Critical elements and rare earth elements REEs are no longer commodities; they are strategic dependencies. Chinaʼs dominance in processing and refining provides it with enormous geopolitical leverage over other industrialized economies.
Geopolitical competition over mining and refining critical elements and REEs is accelerating. Competition to mine them will almost certainly expand into the Arctic, Greenland, Antarctica, the seabed, and space. These emerging arenas introduce legal ambiguity, environmental tension, and strategic rivalry, creating new geopolitical flashpoints.
Cyber operations are increasingly intertwined with resource competition. Insikt Group has identified state-sponsored and criminally aligned cyber threat actors targeting mining organizations to gain a strategic advantage. As critical mineral supply chains grow in importance, cyber activity targeting the sector is expected to increase, with criminal groups potentially serving as proxies or access brokers for state-backed operations.
Figure 1: Map of where critical elements and REEs are being mined or have been located, along with key findings in the report Source: Recorded Future)
Analysis
What Are Rare Earth Elements and Critical Elements?
Rare earth elements (REEs) are a group of seventeen metals that are essential to modern technologies. REEs are vital to the Fourth Industrial Revolution, a term for the current era of connectivity, advanced analytics, automation, and advanced manufacturing technology. REEs are used in small but essential quantities; they significantly impact the efficiency, precision, and reliability of equipment. They also differ from most other critical elements because they are difficult to process and refine. The refining process requires complex separation, making supply chains slow to build and capital-intensive.
Figure 2: Simplified REE production process from mining to refining (Source: Recorded Future)
Critical elements such as lithium, copper, nickel, cobalt, and graphite are primarily used as structural, conductive, or energy-storage materials and are consumed in much larger quantities. These elements form the physical backbone of products like batteries, wiring, and digital infrastructure. In simple terms, critical elements build the systems, and REEs enable the systems to perform at high levels.
Where Are REEs and Critical Elements Located?
On land, critical elements are unevenly distributed globally, with mining concentrated in a few countries. REEs are primarily mined in China, with significant deposits in Australia and the United States (US).
Figure 3: The distribution of where critical minerals were mined in 2023 Source: World Resources Institute)
The seabed is an emerging arena for mining due to vast critical mineral reserves that are believed to lie on the ocean floor. On the seabed, minerals are packed into potato-sized nodules, form hard crusts, accumulate in sediment layers, and are emitted from hydrothermal vents. In April 2025, the Trump administration issued an executive order directing the US to rapidly scale its capability to mine and process seabed critical elements. Meanwhile, China continues to expand its deep-sea mining capabilities. Japan is also accelerating its deep-sea mining program and, in February 2026, recovered REEs from 6,000 meters below the surface of the Pacific Ocean.
Figure 4: Diagram showing how minerals containing critical elements can be extracted from the seabed Source: US Government Accountability Office)
Arctic ice volume has declined by more than 70% since the 1980s, opening new shipping routes and exposing vast natural resources. As ice retreats, significant deposits of critical elements such as cobalt, tin, and REEs are becoming accessible, alongside oil and gas reserves. Mineral-rich seabed nodules are also being uncovered, attracting increasing interest from both nation-states and private investors.
Greenlandcontains 25 of the European Commission’s 34 designated critical raw materials as well as substantial oil and gas potential. Mining remains difficult due to harsh conditions and limited infrastructure, but continued ice retreat combined with sufficient capital investment could unlock resources of major economic and geopolitical importance.
Figures 5 and 6: Map showing critical minerals located on Greenland (left) Source: The Telegraph);Map showing critical minerals in the Arctic region (right) Source: The Economist)
Antarctica is currently off-limits to mining until at least 2048 under a 1991 environmental agreement that designated the continent as a natural reserve. Antarctica is believed to hold significant reserves of oil, coal, and iron ore, which are already attracting growing interest for the future. China and Russia have announced plans to expand their presence in Antarctica. China’s intentions appear to be focused on resource exploitation, which could open up a new geopolitical fault line, this time in the South Pole.
Space is quickly becoming the next frontier for critical resource extraction. Critical elements are abundant on asteroids and on the Moon. As companies move toward space mining, the US and China are simultaneously racing to establish a permanent presence in space by the 2030s, intensifying an already highly competitive astropolitical environment.
What Is the Geopolitical Importance of REEs and Critical Elements?
Because industrialized nations need critical elements and REEs to manufacture advanced technologies, global demand is rapidly accelerating. China’s control over critical elements and REEs stems primarily from its dominance of processing and refining rather than extraction. By controlling much of the world’s REE separation and refining capacity, China holds significant leverage over global supply chains and strategic technologies.
This reliance has heightened anxiety in the US over access to critical and rare earth elements. In 2025, China demonstrated its leverage by threatening to suspend REE exports to the US, which compelled Washington to back away from plans to restrict the transfer of critical semiconductor technology.
The US government has since accelerated international critical minerals deals and begun investing in US mining operations to minimize its reliance on China, where over 90% of the world’s REEs are processed. Furthermore, we are now seeing the US strategically stockpiling critical minerals and seeking to form “critical minerals trade blocs.”
Have Any Cyberattacks Been Linked to REEs and Critical Elements?
State-sponsored cyber capabilities are deployed to support national objectives linked to mining operations and the exploration of new critical minerals.
In 2021, Insikt Group identified infrastructure previously linked to APT15, a Chinese state-sponsored threat actor targeting a Canada-based mining company focused on mining zinc, copper, and lead. While there is no public record of Chinese investment in that specific mining company, Chinese firms invested approximately CAD 40 million (USD $30 million) in other Canadian lithium miners during the same period. Ottawa later forced those companies to divest on national security grounds.
In 2025, Insikt Group identified several Chinese state-sponsored threat actors targeting an organization focused on monitoring and regulating seabed mining. These cyberattacks occurred around the same time that China entered into seabed exploration and mining partnerships with nations such as the Cook Islands, Kiribati, and Tonga. This campaign was almost certainly driven by a desire to gain advanced insight into deep-sea mining rules and rival nations' positions, helping it protect its critical minerals dominance and secure strategic seabed access ahead of its competitors.
Between January 2021 and January 2026, Insikt Group identified multiple sophisticated cyber operations targeting Indonesia. While not every intrusion can be conclusively attributed to mining activity, these attacks align with China’s strategic interest in Indonesia’s natural resources; for example, Chinese companies control about 75% of Indonesia’s nickel refining capacity. Furthermore, Indonesia holds approximately 55 million metric tons of nickel reserves, which is over 40% of global reserves.
Figure 7: Timeline of Chinese cyber threat actor campaigns identified by Insikt Group targeting Indonesia from January 2021 to January 2026,alongside large mining deals Source: Recorded Future)
In 2025, a hacker group known as Silent Lynx (or YoroTrooper) was reported to be targeting Russia's mining sector. Security researchers assessed that Silent Lynx is likely Kazakhstan-based, due to its language fluency, use of local currency, and regional targeting.
Ransomware and criminal cyber groups frequently target the mining sector, primarily for financial gain. As the sector’s global economic importance grows, it may attract increased extortion efforts. Insikt Group has previously identified ransomware groups operating in close coordination with state actors, effectively using ransomware as a smokescreen; as a result, we cannot rule out criminal groups increasingly providing access to mining organizations for state-sponsored cyber operations.
Figure 8: Data from Recorded Futureʼs Ransomware Dashboard showing the top five ransomware groups targeting the mining and metals sector in 2025 Source: Recorded Future)
Figure 9: Timeline from January 2021 to January 2026 showing mining companies being named on ransomware extortion sites,
alongside mining company access being sold on dark web sites Source: Recorded Future)
In 2024, Northern Minerals, an Australian rare earths producer, was compromised by the ransomware group BianLian. They published stolen data on the dark web shortly after Northern Minerals ordered Chinese-linked investors to divest their 10.4% stake. BianLian is a financially motivated group that opportunistically targets multiple sectors and is believed to be operated by Russia-based threat actors. While this leak was likely financially driven, state collusion cannot be ruled out, as state-sponsored threat actors increasingly hide operations behind criminal activity.
Outlook
The US and its allies will almost certainly intensify efforts to reduce strategic dependence on China for critical minerals. This is because control of mineral supply chains will be a decisive factor in determining leadership in the Fourth Industrial Revolution.
Mining activity will almost certainly expand into new frontiers, including the deep sea, the Arctic, and Antarctica, permanently reshaping both economic competition and geopolitical risk.
Space will very likely emerge as the final frontier for resource extraction. The US and China will accelerate competition to secure access to lunar and asteroid-based minerals, extending terrestrial resource rivalries beyond Earth’s orbit.
State-sponsored cyber threat actors operating on behalf of industrialized nations will almost certainly increase their focus on targeting mining companies and governments operating in strategically significant mining regions.
Criminal cyber activity will very likely increasingly serve as a smokescreen or initial access vector for state-sponsored operations targeting critical mineral mining companies.
Know your exposure to changes in critical mineral supplies: Map the locations of critical minerals in your products and suppliers, and identify potential single points of failure. Resilience question:Are there any single points of failure in critical products or business lines if China were to restrict the supply of REEs?
Build a fallback plan: Put backup suppliers, alternate materials, and realistic inventory buffers in place for the highest-risk supplies your organization relies on. Resilience question:What is our Plan B for our top three critical electronic supplies, such as laptops?
Prepare for criminal and state-sponsored cyberattacks: If you operate in or supply the mining and critical minerals sector, treat criminal intrusions as potentially more than financially motivated. In some cases, they may serve as cover for espionage. Actively monitor the latest indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) associated with threat actors known to target the sector or government bodies responsible for nation-state mining interests. Use Recorded Future’s Threat Intelligence Module to monitor for dark web and closed-source mentions tied to mining targeting. Resilience question:If we’re hit with ransomware, how quickly can we restore operations? Do we have backup systems and data?
Map out your supply-chain risks: If your organization operates in or near the mining industry, you might have robust security measures — but your suppliers might not. Use Recorded Future’s Third-Party Intelligence Module to identify risks in your supply chain. Resilience question:Which supplier or contractor would cause us the most problems if they were hacked, and could they be easily hacked from what we can identify?
Monitor the new mining hotspots: Track developments in the Arctic, Greenland, Antarctica, deep-sea mining, and space, as rules and conflicts there can quickly affect supply and reputation. Use Recorded Future’s Geopolitical Intelligence Module to gain visibility into new mining contracts and potential geopolitical risks from new deals. Resilience question:What early warning signs are we monitoring that could disrupt our supply chain in the next 6–12 months?
The paradoxes of today’s digital world are well-known to anyone with a smartphone.
Over the last decade, connectivity has expanded, yet the world has become more fragmented. Our everyday lives are more digital, but we spend more time parsing text messages for scams or deliberating the authenticity of potential deepfakes. Technology is delivering great productivity gains to small businesses while making them a larger target for cybercriminals.
In this environment, exposure becomes the default: Access points are growing, control is hard and reacting to change stops working. AI intensifies these dynamics because it compresses time for everyone, including adversaries.
Today, trust has become the most critical tool to move all businesses forward. Without trust, even the best ideas stall. People hesitate, adoption slows and growth stagnates.
Trust used to be something businesses tried to repair after a breach. Now it must be the starting point, and something to nurture and continuously prove in a world that has fundamentally changed.
It would be impossible to eliminate the risk entirely. Some estimates project cybercrime could cost the world $15.6 trillion annually before 2030, surpassing all but two of the world’s largest economies. Instead, the goal must be to build the ability to see sooner, decide faster and limit impact when, not if, something breaks. Trust today is all about bringing together speed, intelligence and collaboration, and that’s exactly what we’re developing across our teams.
Getting this right isn’t just good business sense, but the only way to ensure new technologies are embraced and economies can keep growing.
The advantage is intelligence
Real advantage comes from understanding context and connecting signals across systems. That’s what turns data into better decisions. This kind of intelligence increases speed, reduces risk and enables proactive action. With the right intelligence, teams can hunt for threats continuously, test assumptions and act before harm occurs, not just triage alerts after the fact.
You can see this shift in how the payments industry is evolving, including the work we’re doing by bringing Recorded Future’s threat intelligence together with Mastercard’s security capabilities, payments infrastructure and partnership models. We’re helping organizations understand where risk concentrates, how it propagates, and how quick, collective action can reduce the cost of cybercrime.
Faster insights mean earlier action, which minimizes impact — and deepens trust.
Trust is built through collaboration
Security doesn’t scale through isolated heroics. It scales through ecosystems: shared signals, shared standards and partners who can move together as new threats arise, attack vectors shift and failures spread.
Resilience is strongest when public and private sectors plan, exercise and respond together, rather than in parallel. Different players have different sightlines in the digital ecosystem. Startups look at the edges of innovation. Enterprises understand the realities of operating in today’s environment. Governments see where systemic risk concentrates. When those visions combine, our shields strengthen and expand, pushing cybercriminals out of the frame.
During our time here in Miami for the eMerge Americas conference, we’ve had the opportunity to speak to enterprises, startups, investors and government leaders about the need to accelerate resilience in Latin America, where the digital economy is booming but security hasn’t always kept pace. The region has the world’s fastest-growing rate of disclosed cyber incidents — in 2025 alone, Recorded Future tracked 452 ransomware incidents — but only seven countries have developed cybersecurity plans protecting critical infrastructure, and only 20 have formal computer security incident response teams.
That gap is where trust breaks, and where more collaboration can become a growth necessity. We can’t build sustainable economic growth in Latin America without building digital trust and cyber resilience. That’s why we are deepening our footprint here, enhancing regional threat intelligence and resilience and paving the way for stronger public-private collaboration to address these complex risks.
Secure digital access unlocks economic opportunity — and insecurity shuts it down fast. For a first-time digital user, one fraud incident can be enough to opt out for good. For a small business, one account takeover can wipe out months of progress. That’s why trust is inextricably linked to financial health. People can’t build stability on top of systems they’re afraid to use. At Mastercard, we’ve committed to connecting and protecting 500 million people and small businesses by 2030, because secure participation is foundational, not optional.
The bar for digital innovation today is not what we can deliver, but what people will trust enough to use, depend upon and harness for their own financial health. Because in the end, trust is the superpower.
Chinese-language, Telegram-based “guarantee” marketplaces are increasingly popular among Chinese-speaking criminal groups despite the widely publicized shutdown of Huione Guarantee in 2025. Although these guarantee marketplaces operate similarly to Huione Guarantee, they differ in their focus on particular aspects of cybercrime and in their targeting of specific geographies. To better understand these Chinese-language guarantee marketplaces, Insikt Group observed and analyzed another increasingly popular guarantee marketplace, dubbed Dabai Guarantee (“大白担保”).
Given that guarantee marketplaces typically involve hundreds to thousands of public and private channels, this report outlines how Insikt Group analysts navigated through just one of the Telegram channels belonging to Dabai Guarantee’s large infrastructure. The channel is known as Dabai Guarantee Public Group 301 (@DBTM301), and its main objective is to conduct “sweeping” operations (using illicit techniques to make purchases of physical goods at retailers or to withdraw and transact at country-specific ATMs) in South Korea and Japan. This report also includes the visible organizational structure of Dabai Guarantee Public Group 301, key rules, staff, and customer service functions.
This report primarily serves as an introduction to understanding how Chinese-language, Telegram-based guarantee marketplaces work and how to navigate them. It also includes interpretations of multiple criminal terminologies used by Chinese-speaking criminals, which are pivotal to understanding how Chinese cybercrime evolves over time. The cyber and fraud campaigns being promoted and launched on Dabai Guarantee and other similar guarantee marketplaces can negatively impact retail, banking, contactless payment providers, insurance companies, and individuals vulnerable to scam-related campaigns.
Key Findings
Dabai Guarantee is a platform that enables multiple Chinese-speaking threat groups with strong presences across multiple countries to coordinate and launch global-scale fraud and cyber campaigns.
Chinese-speaking syndicates are using Dabai Guarantee as a platform to facilitate campaigns involving financial and retail fraud, such as ATM withdrawal and ghost-tapping.
Criminal groups participating in campaigns are often siloed, acting independently, and restricting the sharing of information, resources, and goals, thereby creating barriers to tracking their activities.
Unlike conventional ghost-tapping campaigns that mainly target luxury businesses, “sweeping teams” typically purchase goods that are less expensive but still considered valuable to criminal groups and are relatively easy to transport (such as women’s cosmetics and tobacco products), likely to avoid detection by law enforcement. The sweeping teams eventually resell them in other markets for cash.
Dabai Guarantee’s bot search function makes it easy for Chinese-speaking criminals to enter specific search terms and be matched with existing public groups running those campaigns.
Background
Chinese-language guarantee marketplaces first emerged around 2021 with the launch of Huione Guarantee, serving as reliable alternatives to traditional dark web marketplaces accessible via the Tor network. Owners of traditional dark web marketplaces, such as Exchange Market and Chang’An Sleepless Night, have close to full control over advertisements and transactions. These guarantee marketplaces seek to eliminate distrust stemming from criminal groups scamming one another, dark web marketplaces shutting down, potential exit scams, and parties failing to honor terms that were previously agreed upon. Furthermore, guarantee marketplaces operate on publicly accessible Telegram channels by design; these public channels are meant to be found and appeal to a wider Chinese-speaking audience that uses Telegram, noting that most Chinese criminals still use Telegram rather than Tor for communication.
Guarantee marketplaces are often different from typical peer-to-peer (P2P) transactions between threat actors. Guarantee marketplaces are one-stop shops that handle and facilitate all cryptocurrency transactions (typically Tether/USDT) and mediation services between parties, whereas P2P transactions typically take place directly between users or through a third-party escrow service. The preferred cryptocurrency of Chinese-speaking threat actors is USDT, a stablecoin pegged to the US dollar that maintains anonymity. Stablecoins are a type of cryptocurrency designed to maintain a stable value by pegging themselves to reserve assets, most commonly the US dollar, to mitigate the volatility of cryptocurrencies like Bitcoin. According to Chainalysis’s 2026 Crypto Crime Report, stablecoins have come to dominate the landscape of illicit transactions, accounting for 84% of all illicit transaction volume in 2025. Chinese cybercriminals prefer using stablecoins such as USDT due to their combination of price stability, ease of border transfer, and relative anonymity. USDT also helps Chinese cybercriminals bypass China’s strict capital controls and traditional banking scrutiny to move money across borders.
In January 2025, Insikt Group published a report on the Chinese-language guarantee marketplace Huione Guarantee, “Huione Guarantee Serves as a One-Stop Shop for Chinese-Speaking Cybercriminals.” The report described the activities facilitated by Huione Guarantee, which include investment fraud, money laundering, and various online scams. Despite Huione Guarantee’s shutdown on May 13, 2025, Insikt Group observed that other guarantee marketplaces, such as Tudou and Xinbi, stepped in to fill the void left by Huione Guarantee's closure. According to Elliptic, Tudou Guarantee also shut down its operations in January 2026, after processing $12 billion in transactions. Even though Xinbi Guarantee was previously reported to have shut down, it has since been rebuilt and maintains a presence on Telegram as of this writing. Other, but not widely reported, active Chinese-language guarantee marketplaces operating on Telegram (besides Dabai Guarantee) are Yinuo, BoChuang, and Ouyi.
Guarantee marketplaces can also facilitate new attack vectors such as ghost-tapping. In July 2025, Insikt Group published a report titled “Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem,” which details how Chinese-speaking cybercriminals and syndicates work together to conduct retail fraud using near-field communications (NFC) relay tactics. As of February 2026, Insikt Group observed that Dabai Guarantee has emerged as a major player in Chinese-language cybercrime, with its Telegram-based infrastructure resembling that of Huione Guarantee and offering malicious services similar to those advertised on Huione Guarantee, which is now defunct.
Dabai Guarantee Overview
Dabai Guarantee is a Telegram-based marketplace, consisting of thousands of public and private Chinese-language Telegram groups, that operates in a manner similar to Huione, Tudou, and Xinbi guarantees; many of these services cater to “small to medium-sized clients.” However, the operators of Dabai Guarantee do not maintain a clearnet website; they operate solely on Telegram, likely due to operational security (OPSEC) concerns. Operators of Dabai Guarantee likely chose not to have a clearnet website in light of Huione’s “bad OPSEC” practices — Huione Guarantee’s clearnet website made tracking much easier for law enforcement officials and researchers, which likely contributed to FinCEN sanctioning the organization in May 2025. The Dabai platform is populated with third-party vendors providing various services that facilitate cybercriminal and fraud activities, including money laundering methods and services, compromised social media and e-commerce accounts, SIM cards, personally identifiable information (PII), malware-as-a-service (MaaS), deepfake technology, know-your-customer (KYC) bypass services, and more.
Dabai Guarantee was likely founded in December 2024, based on its Telegram Channel’s creation date. There are currently six known official main Telegram channels:
“公群导航 @dabai” (@dabai_a): “Public Group for Navigation Purpose”, 15,372 subscribers, as of this writing
“大白担保大群” (@dabai_c): “Dabai Guarantee Big Group”, 19,225 members, as of this writing
“大白供需频道” (@dabaiyajing): “Dabai Supply and Demand Channel”, 17,085 subscribers, as of this writing
“大白担保规则” (@dabai_e): “Dabai Guarantee rules”, 428 subscribers, as of this writing
“大白担保客服人员名单” (@dabai_f): “Dabai customer service list”, 527 subscribers, as of this writing
Dabai Guarantee’s public navigation channel, 公群导航 @dabai, is used to direct threat actors to different private/public Telegram channels to coordinate and collaborate on campaigns targeting both Chinese-speaking and non-Chinese-speaking victims. Below is a list of the service categories offered on the public Telegram groups on Dabai Guarantee. Each category has subcategories for more specific services. Each public Telegram group has a unique group number, the amount of the deposit made to Dabai Guarantee in USDT, the handles of group administrators and customer service representatives, the transaction rules, and a dedicated cryptocurrency wallet. More information can be found in Figure 1. These specialized channels include the following:
“海外钓鱼类” (“Overseas Phishing”) — Coordinate phishing campaigns against individuals residing outside of China
“买卖类” (“Trading”) — Buy and sell gift cards, databases, SIM cards, social media burner accounts, IP addresses, and physical goods
“引流类” (“Traffic generation methods”) — Overseas SMS blasts, Baidu promotions, chat scripts, and other services
“承兑类” (“Acceptance methods”) — Payment methods accepted by merchants include Alipay, WeChat Pay, and cryptocurrencies
“通道合作类” (“Cooperation Channels”) — Motorcade teams to conduct overseas operations such as collecting or making payments via cash and cryptocurrencies, and logistic operations to move physical goods
“短视频类” (“Short Videos”) — Short Douyin videos for promotions
“合作类” (“Cooperation”) — ID Loans, Apple IDs, courier delivery services, and burner mobile phones
“卡商类” (“Carding Merchants”) — Money laundering through bank cards and contactless cash withdrawal without cards
“搭建类” (“Developers”) — Software and bot setup services, and Apple signing/server/VPN/domain setup services
“其他类” (“Others”) — Other miscellaneous fraud services, social escort services, police impersonation, artificial intelligence (AI), and search engine optimization (SEO)-related services
“游戏类公群” (“Gaming-related public groups”) — Online gambling and video games
Figure 1:Dabai Guarantee’s public navigation purpose Telegram channel “公群导航 @dabai”, with listed categories(Source: Telegram)
Dabai Guarantee’s Rules (@dabai_e)
Dabai Guarantee’s rules channel (@dabai_e) has posted rules to prevent impersonation of the marketplace and to prevent users from creating their own “public groups” that are not officially regulated by Dabai Guarantee’s administrators. Some of the rules also showcase Dabai Guarantee’s OPSEC measures to prevent scamming and impersonation. The original Chinese text is in Appendix B. The following are some key rules:
Members are not allowed to create their own public group channel without Dabai Guarantee`s approval.
Members are not allowed to have private dealings with other parties or platforms, as Dabai Guarantee only guarantees transactions conducted on its platform. Dabai Guarantee also does not provide assurances for transactions with the Public Group “boss” or any other administrator. This means that no individual should have any transactions with the boss directly and should instead use Dabai Guarantee’s funds transfer mechanism.
Individuals who initiate a chat session with you are 100% scammers; members are to block and refrain from chatting with them.
The cryptocurrency address belonging to Dabai Guarantee is unique, and anyone sending other deposit addresses is a scammer.
After members have staked their cryptocurrency as deposits, they are required to send Dabai Guarantee’s leadership screenshots of the deposit to @dabai for verification and confirmation. Any losses resulting from failure to contact @dabai will be the member’s responsibility.
Case Study: Public Group 301
Group Structure
For this report, we will use the Telegram channel “Public Group 301,” which belongs to Dabai Guarantee, as a case study. This is not meant to be a comprehensive analysis of Dabai Guarantee’s massive infrastructure and that of other Chinese-language guarantee marketplaces. It is difficult to accurately quantify how many “Public Group” channels and threat groups are on Dabai Guarantee, as the numbers tagged to Public Groups are not assigned in chronological order, resulting in a lack of visibility — unlike Huione Guarantee, which had a clearnet website that listed the Public Group channels to redirect threat actors. Although there are thousands of channels belonging to Dabai Guarantee alone, understanding Public Group 301’s structure can at least provide insight into how threat actors use Dabai Guarantee in their campaigns.
In guarantee marketplaces, threat actors looking to launch campaigns typically deposit USDT to start a public Telegram group approved by Dabai Guarantee. This model ensures that criminal syndicates do not have to deal with other threat actors directly, but have Dabai Guarantee as a mediator. In the case of Dabai Guarantee’s Public Group 301, affiliate threat groups do not have to engage directly with the group’s leader, @J0hnNo1, and instead receive payments from Dabai Guarantee after the completion of tasks required by @J0hnNo1. Guarantee marketplaces such as Huione, Tudou, Xinbi, and Dabai seek to eliminate the “lack of trust” among Chinese-speaking threat actors. These marketplaces are designed to become trusted platforms that foster coordination and cooperation between different Chinese-speaking criminal groups to achieve their objectives.
Insikt Group navigated through Public Group 301’s Telegram infrastructure in order to identify the redirection flow. As shown in Figure 1, each category contains a hyperlink that redirects to other channels. From Figure 1, selecting category 5, sub-category 2 (“海外扫货车队”, or “Overseas Goods Sweeping Team”) redirected to a pinned message as seen in Figure 2. This message lists four different public channels (“公群”) containing campaigns targeting the US, Canada, South Korea, and Japan.
Figure 2:Selecting “海外扫货车队” (Overseas Goods Sweeping Team) redirects users to four different Telegram groups, where threat actors are seen discussing and showing off their financial crime-related achievements in countries such as the US, Canada, South Korea, and Japan (Source: Telegram)
As seen in Figure 2, “公群” refers to unique Public Group channels for specific purposes or operations. Each public channel here contains a numerical group identifier and a “U” deposit amount, where “U” refers to USDT. For example, “公群935已押2000U” refers to Public Group Number 935, with 2,000 USDT already being deposited in Dabai Guarantee to start the campaign. The naming convention for these Public Groups is ”dbtmxxx”; in this case, Public Group Number 935 will have the Telegram channel @dbtm935. When selecting the second option, “公群301已押1000U韩国,日本扫货组”, which means Public Group Number 301, with 1,000 USDT already deposited to “sweep goods” in South Korea and Japan, the corresponding Telegram channel is @dbtm301.
Upon further investigation and analysis of the channel, Insikt Group assesses that “sweeping goods” refers to the use of illicit means, such as ghost-tapping, to purchase physical goods at physical retail stores (in this case, in South Korea and Japan). This activity also includes ATM cash withdrawals at Japanese or South Korean ATMs.
Key Personnel Involved in Public Group 301
The following terms are important for understanding the operations of criminals involved in Public Group 301, and the entire Dabai Guarantee infrastructure more broadly:
Boss (“群老板”): The main coordinator overseeing a group’s operations. These individuals are not directly related to Dabai Guarantee and operate more like customers, making use of Dabai Guarantee’s infrastructure to lay out tasks and promising payouts in USDT upon completion. The boss will typically start a campaign by placing significant deposits into Dabai Guarantee’s USDT cryptocurrency addresses (“上押地址”) in order to get Dabai Guarantee’s administrators to approve the creation of a Public Group channel. In Dabai Guarantee’s Public Group 301 (@dbtm301), @J0hnNo1 is the boss of the channel. We observed that this threat actor intends to conduct ghost-tapping and fraud campaigns in Japan and South Korea, with the key objective of obtaining physical goods, cash, and funds through unauthorized transactions. Once the boss confirms receipt of the items and is satisfied with the outcome, they can ask Dabai Guarantee to release the payment to the criminals who participated in the requested task.
Channel Administrators (“管理员”): Dabai Guarantee’s personnel who act as intermediaries between the boss and other Chinese syndicates, ensuring that the boss gets the items and physical cash, while the Chinese syndicates are paid in USDT. These are the people who will process the payments. Channel administrators will also inspect video evidence provided by sweeping and “goods-receiving” teams and wait for confirmation from the boss that everything is satisfactory before releasing payments to the various Chinese-speaking criminal groups.
Chinese Syndicates (“犯罪组织”): Teams in charge of providing the people (“mules”) to form sweeping and goods-receiving teams. These syndicates will coordinate with the boss and receive payment in USDT after completing the required jobs.
Sweeping Teams (“扫货队”): Personnel tasked by the boss or other administrators with obtaining physical goods or conducting ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud, and to eventually transfer the goods to “goods receiving” teams.
Goods Receiving Teams(“收货队”): Personnel tasked by either the boss or their respective Chinese syndicates with receiving goods from sweeping teams; the items will eventually have to reach the “goods inspection teams.”
Goods Inspection Teams(“检货队”): Personnel tasked with physically inspecting the goods and cash being delivered by the sweeping or goods-receiving teams, typically appointed by bosses. When the “goods receiving” team is appointed by the boss, it is also possible that the “goods receiving” and “goods inspection” teams are composed of the same personnel, each fulfilling multiple roles. These teams will inform the boss whether the physical goods are satisfactory, and the boss will proceed to ask Dabai Guarantee to release the payment to the sweeping and goods-receiving teams.
Insikt Group assesses that individuals in the sweeping, goods receiving, and goods inspection teams act as mules, and these teams likely consist of Chinese-speaking tourists who can amass large quantities of physical goods and cash and exit the targeted countries as soon as possible. It is also likely that Chinese-speaking groups have members who are long-term residents of the countries targeted by the operations, such as South Korea and Japan.
Figure 3:Simplified illustration of Dabai Guarantee Public Group 301’s structure (Source: Recorded Future Data)
Figure 3 is a simplified illustration of Dabai Guarantee’s Public Group 301’s organizational structure. The barrier to entry for participating in “sweeping operations” is low, as participants just need to have the legal right to enter Japan or South Korea, pose as tourists, and follow the instructions given by the boss and other administrators. We estimate that there are likely more than a dozen sweeping teams linked to Dabai Guarantee operating in Japan and South Korea alone. Sweeping teams are likely assigned to obtain certain goods and cash in very specific areas and do not coordinate with one another because they are being deployed by different Chinese syndicates. This model suggests that operations are siloed, where teams act as independent, isolated units that restrict the sharing of information, resources, and goals.
Figure 4 shows the Telegram structure of Public Group 301, where @J0hnNo1 is the channel's boss. The channel is also composed of multiple Dabai Guarantee customer service staff, who serve as administrators. The original creator of the channel is @dbwb22; the Telegram account is no longer active, and @dbwb22 is no longer listed as one of Dabai Guarantee’s official customer service agents.
Figure 4:List of key personnel in Dabai Guarantee’s Public Group 301 (@dbtm301); @J0hnNo1 is listed as this group’s public channel boss (Source: Telegram)
The distribution of these teams significantly complicates efforts by researchers and law enforcement agencies to track and deter such criminal activities. For example, if members of “Sweeping Team A” are arrested for retail or financial fraud, law enforcement agencies will still need to locate the members of the “Goods Receiving Teams” and “Goods Inspection Teams” before they can even get close to decoding the identity of the boss, who is most likely coordinating operations from a location outside Japan or South Korea’s jurisdiction, such as Cambodia or Myanmar. Additionally, these sweeping teams most likely consist of low-level mules who are considered “expendables” by their Chinese syndicate recruiters. The screenshots in Figures 6, 7, 8, 9, and 10 illustrate the siloed operations conducted by different sweeping teams.
Figure 5 shows Dabai Guarantee customer service personnel @dbtm9 helping to set up public Telegram channel 301 on March 21, 2025, and serving as the channel’s key administrator. This individual serves as a mediator to facilitate transactions and dealings between the boss and other threat actors. The total amount of USDT deposited on that date was 485 USDT; as of this writing, it has risen to 1,000 USDT. The purpose of this channel is to encourage other threat actors to cooperate by taking part in sweeping and goods-receiving operations in Japan and South Korea. In the conversation below, the boss stated that the deposit amount will increase in proportion to the transaction amount. Insikt Group assesses that this would mean the sum of deposit scales with the size of operations in Japan and South Korea.
Figure 5:Screenshot of Public Group 301’s (@dbtm301) administrator (@dbtm9) establishing a group for “sweeping goods” and “receiving goods” operations in South Korea and Japan
Figure 6 shows that the boss is looking to recruit sweeping teams to conduct operations in Seoul, South Korea. The main objective is to purchase cosmetics, and once the goods have been delivered, the rewards will be “high.” The final sentence uses the term “速度快”, which means that the boss welcomes any sweeping team that can conduct and complete these operations quickly.
Figure 6:Screenshot of Public Group 301 “boss” @J0hnNo1 recruiting sweeping teams to purchase cosmetics in Seoul, South Korea (Source: Telegram)
Figure 7 features a sweeping team involved in purchasing tobacco-related products from the Terea brand at a CU store, a South Korean convenience store chain in Seoul, South Korea. It is clear that the boss has goods from specific brands they wish to obtain, and such goods may be resold for cash in other foreign markets at a later date, likely at a lower price to obtain hard currency as soon as possible. Insikt Group assesses that the items are very likely purchased using the ghost-tapping attack vector or through stolen payment card information. This reflects a shift from targeting luxury retailers to smaller-sized businesses, likely to avoid arousing suspicion from law enforcement authorities
Figure 7:Public Group 301’s boss @J0hnNo1 showing a CU receipt of tobacco sticks belonging to the Terea brand totaling 288,000 won, worth approximately $196 on March 25, 2025 (Source: Telegram)
Figure 8 shows an Apple Store receipt listing unspecified Apple products totaling 499,600 yen (approximately $3,145.66, as of this writing). Public Group 301’s boss @J0hnNo1 also stated, “Who said there are no large transactions in Japan? Just a single receipt amounted to 500,000 Yen.” This is likely a post encouraging syndicates to send more sweeping teams to acquire as many Apple products as possible, while hinting that the rewards could be lucrative.
Figure 8:Public Group 301’s boss @J0hnNo1 showing an Apple store receipt of items totaling 499,600 yen, approximately $3,145.66 on December 28, 2025 (Source: Telegram)
Figure 9 provides some evidence that Vietnamese individuals are also involved in sweeping operations. In the top-left corner of the iPhone in the image, the Vietnamese phrase "Không có SIM" means "No SIM card." This indicates that the person holding the phone is very likely a Vietnamese-speaking individual conducting unauthorized banking transactions using burner iPhones. Every single burner phone appears to be tagged with a label, which is very similar to the tactics, techniques, and procedures (TTPs) we documented in our Insikt Group report on ghost-tapping. It is also likely that this individual understands Japanese in addition to Chinese, as they were observed interacting with a Japanese banking application that displayed processed transactions. The transactions shown in the screenshot are dated between July 30, 2025, and August 28, 2025. The ability to use Japanese banking applications is an indicator that this individual is legally residing in Japan. In general, most Japanese banks require foreigners to close their bank accounts before leaving permanently; these regulations are implemented by major Japanese banks such as Shinsei Bank.
Figure 9:Image posted by Public Group 301’s boss @J0hnNo1 involving multiple unauthorized banking transactions from July 30, 2025, to August 2025. Insikt Group assesses that this is indicative of a ghost-tapping campaign targeting Japanese retail businesses involving multiple Apple burner iPhones on August 28, 2025 (Source: Telegram)
Figure 10 shows what appears to be an ATM cash withdrawal or transfer attempt at a Japanese ATM at an unspecified bank. This screenshot is also likely shown as an example of what sweeping teams in charge of withdrawing and transferring cash are expected and required to do.
Figure 10:Public Group 301’s boss @J0hnNo1 posted an image of what Insikt Group assesses to be an ATM cash withdrawal/transfer using a Japanese ATM machine on April 23, 2025 (Source: Telegram)
Figure 11 shows a cryptocurrency transaction of 10,629 USDT via the Tron (TRX) network to a sweeping team for the successful completion of the “mission.” The boss @J0hnNo1 thanked the sweeping team coordinator without identifying them. The exact phrase used while posting the image was “感谢老板信任”, which translates from Chinese to “Thank you boss for trusting me.” Boss, in this context, refers to the Chinese syndicates that provide the sweeping teams for successful operations. In the entire Dabai Guarantee Public Group 301 channel, there were many screenshots of such cryptocurrency transactions being sent to teams that participated in sweeping operations. The boss redacts recipients' cryptocurrency wallet addresses to prevent law enforcement agencies from tracking them. The TRON wallet address used by Public Group 301 is TByDzGWCirpCABaUorkhz5eWhjyDdYWgSo, as shown in Figure 11; this wallet address has facilitated a total of 2,943 transactions as of this writing.
Figure 11:Multiple screenshots involving USDT transactions are posted on the channel, likely for transparency and to reassure the sweeping teams (Source: Telegram)
Dabai Guarantee’s Staff and Customer Service Functions (@dabai_f)
Dabai Guarantee maintains a list of its official staff and customer service agents on its Telegram channel @dabai_f to facilitate the creation of Public Group channels and transactions. This system also helps prevent impersonation and scamming. Members are to contact customer service agents directly for any queries or concerns. The staff and customer service teams usually provide the functions listed in Tables 1 and 2; the customer service agents are listed in Figure 12 by their functions and Telegram handles.
Chinese Term
English Term
Explanation of Function
Telegram Moniker/Channel
大白公群
Main Dabai Public Group
Dabai Guarantee’s directory, to help threat actors navigate through different aspects of cybercrime
@dabai_a
供求信息
Supply and demand information
A channel where Dabai Guarantee’s administrators post advertisements on behalf of their customers (other threat actors)
@dabaiyajing
核心大群
Core group
A channel where other threat actors can post their own advertisements and URLs for their websites, as well as key contact information, such as Telegram monikers
@dabai_c
客服频道
Dabai Guarantee’s official customer service channel
A channel for individuals to reach out to customer service officers who cater to different categories of cybercrime
@dabai_f
人工客服 @dabai 咨询、拉群、广告
Human customer service agents for consultation, group chat, and advertising
A bot channel that redirects individuals to human customer service agents for consultation, group chat, and advertising
@dabai
人工客服 @dabai 会员、解封、投诉
Human customer service agents for membership queries, unblocking accounts, and complaints
A bot channel that redirects individuals to human customer service agents for membership queries, unblocking accounts, and complaints
@dabai
人工客服 @dabai 验群、丢失群恢复
Human customer service agents for group verification and lost group recovery
This is to prevent impersonation, such as threat actors starting their own Public Group that is not officially approved by Dabai Guarantee.
There may be instances where Telegram deletes public channels for violating the terms of service, and the customer service team offers a service to restore them (This happened to Huione and Xinbi Guarantee; many of their channels were deleted by Telegram).
@dabai
人工客服 @dabai 纠纷仲裁、资源对接
Human customer service agents for dispute arbitration and resource matching
Customer service agents will attempt to resolve disputes between criminal groups when an unsatisfactory outcome is reached for one or more parties. They can also moderate disputes on transactions between buyers and sellers.
Resource matching refers to customer service agents attempting to match criminal groups to certain existing groups that are already participating in specific campaigns. In addition, customer service agents can connect buyers with sellers of goods and services.
@dabai
24小时客服机器人
24-hour customer service bot
@dabai
公群报备机器人
Public Group reporting bot
A bot that assists members in reporting violations of the terms of service
@dbhwbb_BOT
公群记账机器人
Public Group accounting bot
A bot that can help to look up transactions, real-time USDT pricing in relation to Chinese Renminbi (RMB), and cryptocurrency wallet monitoring
@dbjz_bot
客服人员名单 (@dbtm0 - @dbtm10 )
所有号标配 +888 虚拟号 没有一律骗子
Customer service staff lists (@dbtm0 – @dbtm10)
All customer service numbers come with a +888 virtual number. Any number without this is a scam.
@dbtm0 – @dbtm10
Table 1:List of Dabai Guarantee’s official staff and functions (Source: Telegram, Recorded Future)
Chinese Term
English Term
Explanation of Function
Telegram Moniker/Channel
业务号(大白)
Business account (Dabai)
A business account belonging to a person called Dabai, with no specific function stated
@dbtm1
业务号(萌萌)
Business account (“Mengmeng” — Admin’s moniker)
A business account belonging to a person called Mengmeng, with no specific function stated
@dbtm9
专群交易员
Specialist traders
A group of agents well-versed in certain types of trade to facilitate coordination and cooperation in the public channels
@dbtm0
@dbtm3
@dbtm4
公群交易员
Public Group traders
A group of agents who facilitate cryptocurrency transactions, receive deposits, and release payments to other criminal groups
@dbtm7
@dbtm8
@dbtm10
公群巡查号
Public Group patrol account
A group of agents who direct individuals to specific Public Group channels based on what they are looking for
@dbtm2
担保仲裁号
Guarantee arbitration number
A case reference number assigned by agents for any disputes between parties
@dbtm5
资源对接号
Resource docking number
A unique number is assigned to a case or transaction to track conversational and transaction records
@dbtm6
Table 2:List of Dabai Guarantee’s customer service agents (Source: Telegram, Recorded Future)
Figure 12:Dabai Guarantee customer service Telegram channel “大白担保客服人员名单” (@dabai_f) provides a list of customer service agents (Source: Telegram)
Automated Bot System Directs Chinese Syndicates to Relevant Public Groups for Existing Campaigns
Insikt Group analyzed the public administrator bot @dbdbqg_bot to observe how a Dabai Guarantee user would be routed by the platform to participate in cybercriminal activities. To use this functionality, individuals must enter search terms in Mandarin. We used the terms 远程 (remote) and 数据 (data), which returned three and ten public channels, respectively. When querying for the term “远程” (remote), which typically refers to ghost-tapping campaigns involving NFC relay methods, three Public Group channels appeared as relevant results. When querying for the term “数据” (data), which typically refers to databases, ten Public Group channels specializing in datasets appeared in the results. In addition, using a country as a search term, such as 美国 (US), will also return results that show fraud or cyber campaigns targeting the US. This bot function demonstrates how easy it is for criminal groups to search for relevant groups, determine which campaigns they wish to participate in, and identify the types of datasets they are interested in procuring. Table 3 shows the number of Public Group channels involved in fraud or cyber campaigns for the search terms; specific details are not listed due to certain global entities named in the Public Group channels belonging to Dabai Guarantee.
Figure 13:Dabai Guarantee’s public administrator bot @dbdbqg_bot has a search function that will return results relevant to the individual’s search (Source: Recorded Future Data)
Chinese Criminal Lingo and Corresponding English Meaning
@dbtm153 (64 members, 800 USDT deposit as of writing)
@dbtm439 (49 members, 777 USDT deposit as of writing)
@dbtm307 (268 members, 500 USDT deposit as of writing)
数据 (Data)
10
Threat actors buying and selling databases
@dbtm123 (519 members, 888 USDT deposit as of writing)
@dbtm99 (49 members, 500 USDT deposit as of writing)
@dbtm688 (151 members, 500 USDT deposit as of writing)
@dbtm369 (65 members, 500 USDT deposit as of writing)
@dbtm567 (80 members, 2,888 USDT deposit as of writing)
@dbtm449 (177 members, 500 USDT deposit as of writing)
@dbtm298 (145 members, 500 USDT deposit as of writing)
@dbtm327 (89 members, 500 USDT deposit as of writing)
@dbtm211 (836 members, 500 USDT deposit as of writing)
@dbtm816 (851 members, 500 USDT deposit as of writing)
美国 (US)
2
Fraud or cyber campaigns targeting US entities
@dbtm322 (338 members, 500 USDT deposit as of writing)
@dbtm932 (956 members, 500 USDT deposit as of writing)
钓鱼 (Phishing)
1
Phishing campaigns
@dbtm142 (234 members, 500 USDT deposit as of writing)
账号 (Account)
2
Burner accounts being used for fraud campaigns
@dbtm322 (338 members, 500 USDT deposit as of writing)
@dbtm425 (60 members, 500 USDT deposit as of writing)
银行 (Bank)
2
Fraud campaigns targeting or involving banks worldwide
@dbtm420 (117 members, 500 USDT deposit as of writing)
@dbtm138 (50 members, 1,000 USDT deposit as of writing)
Table 3:Search results of Dabai Guarantee’s Public Group channels using their bot function (Source: Telegram, Recorded Future)
Outlook
Even with guarantee marketplaces such as Huione Guarantee being shut down, many Chinese criminals are likely turning to these Telegram-based guarantee marketplaces to sell illicit goods and to offer their services. Guarantee marketplaces such as Dabai Guarantee have demonstrated their ability to coordinate operations in countries such as Japan, South Korea, Canada, and the US by using Chinese-speaking individuals who are traveling or residing in those geographies to conduct retail and financial fraud. Over time, Dabai Guarantee may be able to establish itself as a trusted escrow platform for Chinese syndicates to rely on, despite the growing competition from existing and new guarantee marketplaces. There is also a possibility that operators of other guarantee marketplaces could execute an exit scam, leading to a loss of trust in guarantee marketplaces as a whole among Chinese criminals.
Threat actors such as @J0hnNo1, the leader of Dabai Guarantee Public Group 301, seek to obtain physical goods and foreign currency through illegal means, giving specific instructions to different syndicates to complete their objectives. Such operations are scalable on demand and will become harder to track and disrupt over time due to the siloed nature of the sweeping and goods-receiving teams. This report showcases the activities and structure of a single group (Public Group 301), which is only one group among hundreds under Dabai Guarantee’s decentralized and growing infrastructure. Ghost-tapping and ATM withdrawals are commonly used by Chinese-speaking criminals for money laundering, and we will likely continue to see more threat actors facilitating such financial and retail-related crime on multiple guarantee marketplaces.
Insikt Group assesses that Chinese syndicates will continue to recruit and deploy non-Chinese individuals with specific language skills to participate in campaigns, as exemplified by the Vietnamese individual mentioned in Figure 9.
Insikt Group assesses that guarantee marketplaces have solidified themselves as a major alternative to traditional Chinese-language dark web marketplaces. This decentralized model is becoming increasingly popular among the global Chinese-speaking criminal diaspora, enabling criminals without sophisticated skillsets to coordinate with syndicates and participate in operations that require physical elements.
Appendix A: Glossary of Terms
Chinese
Direct Translation
Definition with Relevant Context
公群
Public Group
Public Telegram channel/group facilitates a specific campaign, usually ending with a number; for example, 公群 1025 means Public Group 1025
飞机
Plane
Cryptocurrency
退押
Backing down
Withdrawal of funds from a Public Group
交易所地址
Transaction address
Cryptocurrency transaction wallet address
上押地址
Betting/Staking Address
Unique cryptocurrency addresses owned by Dabai Guarantee are usually listed in Public Groups. Threat actors who wish to launch a specific campaign must stake enough cryptocurrency as a deposit to create a Public Group channel; they will become the channel's “boss.”
私下拉群做单
Privately soliciting orders
拉黑
Blackmail
When an individual blocks someone who contacts them directly (Dabai Guarantee’s staff will never initiate private chats with any individual)
拉群
Pull the crowd
Start a new public Telegram group and get people to join it so other criminal groups can participate in a new, specific campaign
扫货
Sweep goods
To obtain physical goods or conduct ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud
收货
Receive goods
To receive goods, typically obtained by sweeping teams via illegal means
群老板
Group boss
Main coordinator to coordinate with other Chinese-speaking criminal groups for cyber and/or fraud campaigns; individuals who staked USDT to get approval to start a Public Group channel on Dabai Guarantee
冒充
Impersonate
Some scammers may impersonate group bosses or create Telegram groups with the intention of scamming other Chinese syndicates.
钱包监听
Wallet monitoring
To monitor cryptocurrency transactions in real time
实时U价
Real-time USDT value in relation to the Chinese Renminbi
AI vulnerability research and discovery capabilities are improving, but they have not changed the fundamentals of vulnerability management. Instead, they are scaling up problems familiar to vulnerability managers: patch prioritization and remediation backlogs.
For defenders, the timeline for determining which vulnerabilities matter most and remediating them before exploitation begins is narrowing, even as the overall volume of vulnerabilities rises. Organizations that rely on manual prioritization, slow patch cycles, or legacy software will face growing operational and security risks.
Figure 1: Reality versus hype of automated vulnerability research
The Vulnerability to Exploit Ratio
Vulnerabilities are software flaws attackers can use to gain access, run malicious code, escalate privileges, or disrupt operations. However, not every bug becomes a real-world threat: many are hard to reach, difficult to weaponize, or simply not worth an attacker’s time.
The total number of disclosed vulnerabilities has increased sharply in recent years, rising from roughly 21,000 in 2021 to nearly 50,000 in 2025. Part of that increase likely reflects stronger disclosure practices and bug bounty activity, though software growth, a broader attack surface, and more systematic reporting also play a role. Nonetheless, in 2025, Recorded Future only identified 446 vulnerabilities that were actively exploited in the wild, a reminder that confirmed exploitations remain a small fraction of total disclosures.
Figure 2:Yearly comparison of disclosed CVEs against CVEs with public exploits and vulnerabilities assessed as actively exploited by the Cybersecurity and Infrastructure Agency’s Known Exploited Vulnerabilities (KEV) Catalog and Recorded Future, 2021-2025
This is because attackers do not exploit every bug they find. Instead, they focus on developing exploits for the small subset of vulnerabilities that offer the best combination of reach, reliability, and return on investment, such as flaws that can be exploited remotely or affect widely used software. In other words, a vulnerability still has to be validated, turned into a reliable exploit, matched to a target, and integrated into an attack path worth the effort.
When a flaw matches the criteria, however, exploitation can move quickly. VulnCheck found that nearly 29% of KEVs in 2025 were exploited on or before CVE publication, a slight increase from the previous year, indicating the continued prevalence of zero-days and n-days. Much as their legitimate counterparts use AI in software development, adversaries are already using AI to accelerate parts of the attack workflow, including vulnerability research, exploit-path analysis, and malware development, even if its precise effect on exploitation timelines is hard to quantify. Some trackers estimate the median time-to-exploit may now be measured in hours rather than days, demonstrating the shortening window of time to act on a high-impact vulnerability.
How AI Changes the Equation
Anthropic and OpenAI recently drew significant attention through their limited release of what they claimed were uniquely powerful cyber defense models. An independent evaluation of Anthropic’s Mythos found significant improvements in multi-step cyberattack simulations. However, AI-assisted vulnerability discovery and penetration testing predate these models, and most frontier models have already demonstrated the ability to identify vulnerabilities and assist with exploit development. At present, these tools are still most effective in the hands of capable operators rather than enabling frictionless, low-skill exploitation at scale. This matters, too, as even if these capabilities are used primarily by security researchers in the near term, the resulting increase in disclosures, proofs of concept, and validated findings still adds to the defensive burden.
This impacts vulnerability management in three important ways:
More credible vulnerability reports to triage: New agentic systems can do more than flag suspicious code; they can reason through program behavior, validate findings, and help identify which weaknesses appear most exploitable.
Less time to mitigate exploitable vulnerabilities: Large-language models (LLMs) are accelerating the speed and scale of weaponization, meaning the path from disclosure to exploit could go from hours to minutes.
Reduced the cost of exploit development: Emerging models appear more capable of producing proof-of-concept exploit code, testing attack paths, and helping skilled operators iterate toward weaponizable exploits faster than before.
Figure 3: The vulnerability equation: How automated capabilities will likely impact reporting, exploit development, and impact
More Reports, More Noise
Using AI agents for software code will almost certainly increase the number of reported vulnerabilities and developed proofs-of-concept. Microsoft’s April 2026 Patch Tuesday, which followed Anthropic’s Project Glasswing announcement, was the company’s second-largest on record. However, according to Microsoft, it “does not reflect a significant increase in AI‑driven discoveries, though [they] did credit one vulnerability to an Anthropic researcher using Claude.” The more important question is not whether more flaws will be found — because they will be — but whether defenders can process, validate, and prioritize them fast enough to act.
Vulnerability submissions are already overwhelming researchers’ ability to assess their overall risk, creating a backlog of vulnerability enrichment and scoring. If AI sharply increases the volume of plausible findings, defenders will face even more uncertainty around which vulnerabilities represent the next high-impact systemic event and which are background noise.
Less Time to Act
For the vulnerabilities that are actually a problem, defenders have even less time to respond. Automated exploit development will likely shorten the path from discovery to proof of concept and, in some cases, to weaponization for the subset of vulnerabilities worth pursuing. Adding to the triage problem, some medium-severity or otherwise “non-critical” vulnerabilities will need to be re-evaluated as possible components of exploit chains, even if they would not normally rank as urgent on their own.
Drowning out the Alarms
Even as defenders deal with more noise, a larger volume of reported, plausible findings is likely to increase the absolute number of high-impact exploits they need to address quickly. As a result, defenders face an even greater challenge in identifying the small subset of issues that matter most before attackers do.
This does not mean every newly disclosed flaw will be weaponized, or that high-impact, “internet-breaking” events will become commonplace; however, even a modest increase in exploited vulnerabilities puts more pressure on prioritization, patching speed, and compensating controls, especially for organizations already struggling with manual triage, slow patch cycles, or legacy software.
How to Use Automation for Good
For most organizations, the immediate risk is not that every vulnerability will suddenly be exploited, but that defenders will have less time to determine which findings matter most. Vulnerability discovery and exposure management should therefore be treated as related but distinct problems: AI may increase the number of findings, but defenders still need context to determine which exposures are actually reachable, high-impact, and worth urgent remediation.
In this environment, using AI-enabled vulnerability discovery, prioritization, and defensive remediation will be essential to keeping pace with attackers. The five actions listed in the following section can help organizations stay ahead of the threat.
1. Automate Vulnerability Prioritization and Response
Shift from CVSS-only scoring to real-time exploitability and exposure-based risk scoring to handle the surge in AI-assisted vulnerability discovery. Deploy automated scanning, validation, and threat hunting to identify exploitation activity quickly, especially in widely used software and internet-facing systems. Recorded Future’s Insikt Group regularly reports on new vulnerabilities and exploit trends and develops Nuclei templates to detect actively exploited vulnerabilities.
2. Accelerate Patching and Upgrade Cycles
As the time to exploit shifts from days to hours, the time to mitigate vulnerabilities will similarly shorten. Patch management will need to move faster, particularly for internet-facing systems, widely used software components, and critical dependencies. Automated remediation and automated compensating controls will likely become necessary to keep pace with AI-accelerated discovery. The Vulnerability Intelligence module in the Recorded Future Intelligence Operations Platform can help with prioritization based on the likelihood of exploitation. Ensure all automated actions are logged and regularly audited by a human, and require a human-in-the-loop for any actions on high-impact systems.
3. Reduce Dependence on Legacy and Unsupported Software
AI may make it easier for threat actors to identify and validate exploitable weaknesses in older, under-maintained codebases. Unsupported systems and aging software are likely to become increasingly difficult to justify unless they are strongly isolated and tightly controlled.
4. Shift Vulnerability Detection Earlier in the Software Lifecycle
Organizations should integrate automated security testing and AI-assisted vulnerability discovery into development pipelines. Early detection can help defenders fix vulnerabilities before production, reducing remediation burden later.
5. Get Ready for the Next High-Impact Event
Develop emergency response and mitigation playbooks specifically for high-impact, broadly applicable flaws, including scenarios where a patch is not immediately available. Preparation should include not just patching, but also containment measures such as segmentation, access restrictions, traffic filtering, and other compensating controls.
Agentic AI adoption is accelerating rapidly as enterprise software and applications increasingly incorporate task-specific AI agents, enabling autonomous execution of complex tasks at machine speed.
The autonomy and scale of AI agents introduce significant enterprise risk, as errors, misconfigurations, or malicious manipulation can propagate quickly across interconnected systems, amplifying the potential impact of incidents.
Agentic AI will exacerbate existing weaknesses in software supply chains, as vulnerable or malicious open-source components can be deployed faster and at scale.
Identity and access management risks will also expand dramatically, as agents require broad, cross-environment permissions; compromised credentials, SSO platforms, or agent identities could enable large-scale service disruption or data exfiltration.
Prompt engineering enables threat actors to manipulate agents into carrying out malicious actions, underscoring the importance of layered security controls, zero-trust principles, and human-in-the-loop checkpoints to mitigate agent-driven threats.
Figure 1: AI agents have the potential to improve efficiency, reduce costs, and improve decision-making. However, the same features that make them so powerful will bring new security risks, and scale up old ones, if not managed effectively. (Image source: Recorded Future)
Analysis
Agentic Artificial Intelligence Is Set to Expand Rapidly
“Agentic artificial intelligence” refers to AI systems that can do things with limited human intervention. For example, traditional AI can draft code for a user who wants to build a website; agentic AI not only writes the code, but registers the domain and sets up hosting to launch the site.
Gartner predicts that as many as 40% of enterprise applications will incorporate task-specific AI agents by the end of 2026. A Deloitte report anticipates that at least 75% of companies will use agentic AI to some extent by 2028. The benefits of AI agents are that they can carry out complex tasks independently and at machine speed, working individually or as part of a multi-agent system.
However, the same features that make these systems powerful also introduce significant security risks. To operate effectively, agents need to seamlessly interact with other agents, humans, and software. This requires high degrees of trust, which can be exploited by malicious actors. Security best practices, notably zero-trust principles, are specifically designed to slow down these interactions, creating an inherent tension between AI agent implementation and security.
Agents Amplify Systemic Cybersecurity Weaknesses
Software engineering teams account for nearly 50% of AI use, demonstrating that AI is already deeply integrated into software development processes. This suggests that AI agents will likely play a significant role in future software development, working alongside human developers to generate, test, and deploy code.
The introduction of agents will amplify software supply-chain security weaknesses, allowing threat actors to take advantage of vulnerable or intentionally manipulated code to embed exploits in enterprise software. While these issues have existed long before AI or AI agents, the introduction of agents will cause these mistakes to be carried out faster and at scale. Initial studies suggest that AI-generated code is less secure than human-generated code, though AI coding performance is improving rapidly. Ensuring transparency and documentation in agent coding workflows is critical to ensuring a rigorous, secure development operations (SecDevOps) process.
Identity and access are additional enterprise security issues that AI agents are likely to amplify. For AI agents to operate effectively, they will also need access to various cloud applications and environments. This increases the complexity of identity management, as identity and permissions will need to extend to virtual agents.
Currently, many AI tools that connect to external data or to other tools operate in a trust-by-default mode, creating significant vulnerabilities. If this is extended to agentic AI, the potential harms from exploitation could increase significantly, as agents are capable of acts such as sending emails, deleting files, or authorizing payments. Defenders will need to ensure access permissions are properly managed and tracked for agentic users in the same way they manage permissions for traditional software and human users.
Figure 2: How AI agents may amplify current security weaknesses
(Image source: Recorded Future)
Prompt Engineering Remains a Pervasive Threat to Agents
While AI agents will accelerate existing enterprise security problems, they also introduce risks unique to artificial intelligence. Threat actors can deliver malicious instructions to AI agents via prompt engineering, causing the agents to act in alignment with the threat actors rather than with their legitimate users. Prompts can be delivered directly (through a chat interface), encoded in malware, or hidden in emails or other innocuous communications.
With the increased adoption of AI agents, threat actors may move further away from traditional malware and prioritize manipulating agents to scale and enhance operational efficiency. Targeting agents directly enables threat actors to leverage the speed and scale of AI agents, causing greater harm with a lower chance of detection or mitigation.
Figure 3: Potential attack scenarios weaponizing AI agents (Image source: Recorded Future)
Completely securing agents against prompt engineering is likely impossible. The need for AI agents to be useful will likely prevent developers from imposing fully effective guardrails against prompt engineering. This risk is similar to the difficulty of making humans resilient to social engineering operations. While training and awareness may help mitigate the effectiveness of some scams, threat actors continually find new ways to use people’s incentives against them.
Defenders can make AI agents more resilient to prompt engineering attacks by implementing layered security. Building in checkpoints where a human or another agent can assess or approve an action will help detect misaligned behavior and limit the potential harm. This is similar to fraud prevention or mitigation for human employees, such as procedures requiring additional approvals for transferring large sums of money.
Multi-agent AI Increases Unpredictability
As AI agents become more common, they will increasingly interact independently with each other to complete tasks. Multiple agents are susceptible to both intentional and accidental manipulation, which can manifest in unpredictable ways. Researchers have categorized these outcomes as:
Miscoordination: Agents cannot align behaviors to achieve an objective
Collusion: Unwanted cooperation between AI agents
Conflict: AI agents act to enhance their position at the expense of others
These outcomes can occur accidentally due to misaligned incentives and safety guardrails, or they can be programmed or intentionally manipulated. Despite safety guardrails, agents have been observed engaging in behavior they would otherwise have avoided. For example, AI agents on MoltBook, a social media network for bots, were observed disclosing potentially sensitive information about their users, including names, hobbies, hardware, and software (in addition to serious security failures associated with the site itself). Unwanted or unanticipated outcomes can occur when agents have free will to decide how they will carry out an objective.
Outlook
The first agentic data breach will very likely be the result of overly permissive environments: When threat actors succeed in using AI agents to carry out a breach, it will very likely be the result of an enterprise environment that operated using default permission settings.
Identity security will very likely shift toward “agent identity governance”: Enterprises will very likely expand identity and access management (IAM) frameworks to treat AI agents as priority digital identities, requiring lifecycle management, least-privilege enforcement, behavioral monitoring, and dedicated audit controls similar to (or stricter than) those in place for human users.
Prompt injection will likely evolve into a mainstream enterprise attack technique: Threat actors will likely increasingly prioritize manipulating AI agents over deploying traditional malware, using prompt injection, poisoned data inputs, and agent swarms to scale financial scams, cyber-physical disruption, and market manipulation — driving demand for layered guardrails and human-in-the-loop validation controls.
AI will likely reshape cyber insurance risk modeling and pricing: As AI agents become embedded across enterprise environments, the cyber insurance industry will likely face greater uncertainty in modeling risk exposure. Insurers are likely to respond by tightening underwriting standards around AI governance, requiring demonstrable controls such as agent identity management, human-in-the-loop safeguards, and prompt injection resilience.
Enforce zero-trust for agent identities: Treat AI agents as privileged digital identities subject to least-privilege access controls. Use Recorded Future Identity Intelligence to monitor for data breaches that expose agentic identities as well as human identities.
Resilience Question:Do we have a strategy for onboarding virtual identities into our IAM solution?
Ensure visibility into agent behavior: Deploy continuous monitoring tailored to agent behavior, including logging agent decisions, prompts, and actions, and setting up detections for anomalous task execution patterns.
Resilience Question:Do we understand how and why agents are making decisions, and can we quickly detect misaligned actions?
Strengthen supply-chain and code governance: Extend SecDevOps controls to AI-generated and agent-modified code. Assess AI-generated code for vulnerabilities and monitor for hallucinated or typosquatted dependencies. Use Recorded Future’s Third-Party Risk to monitor for downstream vulnerabilities in third-party software.
Resilience Question:Have we adapted SecDevOps to account for agentic coding?
Harden against prompt injection and input manipulation: Treat all external inputs as untrusted. Increase layered defenses to include multiple validation points and guardrails to minimize the impact of actions due to malicious prompts or inadvertent misalignment.
Resilience Question:What detections are in place to monitor for suspicious prompts?
Integrate, don't replace. Recorded Future enriches your existing security tools by automatically layering in contextual threat intelligence, reducing manual effort and enabling faster, better-informed decisions.
Know where you stand. Assessing your organization's maturity across four stages — reactive, proactive, predictive, and autonomous — helps you identify which workflows to prioritize and where automation can have the most impact.
Start simple, then scale. Four core workflows (i.e., IOC enrichment, vulnerability prioritization, Autonomous Threat Operations, and watch list automation) offer a practical on-ramp, and many integrations can be activated in just a few clicks through Recorded Future's Integration Center.
Threat intelligence can elevate cybersecurity programs from reactive to autonomous, transforming workflows and delivering measurable improvements. In a recent webinar, we shared practical steps for integrating threat intelligence into existing security stacks, optimizing workflows, and accelerating organizational maturity in cybersecurity practices.
Read on for actionable insights, frameworks, and tools shared during the session.
Bridging the gap: threat intelligence integration
The key to effective threat intelligence is making your tools work together seamlessly. Recorded Future doesn’t aim to replace your existing cybersecurity tools, but rather to enrich and connect them.
When Recorded Future connects to the tools already in your stack, it automatically adds contextually relevant threat intelligence to whatever you're working on. This can mean less manual effort and faster, better-informed decisions.
Understanding your organization’s cyber maturity
A useful starting point is assessing where your organization currently stands across four stages of cybersecurity maturity: reactive, proactive, predictive, and autonomous:
Reactive organizations focus on responding to incidents as they occur.
Proactive organizations hunt for threats before they lead to incidents and align detection systems to adapt toward emerging risks.
Predictive programs extend threat intelligence beyond the security operations center (SOC) to other organizational stakeholders.
Autonomous programs leverage automation to identify and respond to threats in real time at machine speed.
Maturity doesn't have to be assessed at the program level alone. Individual use cases may be at different stages. Alert management, for instance, may already be highly automated, while other workflows remain more reactive.
A helpful way to identify where to focus is to ask a series of questions, including:
What does my current alert workflow look like?
What's my most time-consuming process?
What's my top priority for the next 12 months?
Your answers will enable you to identify areas for improvement and then prioritize your workflows as needed.
Three key integration workflows—and one bonus workflow
Next, we suggest integration workflows that are designed to help you optimize your security operations with Recorded Future threat intelligence:
1. Indicator of compromise (IOC) enrichment
Detection tools often generate alerts with limited context, leaving you asking why something was flagged and how risky it actually is.By integrating Recorded Future, you’ll find that those alerts can be automatically enriched with information such as malware families, exploited vulnerabilities, and threat actor connections—enabling better, faster decisions without additional manual research.
2. Vulnerability prioritization
Most organizations depend on CVSS scores or vendor-provided data to assess vulnerabilities, but that approach doesn't always reflect real-world risk. A more effective strategy is asking: Is this vulnerability being actively exploited in targeted campaigns? Are threat actors targeting my industry with it?
Recorded Future enhances vulnerability management primarily through threat intelligence context, with risk scoring that tells you why something is risky—specifically whether a CVE is being actively exploited in the wild, and whether it's targeting organizations in your industry.
3. Autonomous Threat Operations
The most advanced workflow involves automating threat detection and prevention from end to end. Recorded Future can identify emerging threats, initiate retroactive threat hunts, and automatically update detection and blocking lists in tools like EDR platforms—all without manual intervention. This will enable your security team to shift from reactive firefighting to real-time, autonomous threat prevention. Learn more about Autonomous Threat Operations, available in Recorded Future’s Professional and Elite pricing packages.
4. Bonus workflow: Watch list automation
Your existing vulnerability scanners like Tenable, Qualys, Wiz, and Rapid7 are already identifying vulnerabilities in your environment. A Watch List automation connector can link those tools directly into Recorded Future's Watch Lists, so the Platform automatically reflects your real threat footprint at all times. Instead of tracking a static list of top vulnerabilities, you get contextual intelligence tied to what's actually in your environment, and you're automatically alerted when vulnerabilities change in risk status.This shifts vulnerability management from a reactive posture to a predictive one, and makes prioritization effectively autonomous.
The role of Recorded Future’s Integration Center
The Integration Center makes it straightforward to connect with popular security tools including Splunk, ServiceNow, CrowdStrike, and SentinelOne. Many of these integrations are pre-built and can be activated in just a few clicks, meaning there may already be value waiting to be unlocked within your existing SIEM, SOAR, EDR, TIP, vulnerability management tools, GRC platforms, and more.
Driving business value with integrated threat intelligence
Beyond operational efficiency, well-integrated threat intelligence workflows build organizational trust and give security leaders a stronger, data-backed narrative about how their teams are operating. Automating enrichment and response creates the space to focus on strategic priorities—and makes it easier to demonstrate the program's value to leadership.
The path toward autonomous threat operations requires sophisticated technology, seamless integrations, smart prioritization, and strategic planning. The best approach is simply to start: Activate a workflow, see the value it delivers, and build from there.
If you need help getting started or have questions about your organization’s specific needs, book a custom demo.
Business impersonation is the hidden thread connecting old and new fraud. Discover how the same core tactic is fueling both a surge in commercial check fraud and an explosion of AI-powered online shopping scams targeting younger consumers.
Tools like Positive Pay and 3D Secure authentication, while effective against the fraud they were built to stop, have pushed threat actors to evolve their schemes in ways that render those controls irrelevant.
Ecosystem gaps are often the real vulnerability. Fraudsters exploit the chain of assumed trust between social media platforms, card networks, merchant onboarders, banks, and local business registries — turning each party's reliance on the last into an open door.
If you’re a millennial or Gen Z-er, then you probably haven’t used a paper check in a while. According to the Federal Reserve Bank of Atlanta, just 1 out of 5 of your peers used a check in the last 30 days, versus 2 out of 5 Gen Xers and 3 out of 5 boomers. Yet despite year-on-year decreases in overall usage, Nasdaq Verafin saw check fraud instances rise another 11% in 2025.
Then again, if you are a millennial or Gen Z-er, you will have seen an advertisement for a cheap product on social media. For 40% of you, that has meant falling for an online shopping scam.
On the face of it, these look like two ends of the fraud spectrum:
On the one hand, we have what feels like the past: paper check usage rates even among those aged 65+ fell from 13% of transactions in 2013 to 6% in 2025 (Federal Reserve Bank of Atlanta).
On the other hand, we have the future: online shopping scams target a younger demographic through AI-enabled brand impersonation and sprawling social media ad ecosystems.
The payment instruments, demographics, and the teams working at financial institutions to address these problems differ. So what’s the thread linking them together? Business impersonation. It manifests itself differently across schemes, but for anti-fraud systems built to detect check washing and counterfeiting on the one hand, and unauthorized third-party card fraud on the other, business impersonation has emerged as the fraudster’s response to exploit both.
Commercial checks and copycat businesses across state lines
In the past, stolen checks were often whitewashed to change the recipient and amount, and then walked into banks for cashout. The Postal Inspection Service received over 299,000 mail theft complaints in a single 12-month period—a 161% increase from the prior year. Recorded Future’s Fraud Intelligence Team analyzed and mapped stolen checks to US geographies, illustrating hot spots of physical crime and observing that it remains a national issue that extends beyond heavily urbanized areas.
Mapping stolen checks by zip code; courtesy of Recorded Future
Yet even among declining consumer check usage rates, businesses’ use of commercial checks remains stubbornly high in the US: the Association for Financial Professionals (AFP) found that 91% of organizations are still using checks, and 63% experienced check fraud in 2024. When businesses send checks to suppliers, the amounts can rise quickly, leading fraudsters to expand beyond simple check-washing schemes.
In perhaps the most eye-catching example, fraudsters intercepted a commercial check destined for bubble-gum giant Bazooka in 2022. A $1.24 million check. Over the next two weeks, they transferred and withdrew over half a million dollars. How’d they do it? You can’t just wash out the payee name on a million-dollar check, replace it with John Smith, and expect it to clear after depositing it into a personal checking account.
Instead, the threat actors just created a fake Bazooka. The real Bazooka is registered in Delaware under the name “The Bazooka Companies, LLC”, so culprits registered a fictitious company in New York under the name “The Bazooka Companies 1 Inc”. They then used the official business license to open a corporate bank account for the new fictitious business. From there, they used cashier checks, withdrawals, and transfers to personal accounts to cash out the funds.
Fast forward to today, and the scheme is still happening. Recent research from Recorded Future Payment Fraud Intelligence(PFI) surveyed stolen checks for sale on Telegram in Q4 2025 and found over 30 checks with a business as the payee, along with suspicious new entities registered in other states a few days later. The total face value of the checks amounted to $2M.
As with most fraud, this scheme’s emergence is based on:
Exploiting ecosystem gaps between disparate parties: Businesses can have the same name as another when registered in different states. Pair that with most states’ limited mandate to investigate business registrations, and we’re left with the first gap:
“As long as the basic filing requirements are met, the office[s] may have little or no authority to question or reject a document submitted for filing or to verify information included in the filing” (National Association of Secretaries of State, September 2025)
When a fraudster approaches a bank to open a business bank account, the bank conducts its own due diligence. But the focus here is on money laundering threats and the legitimacy of documents and applicants. If the fraudsters are using a clean identity — synthetic or otherwise — then the bank won’t have a clear reason to reject the application just because a business called John’s Toilet Supply, LLC exists in another state.
Delivering a reactionary counterpunch to effective fraud processes: Think of this as the cat-and-mouse game. Fraud defenders figure out how to stop one scheme, forcing fraudsters to innovate. In this case, Positive Pay has proven remarkably effective at preventing check washing and counterfeit checks (when parties agree to use it). Payee Positive Pay, in particular, allows the payer to make sure that when their checks are deposited, the check number, date, payee name, and amount match their files. But what happens if everything is correct, but a copycat payee deposits the check? Cases like Bazooka.
80% discount on shoes? How can you say no?
If we detour into e-commerce, we see a very similar dynamic play out, but at a staggeringly larger scale. The premise is simple: use AI to launch a fake online shop impersonating company A, B, or C, buy ad space on social media to drive traffic, pocket the proceeds, and launder the funds while customers wait for goods that never arrive.
The scheme works because 53% of consumers, and 76% of Gen Zers, now begin shopping journeys on social media, according to Salesforce’s 2025 report. The problem is that the journey is littered with traps: in November 2025, leaked internal documents from Meta claimed the “company shows its platforms’ users an estimated 15 billion ‘higher risk’ scam advertisements — those that show clear signs of being fraudulent — every day”. Industry reporting paints the same picture, with the Better Business Bureau finding online shopping scams as the most reported scam type and social media advertisements as the most common originator.
Brand impersonation shopping scams impacting shoppers in January 2026; courtesy of Recorded Future
The basics of the scheme are nothing new. Capture payment card data by creating a fake online store and advertise too-good-to-be discounts. What’s changed is that these are no longer just phishing websites. They’re functional online shops that process payments via merchant accounts. Behind each of these merchant accounts is a registered business.
This is creating problems throughout the ecosystem:
Cardholders see websites that exactly mimic major (and increasingly niche) brands, letting discounts outweigh better judgment.
Financial institutions face the challenge of balancing their duty of care to process customer transactions with the risks of fraud and money laundering. But in these cases, the traditional indicators of cyber-enabled fraud aren’t present. The cardholder is authorizing the transaction, and there’s nothing suspicious within the behavioral or device indicators of the 3D Secure authentication stream. (Because, again, it’s the cardholder doing the transacting under manipulation.)
The fingers begin to point back at the acquirers and payment facilitators responsible for merchant onboarding, but, from their perspective, the entity holds a proper commercial license to engage in business issued by the local authorities. (Though, as a divergence from the check fraud scheme, the fraudsters in online shopping scams rarely impersonate a real big-name brand at the business creation and merchant onboarding stage. Instead, the fraudsters hide evidence of impersonation from the merchant onboarders and leave the impersonation for the ads and fake online shops visible to victims.)
But just like with the check fraud example, a big part of why online shopping scams have exploded — outside of generative AI making brand abuse content easier than ever to create at scale — is ecosystem gaps and fraudsters reacting to the defense:
Exploiting ecosystem gaps between disparate parties: By the time a victim is making a purchase on an online shopping scam website, each entity along the way has looked to the one before and trusted that due diligence had been performed. The cardholder wants to trust that the social media platform screened out malicious advertisers; the card issuer wants to trust the cardholder vetted the merchant; the card network wants to trust the merchant onboarder verified the business; and the merchant onboarder wants to trust local authorities properly licensed the business. A big, long line of incentivized trust.
Delivering a reactionary counterpunch to effective fraud processes: The industry has made huge strides in combating unauthorized, third-party card-not-present (CNP) fraud in the last decade. A major part of the success has been built on 3D Secure, introducing a layer of authentication on top of existing authorization controls. Online shopping scams completely sidestep the defensive layer by making the merchant the fraud surface and rendering cardholder authentication controls irrelevant.
Thinking towards the way out
On the check fraud side, the best solution may already be available, but, as with most solutions, it comes with trade-offs and adoption issues. The basic idea of Positive Pay and its derivative, Payee Positive Pay, is that a business informs its bank of the checks it is sending, and the bank only disburses funds if the check matches what the business provided. Positive Pay was designed to combat counterfeit and forged checks, and it does that very well.
Of course, in the Bazooka example of same-name business impersonation, this wouldn’t help. Nothing about the check was modified. So here, banks offer Reverse Positive Pay, which basically means the business personally signs off on each sent check. It can solve the problem but shifts more operational and investigatory expenses onto the business (which might explain why adoption rates are south of 20%, according to Datos Insights and Alkamai). In the end, though, it makes you wonder why not heed the advice and move to alternative electronic payment methods?
On the online shopping scam side, solutions are more complex and scattered across the ecosystem.
At the top of the funnel, there’s rising pressure on online advertising platforms to do a better job at limiting the presence of fraudulent advertisements. Based on more leaked internal Meta documents, regulatory pressure may not be producing the desired outcome.
At the merchant onboarding level, both the major card networks are forcing acquirers and payment facilitators to do more to defend the gates into payment processing, while also devoting more resources to identifying scam merchants that do make it in.
For card issuers on the frontline, it’s a more delicate dance. Card issuers aren’t on the hook for authorized card payments to fraudsters under the Fair Credit Billing Act (FCBA) or Electronic Funds Transfer Act (EFTA), but 67% of cardholders expect them to cover scam losses. Though when cards transacting on scam websites end up on the dark web for resale, and unauthorized charges start rolling in, it is the issuer’s problem.
The best solution aligns with the industry’s movement toward CTI-fusion models to address the cyber component of cyber-enabled fraud. The convergence of online shopping and purchase scams is precisely the type of problem the new organizational model was meant to combat.
In applying the CTI-fraud fusion model to purchase scams, traditional fraud assets start at the end of the fraud attack chain to correlate reported cardholder manipulation and non-delivery alerts against merchant account patterns. The CTI assets start at the beginning, sourcing online shopping scams at runtime and attributing the abused merchant accounts. The two teams then meet in the middle, using modeled transaction patterns and threat-hunted active scam websites, ultimately leading to the deployment of merchant-based fraud risk rules.
So, in the meantime, where does all this leave us? The same thing you’ve heard plenty of times: stop using checks if you can and don’t trust too-good-to-be-true offers from online ads.
How Recorded Future Helps
The research in this blog came directly from Recorded Future's Fraud Intelligence teams. Two capabilities speak to the threats described.
Payment Fraud Intelligence — tracks the complete fraud lifecycle: for check fraud, it uses OCR to extract payee, amount, and date from compromised checks being sold in forums, enabling deposit screening against known stolen checks; for card fraud, it monitors compromised merchants, stolen cards on criminal marketplaces, and the tester merchants fraudsters use to validate cards before striking.
Digital Risk Protection — provides continuous monitoring across millions of sources for malicious sites, brand and executive impersonation, data leakage, and dark web mentions — with risk-based alerting that surfaces only actionable threats and takedown workflows built directly into the Platform.
TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days.
Stolen credentials can enable payroll redirection, freight rerouting, and extortion — active campaigns Insikt Group is tracking that show how a software supply chain breach can quickly become a business operations crisis.
Learn why an inventory of your software components isn't enough when malicious code is injected after the source commit, and what a truly effective defense — combining third-party due diligence. cryptographic signing, and AI-driven anomaly detection — actually requires.
In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly 97 million monthly downloads used by thousands of organizations to connect to AI services) and Checkmarx (one of the most widely used application security testing platforms on the planet). How they got in isn’t publicly confirmed. But the result was write access to a trusted software repository.
From there, they injected a credential-harvesting payload into the software and poisoned two Checkmarx GitHub Actions workflows. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain.
And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding.
Identity Is the Perimeter (and the Attack Surface)
The throughline in the TeamPCP campaign is identity. Start to finish.
TeamPCP intelligence summary courtesy of Recorded Future.
No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainer’s repository, but the most likely vector is stolen credentials. Recorded Future’s identity intelligence contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCPs’ earlier compromise of Aqua Security’s Trivy infrastructure in late February (where incomplete credential rotation left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open.
Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it.
Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to four additional software distribution ecosystems. One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days.
This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesn’t trigger an alert. It just works.
We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity.
The Impact Is Not Just Ransomware
TeamPCPs’ Telegram channel references a ransomware victim’s site. The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by threatening to release over 300 GB of stolen data. Reports indicate a possible collaboration with the Lapsus$ extortion group. Ransomware is the obvious play.
CipherForce intelligence summary courtesy of Recorded Future.
But ransomware is only the most visible impact. The more dangerous question is: what else can you do with over a million stolen cloud credentials, API keys, and service account tokens?
The answer, based on what Insikt Group is tracking across multiple unrelated campaigns, is far broader than encryption and extortion.
Redirect payroll. Late last year (2025) Insikt Group was monitoring activity around a campaign called “Swiper,” run by likely Russian-speaking actors who set up phishing infrastructure impersonating major financial institutions and payroll service providers. Stolen credentials were transmitted in real time, enabling the actors to alter direct deposit accounts and redirect payments before anyone noticed. The responsible actor was identified through a dispute on a criminal forum, and their cryptocurrency wallet has processed over 7,000 transactions. This was a credential theft operation that converted identity compromise directly into financial theft. Now imagine that same playbook amplified by a supply chain attack that harvests payroll platform credentials at scale.
Reroute shipments. Separately, Insikt Group has identified TAG-160, a threat group targeting the US logistics and transportation sector. TAG-160 impersonates logistics companies, sends fraudulent rate confirmations via phishing emails, and delivers remote access malware. But TAG-160 has also been caught running “double brokering scams,” where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the broker’s name to contract a different carrier. The legitimate carrier moves the freight. The threat actor collects the payment. The real carrier never gets paid. A second, unrelated threat cluster targets German logistics companies with a similar playbook.
These are not theoretical scenarios. They are active campaigns running in parallel with the TeamPCP supply chain compromises. And the common denominator across all of them is credential theft and identity abuse.
In the five risk impact categories we use as a framework for translating cyber threats into business risk, the TeamPCP compromise touches every single one: operational disruption (ransomware, system lockout), financial fraud (payroll redirection, double brokering fraud, extortion payments), competitive disadvantage (credentials, trade secrets, PII), brand impairment (customers learning their security tooling was the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts).
The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk problem whose blast radius extends from IT operations to payroll to logistics to the boardroom.
Organizations should ask how they can use AI-driven analysis to continuously verify the integrity of every package and build artifact entering their production systems. This means comparing distributed packages against their source repositories to detect injected code. It means analyzing updates to flag anomalous changes in behavior. It means automated provenance verification that traces software from source to distribution, flagging breaks in the chain.
But the TeamPCP campaign exposed a truth the industry has been slow to internalize: the security tools themselves are targets. TeamPCP specifically chose a vulnerability scanner and an application security platform because those tools have the broadest access to credentials and infrastructure. Compromising the tool that checks your code is the ultimate fox-in-the-henhouse scenario.
The organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit.
So What. Now What.
TeamPCP is not done. Their Telegram channel explicitly states the operation is still unfolding, and they claim to be working with new partners to monetize stolen data at scale.
For security leaders, the immediate actions are straightforward: if your organization uses LiteLLM, Trivy, or Checkmarx GitHub Actions, assume compromise and rotate every credential on affected systems. Audit your software pipelines for unauthorized changes. Pin software dependencies to verified, immutable versions.
But the longer-term lesson is more fundamental. Supply chain attacks convert the trust model of modern software development into an attack surface. The packages you install, the tools you run, the pipelines you build: these are not neutral infrastructure. They are vectors. And the credential stolen today from a compromised software package could show up tomorrow as a payroll redirect, a rerouted shipment, or a ransomware demand.
The keys to your kingdom are scattered across every package manager, every automation token, and every service account in your environment. Someone is collecting them. And your supply chain breach is already someone else’s payday.
How Recorded Future Helps
The TeamPCP campaign left signals at every stage. Three Recorded Future capabilities speak directly to this threat:
Identity Intelligence — monitors infostealer logs, dark web markets, and credential dumps in real time, automatically detecting compromised employee credentials and triggering immediate response — including the nearly one million compromised GitHub developer credentials already in Recorded Future's dataset.
Insikt Group — elite analysts with deep government, law enforcement, and intelligence agency experience who produced the TeamPCP, Swiper, TAG-160, and CipherForce research in this blog. Customers see threats as they develop, not after they've made headlines.
Third-Party Risk — continuously monitors vendors for ransomware extortion activity, breach indicators, and credential leaks, replacing point-in-time questionnaires with real-time visibility across your supply chain.
The Iran situation remains volatile and uncertain, with material impacts for organizations.
Leaders should plan for multiple future scenarios, prioritizing resilience and effective decision-making
Current State (April 10)
Severe tensions persist despite a two-week ceasefire: The agreement remains fragile and conditional on reopening the Strait of Hormuz; each side has already accused Iran War: Future Scenarios and Business Implications the other of violations.
Maritime flows partially resume but remain uncertain: Disruptions and elevated security risks persist. President Trump has signaled readiness to resume strikes on Iranian infrastructure if ceasefire conditions are not met.
Economic conditions remain unstable: Energy markets remain volatile, with continued pressure on supply chains. Shipping, insurance, and aviation activity are only partially restored. Inside Iran, infrastructure damage is driving power shortages and industrial disruption.
Cyber activity has intensified: Operations targeting energy and critical infrastructure are increasing, reinforcing systemic risk across key sectors.
Figure 1: An explosion in Tehran, February 28, 2026 (Source:PBS)
Figure 2:Cone of Plausibility Overview: Iran Conflict(Source: Recorded Future)
Framework Overview
To assess how the Iran conflict could evolve over the next 6–12 months, Insikt Group analyzed regional and global dynamics using the PESTLE-M framework, covering Political, Economic, Social, Technological, Legal, Environmental, and Military domains, with a focus on Iran, the United States, Israel, and Gulf States.
Figure 3: PESTLE-M Framework (Source: Recorded Future)
This analysis informed a scenario generation exercise using a Cone of Plausibility (CoP) method. The objective was not to predict a single outcome, but to explore a range of alternative futures based on observed signals and emerging trends.
Wildcard
Plausible
Baseline
Plausible
Figure 4: Cone of Plausibility Framework (Source: Recorded Future)
Methodology
For each PESTLE-M category, we identified key drivers that could increase or decrease the likelihood of escalation, de-escalation, or sustained instability, and assessed how these dynamics may evolve under different assumptions. These were combined to develop six scenarios: one baseline, two plausible (best and worst case), and three wildcard scenarios, enabling organizations to evaluate how the conflict may unfold and the potential impacts on their operating environment.
Within the CoP framework:
Drivers are signals and trends that could shape future developments
Assumptions reflect how those drivers may evolve over time
Scenarios describe how these dynamics could combine to produce distinct future states
We define scenarios as follows:
Baseline: A forward projection of current trends and conditions
Plausible: A realistic alternative outcome based on evolving drivers and assumptions
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
Baseline Scenario: Fragile Ceasefire with Sustained Economic Disruption
Infrastructure targeting -> Energy disruption continues
Figure 5: Brent oil prices and projections (Source: Oxford Economics)
Figure 6:Iran is also threatening maritime traffic through the Bab al-Mandab, another key route (Source:Times of India)
Baseline: A forward projection of current trends and conditions
Ceasefire holds, but conflict shifts into sustained economic warfare.
A fragile ceasefire reduces the pace of direct military exchanges strikes, but the drivers of conflict remain unresolved. Iran lacks the capacity for decisive escalation but retains asymmetric leverage, while the US prioritizes energy market stability and conflict containment. The Strait of Hormuz reopens only intermittently, with recurring disruptions, inspections, and security incidents, keeping shipping, insurance, and energy markets under sustained pressure. Gulf financial, logistics, and technology sectors operate intermittently, airlines maintain some route suspensions, and cyber activity remains elevated against regional infrastructure and Western-linked organizations. The conflict evolves into economic coercion as a primary tool, driving elevated oil and gas prices, persistent market volatility, and tighter financing conditions. Supply chains gradually reconfigure away from high-risk routes, increasing costs and reducing efficiency. Russia benefits from sustained high energy prices and reduced Western focus, strengthening its position in Ukraine. China capitalizes on fragmentation by expanding alternative trade and financial networks, reinforcing a more bifurcated global system.
Likelihood
Most likely if ceasefire holds without resolution: Conflict remains below full-scale war, but economic disruption persists as the dominant mode of competition.
Business Implications
Priority Actions (0-90 days)
Operational: Intermittent shipping, route, and supplier disruption increases cost and complexity
Stress-test exposure to Hormuz-related shipping and energy disruption
Financial: Elevated energy prices and volatility sustain margin pressure and tighter financing
Harden resilience for energy, logistics, and cyber-dependent operations
Competitive: Firms with diversified routing and lower energy exposure gain advantage
Review sanctions, insurance, and counterparty risk across key jurisdictions
Legal: Evolving sanctions and emergency measures raise compliance burden and enforcement risk
Reputational: Scrutiny over pricing, shortages, and regional exposure increases brand risk
Plausible Scenario (Best Case): Managed Stalemate
Key Drivers and Assumptions
US threats and military strikes fail to coerce Iran into concession -> Limited appetite for sustained conflict
Significant economic disruption -> Economic costs drive political decisions
US military footprint in region -> Potential for re-escalation
Figure 7: US President Trump delivers a warning to Iran at a White House Easter event (Source: PBS News)
Figure 8: Iran has used maritime traffic through the Strait of Hormuz as leverage in the conflict (Source: CNBC)
Plausible: A realistic alternative outcome based on evolving drivers and assumptions
The US portrays its leadership decapitation campaign as successfully facilitating “regime change,” creating space for diplomatic engagement with “new” leadership. Iran maintains increased level of oversight over the Strait of Hormuz, while internally the IRGC plays a greater role in strategic decision-making.
Domestic economic and political pressure leads to the US to scale back military operations without clear resolution of key regional security issues, including Iran’s right to nuclear enrichment, ballistic missile program, and support to regional proxies. Maritime traffic slowly returns to pre-war levels, with a new protocol for vessel traffic under an internationally accepted mandate. Iran retains an increased level of oversight over the Strait of Hormuz passages and profits from the traffic. This relieves some economic strain, though lingering supply chain effects remain. Cyber attacks persist as a means of asymmetric coercion. The US lifts some sanctions against the “new” regime, but other sanctions remain in place, complicating the regulatory environment. Interest in renewable energy increases as companies seek to mitigate against future disruption, though oil demand returns to pre-conflict norms. Israel continues limited, highly targeted strikes, while the US retains its military presence in the region, keeping the possibility for re-escalation open.
Likelihood
Less likely as conflict continues: This scenario assumes the US’s limited appetite for full-scale war, but the opportunities for de-escalation diminish as the conflict persists.
Business Implications
Priority Actions (0-90 days)
Operational: Recurring disruption risk for regional transport corridors, ports, and cross-border trade
Keep sanctions, export-control, and third-party due diligence on heightened alert
Financial: Long-term effects of recovery
Build redundancy into critical suppliers
Competitive: Competitors with diversified sourcing, redundancy, and mature sanctions controls are best positioned to withstand ongoing shocks
Maintain an elevated cyber posture
Legal: Continued tensions mean sanctions and export controls may tighten again with little notice
Tighten executive decision rights and trigger points for regional exposure
Reputational: Price increases tied to lingering supply-chain effects may trigger accusations of profiteering
Accelerate resilience investments with strategic upside, especially energy efficiency, renewable sourcing, and inventory visibility
Plausible Scenario (Worst Case): Regional Conflict with Gulf Involvement
Figure 9: The Saudi crown prince reportedly urged President Trump to continue war (Source: NYT)
Figure 10: The UAE has been proactive in the conflict, taking nonmilitary measures against Iran (Source: South China Post)
Plausible: A realistic alternative outcome based on evolving drivers and assumptions
Ceasefire collapses, triggering multi-state regional war.
A temporary ceasefire breaks down following renewed strikes and failure to secure maritime access. Iran escalates missile and proxy attacks, including targeting Gulf energy infrastructure. With critical thresholds crossed, Saudi Arabia, the UAE, and Bahrain enter the conflict directly to protect economic and political stability. The Strait of Hormuz and Bab al-Mandab become sustained conflict zones, with repeated attacks, mining, and vessel seizures. Shipping and insurance markets withdraw at scale, severely constraining global energy flows. Energy prices surge, driving inflation and recession risk globally. Fuel shortages emerge in import-dependent economies, triggering industrial slowdowns, reduced mobility, and rolling outages. Cyber operations escalate into coordinated campaigns targeting energy, logistics, and financial systems. Legal fragmentation accelerates, with overlapping sanctions regimes, asset controls, and enforcement actions constraining cross-border operations. Russia exploits elevated energy revenues and reduced Western focus to press its advantage in Ukraine. China remains indirect but leverages Western overstretch to increase pressure on Taiwan.
Likelihood
More likely if ceasefire collapses and Gulf assets are targeted: Escalation becomes self-reinforcing once regional actors are drawn into direct conflict.
Business Implications
Priority Actions (0-90 days)
Operational: Supplier and production relocation, increased redundancy, and higher cost and complexity
Harden critical infrastructure dependences (energy, logistics, third parties)
Financial: Energy costs and inflation drive margin pressure, while financing becomes tighter and more expensive
Test business continuity under outage scenarios
Competitive: Resilient, energy-secure firms gain advantage; exposed firms lose share
Segment and isolate high-value systems; prioritize offline backups and rapid recovery
Legal: Fragmented, fast-changing sanctions increase compliance burden and legal risk
Review third-party and regional concentration risk, particularly for Middle
Reputational: Scrutiny over pricing, shortages, and exposure drives brand and trust risk
Establish crisis governance and decision cadence
Wildcard Scenario 1: Lasting Peace Agreement
Key Drivers and Assumptions
Severe degradation of Iranian infrastructure -> Iran compelled to concede
Global economic disruption → International support for peace process
Sustained disruption to Hormuz and energy markets → Mutual incentive to stabilize
Figure 11:Pakistan has offered to host talks to broker peace between US, Iran (Source:Time)
Figure 12:Traffic through the Strait of Hormuz dropped significantly since conflict began (Source:Lloyd's List)
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
Negotiated settlement reached between the US and Iran, allowing for longterm drawdown of conflict. Significant degradation of Iran’s energy, military, and industrial infrastructure, combined with mounting economic strain, power shortages, and reduced capacity to sustain conflict, compels Tehran to reassess its position and signal willingness to accept concessions. In parallel, the United States faces rising economic costs from prolonged energy disruption, inflation, and market instability, increasing pressure to stabilize conditions. A negotiated settlement emerges through indirect talks, mediated by Oman, with Iran accepting concessions on maritime security and nuclear constraints in exchange for phased sanctions relief and assurances against further strikes. Iran seeks a revised Strait of Hormuz security framework and limited economic concessions, though broader demands such as reparations are only partially addressed. The Strait of Hormuz fully reopens under agreed security mechanisms, restoring stable shipping and energy flows. Sanctions ease gradually, enabling reintegration of Iranian energy exports and limited foreign investment. Military activity declines sharply, cyber operations reduce, and global energy markets stabilise, easing inflationary pressures and improving financial conditions.
Likelihood
Low probability: Requires significant concessions from one side under sustained pressure.
Business Implications
Priority Actions (0-90 days)
Operational: Supply chains stabilize, enabling efficiency gains and reduced redundancy
Monitor stabilization signals and time market re-entry strategically
Financial: Lower energy prices ease margin pressure and improve access to capital
Secure long-term energy and supply contracts at favorable prices
Competitive: Early movers capture growth opportunities in recovering markets
Re-optimize supply chains and reduce excess redundancy
Legal: Sanctions easing reduces compliance burden and enables cross-border activity
Reassess sanctions exposure and compliance frameworks
Reputational: Stabilization and reinvestment strengthen stakeholder trust
Align growth and investment strategy to recovering regional markets
Wildcard Scenario 2: Iranian Regime Collapses
Key Drivers and Assumptions
Decades of political repression -> No viable alternative to Iranian regime
Sectarian and political unrest -> Protracted internal conflict
Targeting of leadership -> Regime instability and eventual collapse
Figure 13: Mass protests against the regime in December 2025 were brutally repressed (Source: Le Monde)
Figure 14: Displaced Syrians have lived in refugee camps for ten years, demonstrating the long-term impacts of internal conflict (Source: UNHCR)
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
The Islamic Republic collapses, plunging the country into a civil war and complex humanitarian crisis.
The US and Israel’s persistent “decapitation strategy” weakens the regime to the point where it is no longer able to assert internal control. With no viable alternative, the country falls into a multiparty civil war made up of pro-regime, pro-democracy, and assorted regional and ideological militias. Food and fuel shortages are severe in certain regions. Refugee camps are built in Iraq while Europe’s asylum system faces overwhelming demands. The US claims Kharg Island in the chaos and asserts control over the Strait of Hormuz, mitigating international economic damage. However, the political instability gives pro-regime and other ideological groups a base for asymmetric operations, leading to persistent regional disruption. Cyber capabilities degrade amid internal fighting, though some hacktivist operations persist against a wider variety of ideological enemies. Damage to water and energy facilities sustained during the conflict exacerbates humanitarian crisis and slows recovery. Russia supplies military support to pro-regime factions, but not enough to significantly tilt the balance of power.
Likelihood
Long-term resilience of regime and viability of alternatives is unknown, making it difficult to assess likelihood with confidence.
Business Implications
Priority Actions (0-90 days)
Operational: Reduced reliability of just-in-time inventory models, especially for firms dependent on Gulf maritime corridors
Segment critical operations
Financial: Long-term increase in operational and energy costs
Harden sanctions and third-party controls
Competitive: Larger firms use stronger government relationships or balance sheets to secure logistics
Require an immediate review of regional dependencies, with backup routing and alternate sourcing plans for critical business lines
Ensure employee protection measures are ready across the region
Reputational: Activist or online campaigns tying the firm to foreign intervention or opportunism
Create a 90-day resilience plan including decision triggers for escalation or market withdrawal
Wildcard Scenario 3: Nuclear Crisis
Key Drivers and Assumptions
Protracted high-intensity conflict -> Increased likelihood of miscalculation
Location of facility -> Risks of radiological contamination spread by air and water
Diplomatic failures -> Inability to coordinate on response
Figure 15:Bushehr has not yet been a direct target, though missiles have landed near it (Source:Development Aid)
Figure 16:Weather patterns following the Chernobyl nuclear disaster spread radiological material affecting up to 6 million people (Source:UNSCEAR)
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
Missile strikes hitting a nuclear facility lead to a radiological incident, causing immediate global shock and rapid escalation.
A missile strike causes extensive damage to Iran’s Bushehr civilian nuclear power facility, causing radiological release with cross-border contamination. This occurs due to escalation, miscalculation, or degraded command and control. Immediate impacts include evacuation zones and disruption to regional energy supply. Emergency response efforts are delayed by ongoing conflict, limiting containment and extending environmental and economic damage. As a result, southern Iran and Gulf States experience long-term harm to drinking water supply and maritime food sources. The conflict also prevents long-term monitoring in Iran, which extends the long-term health and environmental damage from inadvertent exposure. Contamination further restricts maritime trade routes in the Gulf, while energy markets react sharply to both supply disruption and elevated systemic risk. Cyber and information operations amplify panic and misinformation.
Likelihood
Low probability, high impact: Risk of intentional or unintended strike increases under sustained conflict.
Business Implications
Priority Actions (0-90 days)
Operational: Disruption to regional operations and supply chains; site closures
Activate crisis management and continuity protocols
Financial: Extreme market volatility and energy price spikes
Protect personnel and account for regional workforce exposure
Competitive: Firms with geographic diversification gain advantage
Secure critical systems and prepare for sustained disruption
Legal: Emergency regulations, sanctions, and liability exposure increase
Identify alternative routes and supply chain contingencies
Reputational: Heightened scrutiny around safety, workforce protection, and response
Manage disinformation through strong crisis communications process
Recorded Future is now offering four solutions covering cyber operations, digital risk protection, third-party risk, and payment fraud.
Three tiered packages (Core, Professional, Elite) bundle these solutions to scale with an organization's security program.
Packages include unlimited users and integrations so intelligence reaches everyone who needs it.
The global threat landscape didn't simplify in 2025. It shattered. Recorded Future's Insikt Group® 2026 State of Security documented how geopolitical fragmentation, state-sponsored operations, and criminal ecosystem adaptation reshaped global risk. Threats that once stayed in distinct lanes converged, and they converged fast.
Consider what Insikt Group® tracked last year:
State-sponsored cyber actors shifted from intelligence collection to persistent access, pre-positioning inside target infrastructure so they can disrupt operations the moment geopolitical tensions escalate.
Weak governance and systemic corruption fueled industrialized cybercrime, enabling payment fraud and criminal operations to scale like legitimate businesses.
Influence operators and hacktivist groups multiplied alongside rising interstate conflict, amplifying fear, uncertainty, and doubt through exaggerated exploit claims.
Loosely organized criminal collectives used social engineering to compromise third-party SaaS platforms, rapidly adapting to law enforcement action and traditional defenses alike.
The risk surface has expanded well beyond networks and endpoints. Your brand, your third-party vendors, your payment networks: each has its own threat actors, its own attack methods, and its own intelligence requirements. Yet most intelligence programs only cover one of these domains. Or they monitor them in silos, with no shared context.
The right intelligence, from the right sources, at the right time, is a critical competitive advantage. But intelligence only matters if you can act on it across every critical risk domain before attackers reach their objective.
Re-Imagining How Intelligence Is Delivered And Operationalized
Historically, Recorded Future has been sold on a per-user and per-capability basis - a model that worked well in a simpler world where security teams were focused on solving the most urgent problem in front of them.
Today’s threat landscape is fast, more complex, and deeply interconnected. Customers are no longer looking for point solutions, they’re asking for a fundamentally different way to consume and operationalize intelligence.
Customers are asking us to provide:
Complete capabilities to support use cases aligned with core risk domains.
Democratized access to intelligence across teams, workflows and systems.
A simplified and predictable way to purchase for ease of budgeting and adoption.
In response, we’ve re-imagined Recorded Future is delivered:
“Four Solutions. Three Packages. One Intelligence Foundation.”
A unified approach designed to scale with your organization, accelerate time to value, and embed intelligence into every decision that matters.
Four Solutions for Four Critical Risk Domains
Your threats span your infrastructure, your brand, your vendors, and your payment networks. Your intelligence should too. We’ve re-organized our platform into four purpose-built solutions tied to distinct domains of enterprise risk.
Cyber Operations gives your security team the intelligence, workflows, and autonomous actions to detect, investigate, and respond to threats targeting your infrastructure. Alert triage, real-world vulnerability prioritization, malware analysis, proactive hunting: this is where reactive firefighting becomes predictive, intelligence-led defense.
Digital Risk Protection helps detect and disrupt threats that never touch your network but directly damage your business: brand impersonation, domain abuse, credential leaks, and phishing infrastructure across the open, deep, and dark web. With access to active infostealer logs and automated IAM remediation, your team can act on exposures within hours, not weeks.
Third-Party Risk delivers continuous, intelligence-driven monitoring of your vendor ecosystem. Security ratings combined with real-time threat intelligence surface breaches, ransomware activity, and dark web exposure days or weeks before formal vendor notification, giving your security and GRC teams evidence they can act on and defend to stakeholders.
Payment Fraud Intelligence identifies stolen payment cards, compromised checks, scam merchants, and web-skimming activity earlier in the fraud lifecycle, so financial institutions can stop losses before they materialize.
Each solution delivers complete, end-to-end capability for its risk domain. And because all four run on the same Intelligence Graph®, a signal detected in one domain immediately enriches context across the others.
Three Packages That Scale With Your Program
Modern organizations operate across multiple risk domains. We are introducing three packages that reflect that reality, meeting customers where they are and scale as their programs mature.
Core is the foundation for intelligence-led security. It enables organizations to tackle essential use cases on day one - threat detection and alert triage, vulnerability monitoring, credential exposure detection, domain abuse monitoring, and executive impersonation protection. The package combines capabilities across Cyber Operations and Digital Risk Protection solutions, providing immediate, high-impact coverage.
Professional is built for organizations ready to mature their program and operationalize intelligence at scale. Building on Core, it introduces deeper insights and automation to extend team capacity - enabling autonomous threat hunting, multi-source correlation, and external asset discovery. The result is broader coverage, faster response, and more leverage for security teams without adding headcount.
Elite delivers the most comprehensive intelligence coverage available. By unifying Cyber Operations, Digital Risk Protection, and Third-Party Risk, it provides a complete view of risk across infrastructure, brand, and supply chain. With a single pane of glass, Elite operationalizes intelligence across workflows and teams—from CTI to SOC to Risk—driving smarter and faster risk-enabled decision making and response.
Across all packages, customers get full access to the Intelligence Graph®, Recorded Future AI, all compatible integrations, APIs, and Collective Insights. No hidden costs or barriers to connect to your existing security stack.
Built for Everyone Who Needs Intelligence, Not Just Analysts
Intelligence only creates value when the right people can act on it. That's why our platform packages include unlimited users. Every analyst, every engineer, every stakeholder who needs intelligence gets it, with no seat limits and no trade-offs about who gets access.
For smaller teams building early-stage programs, we still offer flexible user-based licensing so you can start where it makes sense and expand as your program matures. Either way, pricing is predictable. You know what you're paying, and you can scale with confidence.
Every package also includes unlimited integrations from Recorded Future’s hundreds of supported applications at no additional cost. Your SIEMs, EDRs, SOAR platforms, and ticketing systems all get equipped with real-time intelligence, so every analyst and engineer working in those tools benefits from enriched context without switching screens. Add Autonomous Threat Operations, and those same integrations become the foundation for autonomous hunting, detection, and prevention across your entire stack. Connected tools become an intelligence-led defense system that acts continuously, with minimal human intervention.
One Intelligence Foundation Across Every Domain
What makes this approach powerful isn't just simpler packaging. All four solutions and all three packages run on the same intelligence foundation: the Intelligence Graph®, correlating over 1.2 million sources and 26 billion entities across cyber, digital, third-party, and fraud domains.
A credential leak detected in Digital Risk Protection immediately informs a Cyber Operations investigation. A vulnerability under active exploitation triggers prioritized patching in your workflow. A third-party vendor breach surfaces before the vendor discloses it. Intelligence flows across your entire risk surface, giving you the correlated, high-confidence context that point solutions can't deliver.
That's what it means to be intelligence-led. Not consuming more data. Connecting signals across domains so you can act earlier, with greater confidence, at machine speed.
The Path Forward
Adversaries in 2026 are faster, more coordinated, and more resourceful than they've ever been. They operate across every attack surface simultaneously, and they're accelerating.
Whether you're a team of three building your first intelligence program or a global enterprise running intelligence-led autonomous operations, there's a clear path. Start with the solution or package that matches your priorities today. Grow into deeper automation and broader coverage as your program matures. And at every step, you're backed by the most comprehensive and independent intelligence platform in the industry.
We built this for the threats you're facing right now, and the ones coming next.
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability (CVE-2017-7921 affecting Hikvision) is approximately nine years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.
In March, Insikt Group® created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Group® had already published a Nuclei template for CVE-2025-68613 (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.
Quick Reference: March 2026 Vulnerability Table
All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
Table 1:List of vulnerabilities that were actively exploited in March based on Recorded Future data.
Key Trends: March 2026
Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).
Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.
Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level access, leading to deployment of the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
The Coruna exploit kit similarly compromised iOS devices to deliver the PlasmaLoader (PLASMAGRID) malware.
These 9 vulnerabilities affected Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.
Exploitation Analysis
This section analyzes two of the highest-impact, actively exploited vulnerabilities this month. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Group®. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform.
Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)
On March 18, 2026, Amazon Threat Intelligence published an analysis detailing an ongoing Interlock ransomware campaign exploiting CVE-2026-20131. CVE-2026-20131 is a critical vulnerability affecting Cisco’s Secure Firewall Management Center (FMC) software that allows unauthenticated threat actors to execute arbitrary Java code as root on vulnerable devices. Cisco Secure FMC is a centralized management platform that allows administrators to configure, monitor, and control Cisco firewall devices and network security policies across an enterprise environment. According to Amazon Threat Intelligence, Interlock Ransomware Group exploited CVE-2026-20131 as a zero-day vulnerability beginning January 26, 2026, indicating active exploitation prior to its public disclosure and enabling early compromise of enterprise networks.
The Interlock Ransomware Group exploits vulnerable Cisco FMC instances via crafted HTTP requests exploiting CVE-2026-20131 to execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 (Intelligence Card) to support follow-on operations.
They then use custom Java- and JavaScript-based RATs, a memory-resident web shell, and proxy infrastructure to maintain access, enable lateral movement, and evade detection. Post-compromise activity includes reconnaissance, data collection and staging, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.
Changes the machine’s desktop wallpaper that displays a pornographic image
Delays execution using the Sleep API function for evasion
Detects debuggers using the GetTickCount API function to compare timing
Figure 1:Risk Rules History from Hash Intelligence Card® for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)
There's a category of employee credentials where standard monitoring often falls short: executives, finance leaders, IT administrators, and those with privileged access have a large target on their back.
VIP Credential Monitoring in Recorded Future is built to solve this problem. It continuously monitors for credential exposures tied to your most sensitive individuals across both work and personal accounts, and alerts your team fast enough to act before an account takeover occurs.
The Challenge with Protecting Your Most Targeted People
According to Verizon's 2025 Data Breach Investigations Report, credential abuse was the most prominent initial access vector observed across breaches. Attackers don't need to find a technical vulnerability to get inside your organization. Stolen credentials are widely available across criminal forums and dark web marketplaces, and buying access is often faster and cheaper than building an exploit.
What makes this particularly calculated is how threat actors decide which credentials to buy. Infostealer malware logs don't just capture usernames and passwords — they capture the authorization URLs where those credentials were entered. According to Recorded Future’s 2025 Identity Threat Landscape Report, 7 million credentials were indexed with identifiable authorization URLs, with 63.2% of those having been linked to authentication systems.
Figure 1: Top authorization URL categories, 2025 (Source: Recorded Future)
That means attackers can usually identify the access endpoints credentials unlock and they will prioritize accordingly. Executives and anyone with broad access to systems and data sit at the top of that list.
The 2025 cyber attack on University of Pennsylvania illustrates exactly how this plays out. A threat actor compromised a single employee's SSO credential and used it to move laterally across corporate systems, ultimately exposing data on approximately 1.2 million donors, alumni, and students. One credential, one login, and an organizational crisis.
The threat doesn't stop at corporate accounts. When attackers can't get hold of an executive's work credentials, they target personal accounts for these high-value targets. A personal email or social account can expose sensitive communications, private information, or material an attacker can use for extortion.
Corporate security controls don't extend to personal accounts. When those credentials are stolen, most security teams have no line of sight.
That gap between exposure and discovery is where the risk lives. Credentials stolen by infostealer malware are often purchased and weaponized within 48 hours of the compromise, potentially days or weeks before a security team has any indication something is wrong. For standard employee accounts, that window is serious. For your CEO or Head of Engineering, it's critical.
Monitoring Built for High-Value Targets
VIP Credential Monitoring provides continuous monitoring and alerting on compromised credentials for your high-value targets. Security teams can add personal or work email addresses for their executives and others with widespread access.
From that point forward, Recorded Future continuously monitors for those accounts across its full source coverage: infostealer malware logs from 30+ malware families, dark web forums, criminal marketplaces, paste sites, and breach dumps. When a VIP credential surfaces in that data, the team receives an alert with full contextual detail (malware family, authorization URL, compromised host information, etc.) so they can act with confidence.
Many executive monitoring solutions surface credential data that is days or weeks old by the time it reaches an analyst. By then, the window to get ahead of an attacker has often closed. For all stolen credentials indexed in 2025, Recorded future detected 36.4% within 24 hours of exfiltration, and 52.9% within one week.
The gap between when credentials are stolen and when a security team finds out is where breaches happen. Recorded Future closes that gap.
When a VIP credential appears in exposure data, teams can initiate a password reset, review active sessions, or reach out directly to the individual — all before the credential is exploited. For identities that carry this level of organizational risk, getting ahead of the exposure isn't just operationally valuable; it can be the difference between a resolved alert and a significant incident.
A Complete Picture of Identity Exposure
VIP Credential Monitoring is built on the same intelligence infrastructure that powers Recorded Future Identity Intelligence broadly: the same source coverage, the same detection engine, the same alert and triage workflow. It applies that capability to a category of identities that warrant closer attention, without requiring a separate tool, process, or integration. That's the logic behind Identity Intelligence as a whole: a unified view of credential exposure across every category of identity your organization needs to protect, covering employees, customers, and your highest-risk individuals.
For teams already using Identity Intelligence to monitor employee and customer credentials, VIP Monitoring is a targeted extension of coverage that fits into what they've already built. Any VIP credentials identified will benefit from the same core features of Identity Intelligence.
This includes Incident Reports, which surfaces any other credentials that may have been compromised from the same machine, and Customizable Alerting, which streamlines prioritization of these detections and can trigger response workflows through existing integrations with Okta, Microsoft Entra ID, XSOAR, Splunk, and others.
Attackers don't limit their targets to one type of account, and your monitoring shouldn't either. To see where you stand today, request a free Identity Exposure Assessment Report and get a concrete, evidence-based picture of your organization's credential exposure over the past year. Contact us to learn more about how Recorded Future can help your organization protect its identities and to see a demo of the platform in action.
For years, the cybersecurity industry has treated third-party risk management as a compliance exercise. Assess your vendors. Assign a score. File the report. Move on. That model was built for a different era. One where supply chains were smaller, threat actors were less sophisticated, and a quarterly questionnaire could reasonably approximate a vendor's security posture. That era is over.
Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets.
Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months. In this environment, a security rating is necessary. But it is nowhere near sufficient.
Recognized in the 2026 Forrester Wave™
Recorded Future was recently included in The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to Forrester customers or for purchasehere).
We see this recognition as a reflection of the market's evolution — and as an acknowledgement of the direction we've been building toward.
We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play — it's where the market is heading. In light of where the ratings market is today, let’s dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.
The Gap Between Hygiene and Intelligence
Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture — patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.
But hygiene ratings only answer part of the problem: How well is this vendor maintaining their defenses?
They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or has an active malware infection. This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves — often days or weeks after the initial breach. By then, the window for proactive response may have closed.
From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.
Third-Party Risk Management Is an Intelligence Operation
If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation.
That means combining the hygiene baseline — the outside-in view of a vendor's security posture — with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to continuous monitoring. It means equipping risk teams with the context to distinguish between a low-priority configuration issue and a vendor whose infrastructure is actively under attack. This is the problem Recorded Future Third-Party Risk was built to solve.
We've brought together two distinct capabilities that, until now, existed in separate worlds.
RiskRecon — built over a decade as one of the industry's leading cyber risk ratings platforms, trusted by 21,500+ users across 30+ industries, provides the hygiene foundation: transparent, evidence-backed security ratings evaluated across 40+ criteria in 9 security domains, with 99% audited data accuracy.
Recorded Future's threat intelligence capabilities, powered by collection and analysis across more than 1 million sources, adds the threat dimension: real-time alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation — often before the affected vendor is even aware.
Together, these capabilities create something the market hasn't had before: a single solution that covers the full lifecycle of third-party risk, from initial assessment and onboarding through continuous monitoring and incident response.
What This Looks Like in Practice
The value of combining hygiene ratings with threat intelligence isn't theoretical. Our customers are already seeing it play out.
When a vendor appears on a ransomware extortion site, Third-Party Risk customers can receive alerts in hours — not the days or weeks it takes for vendor self-disclosure.
When credentials associated with a monitored vendor surface on dark web markets, risk teams can initiate outreach and remediation before those credentials are weaponized.
When a critical vulnerability is disclosed, intelligence context helps analysts determine which vendors are actually exposed and at risk of exploitation, rather than treating every vendor with the affected software as equally urgent.
Customers consistently report a roughly 33% increase in visibility into third-party risks after adopting the platform (UserEvidence). Teams save an average of 7 hours per week that was previously spent on manual research and monitoring (UserEvidence). And customers routinely detect vendor incidents before the vendor itself has disclosed — turning what used to be a reactive scramble into a controlled, proactive response.
These aren't incremental improvements. They represent a fundamental shift from reactive compliance to proactive risk management.
Where We're Going
We're not done. Bringing RiskRecon and Recorded Future together was the first step in a broader vision for what third-party risk management should become.
Our roadmap is focused on deepening the integration between these two platforms into a unified experience. One where hygiene ratings, threat intelligence, and risk workflows operate seamlessly together. We're investing in AI-driven capabilities that will help risk analysts cut through noise faster, automate routine assessment workflows, and surface the insights that matter most. And we're building toward predictive intelligence that doesn't just tell you what's happening now, but helps you anticipate where risk is headed.
The goal is straightforward: make third-party risk management as data-driven, automated, and intelligence-led as the best security operations programs already are.
Join the Shift to Intelligence-Driven Third-Party Risk
Third-party risk programs that rely exclusively on hygiene ratings will continue to be caught off guard. The vendors who score well on a Tuesday can be breached by Wednesday. The questionnaire response you received last quarter may not reflect today's reality.
The organizations that are getting ahead of this are the ones treating third-party risk as what it actually is: an intelligence operation that requires continuous monitoring, real-time alerting, and the context to act decisively when something changes.
That's the future we're building. And we believe we're the only ones building it with the depth of intelligence and the strength of ratings data required to get it right.
Venezuelan Acting President Delcy Rodríguezʼs policy decisions will affect economic and political stability in Venezuela in the coming months. Her approach will likely be shaped by a deep familiarity with the state security apparatus, her revolutionary identity, a demonstrated willingness to break from orthodoxy and seek coordination with Washington, an interest in restoring support for the ruling United Socialist Party of Venezuela PSUV, and a long memory for perceived slights. These principles, paired with changing local power dynamics after the January 3, 2026, United States US special operation to capture former Venezuelan President Nicolás Maduro and his wife, Cilia Flores, suggest Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning. At the same time, she will likely find ways to cooperate with the US in ways designed to preserve the rule of PSUV and her credibility with other members of the ruling coalition. Rodríguezʼs core objectives are very likely to preserve PSUV rule and resist an opposition-led transfer of power, while maximizing the economic benefits of reengagement with Washington, including sanctions relief, investment, and a possible economic recovery. This will likely contribute to Rodríguez governing in a manner that avoids high-risk moves that could fracture her coalition or trigger instability that undermines her utility to the White House. In this approach, the biggest internal threat she faces in the short term is very likely PSUV rivals, including Interior Minister Diosdado Cabello, and other military and economic elites who perceive US engagement as a direct threat to their interests. While it is impossible to predict every move the Venezuelan government may take, public and private organizations can better anticipate risks to stability and investments — such as resistance to US-supported reforms or evidence of internal divisions in the regime — by systematically monitoring the rhetoric and actions of Delcy Rodríguez, Diosdado Cabello, and other senior officials using the Recorded Future® Intelligence Operations Platform
Key Findings
The January 3, 2026, US operation provoked panic among Venezuelan elites and fueled deep uncertainty regarding the plan to succeed Maduro, which was only resolved when US signaling prompted Venezuelan institutions to confirm that Rodríguez would assume presidential duties.
Rodríguezʼs hold on power is threatened internally by rival PSUV figures, chief among them Interior Minister Diosdado Cabello and his network of allies across Venezuelaʼs security apparatus and among pro-government armed groups.
Externally, the main threats to Rodríguezʼs power stem from US leverage over Caracas, including US geopolitical aims to bring Venezuela further under Washingtonʼs influence as well as US officialsʼ stated pursuit of a transition and support for the opposition faction led by María Corina Machado.
To avoid a destabilizing rupture that could trigger US backlash, Delcy Rodríguez will very likely prioritize internal governability and economic stabilization, cooperating with Washington enough to see sustained sanctions relief while seeking to manage rather than expel hardline rivals from her coalition.
To preserve her own credibility and influence in Venezuela, Rodríguez is likely to pair compliance with Washingtonʼs demands with “face-savingˮ gestures that assert Venezuelan sovereignty, and to resist genuinely competitive elections unless economic gains materially improve the PSUVʼs electoral odds.
Assessing Current Dynamics in Venezuela
Over the past 25 years, US-Venezuela relations have worsened as Venezuela’s government actively sought to oppose US interests in the Western Hemisphere, deepened relations with US rivals around the globe, and became increasingly authoritarian. This began under the deceased former president Hugo Chávez, whose movement, known as “Chavismo,” has governed the country since 1999. After Nicolás Maduro took power in Venezuela following Chávez’s death in 2013, he accelerated the consolidation of power and the erosion of democratic institutions begun by his predecessor. The US responded by imposing financial and oil sanctions meant to limit Venezuela’s ability to profit from its vast oil reserves and sanctioning over 200 members of the Venezuelan elite. The US pressure campaign on Venezuela accelerated in late 2025 under President Donald Trump, who deployed a historic number of naval assets to the Caribbean.
This military campaign culminated at around 02:00 Venezuelan Standard Time (VET) on January 3, 2026, when US special forces carried out airstrikes and a surgical intervention into Venezuela as part of an operation to capture and extract Maduro and his wife, Cilia Flores, to face drug trafficking and terrorism charges in New York. These events were the most significant US military operation in Latin America since the 1989 invasion of Panama, and ratified a new US doctrine that emphasizes primacy and willingness to use all available tools (economic, diplomatic, and military) to advance US interests in the Western Hemisphere, as laid out in the 2025 National Security Strategy. In Venezuela, the events of January 3 precipitated the most impactful shakeup of the country’s political order in decades.
While Acting President Delcy Rodríguez has signaled an openness to working with US priorities, this cooperation is affected by active tensions among the ruling elite and longstanding mistrust between Washington and Caracas. Understanding the events of January 3, 2026, and the immediate aftermath is crucial to evaluating the state of play on the ground and in the bilateral relationship.
Uncertainty in the Immediate Aftermath of the US Operation
In the immediate aftermath of the January 3 operation, there was widespread uncertainty in Venezuela regarding the future of PSUV rule. While the constitutional line of succession makes clear that the vice president should assume power in the president’s absence, initial messages from Venezuelan officials emphasized solidarity with Maduro and Flores rather than offering clarity on the future of PSUV governance. There was no official public reaction to the operation from the Venezuelan government until 04:14 VET, when former Defense Minister Vladimir Padrino López published a video on social media condemning the attack. He stated that Venezuela’s military — the Bolivarian Armed Forces (FANB) — was declaring a national emergency and deploying at strategic points around the country and called for unity against “imperialist threats.” Statements from Venezuelan officials since then confirmed the raid but did not clarify the makeup of the Venezuelan government.
Figure 1:Venezuelan state TV broadcast showing Rodríguez presiding over a meeting of the
The first clarity on Venezuela’s future leadership came from Washington. At roughly 11:50 EST (12:50 VET), US president Donald Trump gave a public address in which he explicitly stated that Washington would work with Rodríguez as it assumed a more direct role in overseeing the country’s energy and security policies. Trump also said that María Corina Machado, the most popular opposition figure in the country (who had been outside the country since December 2025 and is currently in Washington) did not “have the support within or the respect within the country” to rule. While Trump claimed that Rodríguez had been "sworn in," Rodríguez’s hold on power was not publicly ratified until 15:20 VET. At that time, state television aired footage of the Council of National Defense, a body made up of the main institutional leaders of the country, featuring Rodríguez chairing the meeting and Cabello, López, and National Assembly President Jorge Rodríguez (Delcy Rodríguez’s brother) present. It was not until roughly 22:00 VET that state media began circulating a decision from the Constitutional Chamber of the Venezuelan Supreme Tribunal of Justice (TSJ) that made clear that Rodríguez would assume the duties of the president. In its ruling, the TSJ invoked a Chávez-era precedent to overrule constitutional language that would otherwise require her to schedule an early election, effectively indicating that Rodríguez is very likely seeking a mandate until Maduro’s term ends in January 2031. Neither Rodríguez nor any other official has yet made this claim explicit, and US officials have suggested that new elections should be held before then. On January 5, she was officially sworn into office in a televised ceremony held in the National Assembly in the presence of key figures in the regime and diplomats from China, Iran, Russia, and Cuba.
US-Venezuela Relations Since January 3
Since January 3, the US has generally signaled support for a working relationship with Delcy Rodríguez, while making clear that Washington expects full cooperation with its energy and security priorities. In the immediate aftermath of the operation, President Trump told reporters that he might consider a second strike if Rodríguez did not cooperate, but then, on January 9, announced on Truth Social that he had “cancelled the previously expected second Wave of Attacks” in response to the Venezuelan government releasing a number of political prisoners. Since this announcement, Trump has sought to 1 convey that he and Rodríguez work closely together. On March 5, 2026, Trump posted on social media that Rodríguez is “doing a great job, and working with US Representatives very well.”
US Secretary of State Marco Rubio has also expressed a willingness to work with Rodríguez’s interim government, but provided more explicit emphasis on a transition as the ultimate end goal of US policy. Speaking to reporters on January 7, Rubio described the US approach as consisting of three main phases: stabilization, recovery, and transition. Stabilization, he stated, is needed to prevent Venezuela from “descending into chaos,” which would be avoided by US control over oil-sale proceeds. Rubio clarified that the “recovery” phase would be aimed at reopening the oil sector to US and other Western firms, and it would ultimately be followed by a “process of transition” that would include reconciliation among Venezuelans. This three-phase framing has been echoed by other US officials, although to date, no fixed timeframe for a transition has been made public. US officials have also said that severing Venezuela’s ties to Russia, China, Cuba, and other US geopolitical adversaries is a top priority in the relationship.
US-Venezuela coordination on energy policy appears to be advancing rapidly. On January 29, Venezuela’s PSUV-controlled National Assembly passed a reform to the country’s Organic Hydrocarbons Law, aimed at increasing autonomy for private companies involved in the country’s oil and gas industry. While the revised law continues to assert state ownership over hydrocarbon reserves, it broadens the mechanisms through which private companies can participate in upstream activity, including allowing private operators — via contracts with state-owned energy company Petróleos de Venezuela S.A. (PDVSA) or joint ventures — to assume operational control while retaining a share of production. The reform also introduces a much more flexible framework for royalties and taxes, which can be set on a case-by-case basis by the Ministry of Energy, with royalties of up to 30% and taxes of up to 15%. Previous windfall taxes have been eliminated in this reform.
US support for revitalized energy cooperation with Venezuela has been enthusiastic, and President Trump has actively encouraged US and other Western oil companies to invest as much as $100 billion in Venezuela. Two days after the passage of the Organic Hydrocarbons Law reforms, the US sent Chargé d’Affaires Laura Dogu, who leads the Venezuela Affairs Unit out of the US Embassy in Colombia, to Caracas, where she is tasked with overseeing the restoration of diplomatic ties with Venezuela. While Dogu has conveyed US support for closer relations, she has reiterated US support for an eventual transition. On February 2, she met with Rodríguez, and afterward posted on X that in the meeting she reiterated “the three phases that Secretary Rubio has outlined for Venezuela: stabilization, economic recovery and reconciliation, and transition.”
In the wake of the Organic Hydrocarbons Law reform, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued a series of general licenses allowing US and other Western companies to produce, refine, transport, and sell oil without seeking individual exemptions, effectively lifting sanctions that had previously restricted these activities (see Appendix A). These OFAC licenses mandate that any authorized transactions with Venezuela's government or state energy company PDVSA must follow US laws (with disputes being resolved in the US), and that payments to the Venezuelan government or any other Venezuelan sanctioned entity be made into a US-overseen fund. US support for energy investment in Venezuela was emphasized from February 11 to 12, when US Energy Secretary Chris Wright led a delegation to Caracas to meet with Rodríguez, becoming the highest-ranking US official to visit Venezuela in years.
Figure 2:US Energy Secretary Chris Wright examining crude oil at a PDVSA project site with Rodríguez (Source:Social Media)
Internal and External Threats Confronting Acting President Rodríguez
Since Acting President Rodríguez took over from Maduro in the immediate aftermath of the US operation on January 3, she has voiced support for cooperation with Washington — but her incentives to cooperate fully are very likely limited. Rodríguez is aware of Washington’s “three point plan” for Venezuela and is likely supportive of US plans to stabilize the country, lift sanctions, and promote investment. However, she is almost certainly seeking to preserve her rule and a government led by the PSUV, and will very likely resist any attempt to preside over a transition of power to an opposition-led government. Her ability to do so will very likely depend on her ability to consolidate power and manage potential spoilers within her own coalition, as well as her ability to deepen cooperation with US interests and demonstrate utility to the White House. In doing so, she faces a number of internal and external threats to her rule, which include challenges by rivals inside the ruling PSUV over the next six to twelve months, and pressure by Washington to hold new elections over the next twelve to twenty-four months.
Internal Threats to Rodríguez’s Rule
The main internal threat to Rodríguez’s power in the short term is other members of the ruling elite. She has steadily worked to consolidate power and secure the support of the military and intelligence services, but her support among the country’s political and economic sectors is far from settled. There are almost certainly key figures in the security forces, the business community, and in the ruling party who view Rodríguez, and her relationship with the US, as a challenge to the previous status quo and its associated privileges, economic arrangements, and patronage schemes. They may be concerned about their future influence, immunity
As Rodríguez continues to establish her rule, some of these individuals may seek to oppose her, either by seeking to derail or sabotage her rapprochement with Washington or by openly rebelling against her. In this context, an attempted palace coup cannot be ruled out. Her primary rivals include the following figures and networks, each of whom has a distinct power base and incentive to view Rodríguez as an adversary or rival:
Diosdado Cabello, Minister of Interior, Justice and Peace. Cabello is a senior power broker within the ruling party and has been the PSUV’s Secretary General since 2011. He has deep connections to the security services and hardline enforcement networks, including to pro-government armed paramilitary organizations known as “colectivos” (see Figure 3). State media has sought to downplay reported tensions between Cabello and Rodríguez, but Cabello’s incentives to undermine her are straightforward: Her consolidation of power threatens his influence over the party, the security apparatus, and his networks. He is also the only current cabinet member who was named in the unsealed drug trafficking indictment US prosecutors issued to capture Maduro, and he likely suspects that Rodríguez may eventually hand him over to the US.
General Vladimir Padrino López, former Minister of Defense. Padrino’s Lopez’s likely core incentive is to preserve the influence he accumulated after over a decade as the institutional head of the FANB, and to preserve the patronage networks he developed as the country’s longest-serving defense minister. He also likely seeks to protect himself and senior officers loyal to him from eventual prosecution for corrupt activities or involvement in repression, and therefore very likely views Rodríguez’s government as a challenge to longstanding FANB impunity. While there is no public evidence of any cracks between Padrino López and Rodríguez, it is very likely that he will resist meaningful reforms inside the armed forces
Major General Alexis Rodríguez Cabello, Director of the Servicio Bolivariano de Inteligencia Nacional (SEBIN). Cabello is a cousin of Diosdado Cabello and is believed to be close to him. As head of the primary intelligence service, Rodríguez Cabello has strong incentives to resist reforms that would expose him or his network to prosecution, and to preempt any purge that might impact him or his network.
Major General Iván Rafael Hernández Dala, former director of the General Directorate of Military Counterintelligence (DGCIM). Hernández Dala, a close confidant of Maduro, was head of DGCIM until replaced by Rodríguez in January 2026. He is also believed to be a longstanding opponent of both Rodríguez and Cabello, and of their respective factions in the PSUV. Even if sidelined from formal command, Hernández Dala likely retains networks inside the intelligence and security apparatus. He likely has incentives to undermine Rodríguez if he anticipates facing prosecution for past abuses, loss of status, or exclusion from any protection or economic deals between Washington and Caracas.
Business and Political Elites Tied to Maduro. Maduro and Flores dominated Venezuelan politics for nearly thirteen years. During that time, they cultivated a vast network of well-connected economic, military, and political elites that helped them sustain power. Many of them are not overtly tied to the Rodríguez siblings, and instead may be willing to ally themselves with rival factions to advance their own interests. Possible figures in this category include:
Tarek William Saab, Acting Ombudsman. Until his resignation in February 2026, Saab served as attorney general since 2017 and held significant influence over how the repressive apparatus was deployed, overseeing detentions and prisoner releases. Saab’s resignation was very likely forced, and he has clear incentives to resist any reform process that reduces his discretion or creates a credible path to independent investigations into past repression or corruption.
Nicolas Maduro Guerra, also known as “Nicolasito.” A member of the National Assembly and son of Maduro and Flores, Maduro Guerra is not one of the top PSUV powerbrokers in his own right but has played a crucial role in securing continuity by appearing publicly with Rodríguez and claiming she has his parents’ full support. Given lingering questions over internal Chavista involvement in the January 3 operation, he has leverage to complicate Rodríguez’s narrative and may seek to use it if he feels that his interests are threatened by the Rodríguez administration.
Alex Saab. Saab played a crucial role in facilitating sanctions evasion networks until his arrest by US law enforcement in 2020. Saab was later returned to Venezuela in a 2023 prisoner swap, and Maduro rewarded him by making him Minister of Industry and National Production. Rodríguez replaced him in January 2026, likely understanding that Saab was not palatable for US business interests, but Saab likely retains enough social capital within Venezuela’s private sector to pose a challenge to Rodríguez. This is the likely reason why Saab was reportedly detained by Venezuelan intelligence in February 2026, although his lawyer has maintained that he is not under arrest.
Figure 3:Illustration of key internal rivals of Venezuelan Acting President Delcy Rodríguez (Source: Recorded Future)
External Threats to Rodríguez’s Rule
US Pressure to Box Out Geopolitical Adversaries
In the short term, the most significant external threat that Rodríguez faces is a reversal of United States policy — either via renewed military or intelligence operations intended to force her removal, or through a more indirect pressure campaign meant to trigger a domestic fracture. A second US special forces operation to depose her outright is unlikely, but it remains a scenario Rodríguez and her circle will have to treat seriously, given the direct and disproportionate leverage that Washington currently holds over Caracas. More likely than further military action is the prospect of renewed pressure: the US can calibrate sanctions relief, revoke OFAC licences, and facilitate or block diplomatic recognition in ways that shape incentives and perceptions of the regime’s survivability among Venezuelan elites. Recent reporting suggests Washington is simultaneously pursuing deepened energy engagement while remaining skeptical about whether Rodríguez will fully align with US strategic demands, which increases the possibility of an abrupt shift away from Rodríguez if she does not deliver on US priorities.
A major fault line in the US-Venezuela relationship is Venezuela’s ongoing relationships with US geopolitical adversaries, namely China, Russia, Iran, and Cuba, even as the US has increasingly sought to box them out of Venezuela. US officials publicly demanded that Venezuela cut ties with adversary nations and have actively moved to push them out. The US has successfully pressured Venezuela to end fuel shipments to Cuba, and OFAC general licenses intended to facilitate Venezuelan oil and gas activity explicitly do not authorize transactions involving Russian, Chinese, or Iranian entities. In spite of this, Rodríguez has sought to publicly demonstrate an interest in retaining these partnerships.
Opposition Efforts to Limit US-Venezuela Engagement
Another short-term external threat to Rodríguez is opposition figure María Corina Machado. While she remains the most popular opposition figure in Venezuela, and her faction has a demonstrated capacity to organize protests on the ground, these have so far not presented a significant threat to stability or to PSUV governance. Her presence in Washington since December 2025, however, has provided her with a major platform to directly shape the US foreign policy debate over Venezuela. With Machado and close advisors operating from Washington, she has advanced a narrative publicly supportive of the US agenda while privately calling on allies in Congress and in the international community to press for a clearer timetable for new elections and the ouster of the PSUV. She has also used her platform to promise she will return soon, and to highlight perceived inconsistencies between Rodríguez’s actions and her rhetoric, noting, for instance, the gap between the government’s claimed political prisoner release numbers and the figures cited by independent rights organizations.
Figure 4:Photo of Venezuelan opposition leader Maria Corina Machado at a rally ahead of the 2024 presidential election (Source:Reuters)
Machado has received strong support from bipartisan lawmakers in the US House and Senate, who have questioned US engagement with Rodríguez. While Machado’s efforts to raise the political cost of engagement with the Rodríguez government have earned her support from some allies in Washington, the White House has reportedly expressed frustration with her criticism, with officials claiming it undermines US policy. These efforts very likely represent a lesser threat to Rodríguez’s hold on power, given White House insistence on working with Rodríguez, but introduce persistent uncertainty into the sustainability of US support for her.
Calls for a Competitive Election
Beyond these immediate pressures, the most important mid-term threat to Rodríguez and to future PSUV rule is the election timeline reportedly being promoted by the Trump administration. While the US has refrained from presenting a specific timetable, officials ranging from Chargé d’Affaires Dogu to Secretaries Rubio and Wright have increasingly signaled publicly that the US expects to see new elections in the next eighteen to twenty-four months. The specifics of these elections, like whether they would be only presidential or include broader general elections (to replace the PSUV-dominated National Assembly), have not been disclosed, but the US insistence on elections in some form very likely forces Rodríguez to reconcile her approach to coalition management with a desire to seek electoral legitimacy on a compressed timeline.
At the moment, Rodríguez, her inner circle, and PSUV elites almost certainly view a competitive presidential election as an existential threat. Polls have repeatedly demonstrated that the PSUV is unpopular. While Rodríguez is the most popular figure in the PSUV, she would very likely lose a presidential race with Machado by a two-to-one margin, and Machado would very likely defeat any PSUV candidate absent a significant shift in public opinion. Maduro’s removal has not automatically revived grassroots loyalty to the ruling party, with local PSUV leaders describing fractures, demobilization, and severe drops in participation inside local party structures since January 2026.
Given the PSUV’s lack of legitimacy, US support for elections will likely become a flash point in the relationship with Rodriguez. These tensions will also very likely be exacerbated by opposition mobilization inside the country and Machado’s efforts to marshal support in Washington. While US authorities have not yet demanded that Machado be allowed to return to Venezuela (and has reportedly asked her to delay any plans to this effect), her return is almost certain to occur well in advance of an election as she has openly said she will run. The temporary re-arrest of opposition figure Juan Pablo Guanipa in February after he began organizing anti-government rallies suggests the ruling party will likely seek to use the repressive apparatus to restrict Machado’s campaigning efforts, elevating the likelihood of pre-election instability. Even if a competitive election is held under the PSUV, the experience of the July 2024 election suggests that the ruling party is unlikely to recognize the results if the opposition wins, raising the likelihood of post-election instability, protests, and violence.
Delcy Rodríguez’s Origins and Principles of Her Approach to Decisionmaking
Before her emergence in recent years as the face of relative economic pragmatism in Chavismo, Delcy Rodríguez’s background was not well-known internationally. But her rise to power reveals a number of factors that likely inform her approach to governance and likely impact the prospect for political and economic stability moving forward. These include:
Familiarity with Venezuela’s Intelligence and Repressive Apparatus: In addition to her reputation as an economic reformer, Rodríguez likely has a deep familiarity with intelligence work that, according to state media, goes back to the Chávez years. In 2002-2003, she reportedly worked with the SEBIN’s predecessor agency, the Dirección General Sectorial de los Servicios de Inteligencia y Prevención (DISIP), on undisclosed counterintelligence work involving “geopolitical reports” with former DISIP head Eliezer Otaiza. From the time she rose to the office of Executive Vice President in 2018 until 2021, the SEBIN technically fell under her office. While there is no publicly available evidence that she explicitly directed SEBIN-led repression of dissidents, her role likely afforded her a deep familiarity with the main Venezuelan intelligence agency’s response during the government’s crackdown on the post-2018 election protests and the 2019 protest wave led by opposition figure Juan Guaidó. It is likely that she was, at a minimum, aware of acts of torture, extrajudicial executions, arbitrary detentions, and other alleged human rights violations and crimes against humanity since 2014 that have been credibly documented by the Independent International Fact-Finding Mission on Venezuela created by the United Nations (UN) Human Rights Council.
Identity Shaped by Revolutionary Politics: Rodríguez was born in Caracas in 1969 and grew up in a politically active left-wing family. Her father, Jorge Antonio Rodríguez, founded an armed urban guerrilla group and was killed in police custody in 1976, allegedly under interrogation. His death made him a martyr among the Venezuelan left, which cemented the revolutionary identities of Rodríguez and her older brother Jorge from an early age. Rodríguez has framed her decision to study law as an effort to “do justice for her father’s case,” and both she and her brother routinely cite his death as a justification for their support for Hugo Chávez and the movement he founded. In public, Rodríguez has repeatedly expressed strong support for the ruling party’s socialist ideology. In a September 2019 address to the United Nations General Assembly, she criticized “capitalist supremacism” and ended with a call to “save the world from capitalist violence.”
Willingness to Break from Ideological Purity: In practice, Rodríguez’s rise demonstrates that she is open to abandoning ideological purity in order to accomplish her objectives. Unlike Maduro and other ruling party figures who developed close personal ties to Chávez, she had a notoriously poor relationship with the former leader and spent significant time outside Venezuela in her formative years. Rodríguez studied law at the Central University of Venezuela, but later pursued postgraduate studies abroad in labor law in London and Paris, and reportedly spent time in the United States. She speaks English and French. Rodríguez returned to Venezuela after an opposition-led failed coup attempt against Chávez in 2002, and first worked as an advisor in the Foreign Ministry, and then as Deputy Minister for European Affairs before ending up as Chávez’s Minister for Presidential Affairs. She did not last long in this position, however, and was abruptly dismissed after she reportedly argued with and insulted him during a presidential visit to Moscow. Rodríguez then adopted a lower profile in Venezuelan political life until Maduro took power, who made her his foreign minister in 2014. As foreign minister (2014-2017), president of the pro-government National Constituent Assembly (2017-2018), and then as executive vice president (2018-2026), she developed a reputation as a shrewd political operator and staunch Maduro ally.
Interest in Addressing PSUV’s Declining Popularity: Although Rodríguez was and arguably remains a Maduro ally, she has demonstrated a clear awareness of how the PSUV’s economic mismanagement has led to its declining popularity and has shown an interest in reversing it. Ahead of the 2018 presidential election, she briefly led a satellite party of the PSUV called the Movimiento Somos Venezuela (“We Are Venezuela Movement”) and served as its leader in a likely attempt to “rebrand” Chavismo and connect with a younger generation of Venezuelans. She was officially reincorporated into the PSUV’s leadership in late 2018 after her party failed to account for more than six percent of Maduro’s reelection vote. When Maduro made Rodríguez his Minister of Economy in 2020, she began to advance an agenda of relative economic liberalization, and brought on a team of Ecuadorean advisors to impose tighter fiscal discipline and stabilize the exchange rate, eventually promoting the de facto dollarization of the economy. The success of the policies contributed to a modest but important economic rebound and led Maduro to appoint her in 2024 as Energy Minister as well, a post she technically still occupies. In overseeing this economic agenda, she began to cultivate a reputation for herself as less of an ideologue and more of a pragmatist, and began to pursue closer relationships with major energy companies and other investors. This reputation almost certainly contributed to the US decision to engage with her government after removing Maduro.
Calculating Operator with Sense of Persecution: Rodríguez has a history of keeping track of past instances where she has been slighted, even referring to her support of Chavismo and of its revolution as her and her brother’s “personal revenge” for the death of their father. Rodríguez herself has alluded to this trait on state media. In a 2024 appearance on the Con Maduro Podcast, she recalled running into former Argentine President Mauricio Macri, a vocal critic of the Venezuelan government, at the 2022 World Cup in Qatar. Macri had recently been made the Executive Chairman of the FIFA Foundation, and, according to Rodríguez, she shook his hand and told him: "Did you see where you are now, and where we are? We're with the Venezuelan people. And you? You're here picking up balls.” Rodríguez is also a savvy operator, and her rise to prominence reflects not only her ability to deliver on economic policy objectives but also her ability to outmaneuver rivals. The best-known instance of this is her leadership of an anti-corruption campaign in 2024, which resulted in the imprisonment of former vice president, oil minister, and longtime rival Tareck El Aissami.
Openness to Dialogue with Washington: Even before the current rapprochement between Washington and Caracas, Rodríguez was known for consistently favoring a deeper diplomatic relationship with Washington — albeit one built on mutual respect. During the 2022 phase of exploratory talks in which the two countries negotiated sanctions relief in exchange for holding presidential elections in 2024, Rodríguez publicly maintained that the relationship “cannot be conditioned,” saying that Venezuela’s doors were open to any country that arrived “with respect” and treated it as an equal under international law. During this period, she specifically centered the importance of discussing US oil and gas interests in bilateral diplomacy, saying that Venezuela was willing to pursue “energy dialogue” with US firms, indicating a view of energy cooperation as a channel for de-escalating tensions.
A Framework for Anticipating Delcy Rodríguez’s Policy Decisions
When Delcy Rodríguez faces policy decisions that impact economic and political stability in Venezuela in the coming months, her approach is likely informed by the pillars described above: her revolutionary identity, tactical pragmatism, openness to US engagement, an interest in restoring popular support for the PSUV, a long memory for slights, and familiarity with the security apparatus, as well as the internal and external short- and mid-term threats to her rule. Given these factors, Insikt Group assesses that she is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while likely cooperating with the US in ways that preserve her credibility inside the ruling coalition. This matters for prospective investors because it suggests the Venezuelan government is likely to seek to maintain a pragmatic economic policy environment focused on short-term macroeconomic stability. At the same time, companies seeking to invest will almost certainly continue to face elevated sanctions compliance risks and potential policy reversals depending on the evolving Washington-Caracas relationship, making it critical to closely monitor Rodríguez’s evolving policy decisions and internal relationships.
Coalition Management over Open Confrontation with Rivals
Rodríguez will likely prioritize maintaining and reconfiguring her coalition over seeking conflict with internal rivals, because the external pressure she faces makes internal rupture more risky than compromise. Her main rival, Diosdado Cabello, has significant sway over the repressive apparatus and over pro-government armed “colectivos” loyal to him, and his removal could therefore provoke unrest and destabilizing violence. This is precisely the kind of chaos Washington has sought to avoid, and very likely why it opted to keep Rodríguez in place as interim president in the first place. She therefore likely assesses that purging, detaining, or otherwise sidelining Cabello or other top PSUV rivals could risk calling into question her ability to maintain order, and would undermine her position with Washington as a lynchpin of relative calm and continuity.
This is likely the reason that Rodríguez has sought to balance the ruling coalition since taking power rather than immediately shaping it to align with her preferences. Although she elevated her allies to higher positions in her government early in her tenure — such as appointing Calixto Ortega as Vice President of Economy — she has largely kept the ruling apparatus in place. Not only has she left a number of other figures close to Cabello in their positions, but she has also promoted figures in Cabello’s network. Just three days after Maduro’s capture, she named Gustavo González López, believed to be a Cabello ally, to lead both the Presidential Honor Guard and the Directorate General of Military Counterintelligence (DGCIM). On March 18, she also named González López to be her Defense Minister, replacing Padrino López. She also appointed Cabello’s daughter, Daniella Cabello, to be Minister of Tourism — a significant post that will afford her a direct role in reopening Venezuela to international commercial activity. These moves were likely taken out of a desire to effectively secure Cabello’s support for her economic normalization agenda.
Face-Saving Cooperation with Washington
Rodríguez will likely continue to cooperate with Washington’s energy priorities, but she will very likely pair this compliance with visible signaling aimed at saving face with PSUV loyalists. This is likely why, even as she has received high-level US officials in Caracas and even spoken with Trump over the phone, she has publicly demonstrated support for retaining partnerships with US adversaries. On January 8, for instance, Cuban Foreign Minister Bruno Rodríguez traveled to Caracas and accompanied the interim president to speak at a commemoration event at Venezuela’s Military Academy for the Cuban and Venezuelan casualties from the January 3 US operation to capture Maduro. This was Rodríguez’s first event in which she officially presided over a military ceremony as commander in chief of the armed forces. On the same day, state-run media reported that Rodríguez held a meeting with Chinese Ambassador to Venezuela Lan Hu, in which she thanked China for its support for Venezuelan sovereignty and described the encounter as “cordial.” The ambassadors of China, Russia, and Iran were given front row seats to Rodríguez’s January 5 swearing-in ceremony, and state TV broadcast images of the Venezuelan leader greeting them affectionately.
Figure 5:Screenshot of Venezuelan state TV broadcast showing Chinese ambassador Lan Hu, Russian ambassador Sergey Mélik-Bagdasárov, and Iranian ambassador Ali Chegueni were prominently seated at Venezuelan Acting President Delcy Rodríguez’s January 5, 2025, swearing-in ceremony (Source:Telesur)
Such gestures will very likely continue as they offer Rodríguez a way to preserve credibility among PSUV elites and everyday party faithful. She can claim that her rapidly evolving relationship with Washington is a sovereign decision that improves stability and living conditions, rather than a relationship that is shaped by a drastically uneven playing field. As part of presenting an image of mixed compliance with Washington’s demands for Venezuelan audiences, she will almost certainly continue insisting that Maduro remains the legitimate president and demand his return, even as she works to consolidate her own power.
Leveraging Hardliners to Justify Non-Compliance
The internal rivalries identified above represent significant threats to Rodríguez’s legitimacy inside the PSUV and her claim to power, and attempting to balance her coalition while consolidating her control will almost certainly be a major challenge for Rodríguez. However, it is likely that Rodríguez will, over time, point to alleged hardliners to justify selective non-compliance with US aims, credibly or otherwise. Ultimately, it may be useful for Rodríguez to be able to point to ongoing tensions in her coalition or the prospect of instability as a way of warding off US pressure for an eventual transition or for competitive elections to be held. This justification is likely to lose credibility over time if she continues to consolidate administrative control and accumulate legitimacy, especially if she presides over significant economic gains amid US sanctions relief. Ultimately, the very steps that allow her to consolidate her rule may eventually be used by Washington to justify accelerating the end of it.
Resistance to Elections if Seen as an Existential Threat
Rodríguez’s past political experience and the PSUV’s record across more than 25 years of governing suggest the Venezuelan government will very likely seek to maximize political gain from any economic growth resulting from US sanctions relief and economic normalization. And while US officials have routinely conveyed that they expect elections to be held in the next two years, the Venezuelan government is almost certain to resist or sabotage elections unless it perceives that economic improvement has boosted the PSUV’s chances of winning a competitive election. Even then, the PSUV will very likely seek to use its control of government to activate patronage networks, divert public resources to politicized social programs, and attempt to present legal obstacles to opposition campaigning — just as it did in the lead-up to the 2024 presidential election.
Ultimately, this logic is consistent with how Chavista elites have historically conceptualized elections: In multiple instances of US-backed talks meant to offer sanctions relief in exchange for competitive elections, Venezuelan government negotiators routinely argued that elections can be considered “fair” only if voters can judge the government without the distorting economic effects of sanctions. If economic growth does not translate into a boost in popular support for the ruling party, Rodríguez will likely come under increasing pressure from rivals to resist a US-backed transition. It is therefore likely that democratization in Venezuela will be phased and gradual, not immediate, and will likely depend in large part on whether elements of the ruling elite see a viable future for themselves in the country as a possible outcome after alternating power.
Outlook
Over the coming months, Delcy Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while still finding ways to cooperate with the United States that preserve her rule and credibility inside the ruling PSUV coalition. In the short- to mid-term, the main challenge she faces is the threat posed by internal rivals who may feel threatened by her reforms. This makes her cabinet changes, and evidence of backlash among political and economic elites, crucial variables to watch. In confronting internal threats to her rule, she will likely pursue a strategy of coalition management over one of open confrontation. Even as Rodríguez continues to consolidate power and tries to keep hardline rivals contained, she will likely avoid high-risk moves that could fracture elite support and risk threatening her relationship with Washington.
In the short and mid terms, the main flashpoints will be US pressure to end Caracas’s relationships with Moscow, Beijing, and other US adversaries, as well as US pressure to hold competitive elections in the next two years and eventually to advance a political transition. Rodríguez and PSUV elites likely view a genuinely competitive presidential vote as an existential threat. As a result, the government is almost certain to resist or sabotage competitive elections unless economic improvement significantly boosts the PSUV’s electoral odds. Even then, it would likely use patronage, politicized social programs, and legal obstacles to constrain opposition campaigning and preserve an institutional advantage. This raises the prospect of instability both in the lead-up and in the aftermath of any elections, given the likelihood of opposition protests and an associated crackdown. Given these dynamics, any transition is more likely to be phased and gradual than immediate, with stability hinging on whether Rodríguez is able to consolidate support among the ruling elite and whether the broader Chavista coalition can see a viable future for itself under any eventual alternation of power.
Appendix A: 2026 OFAC Licenses Issued for Venezuela
Authorizes US persons to export/reexport/sell/supply US-origin diluents to Venezuela even when transactions involve the Government of Venezuela, PDVSA, or PDVSA-majority entities, as long as contracts are governed by US law and disputes are resolved in the US
Authorizes “established US entities” to engage in transactions that are ordinarily incident and necessary to the lifting, export/reexport, sale/resale, supply, storage, marketing, purchase, delivery, transportation, and refining of Venezuelan-origin oil, including related logistics, even when the activity involves the Government of Venezuela, PDVSA, or PDVSA-majority entities
Authorizes OFAC to permit the provision from the US of goods, technology, software, and services needed for oil and gas exploration, development, production, and maintenance in Venezuela, even when transactions involve the Government of Venezuela and PDVSA
Authorizes transactions otherwise that are “related to the negotiation of and entry into” contingent contracts with the Government of Venezuela, PDVSA, or PDVSA-majority-owned entities — so long as the contract’s performance is expressly contingent on separate OFAC authorization
Authorizes transactions related to oil or gas sector operations in Venezuela conducted by specified companies and their subsidiaries, provided contracts are governed by US law (with disputes resolved in the US) and most payments to blocked persons (including taxes/royalties) are routed to specified US-directed deposit funds
Table 1:A list of OFAC general licenses issued since the passage of the Venezuela hydrocarbons law(source: US Office of Foreign Assets Control)
Recorded Future is the World’s Largest Intelligence Company. Our team works to build products that customers love. In this video, Kyle Kohler interviewed with VentureFizz about his day-to-day as a Senior Product Manager for Integrations. He describes the job as truly multifaceted, encompassing starting new strategic initiatives, turning customers feedback into improvements, and enabling other team members to do the same. Full video and transcript available below.
I’m Kyle Kohler. I’m a product manager over the integration strategy at Recorded Future.
Recorded Future is the world’s largest threat intelligence provider. We are covering all sorts of domains of intelligence. It’s geopolitical intelligence, cyber intelligence, payment fraud intelligence. And essentially intelligence is this data that an organization uses to take action and make a better decision. So the more that you understand a subject or topic, a current event, the better that you can define what actions you take to either defend your organization or proactively increase your competitive edge.
As a product manager, it’s funny. I see it as this arson firefighter educator role. And I think that definitely needs to be unpacked a bit. As an arson, you’re starting fires. So, very strategically, which fire do I put under which team, under which initiative, which fire do I stoke and one do I burn hotter? And as a firefighter, you’ve got maybe fires coming in being reported to you from a customer, from an organization, from another product team who needs this other product team to make something happen. And so, you’re very strategically figuring out what to stamp out, what to stoke. And as an educator, you’re also teaching others how to start fires and put out fires. So, you’re constantly going from one thing to the next and keeping all of these moving pieces going. There’s no one project that you just shepherd along and that’s the only thing you work on. You’re constantly context switching and a good product manager has that multi-domain knowledge to think laterally, but also track how this thing affects that thing and how it might affect the other thing in the future.
At Recorded Future, we’re a global organization and I’m based on the west coast of California. So I wake up in the morning and the first thing I’ve got are 10 to 12 Slack messages from across the globe that come in from different geographies. Other people are ending their day and they’ve got some questions that maybe I can answer or they’re looking for how to direct on who might have the right answer. So the first thing generally starts with voraciously checking Slack and I’m answering notifications as I mentioned questions and the next thing is okay well from the answers to those questions are there new initiatives that need to get spun up or are there existing initiatives that need to get nudged along or are there certain fires that need to get stamped out and that’s the whole day is you’re really tracking where things are in their current state what needs to get responded to and what needs to get pushed along.
Recorded Future really was attractive to me because it was a pretty new field within cyber security and within technology but also as a company was not just related to IT and cyber had this geopolitical and payment fraud type of angle looking at the world. So it was really taking a big data problem how do you track everything that happens everywhere but then how do you break that down into these bite-sized pieces that ultimately help an organization’s current mission. So I really was attracted by the fact that we are helping organizations secure the world. We’re able to do that by securing the world with intelligence, but it’s so multi-domain that you’re just never going to get bored. There’s always something new. There’s always something to track. There’s always some new threat. There’s always some new initiative, some new innovation. And Recorded Future has really been at that cutting edge of innovation. Always coming up with what’s next in the market, what’s next in the threat landscape and how will we as a company address supercharging the existing missions of our organizations that we help today.
This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demonstrate increased sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, while still relying primarily on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we have determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are LAC's largest economies. Additionally, based on this research, Insikt Group found that threat actors often targeted critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable.
Key Findings
Insikt Group assesses that criminal forum DarkForums and the messaging platform Telegram are the primary special-access forums and communications platforms used by threat actors operating in or targeting the LAC region.
Threat actors operating in or targeting LAC are typically financially motivated and frequently leverage social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, and financial institutions.
In 2025, Insikt Group recorded 452 ransomware incidents impacting the LAC region. The top five industries affected were healthcare, manufacturing, government, information technology, and education, all of which observed a noticeable increase in attacks compared to the previous year.
Insikt Group continued to identify banking trojans being leveraged by threat actors, with established variants being the most widely used. Specifically, threat actors used banking trojans in targeted smishing campaigns targeting WhatsApp users to gain access to financial data and steal credentials.
Insikt Group identified LummaC2 as the most prolific information stealer (infostealer) affecting organizations in LAC in the first half of 2025 and Vidar in the second half, following law enforcement disruption of LummaC2.
Background
In the aftermath of the COVID-19 pandemic, the LAC region underwent rapid digital development that outpaced security maturity, leading to asymmetrical cloud adoption, reliance on legacy infrastructure, and the introduction of remote work across all verticals. Many organizations adopted software-as-a-service (SaaS) platforms without effectively implementing strong access controls or multi-factor authentication (MFA) methods, leaving them exposed to ransomware and data theft, among other cyberattacks. Economic instability (inflation and currency controls) in LAC countries has created incentives for cybercrime while weakening institutional defenses. Political volatility, social protests, and corruption have created new opportunities for financially and politically motivated threat actors. Compounded factors such as high youth unemployment, income inequality, and the influence of informal economies have driven individuals to seek alternative sources of income, which in turn fuels much of the cybercrime we see today.
According to a World Economic Forum report, 13% of respondents in the LAC region expressed low confidence in their country’s preparedness to respond to significant cyber incidents. Despite significant progress in digital government, regulatory advancements, and investments in the region, many countries still lack the technical competence in their workforce and the resources to sustainably harden their environments. Many LAC government networks hold large amounts of sensitive data but are deficient in their security best practices, leaving their systems vulnerable to cyberattacks. Large breaches are routinely circulated, recycled, and resold on dark web marketplaces, enabling identity theft, synthetic identity fraud, SIM swaps, and account takeovers, among other types of cybercriminality to flourish at a larger scale.
Although the LAC region has made significant technological advancements, particularly in the financial services sector, innovations are creating new challenges. The financial technology industry has introduced mobile banking applications, digital wallets, and instant payment systems. LAC countries face rising levels of cyber-enabled fraud in the financial sector because real-time payment rails have weaker identity verification controls, rendering social engineering attempts more effective. Instant payment systems, such as Brazil’s PIX and similar mobile banking platforms, have often been targeted by threat actors. With faster transaction speeds at higher volumes, detection and recovery efforts have become increasingly complex, making scams significantly more profitable and scalable.
The LAC region has the world's fastest-growing rate of disclosed cyber incidents, though many remain unreported. Only seven LAC countries have plans to protect their critical infrastructure from cyberattacks, and only twenty have Computer Security Incident Response Teams (CSIRTs). Despite 31 LAC countries having some form of legislation addressing cybercrime, many face skills shortages, creating barriers to enforcement. Limited law enforcement resources and unreliable interstate cooperation further delay investigation and prosecution, enabling threat actors to operate across jurisdictions with relative ease. A cultural perception that cybercrime carries low risk and offers high reward undermines the deterrent effect that reliable law enforcement action would otherwise have. This incentive structure, coupled with reduced stigma, encourages repeat offenses and recruitment, as reflected in the cybercriminal trends observed by Insikt Group in 2025.
Cybercriminal Activities in LAC
Throughout 2025, Insikt Group investigated and identified different types of cybercriminals operating on clearnet and dark web sources. Cybercriminals routinely leveraged phishing for initial access, and among the most common methods seen was the search and collection of sensitive information directly from a compromised host's file system or databases. This technique is often a critical pre-exfiltration step used to obtain financial records, passwords, and other forms of personally identifiable information (PII), likely to conduct account takeovers or fraud. Insikt Group research found that cybercriminals have also begun evolving their TTPs to exploit near-field communications (NFC) to commit financial fraud and are using malware to target cryptocurrency wallets. Insikt Group intelligence indicates that cybercriminals are primarily interested in selling compromised databases and access methods, as well as participating in hacktivist collectives. In some instances, advanced persistent threats (APTs) have also begun to overlap their activities with cybercrime when targeting the region.
Cybercriminal Sources
Threat actors operating in or targeting the LAC region continued to rely on the infrastructure of established English- and Russian-speaking forums throughout 2025 (see Appendix A). Insikt Group identified Spanish- and Portuguese-language postings on several established dark web and special-access forums. Even though these sources are predominantly English- and Russian-speaking, these posts likely indicate a preference among threat actors targeting LAC to seek more established, traditional platforms for conducting business. Research showed that low to moderate-tier forums are most commonly used by threat actors based in or targeting LAC countries, possibly suggesting lower levels of sophistication, as higher-tier forums often require vouching, payment, demonstration of knowledge or technical abilities, and sometimes private invitation to gain access.
Insikt Group assesses that most communications between threat actors likely occur on encrypted messaging platforms such as Telegram, WhatsApp, and Signal due to speed, ease of access, and higher levels of trust among group members. Given the privacy-enhancing features of many of these platforms, collection efforts can become significantly more constrained. Telegram is predominantly used because it offers larger channel and group capacities, account creation is simple, it enables threat actors to leverage bot automation and support for their malicious activities, and content moderation is typically less stringent than on other platforms. By offering a path of least resistance, threat actors enjoy the added privacy that end-to-end encrypted messaging platforms provide without delaying their operations.
Financially motivated threat actors often advertise a variety of data types, including PII, financial data, login credentials, system access credentials, exploits and vulnerabilities, malware, ransomware, and hacking tutorials. In some instances, Insikt Group observed threat actors selling customer relationship management (CRM) access, virtual private network (VPN) access with domain user privileges and local administrator rights on a database server, and command-and-control (C2) access to LAC-based entities in 2025. Leveraging this access to information, cybercriminals may facilitate further crimes, including but not limited to extortion attempts, digital and social engineering scams, ransomware deployment, data theft, and account takeovers. Insikt Group research indicates that threat actors generally advertise breached databases and payment card data because they can be lucrative, require relatively low levels of sophistication, and are sought after by other cybercriminals.
Threat actors often target government systems because they contain highly sensitive data that can be profitable for scams, identity theft, or extortion. For instance, shortly after a tense general election, Ecuador’s legislature, the National Assembly, reported it had suffered two cyberattacks aimed at accessing confidential data and disrupting the availability of information services. In another example, threat actors exposed sensitive data on millions of Paraguayan citizens on the dark web; among the alleged exfiltrated data are national ID numbers, dates of birth, physical addresses, and health service records.
DarkForums was the primary dark web and special-access forum where Insikt Group recorded the most posts relating to cybercrime-related events in Spanish and Portuguese in 2025. This forum is an English-language, low-tier forum operated by English-speaking administrators, launched in March 2023, and is accessible via a clearnet domain. Additionally, DarkForums was observed hosting leaked databases and data breaches involving Spanish-speaking countries, with posts describing the compromise of thousands of records and credentials. Other forums, such as XSS, Exploit, RehubcomPro, Cracked, BreachForums 2, ProCrd, and CrdPro, were also among the top forums to contain posts in Spanish and Portuguese. Appendix A presents a sample of Spanish and Portuguese forum threads from these sources.
Cybercriminal Tactics and Attack Vectors
The LAC region has a long history of financially motivated cybercrime; as a result, Insikt Group observed in this analysis that threat actors continue to heavily target the financial sector. Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages, impersonating financial institutions, and requesting invoices or payments. Threat actors deliver lures via malicious links that redirect to fake login pages and contain malicious attachments with embedded links. Many of these techniques are effective when targeting entities in the LAC region due to an overwhelming reliance on email and messaging applications for business, as well as a general strong trust in branded communications. Artificial intelligence (AI) has introduced more sophisticated methods into the cybercriminal ecosystem in LAC, lowering the barrier to entry for threat actors and significantly increasing the scalability of attacks through automation. AI helps threat actors create more effective phishing messages that could be generated in native Spanish or Portuguese, rendering them more convincing to the local target audience. The advent of agentic AI also presents new opportunities and attack vectors for cybercriminal groups to exploit and greatly facilitates cybercrime-as-a-service. Organized criminal groups have integrated AI into their operations to assist with drug smuggling, money laundering, cyber-enabled fraud, and malware development.
Throughout 2025, Insikt Group observed threat actors targeting the LAC region by compromising remote desktop protocol (RDP), VPNs, and web admin panels, and obtaining credentials from prior infostealer infections, password reuse, brute-force attacks, and other initial access points. Based on data within the Recorded Future Intelligence Operations Platform, there are approximately 29,000 references to exposed LAC-related credentials on Russian Market. These exposed credentials are from domains belonging to the top organizations (by revenue) in the healthcare, government, and financial sectors across the five largest economies in LAC. Russian Market is one of the leading dark web marketplaces for the sale and distribution of infostealer logs. Most of these logs were from LummaC2 and then Acreed Stealer, consistent with what Insikt Group observed in its review of additional infostealer logs. It should be noted that many of the 29,000 exposed credentials are likely customers of these organizations and not necessarily employees, as Recorded Future does not have access to internal-facing employee domain addresses to search for exposed credentials; however, those can be added by an end user. Insikt Group assesses that these attack vectors were likely effective for infiltrating the systems of targets in the LAC region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. Insikt Group observed threat actors advertising carding tools, bulk SMS/Email blasting, SIM swapping, hacking assistance, and other similar services on Telegram channels.
In 2025, Insikt Group observed a rise in novel types of malware that actively leverage and exploit NFC. First identified by Threat Fabric, PhantomCard is an Android trojan, notably a variant of China-origin NFC relay malware-as-a-service (MaaS), primarily targeting banking customers in Brazil. PhantomCard enables relay attacks by obtaining NFC data from a victim's banking card and transmitting it to a threat actor's device to perform transactions at point-of-sale (POS) systems or ATMs. PhantomCard is distributed via malicious webpages that impersonate legitimate applications, prompting victims to tap their cards and enter their personal identification numbers (PINs) for authentication. Once credentials are fraudulently obtained, they are relayed to attackers. Similarly, in late 2025, threat actors deployed RelayNFC, a mobile malware that targets contactless payment cards, in a phishing campaign targeting Brazilian users. This evolution in TTPs parallels the shift by threat actors from skimming magnetic stripe data to “shimming” Europay, Mastercard, and Visa (EMV) chip data in the payment fraud ecosystem, since unique cybercriminal solutions typically follow new security innovations.
Per the 2025 Cybercriminal Cryptocurrency Annual Activity Report, Insikt Group consistently observed activity in which cryptocurrency wallets were targeted by various forms of malware, such as drainers, clippers, and miners, to steal funds. Given the persistent lag in cybersecurity measures in LAC and the rapid growth of the cryptocurrency market in the LAC region, its users may become attractive targets for cybercriminals. The top five countries in the LAC region that dominate the cryptocurrency ecosystem are Brazil, Argentina, Mexico, Venezuela, and Colombia. However, Brazil is the clear leader, accounting for a third of overall cryptocurrency activity. Insikt Group assesses that, as the mainstream adoption of cryptocurrency continues, threat actors will likely seek targets in these countries, as knowledge and security practices among the user base in these regions will likely be lacking. Additionally, as with threat actors in other regions of the world, those targeting LAC will almost certainly leverage this medium of exchange to transact and launder illicit funds. As countries continue to adopt new regulations and introduce new forms of cryptocurrency, we expect threat actors to identify new vectors for exploitation. As of 2025, Argentina, Brazil, Colombia, Ecuador, Paraguay, Trinidad and Tobago, Uruguay, and Venezuela are participating in INTERPOL’s inaugural pilot phase for the new Silver Notice, which will be published to “help trace and recover criminal assets, combat transnational organized crime and enhance international police cooperation,” likely including cryptocurrency assets if linked to criminal proceeds.
Advanced Persistent Threats (APTs) and Cybercrime
Throughout 2025, Insikt Group observed a rise in APT activity targeting the LAC region using traditional cybercriminal methods, such as phishing and ransomware. This suggests some APT groups may also have financial motivations extending beyond seeking strategic geopolitical influence. Prominent APTs, such as Dark Caracal, conducted cyber espionage and delivered the Poco RAT via financial-themed phishing. TAG-144 (Blind Eagle) primarily targeted government entities in South American countries, notably Colombia, using TTPs such as spearphishing and remote access trojans (RATs) in campaigns blending espionage and financial motives.
Insikt Group assesses that some Chinese state-sponsored activity is likely aimed at protecting economic investments in the region, such as the Belt and Road Initiative (BRI), sovereign loans, and widespread commercial interests. In addition to the above APT groups, Chinese state-sponsored groups are also targeting entities in LAC countries. TAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile. Storm-2603 (Gold Salem) deployed ransomware, including Warlock, LockBit, and Babuk, targeting multiple sectors across agriculture, government, energy and natural resources, and telecommunications in the LAC and Asia-Pacific (APAC) regions. This activity may signal that China is seeking to retain influence in the LAC region through cybercriminal means or is interested in financial gain.
Hacktivism
The LAC region has repeatedly experienced periods of complex political and social unrest fueled by debates regarding economic reforms, corruption, and inequality. Unlike financially motivated cybercrime, hacktivism tends to be political or ideological, and these tense conditions can create an environment where hacktivism spikes. In late 2025, Insikt Group noticed increased activity from Chronus Team, a hacktivist group known for defacement attacks and data leaks aimed at exposing security vulnerabilities, primarily targeting organizations in Mexico. The threat group leverages Telegram channels for communication and propaganda. It has loosely aligned with other hacktivist and cybercriminals groups, such as Elite 6-27 and Sociedad Privada 157, to gain attention and increase its reputation. Insikt Group observed another trend where several hacktivist groups began transitioning to ransomware-as-a-service (RaaS) for financial gain. One such hacktivist group, “FiveFamilies”, functions as a collective of several groups; some of their targeted entities included those located in Cuba and Brazil.
Figure 1: Chronus Team hack and web defacement of the website for the budget transparency for the municipality of Hermosillo, Sonora, Mexico (Source: Social Media)
Malware Trends
In 2025, Insikt Group observed elevated ransomware activity targeting organizations in the LAC region. Additionally, banking trojans also remained a prominent issue affecting LAC countries, with Insikt Group noting an uptick in campaigns specifically leveraging WhatsApp for delivery. Infostealers remained a popular initial access enabler in the LAC region. Botnets have grown in the region largely due to small office/home office (SOHO) devices, such as routers and other internet-of-things (IoT) appliances with weak security, outdated firmware, and a reliance on default credentials. Botnet activity can contribute to credential theft, the propagation of phishing campaigns, the distribution of spam, the takeover and abuse of residential IP addresses, and the enabling of distributed denial-of-service (DDoS) attacks. Insikt Group also observed threat actors targeting payment terminals in 2025 with ATM and POS malware.
Ransomware
In 2025, Recorded Future’s Global Ransomware Landscape Dashboard recorded 452 ransomware incidents impacting the LAC region out of 7,346 total globally, based on all publicly known ransomware victims listed on associated ransomware blogs. Attacks on entities in the LAC region constituted just over 6% of all global ransomware attacks in 2025. The top five industries most impacted by ransomware in the LAC region in 2025 were Healthcare (36 attacks), Manufacturing (49 attacks), Government (28 attacks), Information Technology (21 attacks), and Education (20 attacks), as demonstrated in Figure 3. Insikt Group research on ransomware in the LAC region covers 27 of the 33 constituent countries. Insikt Group did not obtain ransomware data from Antigua and Barbuda, Belize, Cuba, Saint Kitts and Nevis, Saint Lucia, or Suriname in 2025.
Figure 2: Global Ransomware Landscape Dashboard view of attack metrics for the top five ransomware groups impacting LAC in 2025 (Source: Recorded Future)
Figure 3: Global Ransomware Landscape Dashboard view of attack metrics for the top five most impacted industries in LAC in 2025 (Source: Recorded Future)
Insikt Group observed an increase in ransomware activity across all major industries in LAC compared to the prior year. Insikt Group specifically examined ransomware attacks against financial, government, and healthcare entities across the LAC region and identified the following: 16 attacks targeting the finance sector, 28 attacks targeting the government sector, and 36 attacks targeting the healthcare sector. Appendix C highlights a sample of these ransomware attacks.
Regarding LAC countries, the top five countries most impacted by ransomware in the LAC region in 2025 were Brazil (128 attacks), Mexico (78 attacks), Argentina (63 attacks), Colombia (51 attacks), and Peru (27 attacks). These countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. Insikt Group found that the majority of ransomware groups leverage double extortion. This extortion technique involves encrypting a victim’s data, exfiltrating the data, and then threatening to publicly leak the data on the ransomware group’s name-and-shame blog if a ransom is not paid. Recorded Future assesses countries by network intrusion and ransomware targeting risk every quarter to provide awareness and help organizations assess risk exposure. Takeaways from the top five impacted countries based on metrics and analysis from Recorded Future include:
Brazil’s network intrusion risk score increased from Medium to Very High, and Brazil’s ransomware targeting risk score remained Medium by the end of 2025. Brazil was the most targeted country in LAC and among the top ten countries worldwide impacted by ransomware in 2025, with a total of 130 victims.
Mexico’s network intrusion risk score increased from Very Low to Low, and Mexico’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Notably, data was leaked relating to a Mexican government entity on the dark web name-and-shame extortion website, Tekir Apt Data Leak Site.
Argentina’s network intrusion risk score increased from Very Low to Low, and Argentina’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Insikt Group observed that Argentina was targeted by a new rust-based ransomware “RALord”.
Colombia’s network intrusion risk score increased from Low to High, and Colombia’s ransomware targeting risk score remained low with no observed changes at the end of 2025. Colombia’s financial sector was impacted by the ransomware group Crypto24, which posted victims' names on its blog.
Peru’s network intrusion risk score increased from Very Low to Low, and Peru’s ransomware targeting risk score was low with no observed changes at the end of 2025. A pharmaceutical company headquartered in Peru was named as a victim on the Dire Wolf Blog.
Figure 4:Global Ransomware Landscape Dashboard view of the most affected countries in LAC in 2025 (Source: Recorded Future)
Banking Trojans
According to the Global System for Mobile Communications Association (GSMA), in 2024, approximately 64% of the LAC population used mobile internet; it is projected that this will increase to nearly three-quarters by 2030. Increasing internet penetration and high cell phone subscription rates in LAC signify a rising reliance on mobile devices, likely making them more appealing targets for threat actors. Android remains the predominant operating system (OS) of mobile devices in South America with an 84.59% market share. Android devices may support more sideloaded applications (links and Android application packages [APKs] from social media or third-party stores) than Apple iOS, which typically has tighter ecosystem controls, and Android users may be running older OS versions, thereby making Android devices attractive targets for cybercriminals. The Android ecosystem grants developers more freedom to list apps within the Google Play Store, and the vetting and verification process is less stringent, allowing malicious APK domain mirrors to go undetected. In LAC, users may rely on mobile phones as their primary or only computing device, making them desirable initial access points for threat actors to deploy Android-based malware. According to the World Bank's Global Findex 2025 report, 37% of adults in the LAC region had a mobile money account as of 2024. Mobile banking, digital wallets, and QR payments are commonplace in the area. Based on the World Bank’s findings, Insikt Group assesses that persistent mobile banking malware targeting LAC is likely driven by rapid digital banking integration that has outpaced security controls and the expansion of MaaS ecosystems. Sophisticated localized social engineering attacks and disproportionate regional enforcement capacity are further accelerating this trend within LAC’s ever-evolving mobile financial landscape.
Insikt Group research reflected an increase in banking trojans targeting the WhatsApp platform in 2025. Brazilian authorities have, in recent years, focused their attention on disrupting banking trojans. A significant amount of crimeware in LAC consists of mobile banking trojans, though similar in many ways, they are not a monolith and differ in unique ways. Insikt Group analysis from 2025 reflects that, despite some law enforcement disruptions, banking trojans are still a prominent issue in the LAC region and will likely continue to be in 2026. Appendix D highlights the most active banking trojans across the LAC region in 2025.
Infostealers
Infostealers pose a persistent threat worldwide, and the LAC region is no exception. Insikt Group analyzed a small sample of the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors across the top five largest economies in LAC. Analysis showed that the most prominent infostealer threats observed in 2025 were LummaC2, Vidar, Rhadamanthys, RedLine, and Nexus. This is despite multiple law enforcement operations under Operation Endgame conducting takedowns impacting Rhadamanthys and LummaC2.
Figure 5:Infostealers infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)
LummaC2 was undoubtedly the most active infostealer targeting entities in the LAC region despite being targeted by law enforcement. LummaC2 has been discussed in several news sources and Telegram chatter as targeting users in Argentina, Paraguay, and Mexico. Cybercriminals deploy LummaC2 to obtain victim credentials to carry out financial fraud and cryptocurrency theft. Insikt Group conducted research into LummaC2 affiliates and identified a likely Mexico-based threat actor operating under multiple aliases linked to Lumma build ID “re0gvc”. In mid-2025, law enforcement took measures to disrupt LummaC2; the operation effectively led to the takedown of approximately 2,300 malicious domains integral to LummaC2’s infrastructure, Lumma’s central command, and associated criminal marketplaces. Shortly after this operation, it appears LummaC2 still had infected victims in several countries, including Brazil and Colombia, likely because sinkholing requires some time to have a noticeable effect as it redirects traffic but does not automatically clean infected machines. More complete remediation would require patching and malware removal on affected systems, which is challenging to implement at scale when infected devices are spread across the world. However, Insikt Group observed a significant decrease in credentials exposed by LummaC2 in the second half of 2025, likely due to the success of the joint Microsoft and law enforcement operation, as well as the main threat actor being banned from Exploit.
Figure 6:LummaC2 infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)
In the wake of the LummaC2 operation, Recorded Future detected an increase in Vidar infections during the latter half of 2025. This increase highlights threat actors’ ability to migrate between infostealers to facilitate their criminality despite disruptions.
Figure 7:VidarInfection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)
Botnets
Botnet activity has grown steadily in the LAC region, enabling financial fraud, spam distribution, credential harvesting, initial access for ransomware and large-scale DDoS attacks targeting financial and government institutions. Botnets remained a priority for international law enforcement in 2025. For example, the ongoing Operation Endgame aims to hinder threat actors' remote-control capabilities by dismantling ransomware and other malware infrastructure. Emerging in late 2025, Kimwolf, also known as AISURU, is a botnet that targets compromised streaming devices. News reporting and dark web chatter indicate many of the devices infected with Kimwolf are based in Brazil, India, the US, and Argentina. Additional reporting suggests a threat actor involved with the AISURU botnet is likely based in Brazil. Horabot is a malware family and type of botnet first identified in June 2023, targeting Spanish-speaking users in six LAC countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. Horabot uses invoice-themed phishing emails to gain initial access to victims' systems.
Payment Terminal Malware
Threat actors also continued to target payment infrastructure for financial gain. ATM malware activity has continued to rise in LAC, with some experts noting ATM malware attacks have spiked by 46% across LAC in 2025. For instance, Ploutus is a sophisticated malware family first detected in Mexico in 2013, which compromises ATMs by issuing unauthorized commands to their cash dispensing modules. In December 2025, the US Department of Justice indicted 54 individuals associated with the Venezuelan gang Tren de Aragua (TDA) for participation in a massive ATM jackpotting scheme that exploited Ploutus malware. Moreover, the POS malware MajikPOS, designed to infiltrate systems connected to POS terminals and extract magnetic stripe payment data from bank cards, remained an active threat to companies operating in Brazil.
Mitigations
Use Recorded Future’s Global Ransomware Landscape Dashboard: Recorded Future customers can proactively mitigate this threat by operationalizing the Recorded Future Global Ransomware Landscape Dashboard and leveraging the victimology tab to filter based on ransomware group, country, and industry of interest. Recorded Future customers can customize their own ransomware risk profile and establish alerts that align with their risk priorities.
Use Recorded Future’s Threat and Third-Party Risk Monitoring: Configure alerts in the Recorded Future Intelligence Cloud to track activity across Telegram channels, darkweb forums, and other platforms for proactive awareness. Use the Third-Party Intelligence module to assess risk exposure for current and future partnerships.
Update Legacy Systems: Threat actors, whether opportunistic or financially motivated, or both, often seek to exploit vulnerable systems. Organizations that rely on outdated technology stacks leave themselves exposed to preventable cyber threats and attacks.
Engage in Public-Private Information Sharing: To bolster regional collaboration and establish standardized best practices, coordinate with law enforcement, and create intelligence-sharing channels to enhance investigations and decrease incident response times.
Generate Awareness through Education: Advocating for digital literacy through university partnerships and scholarship in the LAC region will encourage good cyber hygiene and prepare for a stronger, more competent workforce. Enterprises can implement mandatory cybersecurity training during new hire onboarding and establish routine drills to ensure protocols are followed.
Outlook
Insikt Group has highlighted the most salient cybercriminal trends and methods observed throughout the LAC region in 2025. Threat actors conducted phishing and credential theft to gain and sell initial access to LAC organizations while often relying on dark web forums and end-to-end encrypted messaging platforms to communicate and monetize compromised data and access methods. Cybercriminals carried out elevated ransomware attacks against the healthcare, government, finance, and other critical sectors. Banking trojan and infostealer activity persisted throughout LAC despite law enforcement disruption attempts. Cybercriminals have proven to be adaptive and resilient, often capitalizing on immature or emerging businesses that lack the skills, tools, and personnel to prevent attacks. Small and medium-sized enterprises (SMEs) constitute over 95% of all businesses in LAC. SMEs are desirable targets for cybercriminals because they typically have limited resources and expertise, lack robust infrastructure, and have a high overreliance on third-party platforms. Insikt Group trend analysis supports these findings.
Absent regional harmonization of cybersecurity policies and best practices, LAC countries will likely continue to use fragmented incident response approaches, complicating cross-border cooperation and collaboration. For effective and sustainable protection of systems and information against cyber threats, LAC countries should focus on working together to establish standardized risk assessments and reporting mechanisms, protocols for information sharing to bolster timely remediation, and implement proactive “secure by design” principles. Possible approaches to accomplishing this may include increased investment in workforce development, participation in public-private partnerships, and the establishment of centralized cybersecurity management systems. Despite the lack of prominent Spanish- and Portuguese-language forums, it is likely that threat actors will continue to leverage traditional platforms and methods similar to those used by the English- and Russian-speaking cybercriminal underground. Based on current and historical data, we anticipate these trends will continue, and LAC will likely remain a popular target for ransomware groups and a hotspot for mobile malware in 2026.
Appendix A: Sample Listing of Posts Targeting Entities in LAC Countries on Dark Web and Special Access Forums
Alleged Access or Leak
Source
LAC Country and Sector Impacted
Access to a Brazilian banking entity
XSS Forum
Brazil/Finance
VPN access to a Colombian bank
Exploit Forum
Colombia/Finance
Access to a leaked government database
DarkForums
Mexico/Government
Database access to the official government portal
Exploit Forum
Argentina/Government
Web shell access with root privileges for a healthcare provider
XSS Forum
Chile/Healthcare
Global VPN access to a healthcare network
RehubcomPro Forum
Brazil/Healthcare
(Source: Recorded Future)
Appendix B: Sample Metrics of the Top Five Ransomware Groups Impacting LAC in 2025
Group Name
Total Attacks (All Sectors)
Healthcare
Manufacturing
Government
IT
Education
Qilin (Agenda)
54
4
6
0
2
2
LockBit Gang (BITWISE SPIDER, DEV-0396, Flighty Scorpius)
29
2
3
1
1
4
Safepay
27
2
4
0
0
0
The Gentlemen
22
3
1
0
0
1
Kazu
21
0
0
17
0
2
(Source: Recorded Future)
Appendix C: Sample Data of Ransomware Incidents Impacting Healthcare, Government, and Financial Sectors in LAC Countries in 2025
Ransomware Group
Country
Sector
Safepay
Argentina
Healthcare
The Gentlemen
Brazil
Healthcare
Kazu
Colombia
Government
Kazu
Mexico
Government
Qilin (Agenda)
Ecuador
Finance
Qilin (Agenda)
Argentina
Finance
(Source: Recorded Future)
Appendix D: Trends from the Most Active Banking Trojans in LAC in 2025
Banking Trojan
Attributes
Activity in 2026
Grandoreiro
Spreads through phishing emails with seemingly legitimate documents, such as PDFs. Once on a device, it performs anti-sandbox checks, logs keystrokes, and communicates with C2 servers to exfiltrate sensitive banking credentials
New variants emerged with advanced evasion techniques, rendering them more effective at bypassing modern security measures
Crocodilus
Employs sophisticated tactics such as remote control capabilities, keylogging, overlay attacks to capture user credentials, and the ability to harvest cryptocurrency wallet seed phrases
Expanded operational reach by targeting users in Poland, Spain, Brazil, Argentina, Indonesia, the US, and India
Mispadu (URSA)
Employs sophisticated infection methods, including spam emails containing malicious PDFs that trigger multi-stage download processes that deploy the Mispadu payload after performing anti-sandbox and anti-virtual machine checks
Insikt Group created a YARA rule to detect Mispadu after analysis indicated the trojan had targeted several LAC banks
Astaroth (Guildma)
Distribution methods include spearphishing attacks and the use of compromised cloud infrastructure for hosting malicious content. Insikt Group conducted technical static analysis and detection using sigma rules
Resurfaced with a multi-stage campaign, “STAC3150”, involving WhatsApp session hijacking, credential theft, and persistence on compromised systems
SORVEPOTEL
Targeted Brazil in several campaigns; Insikt Group assesses that at least some SORVEPOTEL operators are likely Portuguese-speaking, based on language artifacts in the panels analyzed and consistent targeting of Brazilian victims; analysis of a notable campaign dubbed “Water Saci” indicates WhatsApp Web was used for distribution
Analysis of the new infrastructure tied to the SORVEPOTEL loader demonstrates that it has distributed Coyote and Maverick
Casabaneiro (“Mekotio” and “Metamorfo”)
Primarily targets financial institutions in LAC, leverages phishing emails that typically contain malicious URLs, which lead to ZIP archives or ISO files with payloads that execute PowerShell scripts designed for obfuscation and evading detection
Water Saci campaign targeting Brazilian financial platforms via WhatsApp propagation linked to Casbaneiro malware family
BBTok
Distribution methods that trigger infections via LNK files and exhibit advanced capabilities for credential theft and data exfiltration, leveraging techniques such as dynamic-link library (DLL) embedding within downloaded files and the use of legitimate Windows utility commands for evasion
A new tactic emerged where the primary delivery method was WhatsApp
Coyote
Primarily targets Brazilian users, capable of executing keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials; Coyote’s infrastructure is dynamic and hosted on various platforms, indicating robust evasion techniques by its operators
Coyote remained active in 2025 and was observed in a WhatsApp-based worm campaign that used self-propagating messages containing malicious ZIP archives that further distributed the malware
Herodotus
Distributed through smishing messages that lure victims into downloading malicious APKs; Herodotus has been observed primarily targeting users in countries like Brazil and Italy
Insikt Group analyzed a sample, where Herodotus impersonated a security application named “Modulo Seguranca Stone” in a campaign in Brazil
Este informe brinda un resumen de las tendencias y los desarrollos en el ecosistema cibercriminal de América Latina y el Caribe (LAC) en 2025. Insikt Group identificó que los actores maliciosos que operan en la región de LAC o que la tienen como objetivo utilizan principalmente aplicaciones cliente-servidor y plataformas de mensajería con cifrado de extremo a extremo como Telegram, así como foros de la dark web y de acceso especial en inglés o ruso, para comunicarse y llevar a cabo sus actividades. Los actores maliciosos demuestran una mayor sofisticación en sus operaciones, ya que adaptan sus tácticas, técnicas y procedimientos (TTP) con el tiempo, pero siguen apoyándose principalmente en métodos tradicionales como el phishing y la ingeniería social, la distribución de malware, y el ransomware. A partir de nuestros análisis, determinamos que Brasil, México y Argentina son los países más atacados por cibercriminales financieros, probablemente porque son las economías más grandes de la región de LAC. Además, a partir de esta investigación, Insikt Group determinó que los actores maliciosos a menudo atacan industrias críticas, como las de salud, finanzas y gobierno, porque poseen datos de alto valor, afrontan urgencias operativas y, a veces, utilizan sistemas antiguos que pueden ser vulnerables.
Principales hallazgos
Insikt Group estima que el foro criminal DarkForums y la plataforma de mensajería Telegram son los principales medios de acceso especial utilizados por los actores maliciosos que operan en la región LAC o que la tienen como objetivo.
Los actores maliciosos que operan en la región LAC o que la tienen como objetivo suelen estar impulsados por motivos financieros y, a menudo, utilizan la ingeniería social, el ransomware y diferentes formas de malware móvil para obtener acceso inicial a las instituciones gubernamentales, de salud o financieras.
En 2025, Insikt Group registró 452 incidentes de ransomware que afectaron la región de LAC. Las cinco principales industrias afectadas fueron las de salud, fabricación, gobierno, tecnología de la información y educación; todas ellas observaron un aumento notable en los ataques en comparación con el año anterior.
Insikt Group identificó que los actores maliciosos usan troyanos bancarios, especialmente las variantes más establecidas. En particular, estos actores usaron troyanos bancarios en campañas de smishing dirigidas a usuarios de WhatsApp con el objetivo de acceder a datos financieros y robar credenciales.
Insikt Group identificó a LummaC2 como el ladrón de información (infostealer) más prolífico que afectó a organizaciones de la región LAC en el primer semestre de 2025, y a Vidar en el segundo semestre, tras la intervención de las fuerzas del orden contra LummaC2
Este relatório apresenta uma visão geral das tendências e desenvolvimentos no ecossistema do cibercrime na América Latina e Caribe (LAC) em 2025. O Insikt Group descobriu que os agentes de ameaças que operam na região da América Latina e Caribe (LAC) ou que a têm como alvo usam predominantemente aplicações cliente-servidor e plataformas de mensagens criptografadas de ponta a ponta, como o Telegram, bem como a dark web estabelecida em inglês ou russo e fóruns de acesso restrito, para se comunicarem e realizarem atividades. Os agentes de ameaças demonstram crescente sofisticação nas operações, adaptando táticas, técnicas e procedimentos (TTPs) ao longo do tempo, embora ainda dependam principalmente de métodos tradicionais, como phishing e engenharia social, distribuição de malware e ransomware. Com base na nossa análise, determinamos que Brasil, México e Argentina foram os países mais visados por cibercriminosos com motivação financeira, provavelmente por serem as maiores economias da América Latina e Caribe. Além disso, com base nesta pesquisa, o Insikt Group descobriu que os agentes de ameaças frequentemente visavam a setores críticos, como saúde, finanças e governo, pois esses setores detêm dados valiosos, enfrentam urgências operacionais e, às vezes, dependem de sistemas legados que podem ser vulneráveis.
Principais descobertas
O Insikt Group avalia que o fórum criminoso DarkForums e a plataforma de mensagens Telegram são os principais fóruns de acesso restrito e plataformas de comunicação usados por agentes maliciosos que operam na região da América Latina e Caribe ou que têm essa região como alvo.
Os agentes de ameaça que operam na América Latina e Caribe (LAC) ou que têm como alvo a região são geralmente motivados por interesses financeiros e frequentemente adotam engenharia social, ransomware e várias formas de malware em aparelhos móveis, a fim de terem acesso inicial a instituições governamentais, financeiras e de saúde.
Em 2025, o Insikt Group registrou 452 incidentes de ransomware que afetaram a região da América Latina e Caribe. Os cinco setores mais afetados foram saúde, manufatura, governo, tecnologia da informação e educação, que registraram um aumento considerável nos ataques em comparação ao ano anterior.
O Insikt Group continuou a identificar trojans bancários sendo usados por agentes de ameaças; os mais usados são as variantes já estabelecidas. Especificamente, os agentes maliciosos usaram trojans bancários em campanhas de smishing direcionadas a usuários do WhatsApp para terem acesso a dados financeiros e roubarem credenciais.
O Insikt Group identificou o LummaC2 como o ladrão de informações (infostealer) mais prolífico, afetando organizações na América Latina e Caribe no primeiro semestre de 2025; e o Vidar no segundo semestre, após a desarticulação das atividades do LummaC2 pelas autoridades policiais.
Payment fraud no longer operates as a collection of discrete schemes run by individual threat actors.
It is increasingly sustained by an industrial support ecosystem: purpose-built infrastructure, packaged toolkits, and professionalized services that allow threat actors to maximize fraud output while minimizing the skill and effort required to execute attacks.
According to Recorded Future's Annual Payment Fraud Intelligence Report: 2025, this industrialization was driven by technical advances and increasingly professionalized support services.
The Magecart e-skimmer supply chain is the clearest example. Full-stack e-skimmer kits and Malware-as-a-Service (MaaS) offerings have made large-scale compromise of ecommerce websites accessible to less technically capable threat actors.
The "Sniffer by Fleras" kit, responsible for 26% of all e-skimmer infections observed in 2025, includes a web-based portal for generating malicious scripts and a management server for stolen data. The result was more than 10,500 unique Magecart infections active at some point during the year, likely compromising more than 23 million transactions.
Additionally, the "AcceptCar" e-skimmer, discovered in H2 2025, illustrates how far the service model has matured. Operators handle installation and operation on compromised e-commerce sites; in return, threat actors pay 50% of proceeds from card data sales or 70% of raw data intake. Using services like AcceptCar, fraud threat actors can participate in large-scale compromise operations without owning or managing any underlying infrastructure.
Figure 1: Line graph showing Magecart e-skimmer infections in 2025, by different groups, kits, and techniques. (Source: Recorded Future)
Recurring patterns in merchant registration data indicate that scam operators have standardized their merchant acquisition workflows, standing up fraudulent payment infrastructure at scale through repeatable, low-friction processes.
Card testing operates on the same service-economy logic. Telegram-based card testing services validated at least 27 million card records in 2025 through public-facing card generation and testing channels that any threat actor can access.
Among dark web checker services, over 1,350 legitimate merchant accounts were abused for card testing, with 94% not observed prior to 2025, suggesting systematic rotation to stay ahead of detection.
Figure 2: Graphic illustrating the purchase scam attack chain. (Source: Recorded Future)
The Ecosystem Is Concentrated Upstream
Notably, each of these industrialized attack vectors sits upstream of the fraudulent transaction. E-skimmer infections and scam merchants compromise card data during online purchases. Card testing validates that stolen data before it’s monetized.
Fraud outcomes are visible, but the pathways that enable them are often not.
"Fraud outcomes are visible, but the pathways that enable them are often not."
This industrialized scale across these attack vectors requires standardization, and standardization produces detectable patterns.
When 26% of e-skimmer infections trace back to a single kit, when scam operators reuse merchant registration patterns across hundreds of acquirers, when card testers rotate through predictable BIN attack workflows, the convergence that makes fraud scalable also makes it mappable. As that standardization deepens, a single indicator of compromise reaches further across the threat landscape.
That standardization creates something concrete: a window.
Magecart infections are active and identifiable before stolen card data is harvested. Scam merchants often display detectable signals, including recent domain registration, merchant rotation, and merchant category code mismatches.
Card testing activity reveals when a monetization attempt is likely to occur.
Each stage represents an opportunity to act before fraud registers as a financial loss.
Transaction Monitoring Looks at the Wrong End of the Lifecycle
Transaction monitoring and behavioral fraud models are built to detect anomalies at the point of payment, like unusual spend patterns, velocity, and geographic inconsistencies. They do what they were designed to, but provide no visibility into the increasingly industrialized, pre-monetization stages that were built to avoid detection by these traditional processes.
Purchase scams are explicitly designed to circumvent transaction-based controls by manipulating cardholders into authorizing the fraudulent transaction themselves, making the payment appear legitimate by design.
Card testers cycle through new merchants specifically because historical tester merchants get flagged (94% of tester merchants identified in 2025 were not previously observed). A detection approach built around transaction signals will always be working with information that arrives after the upstream infrastructure has already done its job.
As the upstream ecosystem industrializes, the volume of activity that transaction monitoring cannot see has grown. With purchase scam detections more than quadrupling year-over-year and Magecart infections having likely compromised more than 23 million transactions in 2025 alone, the cost of that blind spot compounds.
Maintaining an effective fraud posture will increasingly require financial institutions to complement reactive account monitoring with proactive, intelligence-informed defenses.
How Recorded Future Payment Fraud Intelligence Addresses This
With daily monitoring of Magecart-infected sites and enriched merchant data that integrates with transaction monitoring, Payment Fraud Intelligence can enable detection of high-risk merchants months before stolen card data appears for sale.
Additionally, the Scam Merchants dataset can identify fraudulent merchant accounts and their associated domains before customers are defrauded and before downstream card data reaches criminal markets.
Tester merchant monitoring surfaces card testing activity as an early signal of which portfolios are being targeted ahead of any monetization attempt.
Because Payment Fraud Intelligence monitors the sources, kits, and infrastructure that threat actors have increasingly standardized around, a single identified indicator can surface exposure across a portfolio at scale.
According to Recorded Future data, 75% of compromised cards are identified before fraud occurs, and 90% of compromised card assets are identified within hours of a breach.
The pre-monetization window will not narrow as the fraud ecosystem matures — if anything, the report's data suggests it will widen as standardization deepens. Financial institutions with visibility into that window can act before losses occur. Those without it will continue to respond after the fact.
The expanding conflict around Iran signals a deeper shift. We have entered an era of quantum geopolitics, where the old rules of the international order no longer apply. What began as a regional confrontation is already reshaping global markets, supply chains, and corporate security planning. Leaders must adapt how they think, spend, and communicate in a system where uncertainty is not a risk to manage—it is the operating environment itself.
What is Quantum Geopolitics?
A useful analogy comes from physics.
Classical systems produce predictable outcomes. Quantum systems behave probabilistically, where interactions in one place can produce distant effects.
International politics increasingly resembles the latter.
The assumptions that shaped corporate strategy for decades—durable alliances, expanding globalization, and broadly coherent regulation—are weakening. Geopolitical shocks now move rapidly through tightly interconnected systems.
Four dynamics define how this system now behaves.
🌓 Superposition: Friends, Rivals, and Everything in Between
Countries can no longer be neatly categorised “ally” or “adversary.” They exist in overlapping states, with true alignment revealed only in moments of crisis.
States balance security partnerships with the West while maintaining economic ties with rivals. Turkey supports Ukraine diplomatically while sustaining trade flows that benefit Russia. India deepens defence ties with the United States even as it increases purchases of Russian oil.
Public statements offer limited guidance. Trade flows, enforcement patterns, and technology controls are more reliable indicators of intent.
For multinational firms, geopolitical positioning is no longer fixed. It is fluid.
🌀 The End of Guarantees: Promises Now Come with Caveats
Security commitments, trade access, and regulatory stability have shifted from certainties to probabilities.
Export controls can reroute supply chains within months. Sanctions regimes expand or unwind quickly. Even long-standing alliances depend on political will at the moment they are tested.
For businesses, this means long-term investments now carry elevated policy risk.
Leaders must plan for variance.
🧬 Quantum Entanglement: Local Conflicts Are Not Local
Global systems—financial, technological, logistical—are tightly coupled. Regional conflicts now generate immediate global effects.
Threats to Gulf commercial hubs disrupt international banking. Instability in the Strait of Hormuz drives energy price volatility and strains global shipping insurance. Cyber campaigns tied to the conflict target companies far beyond the region.
Disruption is rarely contained. Risk can no longer be managed by geography or function alone.
🔬 The Observer Effect: Whoever Sets the Rules First Wins
Influence increasingly derives from shaping rules rather than operating within them.
States that move early to establish standards in artificial intelligence, semiconductors, digital infrastructure, and financial regulation compel others to adapt.
Waiting for clarity can therefore be a strategic liability in itself. If you do not shape the agenda, you become subject to it.
Why This Moment Feels Different
These dynamics are most visible in cyberspace, where geopolitical competition unfolds continuously below the threshold of open conflict.
State-sponsored actors operate inside corporate networks without triggering overt confrontation. Criminal groups, proxies, and intelligence services overlap, complicating attribution and response.
The boundary between geopolitical conflict and corporate exposure is now thin. A single breach can trigger regulatory scrutiny, customer loss, market volatility, and diplomatic tension at once.
Cybersecurity is no longer a technical function. It is a core enterprise risk.
How Security Leaders Should Respond
In a system governed by probabilities rather than predictability, security leaders must adapt how they think, allocate resources, and position their organizations.
1. Mindset Shift: Scenarios, Not Forecasts
Replace long planning horizons and static risk assessments with continuous scenario planning. Tools such as the Cone of Plausibility can stress-test responses to sanctions escalation, maritime disruption, regulatory fragmentation, or supply chain shocks.
Evaluate decision speed, cross-functional coordination, and response thresholds under pressure. Adaptability matters more than accuracy.
2. Spending Shift: Invest in Resilience, Not Just Efficiency
Systems optimized solely for efficiency often lack resilience.
Diversifying suppliers, strengthening sanctions compliance, improving cybersecurity, and increasing visibility into third-party exposure can reduce vulnerability to geopolitical shocks.
Resilience is not a defensive expense; it is operational insurance.
3. Communication Shift: From Reporting to Action
Security leaders must translate geopolitical developments into clear decision frameworks before crises materialize.
This requires close coordination across legal, finance, and operations, as well as proactive engagement with regulators and industry partners.
Speed and clarity determine whether the organization shapes outcomes or reacts to them.
Final Thoughts
The Iran conflict offers a preview of what comes next. Alliances are conditional. Economic pressure, cyber activity, and regulatory responses unfold simultaneously.
Quantum geopolitics does not eliminate strategy. It demands a different kind—one built on scenario readiness, structural resilience, and faster decision cycles.
Leaders who wait for clarity will move too late.
Those who organize for uncertainty will operate ahead of it.
To access the latest InsiktGroup®researchclick here.
Insikt Group®helps Recorded Future secure our world with threat intelligence. With deep experience in government, law enforcement, military, and intelligence agencies, we power the Recorded Future Platform with analyst-validated data, analytics, along with cyber and geopolitical intelligence. This enables our customers to reduce risk and prevent disruption.