Cybercrime
-
Operation Alice shuts down 373,000 fake CSAM dark web sites
Operation Alice, led by Germany, shut down more than 373,000 dark web sites selling fake CSAM packages. About 10,000 buyers paid roughly $400,000 and investigators seized 287 servers, including 105 in Germany.
-
Denver crosswalk audio units broadcast anti-Trump message after default credentials used
Two crosswalk audio units on East Colfax Avenue in Denver played an anti-Trump message in March 2026. Local reporting links the access to factory-default credentials. Passwords were changed and police are investigating.
-
Authorities disrupt command servers for IoT botnets behind record DDoS attacks
U.S. authorities disrupted command servers for multiple IoT botnets on Thursday, targeting networks that infected at least 3 million devices and launched DDoS attacks peaking near 30 terabits per second.
-
Navia discloses data breach affecting nearly 2.7 million people
A U.S. benefits administrator reported a breach exposing personal data for nearly 2.7 million people after systems were accessed between December 22, 2025 and January 15, 2026. Affected people are being offered free identity monitoring.
-
Speagle malware hijacks Cobra DocGuard to hide data exfiltration
A technical analysis reported a new infostealer named Speagle that hijacks Cobra DocGuard servers to hide data exfiltration. The 32-bit .NET malware targets only systems with Cobra DocGuard installed and remains unattributed.
-
Perseus Android banking malware enables device takeover and note theft
Perseus is a new Android banking trojan delivered through sideloaded IPTV apps. It enables Accessibility-based device takeover, overlay attacks, and extraction of notes and credentials, primarily targeting Turkey and Italy.
-
Aura confirms breach exposed nearly 900,000 marketing contacts
Aura confirmed a breach that exposed nearly 900,000 marketing contacts, including names and emails. The company says 35,000 were customers and that SSNs and financial data were not compromised.
-
Interlock ransomware exploited Cisco FMC zero-day CVE-2026-20131
Amazon Threat Intelligence links Interlock ransomware to exploitation of Cisco Secure FMC CVE-2026-20131. The flaw allowed unauthenticated root code execution and was used as a zero-day from January 26, 2026. Apply patches and assess systems.
-
EU sanctions three firms and two individuals over cyberattacks
The EU Council sanctioned three firms and two individuals for cyberattacks on critical infrastructure and devices. One Chinese firm enabled hacking of over 65,000 devices across six EU states and an Iranian firm ran influence operations.
-
LeakNet adopts ClickFix via compromised websites and runs Deno in memory
ReliaQuest’s technical report says LeakNet now uses ClickFix fake CAPTCHA pages on compromised sites to trick users, along with a Deno-based in-memory loader. Post-compromise steps include DLL side-loading, PsExec lateral movement and S3 exfiltration.










