The e-commerce platform eBay, a giant in online auctions and fixed-price listings, faced widespread disruptions beginning late Sunday, April 26, 2026, extending into Monday, as users across the globe reported severe technical issues. The eBay outage, which has crippled essential features of the site, particularly the API, has left many buyers and sellers frustrated, struggling to access critical functions, including search features, listings, and checkout processes.  As users faced slow page loads, failed transactions, and difficulty completing sales, a series of unverified reports surfaced suggesting that the hacktivist group 313 Team was behind the massive denial-of-service (DDoS) attack, claiming responsibility for the outage. While the true cause remains unconfirmed by eBay, the timing and scale of the disruption have fueled speculation that a cyberattack was involved. 

The Scope of the eBay Outage 

The eBay outage first began to affect eBay users on the afternoon of April 26, when they began reporting issues with the platform’s functionality. According to Downdetector, a popular service that tracks online outages, the spike in complaints reached around 3:30 PM ET, with the situation worsening the evening. As of 10:30 PM ET, more than 1,300 outage reports were logged, although the number eventually decreased to about 600 by 11:50 PM ET.  Users complained that essential functions like search were malfunctioning, and pages were loading extremely slowly. "I can't even search for anything or complete a purchase," one frustrated user posted on social media. Others echoed similar concerns, noting that critical transactions were unable to be completed, with error messages preventing them from checking out.  Sellers also voiced their frustrations, noting that they could not access the API, which is crucial for the functioning of third-party tools used to manage listings, inventory, and sales. "It’s been nearly 6 hours since the API went down, and we have no word from support," one seller wrote, emphasizing the financial impact of the outage. 

Social Media Users Complain About the Outage

While eBay has not officially confirmed the cause of the outage, rumors quickly began circulating on social media that the hacktivist group 313 Team was responsible for a DDoS attack targeting the platform. DDoS attacks, which flood a website with traffic to overwhelm its servers and take it offline, have become a frequent tactic for hacktivist groups in recent years. The group, which has previously targeted high-profile organizations, allegedly posted a claim on various forums, taking credit for the disruption. However, this attribution has not been independently verified, and eBay has not provided details about the nature of the attack. The company’s official status page displayed no alerts of a cyberattack, showing only minor updates on the system’s functionality.  Despite these official updates, the community’s response has been vocal, with many users continuing to report issues well into the night. One individual posted, "It’s not just down for me, it’s down for everyone. Is this part of a bigger attack targeting e-commerce sites?"  With eBay’s customer support channels largely silent or offering only generic responses, users took to social media to express their frustration. The company’s Instagram account, where many users had previously reached out for help, quickly became a forum for complaints. One commenter wrote, “Brooo you’re down—come on, get up! I need to pay for an auction.” Others left similar messages, questioning the reliability of the platform and demanding answers. 

In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals.   As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both public and private sectors.  This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.  

The Cyber Express Weekly Roundup 

UK Biobank Data Breach Triggers Urgent Review of Data Security Measures 

A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community. Read more... 

Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets 

Vercel's CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys. Read more... 

Ofcom Investigates Telegram and Teen Platforms 

In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation. Read more... 

Personal Data Exposed in Breach of France’s ANTS Portal 

A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals. Read more... 

Bluesky Faces Coordinated DDoS Attack 

Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities. Read more... 

Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown 

India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks. Read more... 

Weekly Takeaway 

This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers.  With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical. 

A newly issued cybersecurity advisory highlights an evolution in the tactics, techniques and procedures (TTPs) employed by China-Nexus threat actors. The report, released with support from the UK Cyber League and coordinated by the National Cyber Security Centre (NCSC-UK) alongside international partners, sheds light on how Chinese threat actors are relying on large-scale covert networks of compromised devices to conduct malicious cyber operations.

A Strategic Shift in China-Nexus TTPs 

In recent years, cybersecurity experts have observed a clear transition in China-Nexus TTPs. Rather than relying on dedicated, individually controlled infrastructure, Chinese threat actors are now leveraging expansive networks of compromised devices, commonly referred to as covert networks or botnets. These networks are primarily composed of Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other internet-connected hardware. According to the advisory, the majority of China-Nexus actors are believed to be using such covert networks, with multiple networks operating simultaneously and often shared among different groups. These networks are continuously updated, making them highly adaptable and difficult to track. Any organization targeted by Chinese threat actors could be affected. For example, the group known as Volt Typhoon has used these covert networks to pre-position cyber capabilities within critical infrastructure, while Flax Typhoon leveraged similar methods for espionage operations.

How Covert Networks Operate 

Although botnets are not new, China-Nexus actors are now deploying them at an unprecedented scale and with strategic intent. These covert networks allow attackers to mask their identity, route malicious traffic through multiple nodes, and reduce the risk of attribution. Typically, an attacker accesses the network via an entry point, or “on-ramp,” and routes activity through numerous compromised devices—called traversal nodes—before exiting near the target. This multi-hop approach obscures the origin of the attack. These networks support every stage of a cyber operation, from reconnaissance and scanning to malware delivery, command-and-control communication, and data exfiltration. They are also used for general browsing, enabling threat actors to research vulnerabilities and refine TTPs without revealing their identity. The presence of legitimate users on some networks further complicates attribution. 

Real-World Examples and Scale 

Evidence suggests that some covert networks used by China-Nexus actors are developed and maintained by Chinese cybersecurity firms. One notable example is the “Raptor Train” network, which infected over 200,000 devices globally in 2024. It was reportedly managed by Integrity Technology Group, a company also linked by the FBI to activities associated with Flax Typhoon. Another example includes the KV Botnet used by Volt Typhoon, which primarily exploited outdated Cisco and NetGear routers. These devices were particularly vulnerable because they had reached “end-of-life” status, meaning they no longer received security updates. The scale and adaptability of these networks present a major challenge. As Paul Chichester, NCSC Director of Operations, stated: “Botnet operations represent a significant hreat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.”

Challenges for Network Defenders 

Cybersecurity researchers have long been aware of such threats, but the evolving nature of China-Nexus TTPs introduces new difficulties. A key issue identified by Mandiant Intelligence in May 2024 is “indicator of compromise (IOC) extinction.” Traditional defenses, such as static IP blocklists, are becoming less effective because attackers can operate from vast, constantly changing pools of devices.  As compromised nodes are patched or removed, new ones are quickly added, making these networks highly dynamic. This fluidity undermines conventional detection and mitigation strategies. 

Defensive Measures and Best Practices 

The advisory outlines several steps organizations can take to defend against China-Nexus covert networks: 

For all organizations: 

• Maintain a clear inventory of network edge devices. 

• Establish baselines for normal network activity, particularly VPN access. 

• Monitor for unusual connections, including those from consumer broadband ranges. 

• Use dynamic threat intelligence feeds. 

• Implement multi-factor authentication for remote access. 

For higher-risk organizations: 

• Use IP allow lists instead of blocklists for VPN access. 

• Apply geographic and behavioral profiling of incoming connections. 

• Adopt zero-trust security models. 

• Enforce SSL machine certificates. 

• Reduce exposure of internet-facing systems. 

• Explore machine learning tools to detect anomalies. 

For the most at-risk entities: 

• Treat China-Nexus covert networks as advanced persistent threats (APTs). 

• Conduct active threat hunting for suspicious IP activity. 

• Map and monitor known covert networks using threat intelligence. 

Vercel CEO Guillermo Rauch, in an update today said that after scanning through petabytes of logs of the company's networks and APIs, his security team concluded that the threat actor behind the Vercel breach had been active well beyond Context.ai's compromise. Rauch said that the "threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables." Researchers at Hudson Rock had earlier confirmed that the attack actually initiated in February itself when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments. What the latest findings mean is that there could be a wider net of victims that the threat actor may have phished for and what we know is just the tip of the iceberg - or not.

Also read: Vercel Incident Linked to AI Tool Hack, Internal Access Gained

Vercel Finds Customers Breached in Separate Malware, Social Engineering Attacks

In an official update, the company also stated that initially it identified a limited subset of customers whose non-sensitive environment variables stored on Vercel were compromised. However, a deeper assessment of the their network, as well as environment variable read events in the company's logs uncovered two additional findings.

"First, we have identified a small number of additional accounts that were compromised as part of this incident," the company noted.

But the main concern is the next finding: "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods." 

The company did not disclose who were the attackers, what was the motive, or the impact on customers, and is yet to respond to these queries from The Cyber Express. It only stated: "In both cases, we have notified the affected customers."

Meanwhile, Rauch said, Vercel had notified other suspected victims and encouraged them to rotate credentials and adopt best practices.

The 2026 threat landscape continued to intensify in March, with ransomware attacks, expanding data breach activity, and a growing underground market for compromised access shaping the global cybersecurity environment. According to analysis from CRIL (Cyble Research & Intelligence Labs), organizations worldwide faced a highly active and coordinated threat ecosystem throughout the month.  CRIL’s findings point to a cybercriminal landscape driven by financial extortion, credential theft, and operational disruption. Attackers consistently targeted industries that rely heavily on uptime or store large volumes of sensitive data, reinforcing the urgency for stronger defensive strategies. 

Ransomware Attacks Dominate the 2026 Threat Landscape 

One of the most defining aspects of the March 2026 threat landscape was the scale of ransomware attacks. CRIL recorded 702 ransomware incidents globally, underscoring the continued dominance of ransomware as a primary attack vector.  Among the most active threat groups were Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom. Collectively, these actors were responsible for over 56% of all observed ransomware activity, reflecting their operational maturity and extensive affiliate networks.  Industries most affected by ransomware attacks included: 

• Construction  
• Professional Services  
• Manufacturing  
• Healthcare  
• Energy & Utilities  

Attackers frequently employed double-extortion tactics, combining data theft with system disruption to increase pressure on victims. Geographically, the United States remained the primary target, influenced in part by ongoing geopolitical tensions, including those involving Iran. 

Rise of Access Brokers in the CRIL Threat Analysis 

Another notable trend in the 2026 threat landscape, as identified by CRIL, was the continued growth of the compromised access market. During March, 20 separate incidents involving the sale of unauthorized network access were tracked across cybercrime forums.  The most targeted sectors for access sales were: 

• Professional Services (25%)  
• Retail (20%)  
• IT & ITES  
• Manufacturing  

A small group of threat actors, vexin, holyduxy, and algoyim, dominated this space, accounting for more than 55% of observed listings. These access brokers play a critical upstream role, enabling ransomware attacks, espionage campaigns, and financial fraud operations. 

Data Breaches and Leak Markets Stay Active 

CRIL also documented 54 significant data breach and leak incidents in March, further highlighting the scale of data exposure risks in the current 2026 threat landscape.  The most targeted sectors for data breaches included: 

• Government & Law Enforcement  
• Retail  
• Technology  

Several incidents stood out: 

• A threat actor known as “nightly” claimed to have stolen over 5TB of data from Hospitality Holdings, including biometric data, CCTV footage, and financial records. 
• Another actor, XP95, advertised 3.8TB of allegedly stolen South African government data for sale.  
• A separate breach exposed more than 95,000 travel-related records, including passport and payment information.  

Exploitation of Critical Vulnerabilities Accelerates 

The 2026 threat landscape also saw increased exploitation of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.  Key vulnerabilities targeted included: 

• CVE-2026-20131 (Cisco Secure Firewall Management Center)  
• CVE-2025-53521 (F5 BIG-IP APM)  
• CVE-2026-20963 (Microsoft SharePoint Server)  
• CVE-2026-33017 (Langflow AI)  
• CVE-2021-22681 (Rockwell Automation ICS)  

CRIL observed attackers exploiting both newly disclosed zero-day vulnerabilities and older, unpatched flaws. This trend reflects persistent gaps in patch management and exposure mitigation across organizations. 

Emerging Threat Developments in March 2026 

Beyond ransomware attacks and data breaches, CRIL identified several strategic developments shaping the 2026 threat landscape: 

• AI-Driven Attacks: Threat actors reportedly leveraged an open-source framework called CyberStrikeAI to target Fortinet FortiGate devices across 55 countries, compromising more than 600 systems. 
• Supply Chain Risks: North Korean-linked actors were associated with 26 malicious npm packages distributing remote access trojans (RATs) via infrastructure hosted on Pastebin and Vercel. 
• Geopolitical Cyber Activity: Iran-linked cyber operations are expected to increase, with potential ransomware attacks and hacktivist campaigns targeting organizations in the Middle East. 

The dark web is often misunderstood, but it plays an important role in both privacy technology and cybercrime activity. In this episode, Tom Eston speaks with cybersecurity researcher and educator John Hammond about what the dark web actually is and how it has evolved in recent years. The discussion covers underground marketplaces, ransomware leak sites, […]

The post The Dark Web Explained with John Hammond appeared first on Shared Security Podcast.

The post The Dark Web Explained with John Hammond appeared first on Security Boulevard.

💾

The message Drift Protocol posted to X on April 1, opened with an unusual disclaimer: "This is not an April Fools joke." Within hours, the reason became clear. A $285 million exploit had wiped out more than half of the Solana-based decentralized perpetual futures exchange's total value locked — and the attack had been in preparation for six months. A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers. The incident, which took place on April 1, was confirmed as a highly sophisticated operation involving multi-week preparation and staged execution. Drift is the largest decentralized perpetual futures exchange on Solana, a blockchain network. It allows users to trade leveraged financial positions without a centralized intermediary. The protocol held approximately $550 million in user assets before the attack. According to TRM Labs, the drain took roughly 12 minutes, making this the largest DeFi hack of 2026 and the second-largest exploit in Solana's history, behind only the $326 million Wormhole bridge hack in 2022.

A Six-Month Long-Con Operation

A North Korean state-linked group spent roughly six months infiltrating Drift Protocol under the guise of a quantitative trading firm before executing the exploit. The attackers built trust by meeting Drift contributors at conferences, depositing more than $1 million, and integrating an Ecosystem Vault. They then compromised devices via a malicious TestFlight app and a VSCode/Cursor vulnerability to obtain multisig approvals. On-chain staging began on March 11, nearly three weeks before the April 1 execution, with a 10 ETH withdrawal from Tornado Cash. The funds began moving at around 12:00 AM GMT on March 12 — approximately 9:00 AM Pyongyang time — and shortly after funded the deployment of CarbonVote Token (CVT), the fictitious asset used to manipulate Drift's price oracles.

The Fake Token That Fooled an Oracle

A key element of the attack was entirely manufactured. The attacker created CarbonVote Token (CVT), minting around 750 million units, seeded a small liquidity pool of approximately $500 on the Raydium decentralized exchange, and used wash trading — artificial back-and-forth trades between attacker-controlled wallets — to build a price history near $1. Over time, this artificial price was picked up by oracles, making the token appear legitimate. An oracle, in the context of blockchain protocols, is a system that feeds real-world price data into smart contracts so that a protocol knows the value of the assets it holds. By manufacturing a fake price history for a worthless token, the attackers tricked Drift's oracles into treating CVT as legitimate collateral worth hundreds of millions of dollars.

Durable Nonces: The Governance Weapon

The attack's most novel element exploited a legitimate Solana feature called durable nonces. By securing two misleading approvals from Drift's five-member Security Council multisig, the attacker pre-signed transactions that remained valid for more than a week, then used them to seize protocol-level control in minutes. A multisig — short for multi-signature — is a governance structure where multiple people must approve any administrative action, so compromising one person is insufficient. Durable nonces allow transactions on Solana to be pre-signed and executed later, a feature designed for operational convenience. In this attack, the attackers obtained two of the five required signatures through social engineering — presenting the signers with what appeared to be routine transactions — and held those approvals dormant until execution day. When Drift executed a legitimate Security Council migration on March 27, the attacker adapted. By March 30, new nonce activity appeared tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration. On April 1, two transactions, four slots apart on the Solana blockchain, created and approved a malicious admin transfer, then executed it. Within minutes, the attacker had full control of Drift's protocol-level permissions and used it to introduce a fraudulent withdrawal mechanism and drain the vaults.

DPRK Attribution and Laundering

Investigators attributed the attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas. Stolen assets were consolidated and swapped into USDC and SOL, then partially bridged to Ethereum using Circle's Cross-Chain Transfer Protocol. On Ethereum, portions were converted into ETH while some funds moved through centralized exchanges. On-chain investigator ZachXBT publicly criticized Circle for failing to freeze the stolen USDC despite it crossing during U.S. business hours, contrasting that inaction with Circle's recent decision to freeze unrelated corporate wallets in a civil case. If confirmed, the Drift incident would represent the eighteenth DPRK-linked crypto theft Elliptic has tracked in 2026, with over $300 million stolen to date. DPRK-linked actors have stolen over $6.5 billion in cryptoassets in recent years, with proceeds linked to funding North Korea's weapons programs. The Drift exploit did not occur in isolation. It landed on the same day multiple security vendors attributed the Axios npm supply chain attack to North Korean group UNC1069 — a simultaneous two-front operation against the software development ecosystem and the crypto finance layer that funds Pyongyang's strategic programs.

Read: North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack

Drift has frozen all protocol functions, removed the compromised wallet from the multisig, and is coordinating with security firms, exchanges, bridges, and law enforcement to trace and recover stolen assets. A detailed postmortem is expected. The DRIFT token fell more than 20% following news of the exploit.

On Monday, the Axios npm supply chain attack came to light where malicious packages had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored on when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, with packages that typically have over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.

On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.

The global surge in energy sector ransomware attacks intensified throughout 2025, exposing deep vulnerabilities in critical infrastructure. As organizations prepare for what’s coming next, the lessons are becoming harder to ignore. The systems that power homes, fuel industries, and sustain modern life are under siege, not by isolated hackers, but by highly organized ransomware groups operating at scale.  In 2025 alone, the energy and utilities sector recorded 187 confirmed ransomware attacks. These were not mere attempts, but successful breaches involving system encryption, data theft, and ransom demands.  

When Energy Sector Ransomware Disrupts Real Life 

Unlike typical cyber incidents, energy sector ransomware attacks have immediate and widespread consequences. According to the Cyble Energy & Utilities Threat Landscape Report 2025, Halliburton suffered a ransomware attack in August 2025; the company reported losses totaling $35 million. In another case, attackers deploying FrostyGoop malware targeted a municipal energy provider in Ukraine, cutting off heating in Lviv during freezing temperatures.  Several ransomware groups dominated the threat landscape in 2025. RansomHub led with 24 attacks (12.8%), followed by Akira with 20 incidents (10.7%) and Play with 18 attacks (9.6%). Alongside Qilin and Hunters/Lynx, these groups accounted for nearly half of all recorded ransomware activity in the sector.  

Why the Energy Sector Remains Vulnerable 

The continued rise of energy sector ransomware attacks can be traced to structural weaknesses unique to the industry. 

• Legacy Infrastructure: Many facilities still rely on decades-old operational technology (OT), including industrial control systems using outdated protocols like Modbus and DNP3. These systems were designed for reliability, not cybersecurity, leaving them exposed to modern threats. 
• IT-OT Convergence: As companies digitize operations, previously isolated OT environments are now connected to corporate IT networks. This convergence allows attackers to move laterally, from a phishing email on an employee device to critical systems like SCADA controls. 
• Distributed Systems: Energy infrastructure is geographically dispersed, spanning solar farms, substations, pipelines, and wind installations. Each site represents a potential entry point, making comprehensive security management extremely difficult. 

A Multi-Layered Threat Landscape 

Between July 2024 and June 2025, the energy sector faced a broad spectrum of cyber threats: 

• 37 instances of compromised network access being sold on underground forums
• 57 data breaches exposing sensitive operational information
• 187 ransomware attacks involving encryption and data exfiltration
• Over 39,000 hacktivist posts targeting energy infrastructure

Regionally, North America accounted for more than one-third of ransomware incidents, with Asia and Europe also heavily targeted. This distribution confirms that ransomware groups are not geographically selective; they exploit vulnerabilities wherever they find them. 

The Rise of Access Brokers 

A key driver behind the increase in energy sector ransomware attacks is the growing role of initial access brokers. These actors specialize in obtaining and selling network credentials.  During the reporting period, groups like Zerosevengroup, mommy, and Miyako were responsible for approximately 27% of observed access sales targeting the energy sector. The remaining activity was spread across numerous smaller sellers, indicating a low barrier to entry for cybercriminals.  In March 2025, Zerosevengroup reportedly offered admin-level access to a UAE-based power and water company, claiming control over 5,000 network hosts. Other listings included access to an Indonesian power plant subsidiary and a French wastewater treatment system.  

Hacktivism Meets Operational Technology

Beyond financially motivated ransomware groups, hacktivist activity also intensified. Some groups went beyond website defacement and data leaks, claiming direct access to operational systems.  For example, a pro-Russian group known as Sector 16 reportedly demonstrated access to U.S. oil and gas control systems, including shutdown interfaces and valve controls. Similarly, the Golden Falcon Team claimed access to a French wastewater platform, including controls over pH levels and water distribution. 

Persistent Vulnerabilities and Delayed Patching 

Throughout 2025, attackers exploited known vulnerabilities in widely used systems, including: 

• ABB ASPECT systems  
• Siemens SENTRON PAC3200 meters  
• Solar inverter platforms  
• Schneider Electric Jira systems  
• VMware, Ivanti, and Fortinet products  

Despite available patches, the average remediation time exceeded 21 days, while attackers often weaponized vulnerabilities within 72 hours. This gap creates a critical exposure window that ransomware groups repeatedly exploit. 

Strengthening Defenses Against Ransomware Groups 

To counter the growing threat of energy sector ransomware, organizations are adopting several defensive strategies: 

• Network Segmentation: Separating IT and OT environments reduces the risk of attackers moving between systems. Where connections are necessary, strict access controls and monitoring are essential. 
• Monitoring Criminal Markets: Tracking underground forums can help organizations detect whether their credentials are being sold, enabling faster responses before an attack occurs. 
• Faster Patch Management: Reducing patching timelines is critical. While updating OT systems is complex, delays significantly increase risk. 
• Incident Preparedness: Organizations must prepare for worst-case scenarios. This includes maintaining offline backups, isolating compromised systems, and ensuring the ability to operate manually if necessary. 

Seventeen months after international law enforcement dismantled one of the world's most damaging infostealing malware networks, a second defendant has arrived in a U.S. federal courtroom — this time extradited from Armenia — as the prosecution of the RedLine infostealer operation continues to work through the criminal network that built and sustained it. Hambardzum Minasyan, an Armenian national, appeared in an Austin federal court after being extradited to the United States to face charges related to his alleged role in the RedLine infostealer scheme. The Justice Department's Office of International Affairs secured Minasyan's arrest and extradition on March 23, 2026, with significant assistance from Eurojust's ICHIP attorney adviser based at The Hague. Minasyan faces three counts: conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison on the access device fraud charge and up to 20 years each on the remaining two counts. An infostealer is malware designed to silently harvest credentials, browser cookies, saved passwords, financial data, and cryptocurrency wallet information from an infected device, then transmit that data to attackers — often in seconds, without any visible sign of compromise. The indictment alleges that Minasyan and his co-conspirators maintained digital infrastructure, including command-and-control servers and administrative panels, to deploy the malware and collected payments from affiliates using RedLine against victims. Minasyan specifically registered two virtual private servers and two internet domains to support the RedLine scheme, created repositories on an online file-sharing site to distribute RedLine to affiliates, and registered a cryptocurrency account in November 2021 to receive payments. RedLine operated on a Malware-as-a-Service model. It is a criminal franchise structure where the core developers build and maintain the malware platform, then license it to affiliates who run their own infection campaigns in exchange for a fee. Affiliates distributed RedLine to victims using malvertising, phishing emails, fraudulent software downloads, and malicious software sideloading, with various ruses — including COVID-19 and Windows update lures — used to trick victims into downloading the malware. RedLine and its derivative Meta infostealer could also enable cybercriminals to bypass multifactor authentication through the theft of authentication cookies and session tokens. Multifactor authentication is a security layer requiring users to verify their identity through a second method beyond a password; stealing session cookies allows attackers to impersonate an already-authenticated user and render that protection useless. The Lapsus$ threat group used RedLine to obtain passwords and cookies from an employee account at a major technology company and subsequently used that access to obtain and leak limited source code. RedLine also infected hundreds of systems belonging to U.S. Department of Defense personnel, and authorities have described its victim count in the millions globally. Minasyan's extradition represents the second defendant charged in connection with Operation Magnus, the joint international takedown announced in October 2024.

Read: Law Enforcement Puts a Damning Dent in RedLine and Meta Infostealer Operations

Operation Magnus — a Joint Cybercrime Action Taskforce operation supported by Europol — resulted in Dutch authorities seizing three servers running the malware, Belgian authorities seizing communication channels and Telegram accounts used by the operators, and the recovery of a database of thousands of RedLine and Meta clients. That client database gave investigators a roadmap for follow-on prosecutions that continues to generate results. The first defendant charged, Russian national Maxim Rudometov, was identified as a developer and administrator of RedLine and unsealed in the Western District of Texas in October 2024. Rudometov, believed to reside in Krasnodar, Russia, is not expected to face extradition given his location.

Read: U.S. Charges Man Behind RedLine Infostealer that Infected U.S. DoD Personnel Systems

Minasyan's extradition from Armenia, by contrast, demonstrates the value of maintaining extradition treaty relationships and Eurojust cooperation frameworks that can reach defendants outside of jurisdictions beyond U.S. reach. The investigation is a joint effort by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, the Department of Defense Office of Inspector General's Defense Criminal Investigative Service, and the Army Criminal Investigation Division. The case demonstrates a sustained prosecution strategy, where rather than treating Operation Magnus as a one-time disruption event, the DOJ has continued converting the intelligence gained from seized infrastructure and client databases into individual criminal referrals across multiple jurisdictions.

A federal court in Detroit sentenced Russian national Illya Angelov, on Tuesday, for running a botnet operation that infected thousands of computers daily, sold backdoor access to ransomware groups and victimized 72 companies across 31 U.S. states.

The extortion scheme involving Angelov and his criminal organization, known by the FBI as "Mario Kart," ran from 2017 to 2021. Prosecutors said Angelov and co-conspirators built a network of compromised computers that distributed malware-infected files attached to spam emails.

Angelov and his co-manager then monetized this botnet by selling access to individual compromised computers to other criminal groups, who typically engaged in ransomware extortion schemes — locking victims out of their computer networks and demanding extortion payments to restore access.

A botnet is a network of devices secretly infected with malware and controlled remotely by an attacker without the device owners' knowledge. The court records describe a scheme that was lucrative and prolific, sending 700,000 emails a day to computers around the world and infecting approximately 3,000 computers daily.

The Mario Kart malware provided a backdoor through which software could be uploaded to victims' computers. Instead of directly exploiting this access, the Mario Kart group sold it to customers, that is, other cybercriminal groups. These customers typically used the backdoor access to distribute ransomware, encrypting victims' data and demanding extortion payments to decrypt it.

Angelov's group included software coders who developed programs to distribute spam emails and malware so advanced it could evade virus-detection software. The operation sold backdoor access at scale, functioning as a criminal wholesale supplier to ransomware operators who lacked the infrastructure to breach targets themselves.

Angelov pleaded guilty in secret in October to one count of conspiracy to commit wire fraud. Prosecutors requested he serve 61 months in prison — a significant break from advisory sentencing guidelines calling for more than 12 years — and he was ordered to pay a $100,000 fine and a $1.6 million money judgment. The reduction reflected both his voluntary cooperation and the circumstances of his surrender.

Angelov was sentenced four years after an associate, Vyacheslav Igorevich Penchukov, was arrested in Switzerland and later extradited to the U.S. Penchukov was a member of a group that negotiated a $1 million payment to Angelov and a second individual for access to Mario Kart. A few days after Penchukov's arrest, Angelov contacted U.S. authorities and eventually negotiated his surrender. At the time of his travel and surrender, he was living in the United Kingdom, a country from which the U.S. could have sought his extradition.

Vitlalii Alexandrovich Balint, who provided essential coding to Mario Kart, was sentenced five months earlier in federal court in Detroit to 20 months in prison. While Balint's role in Mario Kart was significant, he was Angelov's subordinate.

The Mario Kart case sits inside a broader DOJ enforcement pattern targeting the upstream criminal economy — the access brokers and botnet operators who supply the tools and entry points that ransomware groups deploy.

The day before Angelov's sentencing, a separate federal court sentenced Russian access broker Aleksei Volkov to 81 months for supplying network access to the Yanluowang ransomware group across dozens of U.S. organizations.

Read: Russian Access Broker Gets Nearly 7 Yrs for Enabling Millions in Ransomware Extortion

Two Russian cybercriminals sentenced in two consecutive days across two different federal districts signals a deliberate prosecutorial push against the ransomware supply chain's foundational layer, not just its most visible operators.

The scheme operated before the peak of ransomware extortion payments, which reached a high of $1.25 billion in 2023. That trajectory makes the infrastructure Angelov built — and the model it demonstrated — directly relevant to understanding how the ransomware economy scaled to where it stands today.

A single individual selling stolen network credentials to the right buyers can cause more damage than any ransomware group operating alone and a federal court in Indiana made that arithmetic concrete by sentencing a 26-year-old Russian citizen to 81 months in prison for precisely that role — of being an access broker.

Aleksei Volkov, of St. Petersburg, Russia, was sentenced in the Southern District of Indiana for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses.

Volkov operated as what the cybersecurity industry calls an initial access broker, which is a specialized criminal role that sits upstream of ransomware deployment. Rather than executing attacks himself, Volkov found vulnerabilities in computer networks and systems, identified ways to access those networks and systems without authorization, and sold that illicit access to conspirators who were also cybercriminals.

Also read: Iranian State Hackers Act as Access Brokers for Ransomware Gangs, Target U.S. and Allies’ Critical Infrastructure

Those co-conspirators then used the access Volkov provided to infect the affected computer networks and systems with malware, encrypting victims' data and preventing them from accessing it, damaging their business operations.

The conspirators then demanded that the victims pay ransom in cryptocurrency — sometimes in the tens of millions of dollars — in exchange for restoring access to the data and promising not to publicly disclose the hack or release victims' stolen data on a leak website.

The access broker model is a critical enabler of the modern ransomware economy. By separating the intrusion skill from the extortion operation, it allows ransomware groups to scale attacks without needing every member to possess deep technical exploitation expertise. Volkov effectively ran a supply chain for cybercrime — sourcing the raw ingredient that ransomware operators cannot easily produce at volume themselves.

Volkov was arrested on January 18, 2024, in Italy after a Bitcoin transaction originating in Indianapolis tied him to the cybercrime group. He was subsequently extradited to the United States and pleaded guilty to charges including aggravated identity theft and access device fraud.

As part of his plea agreement, Volkov agreed to pay $9,167,198.19 in restitution to known victims. In addition to the 81-month prison term, he received two years of supervised probation. He had been indicted in both the Southern District of Indiana and the Eastern District of Pennsylvania.

The Yanluowang ransomware group, one of the criminal organizations Volkov supplied, previously claimed responsibility for high-profile breaches including a 2022 intrusion into Cisco's corporate network. The group's willingness to target major enterprise organizations shows the downstream risk that a single access broker enabling their operations can create across the entire victim landscape.

Prosecuting access brokers — rather than only the ransomware operators who deploy the final payload — directly attacks the supply chain that makes large-scale ransomware campaigns economically viable. Targeting that upstream layer forces criminal networks to either develop intrusion capabilities in-house — a significant barrier — or risk greater exposure by broadening their supplier relationships.

On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala.

The attack on Stryker Corporation — a Fortune 500 medical technology giant that supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company.

Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort.

Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing "a global disruption to the Company's Microsoft environment" and stating it had no indication of ransomware or malware and believed the incident was contained. The company's own filing, however, understated what employees were already reporting on the ground.

Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped.

"My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo," a Reddit user said.

Another claimed the situation as "bad" and said: "Many colleagues phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams.

Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. Stryker in a midnight update said it was still working on complete restoration post the cyberattack.

"We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack.  At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.  Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.  We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible. It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility." - Stryker's update on the cyberattack

The mechanism behind the attack points to a calculated abuse of Microsoft Intune — a cloud-based platform enterprises use to manage and push policy updates to all enrolled devices from a single console. A wiper is malware that permanently erases data rather than encrypting it for ransom.

In short, an attacker with admin-level access to Intune effectively is holding a kill switch for every enrolled endpoint in the organization. The Handala branding that appeared on screens before the wipe confirmed that access had been established and held well before the destructive phase began — this was a deliberate, staged operation.

So Who Exactly is Handala?

Handala — also known as Handala Hack Team, Hatef, and Hamsa — first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, explained researchers at AI-powered threat intelligence firm, Cyble.

The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer.

The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.

Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel's own National Cyber Directorate.

Cyble has observed Handala hackers using Hamsa and Hatef data wipers in its previous campaigns targeted mainly at Israeli entities. [caption id="attachment_110112" align="aligncenter" width="500"] Source: Cyble Research and Intelligence Labs[/caption]

Also read: Iran-linked Threat Group Handala Actively Targets Israel

Void Manticore's attack playbook follows a consistent pattern of Handala too. Initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools like PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records.

The group's prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company.

Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers.

Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children.

[caption id="attachment_110115" align="aligncenter" width="500"] Stryker Cyberattack Claim by Handala (Source: X)[/caption]

Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military.

That contract likely put a target on Stryker's back.

Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker's environment long before anyone noticed.

Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking.

The hacker collective on Wednesday also claimed hacking another Israeli company Verifone, a leading provider of payment solutions and point-of-sale terminals to countries across the globe. However, a spokesperson for the company told The Cyber Express that all such claims are "fake news" and do not hold any substance. “Verifone closely monitors the security and integrity of its systems worldwide. We have observed recent allegations on March 11, 2026 from threat actors claiming an intrusion into our systems in Israel. Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients," the spokesperson said. Updated on March 13, 2026 1:24 AM ET: The article was updated with a statement from Verifone spokesperson confirming no evidence of intrusion and no authenticity in Handala's claims.

The Notepad++ supply chain compromise is the latest proof that sophisticated adversaries are deliberately targeting the gap between two disciplines: Vulnerability management and detection and response. 

The post The Seam in Cybersecurity Defenses That Nation-States Keep Exploiting appeared first on Security Boulevard.

In this week’s edition of The Cyber Express weekly roundup, some interesting news and cybersecurity stories share an interesting shift in the cyber domain. Critical developments span space cybersecurity, AI vulnerabilities, mobile malware, and global regulatory enforcement, highlighting how digital threats are becoming more sophisticated and interconnected.   From government-led initiatives to strengthen national defense, to high-profile breaches impacting multinational enterprises, and the rise of AI-augmented attacks, this cybersecurity news digest provides a detailed snapshot of the challenges facing organizations, agencies, and individual users worldwide.  This weekly roundup from The Cyber Express emphasizes the urgent need for stakeholders across all sectors to stay informed, adapt strategies in real time, and anticipate new cyber threats before they escalate. 

The Cyber Express Weekly Roundup 

India Strengthens Space Cybersecurity 

India has unveiled new space cybersecurity guidelines developed jointly by the Indian Computer Emergency Response Team (CERT-In) and SatCom Industry Association India (SIA-India). Announced at the DefSat Conference & Expo 2026 in New Delhi, the framework introduces risk-based, secure-by-design practices for satellites, ground systems, and supply chains. Read more... 

Apple Devices Certified for NATO Restricted Data 

Apple Inc. has become the first consumer device maker approved to handle NATO “restricted” classified information on standard iPhone and iPad devices running iOS 26 and iPadOS 26. Certification, granted following testing by Germany’s Federal Office for Information Security, allows personnel across NATO member states to use commercial devices without specialized security software. Read more... 

OpenClaw Vulnerability Threatens Local AI Agents 

Security researchers have discovered a critical flaw in the open-source AI agent OpenClaw, allowing any malicious website visited by a developer to hijack the locally running agent. The vulnerability, present in OpenClaw’s local WebSocket gateway, permitted password brute-forcing and administrative access without plugins or user interaction. Read more... 

Cisco SD-WAN Zero-Day Exploitation Spans Three Years 

Cisco Systems’ Catalyst SD-WAN controllers were compromised via a critical zero-day flaw (CVE-2026-20127) for at least three years, according to Cisco Talos. Threat actors exploited the authentication bypass to gain administrative access and insert rogue peers, chaining the exploit with an older vulnerability (CVE-2022-20775) to escalate privileges while avoiding detection. Read more... 

U.S. Sanctions Russian Zero-Day Broker 

The U.S. Department of State sanctioned Operation Zero, a Russia-linked cyber brokerage network, targeting Russian national Sergey Sergeyevich Zelenyuk and associated entities. Authorities allege Australian national Peter Williams stole eight classified exploits from a U.S. defense contractor between 2022 and 2025, selling them for $1.3 million in cryptocurrency. Read more... 

X Appeals €120M EU Fine 

Social media platform X has filed an appeal against a €120 million penalty under the EU Digital Services Act, challenging enforcement related to its paid verification system, advertising disclosures, and public data access for researchers. X claims procedural errors and misinterpretation of obligations, framing the case as a precedent-setting test for platform accountability, user trust, and regulatory compliance. Read more... 

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights how cybersecurity risks are advancing across sectors, from national space programs to AI agents, mobile malware, and critical infrastructure. Organizations and regulators must adapt in real time, balancing innovation with governance, monitoring, and incident preparedness. As this cybersecurity news highlights, proactive measures remain essential in a complex digital environment.