
The Cyber Express Weekly Roundup: Data Breaches, Malware Campaigns, and Cyber Fraud Investigations


In this week’s edition of The Cyber Express weekly roundup, we look at the latest developments in cybersecurity: high-profile data breaches, a growing malware campaign, and law enforcement actions against cybercriminals. Attackers are going after sensitive personal and organizational data, from health records to financial credentials. At the same time, regulators are stepping up efforts to protect minors and curb harmful content on social platforms, while criminals continue to exploit weaknesses in both the public and private sectors. The stories below show how industries from healthcare and social media to finance and government are dealing with these threats, and why data security, regulation, and cybercrime can no longer be treated separately.

The Cyber Express Weekly Roundup 

UK Biobank Data Breach Triggers Urgent Review of Data Security Measures 

A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community. Read more... 

Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets 

Vercel's CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign with multiple targets. After reviewing network logs, Vercel’s security team found evidence of malware distribution that compromised several customer accounts, including their Vercel account keys. Read more... 

Ofcom Investigates Telegram and Teen Platforms 

In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation. Read more... 

Personal Data Exposed in Breach of France’s ANTS Portal 

A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals. Read more... 

Bluesky Faces Coordinated DDoS Attack 

Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities. Read more... 

Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown 

India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks. Read more... 

Weekly Takeaway 

This week’s roundup shows how varied cyber threats have become. From exposed health data and an expanding malware campaign to DDoS attacks and SIM card fraud, regulators and companies alike are contending with new risks, particularly around public health data, social media platforms, and digital content safety. Both technical weaknesses and human factors such as social engineering remain central to how attackers get in. With regulatory frameworks like the Online Safety Act and stepped-up investigations in India and France, the pressure on platforms and authorities to act quickly is higher than ever. As threats become more interconnected, stronger security controls, better monitoring, and clearer accountability in digital spaces remain essential.

U.S. Shuts Down Websites Behind Iran-Linked Cyber Attacks and Death Threats


The U.S. Justice Department has seized four domains tied to Iran-linked cyberattacks, disrupting what officials describe as a coordinated effort to combine hacking with online intimidation and propaganda. The domains—Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to—were allegedly operated by Iran’s Ministry of Intelligence and Security (MOIS). According to investigators, these sites were used to claim responsibility for cyberattacks, publish stolen data, and issue threats targeting journalists, dissidents, and individuals linked to Israel. This action highlights a shift in how Iran-linked cyberattacks are being carried out—moving beyond system breaches into public messaging and pressure tactics.

Iran-Linked Cyberattacks Used Fake Hacktivist Fronts

Authorities say the domains were connected through shared infrastructure, including Iranian IP ranges and common leak platforms. More importantly, they followed a similar pattern of activity. The sites operated under the guise of hacktivist groups, but investigators say they were part of a state-backed effort. This included launching disruptive cyberattacks, leaking sensitive data, and amplifying the impact by publicly claiming responsibility. One such platform, Handala-hack[.]to, was used to claim a March 2026 malware attack on a U.S.-based medical technology company. The group framed the attack as retaliation linked to ongoing geopolitical tensions. This mix of hacking and messaging is becoming a defining feature of Iran-linked cyberattacks, where the goal is not just access, but visibility.

Data Leaks and Threats Target Individuals Directly

The same infrastructure was also used to expose personal data and issue threats. According to court documents, the Handala-redwanted[.]to domain published identifying details of nearly 190 individuals associated with the Israeli Defense Force and government. The posts included messages suggesting these individuals were being tracked and could face consequences. Other posts named individuals allegedly linked to Israeli institutions, warning that their locations were known and encouraging others to act. In another instance, the group claimed to have stolen 851 gigabytes of data from members of the Sanzer Hasidic Jewish community, along with a warning that more information would follow. These actions show how Iran-linked cyberattacks are increasingly focused on individuals, not just organizations.

Threats Extended Beyond Websites

Investigators found that the campaign did not stop at public posts. Email accounts tied to the same operation were used to send direct threats to journalists and Iranian dissidents living in the United States and abroad. In some messages, the senders claimed to have shared victims’ home addresses and offered financial rewards for acts of violence. The emails also referenced alleged links to criminal groups, adding another layer of intimidation. The use of direct communication alongside public leaks suggests a more aggressive approach in Iran-linked cyberattacks, where the aim is to pressure targets both publicly and privately.

Justice Department Targets Infrastructure Behind Iran-Linked Cyberattacks

The Justice Department’s move focused on taking down the infrastructure enabling these activities. “Terrorist propaganda online can incite real-world violence — thanks to our National Security Division and the U.S. Attorney’s Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate,” said Attorney General Pamela Bondi. FBI Director Kash Patel added, “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents. We took down four of their operation's pillars and we're not done. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.”

(Image: seizure notice, source FBI)

Officials also confirmed that the domains Justicehomeland[.]org and Karmabelow80[.]org had previously been used to claim responsibility for data theft targeting Albanian government systems, linked to tensions over support for an Iranian dissident group.

Iran-Linked Cyberattacks Show a Broader Shift

The takedown reflects a wider pattern. Iran-linked cyberattacks are no longer limited to stealing data or disrupting systems—they are being used to send messages, target individuals, and amplify political narratives. By combining cyberattacks with data leaks and direct threats, these campaigns extend their reach beyond technical impact. The Justice Department’s action removes part of that network, but it also points to how these operations are evolving. For now, the focus is on disruption. But the methods behind these Iran-linked cyberattacks suggest this kind of activity is unlikely to disappear anytime soon.

Google will end dark web reports that alerted users to leaked data

Google has offered "dark web reports" since 2023, but the company has just announced the feature will be going away very soon. In an email to users of the service, Google says it will stop telling you about dark web data leaks in February. Losing the feature probably won't weaken your security or privacy much because, as Google points out in that email, there is nothing you can do to pull data back once it is circulating on the dark web. The useful responses to a leak alert, rotating the exposed password, turning on two-factor authentication, and watching for account-takeover attempts, do not depend on Google's report.

The dark web reports launched in March 2023 as a perk for Google One subscribers. The reports were expanded to general access in 2024. Now, barely a year later, Google has decided it doesn't see the value in this type of alert for users. Dark web reports provide a list of partially redacted user data retrieved from shadowy forums and sites where such information is bought and sold. However, that's all it is—a list.

The dark web consists of so-called hidden services (now called onion services) hosted inside the Tor network. You need the Tor Browser or similar connection tools to reach them, and the network's largely anonymous nature has made it a favorite hangout for online criminals. If a company holding your personal data has been hacked, that data probably lives somewhere on the dark web.
