Normal view

Received — 8 June 2026 Threat Intelligence Blog | Flashpoint

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

Blogs

Blog

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

SHARE THIS:

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • “Underground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • “Programming, Development”: Includes posts and articles about programming languages and administration.
  • “Library”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • “Business Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • “Lounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • “Trading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • “People’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • “Ours”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • “Private: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking underground—with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerce—shutting down all buying, selling, and auctions entirely—-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminished—it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.

Request a demo today.

The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.

Received — 20 May 2026 Threat Intelligence Blog | Flashpoint

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

Blogs

Blog

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

A monthly analysis of how artificial intelligence is used in illicit communities, based on Flashpoint proprietary intelligence and direct visibility into real threat actor environments.

SHARE THIS:

A finance employee joins a video call with their CFO and several colleagues. The request is routine. The faces match. The voices sound authentic. Minutes later, $25 million is transferred—only to be discovered later that every participant on the call, except one, was AI-generated.

Techniques behind incidents like this—synthetic video, voice cloning, scripted interactions—are now being discussed openly in the same environments where threat actors exchange tools and methods. In April 2026 alone, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity.

This volume reflects a larger shift: artificial intelligence is now deeply embedded across cybercrime ecosystems, influencing fraud, impersonation, social engineering, and access operations at scale. It shows up in how content is generated, how identities are replicated, and how workflows are executed and refined over time.

That’s why we created the monthly AI Threat Report to examine how threat actors are using artificial intelligence in real-world illicit environments. Drawing on Flashpoint proprietary intelligence and direct visibility into primary source communities across forums, marketplaces, and chat services, the report analyzes the tactics, tools, and operational patterns shaping malicious AI use. Analysis of April’s activity shows a focus on prompt-sharing, jailbreak methods, and alternative models that support fewer safeguards or moderation controls.

AI Activity Volume and What It Represents

In April 2026, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity across forums, marketplaces, and chat services.

Mentions of AI in conjunction with illicit advertisements and discussions in April 2026. (Source: Flashpoint)

The underlying activity was concentrated around a familiar set of use cases and workflows:

  • identity verification bypass
  • fraud enablement and scripting
  • impersonation through synthetic media
  • prompt-sharing and jailbreak workflows

However, the emphasis within those discussions shifted in several places in April.

  • Posts tied to custom malicious LLM development appeared less frequently than discussions centered on usability: how to bypass safeguards, generate more reliable outputs, or move activity onto platforms perceived as less restrictive. 
  • References to alternative models and prompt collections appeared more often throughout the month, alongside requests for jailbreak methods and phishing-oriented outputs.

This activity points to a more mature stage of adoption. The focus is less on building entirely new tooling and more on improving reliability, portability, and ease of use within workflows that already exist.

That pattern shows up repeatedly across monitored sources. Users exchange prompts, repost working methods, and refine outputs through direct feedback. In many cases, the same underlying techniques continue circulating with only minor changes between platforms or communities.Looking across April activity helps identify which methods continue to generate demand, where threat actors are adapting around platform restrictions, and which workflows remain active across multiple environments.

Where AI Activity Is Concentrated

AI-related activity in April remained concentrated on a small number of platforms, though the distribution shifted noticeably compared to March.

Telegram accounted for the majority of observed activity, with 1,395,075 posts tied to AI services and discussions. Reddit, GitHub Gist, Pastebin, Discord, and smaller forums accounted for significantly lower volumes.

Posts selling AI services (in red) and posts seeking to purchase AI services (in blue) on Telegram in April 2026. (Source: Flashpoint)

The lower Telegram volume does not indicate reduced interest in AI-enabled activity. The platform continues to function as a primary distribution layer for prompts, jailbreak methods, fraud tooling, and service advertisements.

Across April, the same prompts, offers, and workflows appeared repeatedly across channels, often reposted with only minor adjustments. Sellers updated listings based on user feedback, while buyers requested revisions tied to specific outputs or platforms.

Other platforms served more targeted roles:

  • GitHub Gist and paste sites hosted scripts or supporting material
  • forums supported reputation building and longer technical discussions
  • Discord communities centered around specific models, prompt collections, or jailbreak workflows

The activity remains connected across environments. Methods introduced in one community frequently reappear elsewhere, particularly when they produce reliable outputs or help users work around moderation controls.Tracking how these discussions move between sources helps identify which workflows continue to gain traction and which techniques are becoming more broadly operationalized.

AI-Enabled Fraud and Identity Verification Bypass

Across April, Flashpoint analysts observed 63,763 posts advertising or discussing KYC bypass methods using artificial intelligence, including deepfake-enabled verification workflows.

The methods were active across Telegram channels dedicated to identity verification bypass services.

Posts continued to advertise:

  • synthetic video generation designed to mimic live verification behavior
  • voice cloning and scripted interaction prompts
  • bundled “KYC bypass kits” tailored to onboarding and verification workflows

Some offerings included guidance on how to adapt responses for specific platforms or verification requirements. Others promoted combinations of synthetic video, matching fake documentation, and AI-generated scripts designed to support impersonation attempts from start to finish.

The broader workflow remains consistent. AI supports how identities are replicated, how verification checks are navigated, and how fraud operations are scaled across different services.

This activity connects directly to the wider access ecosystem already observed across illicit communities. Stolen credentials, session tokens, phishing infrastructure, and AI-enabled impersonation methods increasingly operate alongside one another within the same workflows.

Across April, posts tied to these methods continued to show active refinement through user feedback, reposting, and platform-specific variations.

For security teams, this activity remains relevant at the control layer. Verification systems, onboarding workflows, and account recovery processes continue to be tested in the same environments where these methods are exchanged and improved.

Malicious LLM Usage and Prompt-Based Workflows

Across April, discussions tied to malicious or unrestricted LLM usage focused heavily on jailbreak methods, prompt-sharing workflows, and access to alternative models perceived as less restricted than mainstream platforms.

The top observed malicious LLMs mentioned within Flashpoint Collections in April 2026. (Source: Flashpoint)

Flashpoint analysts observed a significant increase in discussions related to VeniceAI, driven in part by newly created Reddit and Discord communities dedicated to the platform. The increase highlights continued interest in models that users believe operate with fewer safeguards or moderation controls than services like ChatGPT or Gemini.

The activity centers on usability and output reliability.

Posts reference:

  • jailbreak prompts designed to bypass safeguards
  • phishing and fraud-oriented prompt collections
  • step-by-step instructions for generating specific outputs
  • requests for prompts tailored to impersonation or social engineering workflows

Many of these prompts are shared in collections that include updates, revisions, or support channels. Users exchange feedback when prompts stop working, outputs degrade, or platforms introduce new restrictions. Updated versions frequently follow within short timeframes.

This type of activity reinforces how prompt engineering has developed into its own service layer across illicit communities. The focus is not limited to the underlying model itself, but to the ability to generate repeatable outputs that can be applied directly within fraud, phishing, or impersonation workflows.

Across April, the same prompt structures and jailbreak methods appeared repeatedly across multiple sources, often with only small adjustments tied to platform or target.

The emphasis remains on accessibility, portability, and ease of use rather than custom model development.

Operational Patterns and What Holds Across Sources

Across April, the same behaviors continued to appear across different environments with only minor variation.

Prompt libraries, jailbreak methods, phishing workflows, and identity verification bypass techniques circulated across Telegram channels, forums, Discord communities, and paste sites. The wording changed slightly between platforms, though the underlying structure and outputs remained consistent.

This reuse is visible in how content moves between sources. A jailbreak prompt shared in one channel appears elsewhere with revised wording or additional instructions. A phishing workflow posted to a forum is copied into a paste site and redistributed through Telegram. Users request modifications, test outputs, and repost updated versions when restrictions change or methods stop working.

That cycle appeared repeatedly throughout April.

The activity also showed strong feedback loops tied to usability. Discussions focused heavily on which prompts generated reliable outputs, which models produced fewer restrictions, and which workflows required the least adjustment before use.

Across monitored sources, the same operational priorities appeared consistently:

  • reliability of outputs
  • ease of reuse
  • ability to bypass safeguards
  • compatibility with existing fraud and impersonation workflows

Looking across April activity reinforces how AI-enabled methods continue to mature through repetition, iteration, and distribution across connected communities.

What Security Teams Should Take Away

The activity tracked in this report shows how artificial intelligence is being used in environments where techniques are developed, tested, and shared before they surface elsewhere.

Across these communities, methods tied to fraud, impersonation, and access are reused, adjusted, and circulated in forms that others can apply directly. That process does not require significant change to move from discussion into use.

For security teams, the priority is maintaining visibility into how these methods are evolving and where they are being applied. That visibility supports earlier detection, more focused response, and a clearer understanding of which techniques are actively in circulation.

Monitoring these sources provides that context. It connects observed activity to the methods behind it and helps teams track how those methods develop over time.

If you want to see how this activity maps to your environment, request a demo.

Request a demo today.

The post AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities appeared first on Flashpoint.

Received — 23 April 2026 Threat Intelligence Blog | Flashpoint

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

Blogs

Blog

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

In this post, we examine how phishing-as-a-service (PhaaS) has evolved into a structured cybercrime ecosystem, how threat actors collaborate across infrastructure, delivery, and monetization layers, and why this model continues to drive large-scale financial fraud targeting global organizations.

SHARE THIS:
Default Author Image
April 10, 2026

Phishing is no longer a standalone tactic. It has matured into a service-based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash-out.

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

This shift has significantly lowered the barrier to entry for cybercriminals while increasing the scale, efficiency, and success rate of phishing campaigns.

From Phishing Kits to a Service-Based Fraud Economy

PhaaS emerged from early phishing kits into a full cybercrime-as-a-service model built on commercialization, modular tooling, and operational scalability.

Early phishing activity relied on standalone kits — basic login pages and scripts that allowed attackers to collect credentials. Over time, operators began centralizing these capabilities into subscription-based platforms offering hosting, domain management, campaign tooling, and ongoing support.

Modern PhaaS platforms now operate similarly to legitimate SaaS providers:

  • Subscription-based pricing models
  • Prebuilt templates for major brands and services
  • Integrated delivery mechanisms (email, SMS, QR phishing)
  • Real-time dashboards for campaign tracking and credential harvesting

This model has made sophisticated phishing accessible to low-skill actors. Kits can cost as little as US$10, while full platforms enable large-scale campaigns for relatively modest monthly fees.

MFA Bypass and AI Are Reshaping Phishing Capabilities

As organizations adopted multifactor authentication (MFA), PhaaS operators adapted.

Modern platforms increasingly rely on adversary-in-the-middle (AiTM) techniques, using reverse proxy infrastructure to intercept login sessions in real time. This allows attackers to capture not only credentials, but also MFA tokens and session cookies, effectively bypassing traditional authentication controls.

At the same time, AI is accelerating the scale and effectiveness of phishing campaigns.

Threat actors are using AI to:

  • Generate convincing, localized phishing lures
  • Clone brand interfaces with high fidelity
  • Optimize campaigns through automated testing and iteration

This combination of MFA bypass and AI-driven automation has transformed phishing from a volume-based tactic into a precision-driven access vector.

The PhaaS Pipeline: How the Ecosystem Operates

What distinguishes modern phishing operations is not just tooling, but coordination.

A typical PhaaS campaign follows a structured lifecycle:

This pipeline is supported by a network of specialized providers, each responsible for a different stage of the attack lifecycle.

Infrastructure, Delivery, and Exfiltration Are Increasingly Specialized

Flashpoint analysis highlights how different actors focus on distinct parts of the ecosystem.

Infrastructure and Kit Development

Phishing kit developers provide increasingly sophisticated tooling, including:

  • Reverse proxy (AiTM) capabilities for MFA bypass
  • Anti-bot protections to evade researchers
  • “Live panels” enabling real-time interaction with victims

Platforms such as GhostFrame, Rapid Pages, and MUH Pro Admin illustrate how these tools are being productized and distributed at scale.

SMS Delivery and Spoofing

Smishing has become a critical delivery vector.

Threat actors operate dedicated SMS gateway services capable of sending large volumes of messages via APIs or bulk uploads. Others actively seek advanced spoofing capabilities to bypass authentication controls such as SPF, DKIM, and DMARC, enabling phishing messages to appear legitimate at the protocol level.

Credential Exfiltration and Telegram Integration

Credential collection is increasingly automated and centralized.

Many campaigns exfiltrate stolen credentials directly to Telegram bots or channels, enabling real-time access to victim data. This infrastructure also allows for rapid scaling and coordination across actors participating in the same campaign or ecosystem.

From Credential Theft to Financial Monetization

The ultimate goal of PhaaS operations is monetization.

Stolen credentials are used to enable account takeover (ATO), which allows attackers to:

  • Access financial accounts
  • Lock out legitimate users
  • Initiate fraudulent transactions
  • Launch follow-on scams

Flashpoint analysis of actors such as “JUN JUN,” associated with the Squirtle group, illustrates how these operations extend into structured financial fraud and laundering.

Observed activity shows a progression from acquiring phishing logs (“fish material”) to targeting high-value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds.

This highlights how phishing is only the entry point into a broader fraud pipeline.

A Distributed Ecosystem of Threat Actors

The PhaaS landscape is not controlled by a single group, but by a network of loosely connected actors and clusters.

Examples include:

  • Fluffy Spider: Focused on large-scale infrastructure deployment and domain generation
  • IVAN: A more exclusive, high-tier operation leveraging SEO poisoning and advanced evasion techniques
  • Smishing Triad: A highly coordinated group conducting global SMS phishing campaigns
  • System Bot: A modular phishing toolkit with credential harvesting and OTP bypass capabilities

These actors operate across different regions and languages but demonstrate comparable levels of technical capability and operational maturity.

Many of these groups function with enterprise-like structures, including support teams, affiliate models, and performance-based operations, further reinforcing the industrialization of phishing-driven fraud.

Law Enforcement Pressure Is Increasing, but the Model Persists

Recent takedowns, including operations targeting platforms such as Tycoon 2FA, demonstrate growing coordination between public and private sector defenders.

These efforts have:

  • Disrupted infrastructure
  • Increased operational costs for threat actors
  • Accelerated collaboration between intelligence providers and law enforcement

However, the underlying PhaaS model remains resilient.

Even as major platforms are dismantled, operators frequently rebrand, migrate infrastructure, or fragment into smaller services. The demand for scalable, low-cost phishing capabilities continues to sustain the ecosystem.

What This Means for Security Teams

Phishing-as-a-service has evolved from a tactic to an ecosystem that industrializes fraud.

Flashpoint assesses that the increasing coordination between phishing kit developers, infrastructure providers, and financial fraud actors will continue to drive large-scale credential harvesting and account takeover activity targeting global organizations.

For defenders, this means that effective mitigation requires more than user awareness and traditional controls. Organizations must account for:

  • MFA bypass techniques such as AiTM
  • Rapid infrastructure rotation and evasion
  • The integration of phishing into broader fraud and access broker pipelines

Protecting Your Organization from the PhaaS Ecosystem

Understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud.

Flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, and detect compromised credentials in real time. By correlating activity across the full attack lifecycle, security teams can better anticipate threats and respond before they escalate.

To learn how Flashpoint can support your team with actionable intelligence on phishing and fraud ecosystems, schedule a demo.

Begin your free trial today.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

Blogs

Blog

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

In this post, we examine how threat actors are executing tax refund fraud schemes, from sourcing identity data to bypassing verification and cashing out fraudulent returns, and what these patterns reveal about evolving fraud ecosystems.

SHARE THIS:
Default Author Image
April 9, 2026

Tax refund fraud remains a persistent and evolving threat within cybercrime and fraud communities. Threat actors actively advertise and refine schemes designed to file fraudulent returns and intercept refund payments from legitimate taxpayers.

Across illicit forums, Telegram channels, and marketplaces, discussions point to a structured ecosystem built around identity data, social engineering, verification bypass, and increasingly sophisticated cash-out methods.

For intelligence teams, these conversations provide insight into how fraud operations are scaling and where defenses are being tested and adapted.

The Structure of Modern Tax Refund Fraud Schemes

At a high level, most tax refund fraud schemes follow a consistent model: obtain identity data, file a fraudulent return, bypass verification, and extract funds.

Flashpoint analysis shows that threat actors focus on several key stages:

  • Sourcing victims or identity “fullz” (complete PII packages)
  • Obtaining or bypassing identity and return verification
  • Leveraging social engineering to support fraud workflows
  • Using tutorials and shared methods to maximize refund amounts
  • Converting refunds into cash or cryptocurrency

These stages are not isolated. They are supported by overlapping communities that specialize in identity theft, financial fraud, and account access.

Identity Data as the Foundation of Fraud

The success of tax refund fraud depends heavily on access to high-quality identity data.

Threat actors typically rely on “fullz,” which include a victim’s name, date of birth, address, and Social Security number. In some cases, fraudsters also recruit “clients” or “tax heads” — individuals who knowingly or unknowingly provide accurate tax documents and assist in bypassing verification steps.

This distinction is important. While fullz can be purchased or harvested at scale, clients often provide more reliable and current information, increasing the likelihood that a fraudulent return will be accepted.

A threat actor shares a screenshot of a text exchange with a client in which they obtain access to their TurboTax account and tax forms accessible through the account. (Source: Telegram, Flashpoint Collections).

Threat actors also seek additional data points to legitimize filings, including:

  • Identity Protection (IP) PINs
  • Adjusted Gross Income (AGI) from previous tax years
  • Access to tax preparation accounts or IRS records

These elements are frequently obtained through compromised accounts, social engineering, or access to verified identity platforms.

Verification Bypass as a Critical Enabler

Filing a fraudulent return is only part of the process. Successfully passing identity and return verification is often the deciding factor.

Threat actors place significant emphasis on accessing or creating verified accounts tied to identity systems used by government agencies. These accounts allow fraudsters to:

  • Retrieve tax transcripts and historical data
  • Respond to IRS verification requests
  • Validate identity during filing and follow-up processes

In many cases, fraudsters rely on social engineering to obtain this access. Common approaches include:

  • Creating fake job postings or tax preparation services to collect documents
  • Running romance or employment scams to gather personal information
  • Coercing victims into creating or sharing verified accounts

Threat actors also prepare for additional verification steps, such as responding to IRS letters or completing phone and in-person identity checks. These workflows often involve scripts, impersonation tactics, and coordination with cooperating “clients.”

Fraud Tactics Are Increasingly Systematic

Beyond basic filing, threat actors share detailed tutorials and playbooks designed to maximize refunds and improve success rates.

These often include:

  • Using real or falsified income data to inflate returns
  • Targeting specific tax credits, such as the Child Tax Credit (CTC), Earned Income Tax Credit (EITC), or Employer Retention Credit (ERC)
  • Claiming dependents or benefits that increase refund amounts
  • Adapting methods based on state-specific programs or eligibility requirements

A notable development is the use of fraudulent income submission schemes, where threat actors pre-populate tax records with inflated income and withholding data before filing a return.

This process typically involves:

  1. Submitting false wage data to the IRS or Social Security Administration using employer identifiers
  2. Waiting for the data to appear on official tax transcripts
  3. Filing a return that matches the fabricated figures

By aligning submitted data with filed returns, fraudsters increase the likelihood that filings will appear legitimate during verification.

Social Engineering Extends Beyond Victims

Social engineering plays a central role throughout the fraud lifecycle—and not just at the initial data collection stage.

Threat actors also target:

  • IRS representatives, attempting to verify fraudulent returns over the phone
  • Clients, persuading them to attend verification appointments or share official correspondence
  • Government offices, including outreach to congressional staff to resolve refund holds

In some cases, fraudsters use AI-generated communications to scale these efforts, including drafting messages designed to appear legitimate and urgent.

These tactics highlight how fraud operations extend into real-world processes and human interactions, not just digital systems.

Cash-Out Methods Continue to Evolve

Once a fraudulent refund is secured, the focus shifts to converting funds into usable, untraceable assets.

Common cash-out methods include:

  • Direct deposits into accounts controlled by the fraudster
  • Accounts opened by “clients” on behalf of the operation
  • Digital banking platforms and payment apps
  • Prepaid cards and alternative financial instruments

Increasingly, threat actors are moving funds into cryptocurrency to reduce traceability. This often involves:

  • Using verified exchange accounts to pass KYC requirements
  • Converting refunds into Bitcoin or other assets
  • Transferring funds to wallets controlled by the fraudster

In some workflows, the entire process — from filing to conversion — can occur within a single mobile or digital ecosystem.

Fraud Communities Enable Scale and Adaptation

Tax refund fraud does not operate in isolation. It is embedded within broader fraud ecosystems where identity data, tools, and tutorials are continuously shared.

Telegram remains a central hub for this activity, with large channels distributing:

  • Screenshots of successful refunds
  • Tutorials and “sauce” (paid or free methods)
  • Listings for identity data and services

Dark web forums also host discussions, though typically with lower volume and higher signal.

The structure of these communities allows fraud techniques to spread quickly, adapt to changing controls, and persist across multiple platforms.

What This Means for Threat Intelligence Teams

Tax refund fraud reflects a broader shift toward operationally mature, community-driven fraud ecosystems.

Flashpoint analysts assess that these schemes are becoming more structured, with clearly defined workflows for identity acquisition, verification bypass, and monetization.

For security and intelligence teams, this has several implications:

  • Identity data remains a critical point of exposure across multiple fraud types
  • Verification systems are actively targeted and tested by threat actors
  • Social engineering continues to bridge technical and human vulnerabilities
  • Fraud techniques are rapidly shared, refined, and scaled across communities

Understanding how these components connect is essential for identifying emerging fraud patterns and anticipating how threat actors will adapt.

Supporting Security Teams with Threat Intelligence During Tax Season and Beyond

Understanding how tax fraud schemes are executed from identity sourcing to verification bypass and cash-out provides critical context for detecting and disrupting fraudulent activity.

Flashpoint delivers leading intelligence that helps organizations monitor fraud communities, track evolving tactics, and identify emerging schemes before they scale. By combining primary source collection with contextual analysis, security teams can move from reactive detection to proactive defense.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Frequently Asked Questions About Tax Refund Fraud

What is tax refund fraud?

Tax refund fraud is a form of identity-based financial crime in which threat actors file fraudulent tax returns using stolen or manipulated personal information to obtain refund payments before the legitimate taxpayer files.

How do threat actors obtain the information needed to commit tax fraud?

Threat actors typically rely on stolen identity data, often referred to as “fullz,” which includes a victim’s name, date of birth, address, and Social Security number. This information is sourced from infostealer malware logs, phishing campaigns, data breaches, social engineering, and illicit marketplaces.

In some cases, fraudsters also recruit “clients” who provide real tax documents or assist in verification processes.

How do fraudsters bypass identity verification for tax returns?

Fraudsters use a combination of tactics to bypass identity and return verification, including:

  • Accessing or creating verified identity accounts used for tax authentication
  • Obtaining prior-year tax data such as adjusted gross income (AGI)
  • Using stolen or socially engineered identity protection (IP) PINs
  • Responding to IRS verification requests using scripts, impersonation, or cooperating individuals

These methods allow fraudulent returns to appear legitimate during processing.

What are common tax fraud tactics used by threat actors?

Common tactics include:

  • Filing returns using stolen personal information
  • Inflating income or tax withholding amounts to increase refunds
  • Claiming fraudulent dependents or tax credits
  • Submitting false wage data to government systems before filing
  • Using real tax forms combined with manipulated data

These approaches are often shared and refined within fraud communities.

What is a “fullz” in tax fraud?

A “fullz” refers to a complete set of personally identifiable information (PII) about an individual, typically including name, date of birth, address, and Social Security number. Fullz are used by fraudsters to file tax returns, open accounts, and conduct other identity-based financial crimes.

How do fraudsters cash out fraudulent tax refunds?

After a fraudulent return is accepted, threat actors typically attempt to convert the refund into usable funds through:

  • Direct deposits into controlled or intermediary accounts
  • Accounts opened by recruited participants
  • Digital banking platforms or prepaid cards
  • Cryptocurrency conversion using verified exchange accounts

The goal is to move funds quickly and reduce traceability.

Why is tax refund fraud difficult to detect?

Tax refund fraud can be difficult to detect because it leverages legitimate systems and processes, including real identity data, authentic tax preparation services, and verified accounts. Fraudsters also adapt quickly by sharing new techniques and bypass methods across online communities.

How do fraud communities support tax refund fraud schemes?

Fraud communities, particularly on platforms like Telegram and dark web forums, enable threat actors to share tutorials, tools, and identity data. These communities accelerate the spread of techniques, allowing fraud schemes to scale and evolve rapidly.

What should security and fraud teams monitor to detect tax fraud activity?

Teams should monitor for:

  • Unusual access to identity data or tax-related accounts
  • Indicators of compromised credentials or identity verification systems
  • Discussions of tax fraud methods, tutorials, or cash-out techniques in illicit communities
  • Patterns in fraudulent filings or refund activity

Incorporating intelligence from fraud communities can provide early visibility into emerging tactics.

How does Flashpoint help organizations detect and prevent tax refund fraud?

Flashpoint helps organizations detect and respond to tax fraud by providing intelligence on how threat actors source identity data, bypass verification systems, and cash out fraudulent returns.

Through primary source collection across platforms like Telegram and dark web forums, Flashpoint enables teams to monitor fraud communities, identify emerging tactics, and understand how schemes are evolving. This intelligence helps organizations move from reactive detection to more proactive identification of fraud risk.

Begin your free trial today.

The post Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels appeared first on Flashpoint.

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

Blogs

Blog

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

In this post, we examine how Iran-aligned militias and foreign terrorist organizations (FTOs) responded to the current US–Israel–Iran conflict, what their statements suggest about operational intent, and why this points to a wider risk environment for US and Israeli interests across the region.

SHARE THIS:
Default Author Image
March 19, 2026

The current phase of the US–Israel–Iran conflict is generating more than rhetorical support from militant actors aligned with Tehran. Public messaging from groups across Iraq, Lebanon, Yemen, and Gaza indicates a coordinated effort to frame the conflict as a regional, long-term confrontation rather than a contained exchange.

For threat intelligence teams, these statements matter not only because of what they say, but because of what they signal. Across multiple theaters, Iran-aligned groups are using similar language, emphasizing shared objectives, and in some cases pointing to an expanded target set that reaches beyond their traditional operating areas. Taken together, this messaging suggests continued alignment across militant networks and a heightened likelihood of retaliatory or opportunistic activity targeting US and Israeli interests.

Leadership Losses Are Being Used to Reinforce Mobilization

Several militant statements referenced the reported deaths of senior Iranian officials in strikes in Tehran, including Supreme Leader Ali Khamenei, Defense Minister Aziz Nasirzadeh, and IRGC Commander Mohammad Bagheri. These losses were framed not simply as blows against Iran, but as attacks on the broader resistance movement.

That framing is important. By portraying the strikes as an assault on a shared regional project rather than a national leadership event confined to Iran, these groups are reinforcing the rationale for broader mobilization. Statements from actors such as Akram al-Kaabi of Harakat al-Nujaba and Abdul-Malik al-Houthi of Ansarallah reflect that posture, emphasizing retaliation, readiness, and continued support for Iran.

This kind of messaging is consistent with efforts to maintain cohesion across the so-called resistance network during periods of escalation. It also helps set the informational conditions for follow-on activity by justifying future attacks as part of a collective response.

Messaging Points to a Longer Conflict Horizon

Some of the clearest signals in the reporting come from groups that described the conflict as a prolonged struggle rather than a short-lived escalation.

Kata’ib Hizballah called on fighters to prepare for a “long-term war of attrition,” while Kata’ib Sayyid al-Shuhada similarly urged readiness for a “long battle.” These statements go beyond symbolic solidarity. They suggest that at least some actors within Iran’s aligned militant ecosystem are preparing their audiences and personnel for sustained operations over time.

That distinction matters for defenders. A messaging environment centered on endurance, attrition, and regional confrontation raises the likelihood that groups will seek to maintain operational tempo across multiple fronts rather than respond with a single retaliatory action.

Militant Activity May Extend Beyond Traditional Operating Areas

Another notable feature of the reporting is the implied expansion of targeting scope.

Claims and statements referenced possible or actual activity in locations including Jordan, the Red Sea, and Israeli military sites near Haifa. This suggests that militant responses linked to the conflict may not remain confined to the actors’ most established operating environments in Iraq and Syria.

The claim by Rijal al-Bas al-Shadid of a drone strike on Muwaffaq Salti Air Base in Jordan is one example. Hezbollah’s claim of a strike south of Haifa is another. Together, these claims reinforce the broader picture presented in the messaging: a conflict environment in which Iran-aligned groups are attempting to demonstrate reach across multiple geographies and domains.

Even where operational claims remain difficult to verify independently, the messaging itself is still analytically significant. It helps illustrate how these groups want the conflict to be understood — as regional, coordinated, and capable of generating pressure well beyond a single front.

Responses Across the Network Reflect Coordinated Alignment

The organizational responses themselves show a high degree of consistency in tone and framing.

Hezbollah, Hamas, and the Houthis

Hezbollah claimed a strike on the Mishmar HaCarmel missile defense site south of Haifa using missiles and drone swarms, presenting the operation as a legitimate response within the broader confrontation. Although Hezbollah is actively engaged in countering the Israeli ground offensive into Southern Lebanon, the group could still pose a regional threat. Al-Qassam Brigades issued a eulogy for Iranian leadership figures and indicated that their deaths would intensify resistance rather than weaken it. Ansarallah declared full readiness for further military developments and signaled preparedness to target US bases and Israeli interests across the region.

Iraqi Militias and FTOs

Harakat al-Nujaba condemned the strikes and called for military retribution. Kata’ib Hizballah emphasized long-term attritional conflict. Saraya Awliya al-Dam declared maximum readiness and stated that it was prepared to target US military sites inside and outside Iraq. Kata’ib Sayyid al-Shuhada warned that US presence in the Middle East would lose any safe foothold as the conflict develops.

Specialized and Emerging Actors

Rijal al-Bas al-Shadid claimed a retaliatory drone attack in Jordan. Shabab al-Wa’ad al-Sadiq Forces announced its formation as a new entity aligned with Iran and the resistance axis. Ajnad Beit al-Maqdis used its first official statements to announce allegiance to al-Qaeda, tying that move to the current conflict and broader anti-US and anti-Israel narratives.

Taken together, these responses highlight not just ideological alignment, but messaging discipline. Similar themes appear across multiple organizations: retaliation for leadership losses, preparation for sustained conflict, and a shared portrayal of the United States and Israel as part of a unified adversarial front.

What This Means for Threat Intelligence Teams

From an intelligence perspective, the most important takeaway is not any single statement or claim. It is the degree of coordination visible across the messaging environment.

Flashpoint analysts assess that the current US–Israel–Iran conflict is generating aligned signaling among multiple militant organizations across the Middle East. This messaging indicates continued support for potential operations targeting US and Israeli interests and will likely contribute to increased militant activity across Iraq, Lebanon, Gaza, Yemen, and surrounding areas.

For security and intelligence teams, that means monitoring should extend beyond traditional flashpoints and beyond one-for-one retaliation models. The current environment suggests a broader risk picture shaped by networked militant cooperation, narrative synchronization, and the possibility of operations emerging across several theaters at once.

Supporting Security Teams with Threat Intelligence

Understanding how Iran-aligned militant networks communicate, coordinate, and signal intent is critical for anticipating how conflict dynamics may translate into real-world activity.

Flashpoint provides primary source intelligence that helps security teams track emerging threats, identify shifts in adversary behavior, and contextualize risk across regions and domains. From monitoring militant group messaging to analyzing operational indicators, our intelligence enables organizations to move from reactive response to informed, proactive defense.To learn how Flashpoint can support your team with real-time intelligence and analysis, schedule a demo.

Begin your free trial today.

The post Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict appeared first on Flashpoint.

Received — 12 March 2026 Threat Intelligence Blog | Flashpoint

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

SHARE THIS:

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through May 4.

Latest Update: Escalation Across Maritime, Cyber, and Economic Domains (Last 24–48 Hours)

The conflict has entered a phase of direct maritime and economic confrontation, with both kinetic and cyber activity intensifying in parallel.

Following the collapse of diplomatic efforts, the United States has formally initiated a naval blockade of Iranian ports, while Iran has responded by deploying midget submarines and reportedly mining key transit routes in the Strait of Hormuz. These developments signal a shift from pressure on infrastructure to direct control over regional shipping and energy flows.

At the same time, cyber operations have escalated beyond disruption into claims of large-scale destructive activity targeting industrial and government systems across the Gulf. While some of these claims remain unverified, the volume and nature of activity indicate a sustained effort to degrade both public-sector and commercial infrastructure.

Timeline of Key Developments

May 4
~06:00 UTC
CENTCOM announces the commencement of “Project Freedom” to secure maritime transit through the Strait of Hormuz.
~08:30 UTC
The IRGC Navy declares a new operational control sector in the Strait, warning that vessels failing to coordinate transit will be “stopped with force”.
10:15 UTC
Iran launches a barrage of four cruise missiles toward the UAE; three are intercepted by UAE air defenses while one falls into the sea.
11:00 UTC
A drone strike targets an ADNOC oil tanker in the Gulf.
13:45 UTC
The South Korean Ministry of Foreign Affairs confirms a South Korean vessel was struck in its engine room while transiting the Strait.
15:30 UTC
Handala Hack announces “Operation Premature Death,” releasing the names and ranks of 400 US Navy officers.
17:00 UTC
IRGC releases footage purportedly showing strikes on US vessels; CENTCOM dismisses these claims as false.

What This Means

This phase of the conflict reflects a shift toward combined economic and operational pressure:

  • Maritime control is now central: The blockade and countermeasures in the Strait of Hormuz introduce sustained risk to global shipping, energy transport, and supply chains.
  • Cyber operations are aligning with physical objectives: Activity targeting industrial systems and government infrastructure suggests an intent to create downstream operational disruption, not just visibility or signaling.
  • Private-sector exposure continues to expand: Western-linked infrastructure—particularly in energy, logistics, and cloud environments—remains within scope of both kinetic and cyber targeting.

Immediate Outlook (Next 48–72 Hours)

Further escalation is highly likely.

Iranian retaliatory activity may target US or Israeli assets in the near term, while continued pressure on maritime routes is expected to sustain volatility in global energy markets. At the same time, divergence among Western partners may create additional operational uncertainty, particularly for organizations relying on regional stability for logistics, infrastructure, or personnel movement.

How the Conflict Evolved

Since the opening strikes on February 28, the conflict has progressed through a series of rapid shifts—each expanding both the scope of targeting and the systems under pressure. What began as a tightly scoped military operation has developed into a sustained, multi-domain conflict affecting regional infrastructure, global markets, and private-sector operations.

This evolution is best understood not as a linear escalation, but as a sequence of overlapping phases that introduced new targets, new tactics, and new forms of risk.

Phase 1: Decapitation and Immediate Regional Spillover

(February 28)

The conflict began with a coordinated US–Israeli campaign targeting senior Iranian leadership and missile infrastructure. The objective was clear: degrade Iran’s ability to project force through its ballistic and air defense systems.

That containment window was brief.

Within hours, Iran launched retaliatory strikes across the Gulf, targeting US and allied military installations in Kuwait, Qatar, and Bahrain. Civilian and commercial systems were immediately affected, including flight disruptions in Dubai and early instability in maritime routes near the Strait of Hormuz.

From the outset, the conflict was regional—not bilateral—and it unfolded across military, commercial, and civilian environments simultaneously.

Phase 2: Regional Expansion and Civilian Exposure

(March 1–3)

Within the first 72 hours, the battlespace widened significantly.

Air operations extended directly over Tehran, signaling degradation of Iranian defensive capabilities. At the same time, new fronts emerged, including Hezbollah activity along Israel’s northern border. Targeting patterns began to shift, with incidents affecting civilian-adjacent infrastructure such as hotels, diplomatic sites, and transit hubs.

This period also marked the early alignment of cyber and information activity with kinetic operations. While still limited in impact, these efforts reflected a broader strategy: shaping disruption beyond the battlefield.

Phase 3: Infrastructure and System-Level Targeting

(March 5–10)

By early March, the conflict moved beyond military objectives and into the systems that sustain state and economic activity.

Energy infrastructure, power grids, logistics hubs, and financial systems became consistent points of pressure. Strikes on refineries and industrial complexes—combined with increasing instability in the Strait of Hormuz—introduced immediate consequences for global energy markets and supply chains.

This phase marked a structural shift. The conflict was no longer defined by territorial or military outcomes alone. It began to affect availability, access, and continuity across critical systems.

Phase 4: Commercial and Private-Sector Targeting

(March 11–13)

The targeting set expanded again—this time explicitly incorporating the private sector.

Iranian-aligned channels began publicly identifying Western technology, cloud, and financial firms as operational targets. In parallel, cyber activity moved deeper into enterprise environments, with disruptions affecting global companies and financial institutions.

At the same time, physical operations reinforced this shift:

  • Commercial shipping was targeted near the Strait of Hormuz
  • Banking operations were disrupted or preemptively shut down
  • Industrial facilities and refineries were forced offline

At this stage, economic pressure was no longer a byproduct of conflict—it had become a deliberate objective.

Phase 5: Hybrid Operations and Distributed Pressure

(Mid–Late March)

As kinetic operations continued, the conflict took on a more distributed and persistent character.

Cyber operations evolved in both scale and intent, expanding from disruption into data destruction, extortion, and psychological operations. Activity linked to groups such as Handala and broader proxy ecosystems demonstrated increasing coordination and willingness to target both regional and international entities.

At the same time, physical targeting patterns shifted toward long-term degradation:

  • Industrial production sites were struck
  • Ports and logistics corridors faced sustained pressure
  • Aviation hubs and transit infrastructure became recurring targets

This phase blurred traditional boundaries. Military, cyber, economic, and information operations were no longer distinct lines of effort—they were operating in parallel against overlapping targets.

A Conflict Without a Single Center of Gravity

By the end of March, the conflict had stabilized into a sustained, multi-domain environment defined by persistence rather than decisive escalation.

Military exchanges continue across multiple fronts, but the broader impact is shaped by pressure on:

  • Energy production and transport
  • Maritime and aviation corridors
  • Financial systems and commercial operations
  • Digital infrastructure and enterprise environments

Rather than converging toward resolution, the conflict has distributed risk across systems that extend well beyond the immediate region.

Phase 6: Economic Warfare Formalized and Maritime Escalation

(Late March – Early April)

By late March and into early April, economic pressure became formalized as a central objective of the conflict.

Maritime activity in and around the Strait of Hormuz shifted from disruption to active enforcement. Threats to commercial shipping intensified, while both state and proxy actors signaled a willingness to restrict or halt transit entirely. At the same time, targeting patterns expanded further into energy infrastructure, including gas production and refining capacity across the Gulf.

These developments introduced a new level of systemic risk. With a significant portion of global seaborne crude tied to the region, even partial disruption began to influence global pricing, supply planning, and downstream operations far beyond the Middle East.

Phase 7: Ceasefire Fracture and Persistent Hybrid Operations

(Early–Mid April)

Attempts at de-escalation introduced a new layer of complexity rather than stability.

While diplomatic efforts produced temporary pauses in kinetic activity, underlying objectives remained unresolved. In some cases, these pauses created space for continued operations in other domains. Cyber activity, in particular, showed no meaningful reduction, with Iranian-aligned groups continuing campaigns targeting infrastructure, government systems, and private-sector entities.

At the same time, friction points, especially in Lebanon, remained active. The exclusion of key actors from ceasefire terms contributed to continued localized escalation, reinforcing the decentralized nature of the conflict.

This period demonstrated that pauses in military activity do not equate to reduced risk across the broader threat landscape.

Phase 8: Direct Economic Targeting and Globalization of Risk

(Mid April and Beyond)

Following the breakdown of ceasefire dynamics, the conflict moved into a phase defined by direct economic targeting and broader international involvement.

US and allied actions began to focus more explicitly on constraining Iran’s financial and energy systems, while Iranian responses expanded to include threats against Western-affiliated commercial entities, academic institutions, and infrastructure beyond the immediate region.

At the same time, indicators of internationalization became more pronounced:

  • External actors providing military and technical support across sides
  • Cyber operations extending into Western and allied networks
  • Increased risk to global supply chains, energy markets, and financial systems

By this stage, the conflict was no longer confined to regional dynamics. It had evolved into a sustained pressure campaign with global economic and operational implications.

The Escalating Cyber and Information Front

From the earliest hours of the conflict, cyber operations have moved in parallel with kinetic activity—sometimes reinforcing it, and at other times extending its reach beyond the physical battlespace.

What has changed over time is not just the volume of activity, but the role cyber operations play within the broader campaign.

Early Phase: Disruption and Narrative Control

In the opening days, cyber activity focused primarily on disruption and influence.

Coordinated campaigns linked to pro-IRGC and pro-Russian-aligned groups targeted government websites, defense contractors, and public-facing services with distributed denial-of-service (DDoS) attacks and defacements. At the same time, information operations began to take shape, including the manipulation of widely used platforms such as the BadeSaba prayer app, where push notifications were leveraged to deliver messaging at scale.

These efforts were designed to create confusion, shape perception, and amplify the impact of concurrent military operations rather than cause lasting operational damage.

Expansion: Coordinated Campaigns and Infrastructure Access

As the conflict expanded regionally, cyber operations became more coordinated and more ambitious in scope.

Campaigns operating under banners such as #OpIsrael brought together loosely affiliated actors targeting infrastructure across Israel, the Gulf, and allied states. Claims during this period included access to industrial control systems, water infrastructure, and surveillance networks. While not all claims were independently verified, the consistency of targeting pointed to a broader intent: probing critical systems while signaling capability.

At the same time, verified activity—particularly from groups such as MuddyWater—demonstrated continued intrusion into aerospace, defense, and financial networks, reinforcing that espionage objectives remained active alongside disruption efforts.

Escalation: Enterprise Targeting and Data Destruction

By mid-March, cyber activity shifted again—this time toward enterprise environments and private-sector targets.

Incidents linked to groups such as Handala reflected a move beyond disruption into destructive operations. Reported activity included large-scale data wiping, exfiltration, and coordinated doxxing campaigns targeting individuals and organizations tied to Israeli or Western interests.

Equally significant was the reported use of “living-off-the-land” techniques, where attackers leveraged legitimate administrative tools within cloud environments to execute destructive actions. This approach reduces reliance on traditional malware and complicates detection, particularly for organizations dependent on signature-based defenses.

At this stage, cyber operations were no longer operating at the edges of the conflict. They were directly targeting the systems organizations rely on to operate.

Persistence Through Ceasefire: Cyber as a Continuous Pressure Mechanism

Subsequent developments demonstrated that cyber activity is not tied to the tempo of kinetic operations.

During periods of diplomatic pause, Iranian-aligned groups continued to operate with little observable reduction in activity. Public statements from groups such as Handala explicitly reinforced this posture, framing cyber operations as independent from military timelines.

At the same time, targeting patterns shifted rather than paused. Activity expanded to include:

  • Western and allied government systems
  • Critical infrastructure, including water and energy sectors
  • Commercial platforms and authentication systems

This reflects a broader strategic advantage: cyber operations allow actors to maintain pressure, test defenses, and shape outcomes without requiring direct military engagement.

Current State: Distributed, Adaptive, and Blended Operations

At present, cyber activity reflects a blend of objectives:

  • Espionage, particularly against defense and government networks
  • Disruption, including DDoS and service degradation
  • Destruction, through data wiping and system compromise
  • Psychological operations, leveraging public platforms and data exposure

These activities are carried out by a mix of state-linked groups, proxy actors, and loosely affiliated hacktivist networks, often operating with overlapping targets and messaging.

The result is a distributed and adaptive threat environment in which attribution is complex, timelines are compressed, and the boundary between state and non-state activity is increasingly blurred.

What This Signals

Cyber operations in this conflict are not a supporting element—they are a persistent layer of pressure that operates alongside and, at times, independently from physical conflict.

For organizations, this introduces a different type of risk:

  • Activity may continue even when kinetic conditions stabilize
  • Targeting may shift quickly across sectors and geographies
  • Detection becomes more difficult as attackers rely on legitimate tools and blended tradecraft

While cyber operations extend the reach of the conflict, the most immediate systemic pressure is emerging through physical and economic chokepoints—particularly in energy production and maritime transit.

Strategic Chokepoints and Systemic Risk

As the conflict expanded, physical targeting patterns converged around a small number of systems that carry disproportionate global impact: energy production, maritime transit, and regional mobility infrastructure.

Energy Infrastructure as a Primary Lever

Energy systems have emerged as one of the most consistently targeted elements of the conflict.

Strikes on refineries, gas facilities, and industrial complexes—combined with explicit threats against major Gulf energy assets—reflect a deliberate effort to constrain production and introduce volatility into global markets. Incidents affecting facilities in Saudi Arabia and the UAE, along with threats tied to Iran’s own production infrastructure, indicate that both sides view energy disruption as a means of exerting strategic pressure.

The scale of exposure is significant. A substantial portion of global seaborne crude transits through the region, and even partial disruption has immediate downstream effects on pricing, supply planning, and industrial operations.

This dynamic introduces a level of sensitivity that extends well beyond the region. Energy is a transmission mechanism for global economic impact.

Maritime Transit and the Strait of Hormuz

The Strait of Hormuz has remained the central chokepoint throughout the conflict.

From the earliest days, threats to shipping were used to signal escalation. Over time, those threats evolved into direct action, including strikes on commercial vessels, increased naval activity, and the positioning of maritime assets capable of restricting transit.

In later stages, this pressure became more formalized, with both state and proxy actors signaling a willingness to enforce constraints on shipping aligned with opposing interests. The result has been sustained disruption to maritime traffic, increased insurance and routing costs, and reduced throughput across one of the world’s most critical energy corridors.

For organizations dependent on global supply chains, the implications are immediate:

  • Longer transit times
  • Higher costs
  • Reduced predictability in delivery schedules

Even without a complete shutdown, sustained pressure on the Strait introduces ongoing friction into global trade flows.

Aviation and Regional Mobility

Airspace and aviation infrastructure have also been repeatedly affected.

Early in the conflict, flight suspensions and airport disruptions were driven by proximity to kinetic activity. As the conflict progressed, aviation hubs themselves became targets. Incidents near major transit centers—particularly in the Gulf—demonstrate both the vulnerability and strategic importance of these nodes.

Aviation serves as a critical connector for personnel movement, logistics, and high-value cargo. Disruption at major hubs does not remain localized; it cascades across international routes, affecting scheduling, capacity, and access.

In combination with maritime constraints, this creates a compounding effect: fewer viable routes, increased congestion elsewhere, and limited flexibility for organizations attempting to move people or goods.

Expansion to Commercial and Financial Systems

Over time, economic pressure extended beyond physical infrastructure into commercial and financial environments.

Public warnings and targeting signals began to include:

  • Banking institutions and financial districts
  • Commercial office locations tied to Western firms
  • Technology and cloud infrastructure hubs

In parallel, operational impacts became visible. Banking services were disrupted or preemptively suspended in parts of the Gulf, while threats against commercial centers introduced new considerations for business continuity and personnel safety.

This expansion reflects a shift in how the conflict defines “infrastructure.” It is no longer limited to energy or transport, as it also includes the systems that enable economic activity itself.

Business and Security Implications

As the conflict has expanded into energy systems, maritime corridors, aviation hubs, and commercial infrastructure, enterprise exposure is no longer limited to organizations with a direct regional footprint.

The targeting patterns observed throughout this conflict indicate that the systems underpinning global operations—logistics, cloud infrastructure, financial services, and workforce mobility—are all within scope.

For organizations, this introduces sustained operational friction rather than isolated disruption. Planning assumptions should shift accordingly.

Personnel and Physical Security

Exposure to physical risk has expanded beyond military installations into commercial environments.

Incidents affecting transit hubs, diplomatic facilities, and Western-linked commercial districts, combined with public warning lists identifying specific office locations in Jordan and the UAE, indicate that personnel operating in previously low-profile environments may now fall within the threat envelope.

This shift requires a more dynamic approach to workforce security.

Organizations should:

  • Reassess travel posture across the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia
  • Elevate security protocols at offices, hotels, and logistics sites
  • Reinforce operational security practices, including routine variation and reduced visibility of affiliation
  • Monitor diplomatic advisories and local threat reporting in near real time
  • Reevaluate occupancy and travel policies for personnel in named commercial and financial districts

Supply Chain, Energy, and Commercial Operations

Disruption is not limited to physical logistics. It now extends into the broader commercial operating environment.

Pressure on maritime transit through the Strait of Hormuz, combined with strikes on energy infrastructure and disruptions to financial services, creates a layered risk model: goods may not move, payments may not process, and operations may not continue as planned.

Organizations should plan for sustained instability rather than short-term interruption.

Priorities should include:

  • Modeling extended disruption to Gulf shipping routes
  • Identifying alternative logistics pathways, including overland options
  • Stress-testing supplier dependencies tied to energy inputs and regional ports
  • Preparing for price volatility and delivery delays
  • Assessing exposure to regional banking, payment processing, and financial services continuity

Cloud and Technology Infrastructure

The conflict has demonstrated that commercial technology infrastructure is not insulated from physical or cyber spillover.

The reported impact to cloud environments in the Gulf, combined with targeting signals directed at major technology providers, indicates that infrastructure supporting global applications may be exposed to localized disruption.

At the same time, strikes on regional communication and defense systems introduce additional risk to connectivity and resilience.

Organizations should:

  • Validate geographic redundancy for critical workloads
  • Confirm recovery timelines for regionally hosted environments
  • Review third-party dependencies tied to Gulf-based infrastructure
  • Ensure leadership understands cascading risks from localized outages
  • Evaluate exposure tied to physical proximity of offices, data centers, and regional tech hubs

ICS / OT Environments

Operational technology environments face elevated risk due to the convergence of cyber and physical targeting.

Claims involving industrial control systems—paired with demonstrated attacks on energy and logistics infrastructure—suggest that disruption may extend beyond IT systems into physical operations.

Organizations operating ICS/SCADA environments should prioritize resilience over detection alone.

Key actions include:

  • Auditing and restricting remote access pathways
  • Enforcing phishing-resistant MFA for privileged users
  • Segmenting industrial networks from corporate IT environments
  • Validating response plans for destructive or manipulative scenarios
  • Conducting exercises that assume loss of visibility or control

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

The post Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains appeared first on Flashpoint.

Understanding the DarkCloud Infostealer

Blogs

Blog

Understanding the DarkCloud Infostealer

In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.

SHARE THIS:
Default Author Image
February 25, 2026

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

A screenshot from DarkCloud’s clearnet site calling itself “surveillance software.” (Source: DarkCloud clearnet site)

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development — and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud describes itself as a keylogger despite the original advertisement on XSS describing it as an infostealer. (Source: DarkCloud)

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning — public-facing “surveillance software” and underground stealer — provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

  • Hex-encoded encrypted strings
  • Base64-encoded keys
  • Seed calculation through a custom algorithm
  • Resetting the VB pseudo-random number generator to a known state
  • Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

  • Outlook
  • eM Client
  • FoxMail
  • Thunderbird
  • 163Mail
  • MailMaster

File transfer applications:

  • FileZilla
  • WinSCP
  • CoreFTP

Browsers:

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Brave
  • Opera
  • Yandex
  • Vivaldi
  • (and many additional Chromium- and Firefox-based browsers)

Other applications:

  • Pidgin
  • NordVPN

When extracting browser data, DarkCloud steals:

  • Login credentials
  • Cookies
  • Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (“DBS”) stores copied database files, while another (“_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

  • SMTP
  • FTP
  • Telegram
  • HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

  • Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
  • Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
  • Audit credential reuse across browser and email applications
  • Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.

Begin your free trial today.

The post Understanding the DarkCloud Infostealer appeared first on Flashpoint.

Received — 5 February 2026 Threat Intelligence Blog | Flashpoint

Cyber and Physical Risks Targeting the 2026 Winter Olympics

Blogs

Blog

Cyber and Physical Risks Targeting the 2026 Winter Olympics

In this post we analyze the multi-vector threat landscape of the 2026 Winter Olympics, examining how the Games’ dispersed geographic footprint and high digital complexity create unique potential for cyber sabotage and physical disruptions.

SHARE THIS:
Default Author Image
February 5, 2026

The Milano-Cortina 2026 Winter Olympics represent a historic milestone as the first Games co-hosted by two major cities. However, the event’s expansive geographic footprint—covering 22,000 square kilometers across northern Italy—presents a complex security environment. From the metropolitan centers of Milan to the alpine peaks of Cortina d’Ampezzo, security forces are contending with a multi-vector threat landscape.

Kinetic and Physical Security Challenges

The geographically dispersed nature of the Milano-Cortina 2026 Winter Games also creates unique physical security challenges. Because venues are spread across thousands of square kilometers of the Alps, securing transit corridors and ensuring rapid emergency response across different Italian regions—including Lombardy, Veneto, and Trentino—is an incredible logistical hurdle. New tunnels, increased train services, and extended bus routes have been welcomed but create new potential targets for physical disruption by threat actors or protestors.

Terrorist and Extremist Threats

Flashpoint has not identified any terrorist or extremist threats to the Winter Olympic Games. However, lone threat actors in support of international terrorist organizations or domestic violence extremists remain a persistent threat due to the large number of attendees expected and the media attention that this event will attract.

Authorities in northern Italy are investigating a series of sabotage attacks on the national railway network that coincided with the opening of the 2026 Winter Olympic Games. The coordinated incidents—which included arson at a track switch, severed electrical cables, and the discovery of a rudimentary explosive device—caused delays of over two hours and temporarily disabled the vital transport hub of Bologna.

Protests

Flashpoint analysts identified several protests targeting the 2026 Winter Olympics:

  • US Presence and ICE Backlash: Hundreds of demonstrators have participated in protests in central Milan to demand that US ICE agents withdraw from security roles at the upcoming Winter Olympics.
  • Anti-Olympic and Environmental Activism: The most organized opposition comes from the Unsustainable Olympics Committee. They have already staged marches in Milan and Cortina, with more planned for February.
  • Pro-Palestinian Groups: Organizations such as BDS Italia are actively campaigning to boycott the games, demanding that Israel not be permitted to participate. Other pro-Palestinian groups have attempted to disrupt the Torch Relay in several cities and are expected to hold flash mob-style demonstrations in Milan’s Piazza del Duomo during the Opening Ceremony.
  • Labor Strikes: Italy frequently experiences transport strikes, which often fall on Fridays. Because the Opening Ceremony is on Friday, February 6, unions are leveraging this for maximum impact. An International Day of Protest has been coordinated by port and dock workers across the Mediterranean for February 6.

On February 7, a massive protest of approximately 10,000 people near the Olympic Village in Milan descended into violence as a peaceful march against the Winter Games ended in clashes with Italian police. While the majority of demonstrators initially focused on the environmental destruction caused by Olympic infrastructure, a smaller group of masked protestors engaged security forces with flares, stones, and firecrackers.

Cyber Threats Facing the 2026 Winter Olympics

The Milano-Cortina 2026 Winter Olympics will be among the most digitally complex global events, making it a prime target for cyberattacks. The greatest risks stem from familiar tactics such as phishing, spoofed websites, and business email compromise, which exploit human trust rather than technical flaws. With billions of viewers and a vast network of cloud services, vendors, and connected systems, the games create an expansive attack surface under intense operational pressure.

Italy blocked a series of cyberattacks targeting its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, with officials attributing the attempts to Russian sources. Foreign Minister Antonio Tajani confirmed the attacks were prevented just days before the Games’ official opening, which began with curling matches on February 4. 

Past Olympic Games show a clear pattern of heightened cyber activity, including phishing campaigns, distributed denial-of-service (DDoS) attacks, ransomware, and online scams targeting both organizers and the public. A mix of cybercriminals, advanced persistent threats, and hacktivists is expected to exploit the event for financial gain, espionage, or publicity. Experts emphasize that improving security awareness, verifying digital interactions, and strengthening supply chain defenses are critical, as the most damaging incidents often arise from ordinary threats amplified by scale and urgency.

Staying Safe at the 2026 Winter Games

The security success of Milano-Cortina 2026 relies on the integration of real-time intelligence, advanced technological safeguards, and public vigilance. As the Games proceed, the intersection of cyber-sabotage and physical protest remains the most likely source of operational disruption.

To stay safe at this year’s Games, participants should:

  1. Download Official Apps: Install the Milano Cortina 2026 Ground Transportation App and the Atm Milano app for real-time updates on transit, road closures, and “guaranteed” travel windows during strikes.
  2. Plan Around Friday Strikes: Be aware that transport strikes (Feb 6, 13, and 20) typically guarantee services only between 6:00 AM – 9:00 AM and 6:00 PM – 9:00 PM. Plan your venue transfers accordingly.
  3. Secure Your Digital Footprint: Avoid public Wi-Fi at major venues. Use a VPN and ensure Multi-Factor Authentication (MFA) is active on all your ticketing and banking accounts.
  4. Stay Clear of Protests: While most demonstrations are expected to be peaceful, they can cause sudden police cordons and transit delays.
  5. Respect the Drone Ban: Unauthorized drones are strictly prohibited over Milan and venue clusters. Leave yours at home to avoid heavy fines or interception by security units.

Stay Safe Using Flashpoint

While there are no current indications of imminent threats of extreme violence targeting the Milano-Cortina 2026 Winter Olympics, the event’s vast geographic footprint and digital complexity demand constant vigilance. Securing an event that spans 22,000 square kilometers requires more than just a physical presence; it necessitates a multi-faceted approach that bridges the gap between digital and kinetic risks.

To effectively navigate the intersection of cyber-sabotage, civil unrest, and logistical challenges, organizations and attendees must adopt a comprehensive strategy that integrates real-time intelligence with proactive security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

The post Cyber and Physical Risks Targeting the 2026 Winter Olympics appeared first on Flashpoint.

Protecting the Big Game: A Threat Assessment for Super Bowl LX

Blogs

Blog

Protecting the Big Game: A Threat Assessment for Super Bowl LX

This threat assessment analyzes potential physical and cyber threats to Super Bowl LX.

SHARE THIS:
Default Author Image
February 4, 2026
Superbowl LIX Threat Assessment | Flashpoint Blog
Table Of Contents

Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Super Bowl LX, taking place on February 8, 2026 at Levi’s Stadium, will feature the Seattle Seahawks and the New England Patriots, with Bad Bunny headlining the halftime show and Green Day performing during the opening ceremony.

Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.

Cybersecurity Considerations

At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.

High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.

Although Flashpoint has not identified any credible calls for large-scale cyber campaigns against Super Bowl LX at this time, analysts assess that cyber activity—if it occurs—is more likely to focus on fraud, impersonation, and social engineering directed at ticket holders, travelers, and high-profile attendees.

Online Sentiment

Flashpoint is currently monitoring online sentiment ahead of Super Bowl LX. At the time of publishing, analysts have identified pockets of increasingly negative online chatter related primarily to allegations of federal immigration enforcement activity in and around the event, as well as broader political and social tensions surrounding the Super Bowl.

Online discussions include calls for protests and boycotts tied to perceived Immigration and Customs Enforcement (ICE) involvement, as well as controversy surrounding halftime and opening ceremony performers. While sentiment toward the game itself and associated events remains largely positive, Flashpoint continues to monitor for escalation in rhetoric that could translate into real-world activity.

Potential Physical Threats

Protests and Boycotts

Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.

At this time, Flashpoint has not identified any calls for violence or physical confrontation associated with these actions. However, analysts cannot rule out the possibility that demonstrations could expand or relocate, potentially causing localized disruptions near the venue or surrounding infrastructure if protesters gain access to restricted areas.

In addition, Flashpoint has identified online calls to boycott the Super Bowl tied to both the alleged ICE presence and controversy surrounding the event’s halftime and opening ceremony performers. Flashpoint has not identified any chatter indicating that players, NFL personnel, or affiliated organizations plan to boycott or disrupt the game or related events.

Terrorist and Extremist Threats

Flashpoint has not identified any direct or credible threats to Super Bowl LX or its attendees from violent extremists or terrorist groups at this time. However, as with any high-profile sporting event, lone actors inspired by international terrorist organizations or domestic violent extremist ideologies remain a persistent risk due to the scale of attendance and global media attention.

Super Bowl LX is designated as a SEAR-1 event, necessitating extensive interagency coordination and heightened security measures. Law enforcement presence is expected to be significant, with layered security protocols, strict access control points, and comprehensive screening procedures in place throughout Levi’s Stadium and surrounding areas. Contingency planning for crowd management, emergency response, and evacuation scenarios is ongoing.

Mitigation Strategies and Executive Protection

Given the absence of specific, identified threats, mitigation strategies for key personnel attending Super Bowl LX focus on general best practices. Security teams tasked with executive protection should remove sensitive personal information from online sources, monitor open-source and social media channels, and establish targeted alerts for potential threats or emerging protest activity.

Physical security teams and protected individuals should also familiarize themselves with venue layouts, emergency exits, nearby medical facilities, and law enforcement presence, and remain alert to changes in crowd dynamics or protest activity in the vicinity of the event.

The nearest medical facilities are:

  • O’Connor Hospital (Santa Clara Valley Healthcare)
  • Kaiser Permanente Santa Clara Medical Center
  • Santa Clara Valley Medical Center
  • Valley Health Center Sunnyvale

Several of these facilities offer 24/7 emergency services and are located within a short driving distance of the stadium.

The primary law enforcement facility near the venue is:

  • Santa Clara Police Department

As a SEAR-1 event, extensive coordination is expected among local, state, and federal law enforcement agencies throughout the Bay Area.

    Stay Safe Using Flashpoint

    Although there are no indications of any credible, immediate threats to Super Bowl LX or attendees at this time, it is imperative to be vigilant and prepared. Protecting key personnel in today’s threat environment requires a multi-faceted approach. To effectively bridge the gap between online and offline threats, organizations must adopt a comprehensive strategy that incorporates open source intelligence (OSINT) and physical security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

    Request a demo today.

    Received — 24 January 2026 Threat Intelligence Blog | Flashpoint

    The Top Threat Actor Groups Targeting the Financial Sector

    Blogs

    Blog

    The Top Threat Actor Groups Targeting the Financial Sector

    In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

    SHARE THIS:
    Default Author Image
    January 6, 2026

    Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

    However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

    Why Finance?

    The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

    These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

    Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.

    The Threat Actors Targeting the Financial Sector

    To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

    RansomHub

    Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

    Akira

    Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

    LockBit Ransomware

    A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

    Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

    FIN7

    This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

    Scattering Spider

    Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.

    Lazarus Group

    This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

    Top Attack Vectors Facing the Financial Sector

    Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

    Third-Party Compromise

    Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

    Initial Access Brokers (IABs)

    Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

    Insider Threat

    Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

    Deepfake and Impersonation

    The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

    Defend Against Financial Threats Using Flashpoint

    The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

    Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

    Request a demo today.

    Received — 16 January 2026 Threat Intelligence Blog | Flashpoint

    Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

    Blogs

    Blog

    Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

    In this post, we break down the 91,321 instances of insider activity observed by Flashpoint™ in 2025, examine the top five cases that defined the year, and provide the technical and behavioral red flags your team needs to monitor in 2026.

    SHARE THIS:
    Default Author Image
    January 15, 2026

    Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground.

    In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside. 

    An insider threat, any individual with authorized access, possesses the unique ability to bypass traditional security gates. Whether driven by financial gain, ideological grievances, or simple human error, insiders can potentially compromise a system with a single keystroke. To protect our customers from this internal risk, Flashpoint monitors the illicit forums and marketplaces where these threats are being solicited. 

    In this post, we unpack the evolving insider threat landscape and what it means for your security strategy in 2026. By analyzing the volume of recruitment activity and the specific industries being targeted, organizations can move from a reactive posture to a proactive defense.

    By the Numbers: Mapping the 2025 Insider Threat Landscape

    Last year, Flashpoint collected and researched:

    • 91,321 posts of insider solicitation and service advertising
    • 10,475 channels containing insider-related illicit activity
    • 17,612 total authors

    On average, 1,162 insider-related posts were published per month, with Telegram continuing to be one of the most prominent mediums for insiders and threat actors to identify and collaborate with each other. Analysts also identified instances of extortionist groups targeting employees at organizations to financially motivate them to become insiders.

    Insider Threat Landscape by Industry

    The telecommunications industry observed the most insider-related activity in 2025. This is due to the industry’s central role in identity verification and its status as the primary target for SIM swapping—a fraudulent technique where threat actors convince employees of a mobile carrier to link a victim’s phone number to a SIM card controlled by the attacker. This allows the threat actor to receive all the victim’s calls and texts, allowing them to bypass SMS-based two-factor authentication.

    Insider Threat data from January 1, 2025 to November 24, 2025

    Flashpoint analysts identified 12,783 notable posts where the level of detail or the specific target was particularly concerning.

    Top Industries for Insiders Advertising Services (Supply):

    1. Telecom
    2. Financial
    3. Retail
    4. Technology

    Top Industries for Threat Actors Soliciting Access (Demand):

    1. Technology
    2. Financial
    3. Telecom
    4. Retail

    6 Notable Insider Threat Cases of 2025

    The following cases highlight the variety of ways insiders impacted enterprise systems this year, ranging from intentional fraud to massive technical oversights.

    Type of IncidentDescription
    MaliciousApproximately nine employees accessed the personal information of over 94,000 individuals, making illegal purchases using changed food stamp cards.   
    NonmaliciousAn unprotected database belonging to a Chinese IoT firm leaked 2.7 billion records, exposing 1.17 TB of sensitive data and plaintext passwords. 
    MaliciousAn insider at a well-known cybersecurity organization was terminated after sharing screenshots of internal dashboards with the Scattered Lapsus$ Hunters threat actor group.
    MaliciousAn employee working for a foreign military contractor was bribed to pass confidential information to threat actors.
    MaliciousA third-party contractor for a cryptocurrency firm sold customer data to threat actors and recruited colleagues into the scheme, leading to the termination of 300 employees and the compromise of 69,000 customers.
    MaliciousTwo contractors accessed and deleted sensitive documents and dozens of databases belonging to the Internal Revenue Service and US General Services Administration.

    Catching the Warning Signs Early

    Potential insiders often display technical and nontechnical behavior before initiating illicit activity. Although these actions may not directly implicate an employee, they can be monitored, which may lead to inquiries or additional investigations to better understand whether the employee poses an elevated risk to the organization.

    Flashpoint has identified the following nontechnical warning signs associated with insiders:

    • Behavioral indicators: Observable actions that deviate from a known baseline of behaviors. These can be observed by coworkers or management or through technical indicators. Behavioral indicators can include increasingly impulsive or erratic behavior, noncompliance with rules and policies, social withdrawal, and communications with competitors.
    • Financial changes: Significant and overlapping changes in financial standing—such as significant debt, financial troubles, or sudden unexplained financial gain—could indicate a potential insider threat. In the case of financial distress, an employee can sell their services to other threat actors via forums or chat services, thus creating additional funding streams while seeming benign within their organization.
    • Abnormal access behavior: Resistance to oversight, unjustified requests for sensitive information beyond the employee’s role, or the employee being overprotective of their access privileges might indicate malicious intent.
    • Separation on bad terms: Employees who leave an organization under unfavorable circumstances pose an increased insider threat risk, as they might want to seek revenge by exploiting whatever access they had or might still possess after leaving.
    • Odd working hours: Actors may leverage atypical after-hours work to pursue insider threat activity, as there is less monitoring. By sticking to an atypical schedule, threat actors maintain a cover of standard work activity while pursuing illicit activity simultaneously.
    • Unusual overseas travel: Unusual and undocumented overseas travel may indicate an employee’s potential recruitment by a foreign state or state-sponsored actor. Travel might be initiated to establish contact and pass sensitive information while avoiding raising suspicions in the recruit’s home country.

    The following are technical warning signs:

    • Unauthorized devices: Employees using unauthorized devices for work pose an insider threat, whether they have malicious intent or are simply putting themselves at higher risk of human error. Devices that are not controlled and monitored by the organization fall outside of its scope of operational security, while still carrying all of the sensitive data and configuration of the organization.
    • Abnormal network traffic: An unusual increase in network traffic or unexplained traffic patterns associated with the employee’s device that differ from their normal network activity could indicate malicious intent. This includes network traffic employing unusual protocols, using uncommon ports, or an overall increase in after-hours network activity.
    • Irregular access pattern: Employees accessing data outside the scope of their job function may be testing and mapping the limits of their access privileges to restricted areas of information as they evaluate their exfiltration capabilities for their planned illicit actions.
    • Irregular or mass data download: Unexpected changes in an employee’s data handling practices, such as irregular large-scale downloads, unusual data encryption, or uncharacteristic or unauthorized data destinations, are significant indicators of an insider threat.

    Insider Threats: What to Expect in 2026

    As 2026 unfolds, insider threat actors will continue to be a major threat to organizations. Ransomware groups and initial access threat actors will continue recruiting interested insiders and exploiting human vulnerabilities through social engineering tactics. Following Telegram’s recent bans on many illicit groups and channels, Flashpoint assesses that threat actors are likely to migrate to different platforms, such as Signal, where encrypted chats make their activity harder to monitor.

    As AI technologies continue to advance, organizations will be better equipped to identify and mitigate insider risks. At the same time, threat actors will likely increasingly abuse AI and other tools to access sensitive information. 
    Is your organization equipped to spot the warning signs? Request a demo to learn more and to mitigate potential risk from within your organization.

    Request a demo today.

    The post Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy appeared first on Flashpoint.

    Received — 11 January 2026 Threat Intelligence Blog | Flashpoint

    Flashpoint Weekly Vulnerability Insights and Prioritization Report

    Blogs

    Blog

    Flashpoint Weekly Vulnerability Insights and Prioritization Report

    Week of December 20 – December 26, 2025

    Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.

    SHARE THIS:
    Default Author Image
    December 31, 2025

    Flashpoint’s VulnDB™ documents over 400,000 vulnerabilities and has over 6,000 entries in Flashpoint’s KEV database, making it a critical resource as vulnerability exploitation rises. However, if your organization is relying solely on CVE data, you may be missing critical vulnerability metadata and insights that hinder timely remediation. That’s why we created this weekly series—where we surface and analyze the most high priority vulnerabilities security teams need to know about.

    Key Vulnerabilities:
    Week of December 20 – December 26, 2025

    Foundational Prioritization

    Of the vulnerabilities Flashpoint published this week, there are 34 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.

    Diving Deeper – Urgent Vulnerabilities

    Of the vulnerabilities Flashpoint published last week, four are highlighted in this week’s Vulnerability Insights and Prioritization Report because they contain one or more of the following criteria:

    • Are in widely used products and are potentially enterprise-affecting
    • Are exploited in the wild or have exploits available
    • Allow full system compromise
    • Can be exploited via the network alone or in combination with other vulnerabilities
    • Have a solution to take action on

    In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.

    To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, CoTs, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID, ensuring thorough coverage beyond publicly available sources. The vulnerabilities that are not covered by the NVD do not yet have CVE ID assigned and will be noted with a VulnDB ID.

    CVE IDTitleCVSS Scores (v2, v3, v4)Exploit StatusExploit ConsequenceRansomware Likelihood ScoreSocial Risk ScoreSolution Availability
    CVE-2025-33222NVIDIA Isaac Launchable Unspecified Hardcoded Credentials5.0
    9.8
    9.3
    PrivateCredential DisclosureHighLowYes
    CVE-2025-33223NVIDIA Isaac Launchable Unspecified Improper Execution Privileges Remote Code Execution10.0
    9.8
    9.3
    PrivateRemote Code ExecutionHighLowYes
    CVE-2025-68613n8n Package for Node.js packages/workflow/src/expression-evaluator-proxy.ts Workflow Expression Evaluation Remote Code Execution9.0
    9.9
    9.4
    PublicRemote Code ExecutionHighHighYes
    CVE-2025-14847MongoDB transport/message_compressor_zlib.cpp ZlibMessageCompressor::decompressData() Function Zlib Compressed Protocol Header Handling Remote Uninitialized Memory Disclosure (Mongobleed)10.0
    9.8
    9.3
    PublicUninitialized Memory DisclosureHighHighYes
    Scores as of: December 30, 2025

    NOTES: The severity of a given vulnerability score can change whenever new information becomes available. Flashpoint maintains its vulnerability database with the most recent and relevant information available. Login to view more vulnerability metadata and for the most up-to-date information.

    CVSS scores: Our analysts calculate, and if needed, adjust NVD’s original CVSS scores based on new information being available.

    Social Risk Score: Flashpoint estimates how much attention a vulnerability receives on social media. Increased mentions and discussions elevate the Social Risk Score, indicating a higher likelihood of exploitation. The score considers factors like post volume and authors, and decreases as the vulnerability’s relevance diminishes.

    Ransomware Likelihood: This score is a rating that estimates the similarity between a vulnerability and those known to be used in ransomware attacks. As we learn more information about a vulnerability (e.g. exploitation method, technology affected) and uncover additional vulnerabilities used in ransomware attacks, this rating can change.

    Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for CVE-2025-33223 looks like.



    This record provides additional metadata like affected product versions, MITRE ATT&CK mapping, analyst notes, solution description, classifications, vulnerability timeline and exposure metrics, exploit references and more.

    Analyst Comments on the Notable Vulnerabilities

    Below, Flashpoint analysts describe the five vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.

    CVE-2025-33222

    NVIDIA Isaac Launchable contains a flaw that is triggered by the use of unspecified hardcoded credentials. This may allow a remote attacker to trivially gain privileged access to the program.

    CVE-2025-33223

    NVIDIA Isaac Launchable contains an unspecified flaw that is triggered as certain activities are executed with unnecessary privileges. This may allow a remote attacker to potentially execute arbitrary code.

    CVE-2025-68613

    n8n Package for Node.js contains a flaw in packages/workflow/src/expression-evaluator-proxy.ts that is triggered as workflow expressions are evaluated in an improperly isolated execution context. This may allow an authenticated, remote attacker to execute arbitrary code with the privileges of the n8n process.

    CVE-2025-14847

    MongoDB contains a flaw in the ZlibMessageCompressor::decompressData() function in mongo/transport/message_compressor_zlib.cpp that is triggered when handling mismatched length fields in Zlib compressed protocol headers. This may allow a remote attacker to disclose uninitialized memory contents on the heap.

    Previously Highlighted Vulnerabilities

    CVE/VulnDB IDFlashpoint Published Date
    CVE-2025-21218Week of January 15, 2025
    CVE-2024-57811Week of January 15, 2025
    CVE-2024-55591Week of January 15, 2025
    CVE-2025-23006Week of January 22, 2025
    CVE-2025-20156Week of January 22, 2025
    CVE-2024-50664Week of January 22, 2025
    CVE-2025-24085Week of January 29, 2025
    CVE-2024-40890Week of January 29, 2025
    CVE-2024-40891Week of January 29, 2025
    VulnDB ID: 389414Week of January 29, 2025
    CVE-2025-25181Week of February 5, 2025
    CVE-2024-40890Week of February 5, 2025
    CVE-2024-40891Week of February 5, 2025
    CVE-2024-8266Week of February 12, 2025
    CVE-2025-0108Week of February 12, 2025
    CVE-2025-24472Week of February 12, 2025
    CVE-2025-21355Week of February 24, 2025
    CVE-2025-26613Week of February 24, 2025
    CVE-2024-13789Week of February 24, 2025
    CVE-2025-1539Week of February 24, 2025
    CVE-2025-27364Week of March 3, 2025
    CVE-2025-27140Week of March 3, 2025
    CVE-2025-27135Week of March 3, 2025
    CVE-2024-8420Week of March 3, 2025
    CVE-2024-56196Week of March 10, 2025
    CVE-2025-27554Week of March 10, 2025
    CVE-2025-22224Week of March 10, 2025
    CVE-2025-1393Week of March 10, 2025
    CVE-2025-24201Week of March 17, 2025
    CVE-2025-27363Week of March 17, 2025
    CVE-2025-2000Week of March 17, 2025
    CVE-2025-27636
    CVE-2025-29891
    Week of March 17, 2025
    CVE-2025-1496
    Week of March 24, 2025
    CVE-2025-27781Week of March 24, 2025
    CVE-2025-29913Week of March 24, 2025
    CVE-2025-2746Week of March 24, 2025
    CVE-2025-29927Week of March 24, 2025
    CVE-2025-1974 CVE-2025-2787Week of March 31, 2025
    CVE-2025-30259Week of March 31, 2025
    CVE-2025-2783Week of March 31, 2025
    CVE-2025-30216Week of March 31, 2025
    CVE-2025-22457Week of April 2, 2025
    CVE-2025-2071Week of April 2, 2025
    CVE-2025-30356Week of April 2, 2025
    CVE-2025-3015Week of April 2, 2025
    CVE-2025-31129Week of April 2, 2025
    CVE-2025-3248Week of April 7, 2025
    CVE-2025-27797Week of April 7, 2025
    CVE-2025-27690Week of April 7, 2025
    CVE-2025-32375Week of April 7, 2025
    VulnDB ID: 398725Week of April 7, 2025
    CVE-2025-32433Week of April 12, 2025
    CVE-2025-1980Week of April 12, 2025
    CVE-2025-32068Week of April 12, 2025
    CVE-2025-31201Week of April 12, 2025
    CVE-2025-3495Week of April 12, 2025
    CVE-2025-31324Week of April 17, 2025
    CVE-2025-42599Week of April 17, 2025
    CVE-2025-32445Week of April 17, 2025
    VulnDB ID: 400516Week of April 17, 2025
    CVE-2025-22372Week of April 17, 2025
    CVE-2025-32432Week of April 29, 2025
    CVE-2025-24522Week of April 29, 2025
    CVE-2025-46348Week of April 29, 2025
    CVE-2025-43858Week of April 29, 2025
    CVE-2025-32444Week of April 29, 2025
    CVE-2025-20188Week of May 3, 2025
    CVE-2025-29972Week of May 3, 2025
    CVE-2025-32819Week of May 3, 2025
    CVE-2025-27007Week of May 3, 2025
    VulnDB ID: 402907Week of May 3, 2025
    VulnDB ID: 405228Week of May 17, 2025
    CVE-2025-47277Week of May 17, 2025
    CVE-2025-34027Week of May 17, 2025
    CVE-2025-47646Week of May 17, 2025
    VulnDB ID: 405269Week of May 17, 2025
    VulnDB ID: 406046Week of May 19, 2025
    CVE-2025-48926Week of May 19, 2025
    CVE-2025-47282Week of May 19, 2025
    CVE-2025-48054Week of May 19, 2025
    CVE-2025-41651Week of May 19, 2025
    CVE-2025-20289Week of June 3, 2025
    CVE-2025-5597Week of June 3, 2025
    CVE-2025-20674Week of June 3, 2025
    CVE-2025-5622Week of June 3, 2025
    CVE-2025-5419Week of June 3, 2025
    CVE-2025-33053Week of June 7, 2025
    CVE-2025-5353Week of June 7, 2025
    CVE-2025-22455Week of June 7, 2025
    CVE-2025-43200Week of June 7, 2025
    CVE-2025-27819Week of June 7, 2025
    CVE-2025-49132Week of June 13, 2025
    CVE-2025-49136Week of June 13, 2025
    CVE-2025-50201Week of June 13, 2025
    CVE-2025-49125Week of June 13, 2025
    CVE-2025-24288Week of June 13, 2025
    CVE-2025-6543Week of June 21, 2025
    CVE-2025-3699Week of June 21, 2025
    CVE-2025-34046Week of June 21, 2025
    CVE-2025-34036Week of June 21, 2025
    CVE-2025-34044Week of June 21, 2025
    CVE-2025-7503Week of July 12, 2025
    CVE-2025-6558Week of July 12, 2025
    VulnDB ID: 411705Week of July 12, 2025
    VulnDB ID: 411704Week of July 12, 2025
    CVE-2025-6222Week of July 12, 2025
    CVE-2025-54309Week of July 18, 2025
    CVE-2025-53771Week of July 18, 2025
    CVE-2025-53770Week of July 18, 2025
    CVE-2025-54122Week of July 18, 2025
    CVE-2025-52166Week of July 18, 2025
    CVE-2025-53942Week of July 25, 2025
    CVE-2025-46811Week of July 25, 2025
    CVE-2025-52452Week of July 25, 2025
    CVE-2025-41680Week of July 25, 2025
    CVE-2025-34143Week of July 25, 2025
    CVE-2025-50454Week of August 1, 2025
    CVE-2025-8875Week of August 1, 2025
    CVE-2025-8876Week of August 1, 2025
    CVE-2025-55150Week of August 1, 2025
    CVE-2025-25256Week of August 1, 2025
    CVE-2025-43300Week of August 16, 2025
    CVE-2025-34153Week of August 16, 2025
    CVE-2025-48148Week of August 16, 2025
    VulnDB ID: 416058Week of August 16, 2025
    CVE-2025-32992Week of August 16, 2025
    CVE-2025-7775Week of August 24, 2025
    CVE-2025-8424Week of August 24, 2025
    CVE-2025-34159Week of August 24, 2025
    CVE-2025-57819Week of August 24, 2025
    CVE-2025-7426Week of August 24, 2025
    CVE-2025-58367Week of September 1, 2025
    CVE-2025-58159Week of September 1, 2025
    CVE-2025-58048Week of September 1, 2025
    CVE-2025-39247Week of September 1, 2025
    CVE-2025-8857Week of September 1, 2025
    CVE-2025-58321Week of September 8, 2025
    CVE-2025-58366Week of September 8, 2025
    CVE-2025-58371Week of September 8, 2025
    CVE-2025-55728Week of September 8, 2025
    CVE-2025-55190Week of September 8, 2025
    VulnDB ID: 419253Week of September 13, 2025
    CVE-2025-10035Week of September 13, 2025
    CVE-2025-59346Week of September 13, 2025
    CVE-2025-55727Week of September 13, 2025
    CVE-2025-10159Week of September 13, 2025
    CVE-2025-20363Week of September 20, 2025
    CVE-2025-20333Week of September 20, 2025
    CVE-2022-4980Week of September 20, 2025
    VulnDB ID: 420451Week of September 20, 2025
    CVE-2025-9900Week of September 20, 2025
    CVE-2025-52906Week of September 27, 2025
    CVE-2025-51495Week of September 27, 2025
    CVE-2025-27224Week of September 27, 2025
    CVE-2025-27223Week of September 27, 2025
    CVE-2025-54875Week of September 27, 2025
    CVE-2025-41244Week of September 27, 2025
    CVE-2025-61928Week of October 6, 2025
    CVE-2025-61882Week of October 6, 2025
    CVE-2025-49844Week of October 6 2025
    CVE-2025-57870Week of October 6, 2025
    CVE-2025-34224Week of October 6, 2025
    CVE-2025-34222Week of October 6, 2025
    CVE-2025-40765Week of October 11, 2025
    CVE-2025-59230Week of October 11, 2025
    CVE-2025-24990Week of October 11, 2025
    CVE-2025-61884Week of October 11, 2025
    CVE-2025-41430Week of October 11, 2025
    VulnDB ID: 424051Week of October 18, 2025
    CVE-2025-62645Week of October 18, 2025
    CVE-2025-61932Week of October 18, 2025
    CVE-2025-59503Week of October 18, 2025
    CVE-2025-43995Week of October 18, 2025
    CVE-2025-62168Week of October 18, 2025
    VulnDB ID: 425182Week of October 25, 2025
    CVE-2025-62713Week of October 25, 2025
    CVE-2025-54964Week of October 25, 2025
    CVE-2024-58274Week of October 25, 2025
    CVE-2025-41723Week of October 25, 2025
    CVE-2025-20354Week of November 1, 2025
    CVE-2025-11953Week of November 1, 2025
    CVE-2025-60854Week of November 1, 2025
    CVE-2025-64095Week of November 1, 2025
    CVE-2025-11833Week of November 1, 2025
    CVE-2025-64446Week of November 8, 2025
    CVE-2025-36250Week of November 8, 2025
    CVE-2025-64400Week of November 8, 2025
    CVE-2025-12686Week of November 8, 2025
    CVE-2025-59118Week of November 8, 2025
    VulnDB ID: 426231Week of November 8, 2025
    VulnDB ID: 427979Week of November 22, 2025
    CVE-2025-55796Week of November 22, 2025
    CVE-2025-64428Week of November 22, 2025
    CVE-2025-62703Week of November 22, 2025
    VulnDB ID: 428193Week of November 22, 2025
    CVE-2025-65018Week of November 22, 2025
    CVE-2025-54347Week of November 22, 2025
    CVE-2025-55182Week of November 29, 2025
    CVE-2024-14007Week of November 29, 2025
    CVE-2025-66399Week of November 29, 2025
    CVE-2022-35420Week of November 29, 2025
    CVE-2025-66516Week of November 29, 2025
    CVE-2025-59366Week of November 29, 2025
    CVE-2025-14174Week of December 6, 2026
    CVE-2025-43529Week of December 6, 2026
    CVE-2025-8110Week of December 6, 2026
    CVE-2025-59719Week of December 6, 2026
    CVE-2025-59718Week of December 6, 2026
    CVE-2025-14087Week of December 6, 2026
    CVE-2025-62221Week of December 6, 2026

    Transform Vulnerability Management with Flashpoint

    Request a demo today to see how Flashpoint can transform your vulnerability intelligencevulnerability management, and exposure identification program.

    Request a demo today.

    The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

    Blogs

    Blog

    The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

    In this post, we analyze the evolving bypass tactics threat actors are using to neutralize traditional security perimeters and fuel the global surge in infostealer infections.

    SHARE THIS:
    Default Author Image
    December 22, 2025

    Infostealer-driven credential theft in 2025 has surged, with Flashpoint observing a staggering 800% increase since the start of the year. With over 1.8 billion corporate and personal accounts compromised, the threat landscape finds itself in a paradox: while technical defenses have never been more advanced, the human attack surface has never been more vulnerable.

    Information-stealing malware has become the most scalable entry point for enterprise breaches, but to truly defend against them, organizations must look beyond the malware itself. As teams move into 2026 security planning, it is critical to understand the deceptive initial access vectors—the latest tactics Flashpoint is seeing in the wild—that threat actors are using to manipulate users and bypass modern security perimeters.

    Here are the latest methods threat actors are leveraging to facilitate infections:

    1. Neutralizing Mark of the Web (MotW) via Drag-and-Drop Lures

    Mark of the Web (MotW) is a critical Windows defense feature that tags files downloaded from the internet as “untrusted” by adding a hidden NTFS Alternate Data Stream (ADS) to the file. This tag triggers “Protected View” in Microsoft Office programs and prompts Windows SmartScreen warnings when a user attempts to execute an unknown file.

    Flashpoint has observed a new social engineering method to bypass these protections through a simple drag-and-drop lure. Instead of asking a user to open a suspicious attachment directly, which would trigger an immediate MotW warning, threat actors are instead instructing the victim to drag the malicious image or file from a document onto their desktop to view it. This manual interaction is highly effective for two reasons:

    1. Contextual Evasion: By dragging the file out of the document and onto the desktop, the file is executed outside the scope of the Protected View sandbox.
    2. Metadata Stripping: In many instances, the act of dragging and dropping an embedded object from a parent document can cause the operating system to treat the newly created file as a local creation, rather than an internet download. This effectively strips the MotW tag and allows malicious code to run without any security alerts.

    2. Executing Payloads via Vulnerabilities and Trusted Processes

    Flashpoint analysts uncovered an illicit thread detailing a proof of concept for a client-side remote code execution (RCE) in the Google Web Designer for Windows, which was first discovered by security researcher Bálint Magyar.

    Google Web Designer is an application used for creating dynamic ads for the Google Ads platform. Leveraging this vulnerability, attackers would be able to perform remote code execution through an internal API using CSS injection by targeting a configuration file related to ads documents.

    Within this thread, threat actors were specifically interested in the execution of the payload using the chrome.exe process. This is because using chrome.exe to fetch and execute a file is likely to bypass several security restrictions as Chrome is already a trusted process. By utilizing specific command-line arguments, such as the –headless flag, threat actors showed how to force a browser to initiate a remote connection in the background without spawning a visible window. This can be used in conjunction with other malicious scripts to silently download additional payloads onto a victim’s systems.

    3. Targeting Alternative Softwares as a Path of Least Resistance

    As widely-used software becomes more hardened and secure, threat actors are instead pivoting to targeting lesser-known alternatives. These tools often lack robust macro-protections. By targeting vulnerabilities in secondary PDF viewers or Office alternatives, attackers are seeking to trick users into making remote server connections that would otherwise be flagged as suspicious.

    Understanding the Identity Attack Surface

    Social engineering is one of the driving factors behind the infostealer lifecycle. Once an initial access vector is successful, the malware immediately begins harvesting the logs that fuel today’s identity-based digital attacks.

    As detailed in The Proactive Defender’s Guide to Infostealers, the end goal is not just a password. Instead, attackers are prioritizing session cookies, which allow them to perform session hijacking. By importing these stolen cookies into anti-detect browsers, they bypass Multi-Factor Authentication and step directly into corporate environments, appearing as a legitimate, authenticated user.

    Understanding how threat actors weaponize stolen data is the first step toward a proactive defense. For a deep dive into the most prolific stealer strains and strategies for managing the identity attack surface, download The Proactive Defender’s Guide to Infostealers today.

    Request a demo today.

    The post The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion appeared first on Flashpoint.

    Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

    Blogs

    Blog

    Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

    In this post Flashpoint reveals how an infostealer infection on a North Korean threat actor’s machine exposed their digital operational security failures and reliance on AI. Leveraging Flashpoint intelligence, we pivot from a single persona to a network of fake identities and companies targeting the Web3 and crypto industry.

    SHARE THIS:
    Default Author Image
    December 10, 2025

    Last week, Hudson Rock published a blog on “Trevor Greer,” a persona tied to a North Korean IT Worker. Flashpoint shared additional insights with our clients back in July, and we’re now making those findings public.

    Trevor Greer, a North Korean operative, was identified via an infostealer infection on their own machine. Information-stealing malware, also known as Infostealers or stealers, are malware designed to scrape passwords and cookies from unsuspecting victims. Stealers (like LummaC2 or RedLine) are typically used by cybercriminals to steal login credentials from everyday users to sell on the Dark Web. It is rare to see them infect the machines of a state-sponsored advanced persistent threat group (APT).

    However, when adversaries unknowingly infect themselves, they can expose valuable insights into the inner workings of their campaigns. Leveraging Flashpoint intelligence sourced from the leaked logs of “Trevor Greer,” our analysts uncovered a myriad of fake identities and companies used by DPRK APTs.

    Finding Trevor Greer

    Flashpoint analysts have been tracking the Trevor Greer email address since December 2024 in relation to the “Contagious Interview” campaign, in which threat actors operated as LinkedIn recruiters to target Web3 developers, resulting in the deployment of multiple stealers compromising developer Web3 wallets. Flashpoint also identified the specific persona’s involvement in a campaign in which North Korean threat actors posed as IT freelance workers and applied for jobs at legitimate companies before compromising the organizations internally.

    ByBit Compromise

    The ByBit compromise in late February 2025 further fueled Flashpoint’s investigations into the Trevor Greer email address. Bybit, a cryptocurrency exchange, suffered a critical incident resulting in North Korean actors extorting US $1.5 billion worth of cryptocurrency. In the aftermath, Silent Push researchers identified the persona “Trevor Greer” associated with the email address trevorgreer9312@gmail[.]com, which registered the domain “Bybit-assessment[.]com” prior to the Bybit compromise.

    A later report claimed that the domain “getstockprice[.]com” was involved in the compromise. Despite these domain discrepancies, both investigations attributed the attack to North Korean advanced persistent threat (APT) nexus groups.

    Tracing the Infection

    Using Flashpoint’s vast intelligence collections, we performed a full investigation of compromised virtual private servers (VPS), revealing the actor’s potential involvement in several other operations, including remote IT work, several self-made blockchain and cryptocurrency exchange companies, and a potential crypto scam dating back to 2022.

    Flashpoint analysts also discovered that the Trevor Greer email address was linked to domains infected with information-stealing malware.

    What the Logs Revealed

    Analysts extracted information about the associated infected host from Trevor Greer, revealing possible tradecraft and tools used. Analysts further identified specific indicators of compromise (IOCs) used in the campaigns mentioned above, as well as email addresses used by the actor for remote work.

    The data painted a vivid picture of how these threat actors operate:

    Preparation for “Contagious Interviews”

    The browser history revealed the actor logging into Willo, a legitimate video interview platform. This suggests the actor was conducting reconnaissance to clone the site for the “Contagious Interview” campaign, where they lured Web3 developers into fake job interviews to deploy malware.

    Reliance on AI Tools

    The logs exposed the actor’s reliance on AI to bridge the language gap. The operator frequently accessed ChatGPT and Quillbot, likely using them to write convincing emails, build resumes, and generate code for their malware.

    Pivoting: One Node to a Network

    By analyzing the “Trevor Greer” logs, we were able to pivot to other personas and campaigns involved in the operation.

    • Fake Employment: The logs contained credentials for freelance platforms, such as Upwork and Freelancer, associated with other aliases, including “Kenneth Debolt” and “Fabian Klein.” This confirmed the actor was part of a broader scheme to infiltrate Western companies as remote IT workers.
    • Fake Companies: The data linked the actor to fake corporate entities, such as Block Bounce (blockbounce[.]xyz), a sham crypto trading firm set up to appear legitimate to potential victims. 
    • Developer Personas: The infection data linked the actor to the GitHub account svillalobosdev, which had been active in open source projects to build credibility before the attack.
    • Legitimate Platforms & Tools: Analysts observed the actor using job boards such as Dice and HRapply[.]com, freelance platforms such as Upwork and Freelancer, and direct applications through company Workday sites. To improve their resume, the actor used resumeworded[.]com or cakeresume[.]com. For conversing, the threat actor likely relies on a mix of both GPT and Quilbot, as found in infected host logins, to ensure they sound human. During interviews, analysts determined that they potentially used Speechify. 
    • Deep & Dark Web Resources: The actor also likely purchased Social Security numbers (SSNs) from SSNDOB24[.]com, a site for acquiring Social Security data.

    Disrupt Threat Actors Using Flashpoint

    The “Trevor Greer” case study illustrates a critical shift in modern threat intelligence. We are no longer limited to analyzing the malware adversaries deploy; sometimes, we can analyze the adversaries themselves.

    Using their own tools against them, Flashpoint transformed a faceless state-sponsored entity into a tangible user with bad habits, sloppy OPSEC, and a trail of digital breadcrumbs. Behind every sophisticated APT campaign is a human operator, and sometimes, they click the wrong link too. 

    Request a demo today to delve deeper into the tactics, techniques, and procedures of advanced persistent threats and learn how Flashpoint’s intelligence strengthens your defenses.

    Request a demo today.

    The post Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor appeared first on Flashpoint.

    Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution

    Blogs

    Blog

    Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution

    CVE-2025-55182 (VulnDB ID: 428930), is a severe, unauthenticated RCE impacting a major component of React and its ecosystem, putting global applications at immediate, high-fidelity risk.

    SHARE THIS:
    Default Author Image
    December 4, 2025

    The React team disclosed a critical vulnerability impacting three products in the React Server Components (RSC) that allows for unauthenticated remote code execution. 

    Flashpoint’s vulnerability research team assesses significant enterprise and supply chain risk given React’s ubiquity: the impacted JavaScript library underpins modern UIs, with 168,640 dependents and more than 51 million weekly downloads.

    How CVE-2025-55182 Works

    CVE-2025-55182 (VulnDB ID: 428930) impacts all React versions since 19.0.0, meaning that this issue has been potentially exploitable since November 14, 2024. This vulnerability stems from how React handles payloads sent to React Server Function endpoints and deserializes them.

    Flashpoint’s VulnDB entry for CVE-2025-55182

    Depending on the implementation of this library, a remote, unauthenticated threat actor could send a crafted payload that would be deserialized in a way that causes remote code execution. This would lead to a total compromise of the system hosting the application, allowing for malware such as infostealers, ransomware, or cryptojackers (cryptocurrency mining) to be downloaded.

    A working exploit for CVE-2025-55182 has already been published that is effective against some installations. In addition, Amazon has reported that two threat actors, attributed to Chinese Advanced Persistent Threat Groups (APTs), have begun to exploit this vulnerability. Those groups are:

    • Earth Lamia (STAC6451, REF0657, CL-STA-0048)
    • Jackpot Panda (iSoon, DRAGNET PANDA, Anxun Information, deepclif, Poison Carp, Houndstooth Typhoon)

    Understanding the Impact and Scope of CVE-2025-55182

    It is critical that security teams fully understand the potential downstream scope and impact so that they can fully focus on mitigation, rather than time-consuming research. While the vendor has provided a full disclosure, there are several important caveats to understand about CVE-2025-55182:

    1. Applications not implementing any React Server Function endpoints may still be vulnerable as long as it supports React Server Components.
    2. If an application’s React code does not use a server, it is not affected by this vulnerability.
    3. Applications that do not use a framework, bundler, or bundler plugins that support React Server Components are unaffected by this vulnerability.

    Additionally, several React frameworks and bundlers have been discovered to leverage vulnerable React packages in various ways. The following frameworks and bundlers are known to be affected:

    • next
    • react-router
    • waku
    • @parcel/rsc
    • @vitejs/plugin-rsc
    • rwsdk

    NPMJS.com currently shows that the react-dom package, which is effectively part of React, has 168,640 dependents. This means that an incredible number of enterprise applications are likely to be affected. Nearly every commercial application is built on hundreds, sometimes thousands of components and dependencies. Furthermore, applications coded via Vibe and similar technology are also likely to leverage React: potentially amplifying the downstream risk this vulnerability poses.

    How to Mitigate CVE-2025-55182

    For mitigation, the React library has released versions 19.0.1, 19.1.2, and 19.2.1 that resolve the issue. Flashpoint advises organizations to upgrade their respective libraries urgently. Security teams leveraging dynamic SBOMs (Software Bill of Materials) can drastically increase risk mapping and triage for deployed React versions.

    CloudFlare has upgraded their web-application firewall (WAF) to protect against CVE-2025-55182. It is available for both free and paid plans but requires that React application traffic is proxied through the CloudFlare WAF.

    To avoid confusion, security teams should ignore CVE-2025-66478. It has been rejected for being a duplicate of the preferred CVE-2025-55182.

    Mitigate Critical Vulnerabilities Using Flashpoint

    Flashpoint strongly recommends security teams treat this vulnerability with utmost urgency. Our vulnerability research team will continue to monitor this vulnerability and its downstream impacts. All updates will be provided via Flashpoint’s VulnDB

    Request a demo today and gain access to quality vulnerability intelligence that helps address critical threats in a timely manner.

    Request a demo today.

    The post Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution appeared first on Flashpoint.

    Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel

    Blogs

    Blog

    Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel

    Examining current and potential involvement of militant terrorist groups in the Israel-Hamas conflict, beginning with the October 7 attacks

    SHARE THIS:
    Default Author Image
    October 18, 2023

    October 7: Hamas attacks Israel

    In the midst of the Israel-Hamas War, which erupted with a surprising and devastating attack on October 7, 2023 that resulted in the deaths of more than 1,300 Israelis, it is becoming increasingly apparent that the dynamics of this complex conflict extend beyond the actions of Hamas alone. While Hamas took the lead in launching the initial assault, there is evidence, outlined in this article, that numerous other militant and terrorist groups worked in concert with Hamas, which continues to shape the trajectory of the ongoing conflict.

    Based on frontline reportage, open-source intelligence, including social media and message platforms, and Flashpoint collections surrounding the events on October 7, we explore the roles and actions of additional militant and terrorist factions, shedding light on their collective impact in the evolving Israel-Hamas War. 

    We will update this article as the situation in Israel, Gaza, and the Middle East develops.

    Militant and Terrorist Groups Involved in October 7 Attack on Israel

    Izz al-Din al-Qassam Brigades (كتائب الشهيد عز الدين القسام)

    Operation Al-Aqsa Tufan (Flood) involved coordinated attacks from the Gaza Strip into bordering areas in Israel on October 7, coinciding with a major Jewish holiday and marking the beginning of the 2023 Israel–Hamas war. The attack included a rocket barrage of thousands of missiles, vehicle-transported incursions into Israeli territory, kidnappings, including at a music festival, and significant civilian casualties. It has been described as one of the bloodiest days in Israel’s history and the deadliest for Jews since the Holocaust. Founded in the late 1980s, Izz al-Din al-Qassam Brigades is the militant wing of the terrorist organization Hamas. It has been designated as a terrorist organization by several countries, including the United States, Israel, and the European Union. 

    Palestinian Islamic Jihad (الجهاد الإسلامي الفلسطيني)

    As we previously reported, Hamas and PIJ communicate often with followers via Telegram. On the day after the October 7 attacks, PIJ, in one of its main channels, posted that “the elite of Al-Quds Brigades is entering the border to support al-Qassam Brigades fighters (Hamas) and supply them with weapons.” It has also been reported that PIJ took part in the October 7 attacks alongside Hamas.

    On October 17, a rocket hit the Al Ahli Arab Hospital in Gaza, killing hundreds of Palestinian civilians. In a statement, Israeli Defense Forces said that “[Palestinian] Islamic Jihad is responsible for the failed rocket launch which hit the hospital in Gaza.” PIJ has denied the allegation in a statement, reportedly calling it “false and baseless.”

    Palestinian Islamic Jihad (PIJ) is a Palestinian terrorist organization that is designated by several countries, including the United States, Israel, and the European Union. It was founded in the late 1970s with the goal of establishing an Islamic Palestinian state and has carried out attacks against Israel.

    Al-Aqsa Martyrs Brigade (كتائب شهداء الأقصى)

    The Al-Aqsa Martyrs Brigade is a Palestinian militant organization affiliated with Fatah, a major Palestinian political party, that has carried out attacks and other activities against Israel. One of the key players in Palestinian politics today, Al-Aqsa Martyrs brigade was founded in the late 1950s and has historically been associated with the Palestine Liberation Organization (PLO). The group was designated a Foreign Terrorist Organization by the US Department of State in 2002.

    Above: Screengrab from October 7 showing a video of a man wearing a headband with the Al-Aqsa Martyrs Brigade emblem. The video, posted in an official Al-Aqsa Martys Brigade Telegram channel, shows the man speaking alongside a gravely injured Israeli soldier. The message hashtag translates to “#Scenes_of_enemy_soldiers_capture” (Image: Flashpoint)

    Democratic Front for the Liberation of Palestine (الجبهة الديمقراطية لتحرير فلسطين)

    The Democratic Front for the Liberation of Palestine (DFLP) is a Palestinian political and militant organization founded in 1969, known for its left-wing and Marxist ideologies. It has historically aimed for the liberation of Palestine and the establishment of an independent Palestinian state through both militaristic and political means. While a member of the Palestine Liberation Organization (PLO), it has not been as prominent as other Palestinian factions like Fatah or Hamas in recent years.

    Above: Pictures posted by an official Democratic Front for the Liberation of Palestine showing armed militants reportedly inside Israeli territory on October 7. (Image: Flashpoint)

    Palestinian Mujahideen Movement (حركة المجاهدين الفلسطينيين)

    The Palestinian Mujahideen Movement is a Palestinian militant organization that emerged in the early 1970s with the goal of resisting Israeli occupation and achieving Palestinian self-determination through various armed activities and operations against Israeli forces. However, it is not as widely recognized or prominent as Palestinian terrorist groups like Hamas or the Palestinian Islamic Jihad (PIJ).

    Above: Screengrab of an official Palestinian Mujahideen Movement channel showing an image of Dr. Asaad Abu Sharia, the General of the Palestinian Mujahideen Movement, congratulating the “heroes…who stormed the positions and settlements of [Israel].”

    We have shared this Telegram message in lieu of the many messages shared in the same channel the day prior, October 7, that showed graphically violent images of what appears to be soldiers in IDF uniforms. (Image: Flashpoint)

    Popular Resistance Committees (لجان المقاومة الشعبية)

    The Popular Resistance Committees (PRC), whose military wing is referred to as Al-Nasser Salah al-Deen Brigades (ألوية الناصر صلاح الدين), are a coalition of various Palestinian factions and armed groups in the Gaza Strip. They were formed in the early 2000s during the Second Intifada, a period of intense Palestinian-Israeli conflict. The PRC includes members from different political and militant backgrounds and has carried out attacks against Israel. While not as prominent as terrorist organizations like Hamas or the Palestinian Islamic Jihad (PIJ), the PRC has played a role in the ongoing Israeli-Palestinian conflict, as evidenced by the events of October 7, 2023.

    Above: Screengrab of communications within the official Al-Nasser Salah al-Din Brigades Telegram channel from October 7, alongside photos of allegedly confiscated military equipment and IDs belonging to captured Israeli soldiers. (Image: Flashpoint)

    Those who could join the fight

    Lebanese Hezbollah (حزب الله اللبناني)

    Though not directly involved in the October 7 attacks, Lebanese Hezbollah and Israel have exchanged assaults in connection with the ongoing Israel-Hamas War since October 8.

    Also known as Hezbollah, Lebanese Hezbollah is a Shiite Islamist political and militant organization based in Lebanon. It was founded in the early 1980s with support from Iran, following the Israeli invasion of Lebanon. Hezbollah’s primary goal is to resist Israel and promote Shiite interests in Lebanon and the wider region. The group was designated a Foreign Terrorist Organization by the US Department of State in 1997, the same year as Hamas and PIJ.

    Lions’ Den (عرين الأسود)

    Saraya al-Quds Military spokesman Abu Hamza has called for Lions’ Den and Jenin Brigade, another Palestinian militant group, to join the fight.

    The Lions’ Den is a Palestinian militant group in the Israeli-occupied West Bank, formed in August 2022. Comprising members from various Palestinian militant and terrorist organizations, including Hamas and Palestinian Islamic Jihad, along with disaffected Fatah members, it resonates with some young Palestinians frustrated by the Israeli occupation, settlements, settler violence, and the perceived ineffectiveness of the Palestinian Authority. They have engaged in various West Bank attacks, funded in part by Hamas.

    These profiles represent the most meaningful actors on the digital and physical frontlines of the Israel-Hamas War at the moment. Flashpoint has seen an expansion of participants as the conflict unfolds and expands into new physical and digital theaters. We will therefore update this article as the situation continues to develop.

    Request a demo today.

    The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram

    Blogs

    Blog

    The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram

    Analyzing Telegram’s role in facilitating communication and strategy for Hamas and PIJ during the initial days of the Israel-Hamas War

    SHARE THIS:
    Default Author Image
    October 11, 2023

    Telegram: A crucial modern warfare channel

    Telegram, with its 700 million-plus-strong user base, has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad (PIJ). Its robust privacy and encryption protocols safeguard communications while also providing a covert operational space for militant groups and cybercriminals. The platform’s role in open-source intelligence (OSINT) is vital, offering real-time insights into unfolding global events, such as the ongoing military conflict between Hamas and Israel, and becoming an essential tool for intelligence professionals navigating the multifaceted landscape of contemporary warfare. Organizations with regional interests should perceive Telegram as a crucial asset in understanding their risk apertures and navigating through conflict complexities.

    In the context of recent global conflicts, including the Russia-Ukraine war and the Hamas-Israel conflict, platforms like Telegram have demonstrated their significance by providing real-time updates, documenting potential war crimes, and offering a platform for anti-war narratives amidst governmental censorship. Both scenarios underscore Telegram’s evolving role in modern warfare, influencing narratives and strategies, and providing a digital battlefield for organizations and intelligence professionals to navigate and anticipate conflict dynamics.

    October 7: Surprise Hamas attack

    This digital battlefield, while shaping the narratives and strategies in contemporary conflicts, abruptly collided with reality on October 7, when the virtual orchestrations of Hamas transformed into a tangible, devastating surprise attack on Israel.

    Hamas militants launched an unexpected, devastating attack on Israel on October 7, resulting in hundreds of casualties and numerous hostages. Over 2,000 rockets were fired into Israel, causing significant casualties and prompting Prime Minister Benjamin Netanyahu to declare war on Hamas, mobilizing the military and reserves. The assault, occurring on the fiftieth anniversary of the 1973 Egypt and Syria attack and during the Jewish holiday, Shemini Atzeret, took Israel by surprise. 

    Reports state that the attack resulted in hundreds dead and more than 500 injuries, the kidnappings of Israeli soldiers, and vehicle takeovers, while Hezbollah celebrated the assault. The US Embassy in Jerusalem issued an alert and initiated shelter-in-place protocols for its personnel. Militants breached the Gaza-Israel barrier using various methods, and Hamas commander Mohammed Deif urged Palestinians and Arabs to join the operation, raising fears of a wider conflict.

    At around 5:30 a.m. UTC, Hamas posted in one of its main Telegram channels, that the Commander-in-Chief of Al-Qassam Brigades announced the beginning of Hamas’s Al-Aqsa Tufan (Flood) and the firing of over 5,000 rockets aimed at Israel. Shortly thereafter, reports show that air raid sirens sounded in Jerusalem around 6:30 a.m. local time, signaling an attack and instructing citizens to take cover.

    Hamas Telegram post announcing the start of Al-Aqsa Tufan (Image: Flashpoint)

    This message represents one of 1,145 messages sent over Hamas’s main Telegram channel on October 7. For context, the day prior, 373 messages were sent over the same channels, showing more than a 3X spike in chatter from October 6.

    October 8: Violence escalates

    The conflict intensifies with continued assaults and counter-assaults from both Israel and Hamas. The death toll rises sharply on both sides, and the situation garners international attention and condemnation. Hamas issues a threat to execute Israeli hostages, prompting further international outrage. The U.S. confirms that several American citizens have been killed in the attacks and expresses its unwavering support for Israel. Various nations and international leaders continue to condemn the violence and express solidarity with Israel.

    On October 8, Palestinian Islamic Jihad posted that “the elite of Al-Quds Brigades is entering the border to support Al-Qassam Brigades fighters and supply them with weapons.” (Image: Flashpoint)

    On Sunday, 1,129 posts were sent between PIJ and its followers on Telegram, with messages such as above sharing updates of the assault.

    October 9: Broadening battlefields

    The conflict takes a new turn as rockets are fired from Lebanon toward Israel, prompting Israeli forces to retaliate against Lebanese territories. The U.S. updates the number of American citizens killed in the attacks and acknowledges that Americans are among those taken hostage by Hamas. Israeli Defense Minister Yoav Gallant orders a “complete siege” on Gaza and promises a robust and unrestrained response to the ongoing attacks, vowing to eliminate any threats against Israel.

    Telegram post from a major Hamas channel linking to a video of Abu Obaida, the spokesperson for the al-Qassam Brigades, in which he signals further violence to Israelis, particularly hostages (Image: Flashpoint).

    Throughout Monday, Telegram activity from Hamas and PIJ fell by almost half compared to the day prior. Within the first 72 hours of the Israeli-Hamas War, Flashpoint observed a total of 5,472 Telegram posts shared by both Hamas and PIJ across their main channels.

    The post The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram appeared first on Flashpoint.

    Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

    Blogs

    Blog

    Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

    The legacy of Raid, Breach, and their ‘successors’ provides an important lens into how data breach communities function and the real-life implications of the information they traffic

    SHARE THIS:
    Table Of Contents
    Table of Contents
    More
    subscribe to our newsletter

    Race to the bottom

    Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator “pompompurin” in tiny handcuffs—an unprecedented trolling of sorts by authorities. 

    Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target. 

    The founder and administrator of Raid Forums, Diogo Santos Coelho (aka “omnipotent), was arrested on January 31, 2022. Fitzpatrick, who has been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.

    Now, both Raid Forums and Breach Forums are no more. And ever since their seizures, other threat actors, some of whom were involved in the Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom. 

    Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their “successors” provides an important lens into how data breach communities function and the real-life implications of the information they traffic. 

    Related reading

    Another One Bites the Dust: The (Apparent) End of Breach Forums

    Read now

    Timeline

    Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors. 

    • March 17, 2023: Breach Forums administrator “baphomet” decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.
    • March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forum’s creator, “Sinistery,” solicited forum administrators and developers to volunteer to operate the site. 
    • However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forum’s former main administrators, “Frost,” stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.
    • May 29, 2023: “Impotent,” the forum administrator Exposed, leaks the database of 478,870 Raid Forums users.
    • June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
    • Also on June 4, a user posted an advertisement for the Exposed forum, calling it the “new” Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.
    • June 12, 2023: ShinyHunters launches a new forum called Breach Forums—eponymous by name only.
    • That very same day, Exposed Forums shut down. Its founders, “Impotent” and “Purism,” share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.
    • June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
    • OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, members’ last visits and posts, number of posts, last activity, and social media handles with profile links.
    • June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums. 

    Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venues—a perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying … even if it means leaking the databases of their competitors.

    Get Flashpoint on your side

    Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

    Request a demo today.

    Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism

    Blogs

    Blog

    Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism

    Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war

    Share:
    Default Author Image
    June 28, 2023

    Putin Vs. Prigozhin

    The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.

    Mentions count in Flashpoint collections for variations on searches for Prigozhin and the Wagner Group. (Image: Flashpoint)

    Social media and messaging platforms like Telegram continues to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfolded, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.

    Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.

    Flashpoint’s physical security intelligence platform showing results for a global search seeking mentions of Prigozhin across OSINT-related collections.

    June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews

    On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.

    Flashpoint’s physical security intelligence platform showing results across real-time open-source intelligence for terms related to “Prigozhin” and “coup”.

    In retaliation, Prigozhin has appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those who are responsible for the deaths of the Wagner troops killed today, as well as the deaths of many tens of thousands of Russian soldiers, will be “punished” and “justice” will be “returned,” both to Russia’s armed forces and all of Russia. The MOD has rejected these accusations, claiming that they “do not correspond to reality” and labeling them as an “informational provocation.”

    Round 2: #Shoigu hits back.

    "All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc

    — Jason Corcoran (@jason_corcoran) June 23, 2023

    The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.

    June 24: Prigozhin’s March To Moscow

    On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.

    Flashpoint’s physical security intelligence platform showing search results in Rostov-on-Don.

    In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.” 

    Related Blog

    Timeline of Russia’s Invasion of Ukraine: Cyber and Physical Warfare

    Read now

    Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.

    Screengrab of a video posted on a pro-Wagner Telegram channel showing Wagner supporters in Rostov as they demonstrate support to departing Wagner troops. (Image: Telegram)

    Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.

    Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin behalf.

    Concluding thoughts

    In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities. 

    Get Flashpoint on your side

    Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

    Request a demo today.

    Risk Intelligence Index: Cyber Threat Landscape by the Numbers

    Blogs

    Blog

    Risk Intelligence Index: Cyber Threat Landscape by the Numbers

    Flashpoint’s monthly look at the cyber risk ecosystem affecting organizations around the world, including intelligence, news, data, and analysis about ransomware, vulnerabilities, insider threats, and takedowns of illicit forums and shops.

    SHARE THIS:
    Default Author Image
    April 13, 2023
    Table Of Contents
    subscribe to our newsletter

    Ransomware

    Flashpoint’s latest ransomware infographic paints a sobering picture of the evolving threat landscape, as cybercriminals employ increasingly sophisticated—and effective—tactics. Last month, our analysts observed a total of 397 ransomware attacks.

    Key takeaways for the state of ransomware

    • Organizations in the United States bore the brunt of ransomware attacks, accounting for a staggering 211 incidents—a 66 percent increase compared to last month.
    • The top three industries targeted by ransomware were Professional Services, Internet Software & Services, and Construction & Engineering.
    • Clop ransomware has emerged as one of the most active ransomware groups, securing the second spot in March’s top 10 ranking. Last month, Clop garnered attention by exploiting a remote code execution vulnerability—allegedly enabling them to acquire data from over 100 organizations, although they only disclosed a few victim names on their blog.

    Vulnerabilities

    According to our intelligence, 2,245 new vulnerabilities were reported in March, with 379 of them being missed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD).

    Key takeaways for the state of vulnerability intelligence

    • Approximately 34 percent of March’s disclosed vulnerabilities are rated as high-to-critical in severity, which if exploited, could pose a significant risk to an organization’s security posture.
    • Over 78 percent of March’s vulnerabilities are remotely exploitable, meaning that if threat actors are able to leverage these issues, they can execute malicious code no matter where the device is located.
    • Nearly 29 percent of March’s vulnerabilities already have a documented public exploit, which drastically lessens the difficulty to exploit.
    • Vulnerability Management teams can potentially lessen workloads by nearly 88 percent by first focusing on actionable, high severity vulnerabilities—i.e., vulnerabilities that are remotely exploitable, that have a public exploit, and a viable solution; 253 of March’s vulnerabilities meet this criteria.

    Insider Threat

    The tactic of recruiting insiders has become immensely popular amongst threat actors aiming to breach systems and/or commit ransomware attacks.

    In March, our analysts collected 5,586 posts advertising insider services—both from threat actors seeking insiders and malicious employees offering their services. Of those, 1,127 were unique posts from individuals in illicit and underground communities.

    Key takeaways for the state of insider threat intelligence

    • In March, Flashpoint tracked 5,586 posts related to insider threats activity—both from threat actors attempting to solicit insider-facilitated access and from disgruntled employees offering their services. Of the total, 1,127 were unique postings.
    • At this time, the Telecom industry is the most targeted sector, followed by Financial and Retail.
    • Looking into the state of insider threats further, Flashpoint found that the majority of insider threat related postings originated from inside the organization with malicious insiders offering their services. Most of this activity came from the Telecom sector. 

    Takedowns

    In March 2023, there were numerous takedowns, voluntary shutdowns, and arrests affecting ransomware, markets, account shops, card shops, and individual cybercriminals. Here are the high-profile takedowns.

    Breach Forums

    On March 21, 2023, mid-tier hacking forum Breach Forums was shut down following the arrest of its administrator, Conor Brian Fitzpatrick (aka “pompompurin”), six days prior.

    Read the court doc here.

    Worldwiredlabs

    On March 3, a US Magistrate Judge issued a seizure warrant for Worldwiredlabs[.]com, a domain used by cybercriminals to sell malware, including remote access trojan (RAT) “NetWire,” which is capable of targeting and infecting major computer operating systems.

    On March 7, an international law enforcement effort led to the seizure of Worldwiredlabs. The FBI had begun its investigation in 2020, and uncovered that it was the only known online distributor of NetWire.

    Read the court doc here.

    Get best-in-class intel

    The following data is derived from the Flashpoint Intelligence Platform and VulnDB, the most comprehensive and timely source of vulnerability intelligence available. Sign up for a free trial today.

    Request a demo today.

    ❌