Private Chats, Photos of Celebs Exposed in Suspected Stalkerware Leak

Private chats and photos of celebrities and influencers were exposed after a suspected stalkerware setup left a database open, revealing sensitive messages and files.

The Cyber Express Weekly Roundup: Data Breaches, Malware Campaigns, and Cyber Fraud Investigations

In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals.

As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping up efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both the public and private sectors.

This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.

The Cyber Express Weekly Roundup 

UK Biobank Data Breach Triggers Urgent Review of Data Security Measures 

A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community. Read more... 

Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets 

Vercel's CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys. Read more... 

Ofcom Investigates Telegram and Teen Platforms 

In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation. Read more... 

Personal Data Exposed in Breach of France’s ANTS Portal 

A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals. Read more... 

Bluesky Faces Coordinated DDoS Attack 

Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities. Read more... 

Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown 

India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks. Read more... 

Weekly Takeaway 

This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers.

With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical.

WorldLeaks ransomware group breached the City of Los Angeles

WorldLeaks group hit Los Angeles and its Metro system, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks.

This week, local media reported that an unauthorized activity hit Metro’s internal systems, forcing the agency to limit access and disrupting station arrival displays.

“Unauthorized activity on internal administrative computer systems prompted Metro to limit access to those systems, resulting in station monitors not displaying arrival times, the transit agency announced Thursday.” reported NBC Los Angeles.

Riders face issues adding funds to TAP cards online or via support, so Metro urges them to use ticket machines. Rail and bus services continue to run normally, and no customer or employee data is affected. Metro continues security checks and works to restore full access.

In a separate incident, officials in Foster City said a ransomware attack is widely disrupting municipal services and pushing leaders to declare a state of emergency to secure external support and funding. Emergency services like 911 continue to operate normally, but many city services that rely on internal systems remain unavailable. City Hall stays open with limited services.

The city identified the attack early Thursday and quickly took most systems offline to protect the network. Officials are working with independent cybersecurity experts to investigate and restore operations.

The disruption affects digital services and access to information, while core emergency response remains intact. Authorities say it is still unclear whether attackers accessed or copied sensitive data, but they warn that public information may have been exposed. As a precaution, officials urge anyone who has interacted with the city to change passwords and take steps to protect their personal data.

“Out of an abundance of caution, those who have done business with the City of Foster City are encouraged to change their personal passwords and take measures to protect their personal data,” the city said, as reported by the San Francisco Chronicle.

BREAKING

The City of Los Angeles, California has been breached by WorldLeaks pic.twitter.com/5kCWTlGiTC

— Dominic Alvieri (@AlvieriD) March 20, 2026

On March 20, 2026, the WorldLeaks ransomware group added the City of Los Angeles to the list of victims on its data leak site. The ransomware group claimed the theft of 159.9 GB (779 files).

WorldLeaks is an extortion-focused cybercrime group that steals company data to pressure victims into paying, threatening public leaks if they refuse. The group emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Following increased law-enforcement pressure, it abandoned file encryption and shifted entirely to data theft and extortion, claiming hundreds of victims to date.

Pierluigi Paganini

(SecurityAffairs – hacking, Los Angeles)

U.S. Shuts Down Websites Behind Iran-Linked Cyber Attacks and Death Threats

The U.S. Justice Department has seized four domains tied to Iran-linked cyberattacks, disrupting what officials describe as a coordinated effort to combine hacking with online intimidation and propaganda. The domains—Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to—were allegedly operated by Iran’s Ministry of Intelligence and Security (MOIS). According to investigators, these sites were used to claim responsibility for cyberattacks, publish stolen data, and issue threats targeting journalists, dissidents, and individuals linked to Israel. This action highlights a shift in how Iran-linked cyberattacks are being carried out—moving beyond system breaches into public messaging and pressure tactics.

Iran-Linked Cyberattacks Used Fake Hacktivist Fronts

Authorities say the domains were connected through shared infrastructure, including Iranian IP ranges and common leak platforms. More importantly, they followed a similar pattern of activity. The sites operated under the guise of hacktivist groups, but investigators say they were part of a state-backed effort. This included launching disruptive cyberattacks, leaking sensitive data, and amplifying the impact by publicly claiming responsibility. One such platform, Handala-hack[.]to, was used to claim a March 2026 malware attack on a U.S.-based medical technology company. The group framed the attack as retaliation linked to ongoing geopolitical tensions. This mix of hacking and messaging is becoming a defining feature of Iran-linked cyberattacks, where the goal is not just access, but visibility.

Data Leaks and Threats Target Individuals Directly

The same infrastructure was also used to expose personal data and issue threats. According to court documents, the Handala-redwanted[.]to domain published identifying details of nearly 190 individuals associated with the Israeli Defense Force and government. The posts included messages suggesting these individuals were being tracked and could face consequences. Other posts named individuals allegedly linked to Israeli institutions, warning that their locations were known and encouraging others to act. In another instance, the group claimed to have stolen 851 gigabytes of data from members of the Sanzer Hasidic Jewish community, along with a warning that more information would follow. These actions show how Iran-linked cyberattacks are increasingly focused on individuals, not just organizations.

Threats Extended Beyond Websites

Investigators found that the campaign did not stop at public posts. Email accounts tied to the same operation were used to send direct threats to journalists and Iranian dissidents living in the United States and abroad. In some messages, the senders claimed to have shared victims’ home addresses and offered financial rewards for acts of violence. The emails also referenced alleged links to criminal groups, adding another layer of intimidation. The use of direct communication alongside public leaks suggests a more aggressive approach in Iran-linked cyberattacks, where the aim is to pressure targets both publicly and privately.

Justice Department Targets Infrastructure Behind Iran-Linked Cyberattacks

The Justice Department’s move focused on taking down the infrastructure enabling these activities. “Terrorist propaganda online can incite real-world violence — thanks to our National Security Division and the U.S. Attorney’s Office for the District of Maryland, this network of Iranian-backed sites will no longer broadcast anti-American hate,” said Attorney General Pamela Bondi.

FBI Director Kash Patel added, “Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents. We took down four of their operation's pillars and we're not done. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.”

[Image: Iran-Linked Cyberattacks. Image source: FBI]

Officials also confirmed that the domains Justicehomeland[.]org and Karmabelow80[.]org had previously been used to claim responsibility for data theft targeting Albanian government systems, linked to tensions over support for an Iranian dissident group.

Iran-Linked Cyberattacks Show a Broader Shift

The takedown reflects a wider pattern. Iran-linked cyberattacks are no longer limited to stealing data or disrupting systems—they are being used to send messages, target individuals, and amplify political narratives. By combining cyberattacks with data leaks and direct threats, these campaigns extend their reach beyond technical impact. The Justice Department’s action removes part of that network, but it also points to how these operations are evolving. For now, the focus is on disruption. But the methods behind these Iran-linked cyberattacks suggest this kind of activity is unlikely to disappear anytime soon.

Ransom & Dark Web Issues Week 4, January 2026

ASEC Blog publishes Ransom & Dark Web Issues Week 4, January 2026. This week’s issues:

New Ransomware Group 0APT and BravoX Identified [1], [2]

RAMP Cybercrime Forum Domains Seized by FBI and DOJ

World Leaks Targets U.S. Global Sportswear Company in Ransomware Attack

Google will end dark web reports that alerted users to leaked data

Google began offering "dark web reports" a while back, but the company has just announced the feature will be going away very soon. In an email to users of the service, Google says it will stop telling you about dark web data leaks in February. This probably won't negatively impact your security or privacy because, as Google points out in its latest email, there's really nothing you can do about the dark web.

The dark web reports launched in March 2023 as a perk for Google One subscribers. The reports were expanded to general access in 2024. Now, barely a year later, Google has decided it doesn't see the value in this type of alert for users. Dark web reports provide a list of partially redacted user data retrieved from shadowy forums and sites where such information is bought and sold. However, that's all it is—a list.

The dark web consists of so-called hidden services hosted inside the Tor network. You need a special browser or connection tools in order to access Tor hidden services, and its largely anonymous nature has made it a favorite hangout for online criminals. If a company with your personal data has been hacked, that data probably lives somewhere on the dark web.
