents - and the consequences are stark. A single compromised machine identity can become a gateway to a vast array of sensitive information, as a recent breach involving an OAuth token and hundreds of organizations painfully illustrates.

GitHub Accounts Used to Map Corporate Orgs in Stealthy Campaigns
Cyber attackers are using sneaky tactics, leveraging old or compromised GitHub accounts, to secretly map out corporate organizations and steal sensitive data. They're exploiting loopholes with automated tools and stolen tokens to quietly gather intel from GitHub APIs.

Interpol Crackdown on Cybercrime Yields 5,800 Arrests Worldwide
In a major global sting operation, authorities in Eswatini seized 240 electronic devices, foreign currency, and a stunning replica of a Brazilian police station - complete with fake uniforms and equipment - as part of Interpol's Operation First Light 2026, which has led to 5,800 arrests worldwide. This massive crackdown on cybercrime was made possible through collaboration between 97 countries and territories, with support from Europol, Aseanapol, and GGCPol.

China-Linked APT Bolsters Proxy Network with Custom Malware Arsenal
Meet UAT-7810, a China-linked advanced persistent threat that's rapidly expanding its proxy network with custom malware, allowing other attackers to hide their tracks and route traffic through compromised devices. This sophisticated operation, known as LapDogs, has been providing infrastructure for malicious activities for years.

Spain Seizes Suspect Tied to Russian Hacktivist Group
In a major cybercrime crackdown, Spanish authorities have arrested a suspect linked to a notorious pro-Russian hacktivist group, following a nearly year-long investigation sparked by a tip from the FBI. This breakthrough is a testament to global law enforcement collaboration, with the FBI vowing to continue disrupting cybercriminals worldwide.

Spain foils pro-Russian hacktivist's escape plan
Spain's National Police have thwarted a daring escape plan by a suspected pro-Russian hacktivist, exposing his secret communications with terrorist groups and freezing his cryptocurrency assets. The suspect, allegedly part of the notorious CyberArmy of Russia Reborn and Z-Pentest groups, was caught after a months-long investigation sparked by a tip from the FBI.

Scattered Spider Morphs into Decentralized Cybercrime Network
Meet Scattered Spider, a notorious cybercrime collective that's evolved into a decentralized network of independent clusters, sharing tactics and tools to wreak havoc online. This fresh analysis by Group-IB shatters the traditional view of a single, unified gang, revealing a more complex and dynamic threat.

Spain Arrests Alleged Pro-Russia Hacktivist Tied to Cyber Attacks
Hacktivists aligned with Russia are wreaking havoc on UK organizations with denial-of-service attacks that may be simple, but have a significant impact by disrupting essential services. These attacks can overwhelm important websites and online systems, leaving people unable to access the services they rely on daily.

Iran-Linked Cavern Manticore Targets Israel with Modular Cyber Attacks
Meet Cavern Manticore, a highly skilled and disciplined cyber threat group with ties to Iran, targeting Israel's defense and government sectors with modular attacks. Their sophisticated tactics have allowed them to infiltrate organizations with alarming speed and precision.

Google Disrupts Massive NetNut Residential Proxy Network
Google's Threat Intelligence Group has made a significant dent in the massive NetNut residential proxy network, estimated to comprise at least 2 million home devices worldwide, by partnering with the FBI, Lumen, and other allies to reduce its pool of usable devices by millions. This disruption targeted a network used by both cybercriminal and espionage groups.

US Extradites Alleged Scattered Spider Member
In a major cybercrime crackdown, US authorities have extradited a 19-year-old suspect, Peter Stokes, for allegedly being part of the notorious Scattered Spider gang that has wreaked havoc on US companies, extorting employees and causing millions in losses. Stokes, a dual US-Estonian citizen, was arrested in Finland with incriminating evidence and is now in federal custody awaiting cybercrime charges.

US Extradites Alleged Scattered Spider Hacker
A 19-year-old hacker, Peter Stokes, has been extradited to the US from Finland, where he was arrested while trying to flee to Japan, and now faces charges for his alleged role in the notorious Scattered Spider hacking group. Stokes is accused of helping orchestrate over 100 network intrusions that netted more than $100 million in ransom payments.

ToddyCat APT Group Exploits Google API for Email Access
Meet ToddyCat, a sneaky APT group that's taken automation to the next level with its new tool, Umbrij - allowing it to secretly tap into corporate email and cloud resources by exploiting Google API. This stealthy move has helped ToddyCat remain undetected by monitoring systems, leaving organizations vulnerable to attack.

FIFA World Cup 2026 Exposes Vast Cyber Threat Landscape
The FIFA World Cup 2026 has a glaring cybersecurity vulnerability, with over a third of official partners lacking adequate protection against domain spoofing, leaving them open to email impersonation and cyber threats. This weakness in the tournament's vast supply chain, which includes airlines, hotels, and broadcast partners, has been exploited to build and deploy fraud infrastructure months before the kickoff.

US Offers Bounty for Hackers Targeting WhatsApp, Signal Users
The US government is cracking down on hackers targeting WhatsApp and Signal users, offering up to $10 million for information that helps track down those behind the attacks. The move aims to take down Russian-linked hacker groups that have been phishing US officials, military leaders, and allied personnel.

FBI Warns of Russian Intelligence Signal Phishing Attacks
Stay vigilant: Russian intelligence agents are masquerading as automated support accounts to trick victims into revealing sensitive Backup Recovery Keys through phishing messages. The FBI has warned that multiple clusters of Russian hackers, including FSB officers and military hackers, are actively targeting high-risk accounts.