Chrome users were caught off guard by a 4-GB Google AI model baked into Chrome, sparking privacy concerns. The good news: You can easily uninstall it. The bad? You might not want to.
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Office platform, as well as Windows and Linux operating systems.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged by popular C2 frameworks throughout Q1 2026.
Statistics on registered vulnerabilities
This section provides statistical data on registered vulnerabilities. The data is sourced from cve.org.
We examine the number of registered CVEs for each month starting from January 2022. The total volume of vulnerabilities continues rising and, according to current reports, the use of AI agents for discovering security issues is expected to further reinforce this upward trend.
Total published vulnerabilities per month from 2022 through 2026 (download)
Next, we analyze the number of new critical vulnerabilities (CVSS > 8.9) over the same period.
Total critical vulnerabilities published per month from 2022 through 2026 (download)
The graph indicates that while the volume of critical vulnerabilities slightly decreased compared to previous years, an upward trend remained clearly visible. At present, we attribute this to the fact that the end of last year was marked by the disclosure of several severe vulnerabilities in web frameworks. The current growth is driven by high-profile issues like React2Shell, the release of exploit frameworks for mobile platforms, and the uncovering of secondary vulnerabilities during the remediation of previously discovered ones. We will be able to test this hypothesis in the next quarter; if correct, the second quarter will show a significant decline, similar to the pattern observed in the previous year.
Exploitation statistics
This section presents statistics on vulnerability exploitation for Q1 2026. The data draws on open sources and our telemetry.
Windows and Linux vulnerability exploitation
In Q1 2026, threat actor toolsets were updated with exploits for new, recently registered vulnerabilities. However, we first examine the list of veteran vulnerabilities that consistently account for the largest share of detections:
CVE-2018-0802: a remote code execution (RCE) vulnerability in the Equation Editor component
CVE-2017-11882: another RCE vulnerability also affecting Equation Editor
CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to gain control over the system
CVE-2023-38831: a vulnerability resulting from the improper handling of objects contained within an archive
CVE-2025-6218: a vulnerability allowing the specification of relative paths to extract files into arbitrary directories, potentially leading to malicious command execution
CVE-2025-8088: a directory traversal bypass vulnerability during file extraction utilizing NTFS Streams
Among the newcomers, we have observed exploits targeting the Microsoft Office platform and Windows OS components. Notably, these new vulnerabilities exploit logic flaws arising from the interaction between multiple systems, making them technically difficult to isolate within a specific file or library. A list of these vulnerabilities is provided below:
CVE-2026-21509 and CVE-2026-21514: security feature bypass vulnerabilities: despite Protected View being enabled, a specially crafted file can still execute malicious code without the user’s knowledge. Malicious commands are executed on the victim’s system with the privileges of the user who opened the file.
CVE-2026-21513: a vulnerability in the Internet Explorer MSHTML engine, which is used to open websites and render HTML markup. The vulnerability involves bypassing rules that restrict the execution of files from untrusted network sources. Interestingly, the data provider for this vulnerability was an LNK file.
These three vulnerabilities were utilized together in a single chain during attacks on Windows-based user systems. While this combination is noteworthy, we believe the widespread use of the entire chain as a unified exploit will likely decline due to its instability. We anticipate that these vulnerabilities will eventually be applied individually as initial entry vectors in phishing campaigns.
Below is the trend of exploit detections on user Windows systems starting from Q1 2025.
Dynamics of the number of Windows users encountering exploits, Q1 2025 – Q1 2026. The number of users who encountered exploits in Q1 2025 is taken as 100% (download)
The vulnerabilities listed here can be leveraged to gain initial access to a vulnerable system and for privilege escalation. This underscores the critical importance of timely software updates.
On Linux devices, exploits for the following vulnerabilities were detected most frequently:
CVE-2022-0847: a vulnerability known as Dirty Pipe, which enables privilege escalation and the hijacking of running applications
CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation
CVE-2021-22555: a heap out-of-bounds write vulnerability in the Netfilter kernel subsystem
CVE-2023-32233: a vulnerability in the Netfilter subsystem that allows for Use-After-Free conditions and privilege escalation through the improper processing of network requests
Dynamics of the number of Linux users encountering exploits, Q1 2025 – Q1 2026. The number of users who encountered exploits in Q1 2025 is taken as 100% (download)
In the first quarter of 2026, we observed a decrease in the number of detected exploits; however, the detection rates are on the rise relative to the same period last year. For the Linux operating system, the installation of security patches remains critical.
Most common published exploits
The distribution of published exploits by software type in Q1 2026 features an updated set of categories; once again, we see exploits targeting operating systems and Microsoft Office suites.
Distribution of published exploits by platform, Q1 2026 (download)
Vulnerability exploitation in APT attacks
We analyzed which vulnerabilities were utilized in APT attacks during Q1 2026. The ranking provided below includes data based on our telemetry, research, and open sources.
TOP 10 vulnerabilities exploited in APT attacks, Q1 2026 (download)
In Q1 2026, threat actors continued to utilize high-profile vulnerabilities registered in the previous year for APT attacks. The hypothesis we previously proposed has been confirmed: security flaws affecting web applications remain heavily exploited in real-world attacks. However, we are also observing a partial refresh of attacker toolsets. Specifically, during the first quarter of the year, APT campaigns leveraged recently discovered vulnerabilities in Microsoft Office products, edge networking device software, and remote access management systems. Although the most recent vulnerabilities are being exploited most heavily, their general characteristics continue to reinforce established trends regarding the categories of vulnerable software. Consequently, we strongly recommend applying the security patches provided by vendors.
C2 frameworks
In this section, we examine the most popular C2 frameworks used by threat actors and analyze the vulnerabilities targeted by the exploits that interacted with C2 agents in APT attacks.
The chart below shows the frequency of known C2 framework usage in attacks against users during Q1 2026, according to open sources.
TOP 10 C2 frameworks used by APTs to compromise user systems, Q1 2026 (download)
Metasploit has returned to the top of the list of the most common C2 frameworks, displacing Sliver, which now shares the second position with Havoc. These are followed by Covenant and Mythic, the latter of which previously saw greater popularity. After studying open sources and analyzing samples of malicious C2 agents that contained exploits, we determined that the following vulnerabilities were utilized in APT attacks involving the C2 frameworks mentioned above:
CVE-2023-46604: an insecure deserialization vulnerability allowing for arbitrary code execution within the server process context if the Apache ActiveMQ service is running
CVE-2024-12356 and CVE-2026-1731: command injection vulnerabilities in BeyondTrust software that allow an attacker to send malicious commands even without system authentication
CVE-2023-36884: a vulnerability in the Windows Search component that enables command execution on the system, bypassing security mechanisms built into Microsoft Office applications
CVE-2025-53770: an insecure deserialization vulnerability in Microsoft SharePoint that allows for unauthenticated command execution on the server
CVE-2025-8088 and CVE-2025-6218: similar directory traversal vulnerabilities that allow files to be extracted from an archive to a predefined path, potentially without the archiving utility displaying any alerts to the user
The nature of the described vulnerabilities indicates that they were exploited to gain initial access to the system. Notably, the majority of these security issues are targeted to bypass authentication mechanisms. This is likely due to the fact that C2 agents are being detected effectively, prompting threat actors to reduce the probability of discovery by utilizing bypass exploits.
Notable vulnerabilities
This section highlights the most significant vulnerabilities published in Q1 2026 that have publicly available descriptions.
At the core of this vulnerability is a Type Confusion flaw. By attempting to access a resource within the Desktop Window Manager subsystem, an attacker can achieve privilege escalation. A necessary condition for exploiting this issue is existing authorization on the system.
It is worth noting that the DWM subsystem has been under close scrutiny by threat actors for quite some time. Historically, the primary attack vector involves interacting with the NtDComposition* function set.
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21533 is essentially a logic vulnerability that enables privilege escalation. It stems from the improper handling of privileges within Remote Desktop Services (RDS) components. By modifying service parameters in the registry and replacing the configuration with a custom key, an attacker can elevate privileges to the SYSTEM level. This vulnerability is likely to remain a fixture in threat actor toolsets as a method for establishing persistence and gaining high-level privileges.
CVE-2026-21514: a Microsoft Office vulnerability
This vulnerability was discovered in the wild during attacks on user systems. Notably, an LNK file is used to initiate the exploitation process. CVE-2026-21514 is also a logic issue that allows for bypassing OLE technology restrictions on malicious code execution and the transmission of NetNTLM authentication requests when processing untrusted input.
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
This vulnerability in the AI agent leaks credentials (authentication tokens) when queried via the WebSocket protocol. It can lead to the compromise of the infrastructure where the agent is installed: researchers have confirmed the ability to access local system data and execute commands with elevated privileges. The danger of CVE-2026-25253 is further compounded by the fact that its exploitation has generated numerous attack scenarios, including the use of prompt injections and ClickFix techniques to install stealers on vulnerable systems.
CVE-2026-34070: LangChain framework vulnerability
LangChain is an open-source framework designed for building applications powered by large language models (LLMs). A directory traversal vulnerability allowed attackers to access arbitrary files within the infrastructure where the framework was deployed. The core of CVE-2026-34070 lies in the fact that certain functions within langchain_core/prompts/loading.py handled configuration files insecurely. This could potentially lead to the processing of files containing malicious data, which could be leveraged to execute commands and expose critical system information or other sensitive files.
CVE-2026-22812: an OpenCode vulnerability
CVE-2026-22812 is another vulnerability identified in AI-assisted coding software. By default, the OpenCode agent provided local access for launching authorized applications via an HTTP server that did not require authentication. Consequently, attackers could execute malicious commands on a vulnerable device with the privileges of the current user.
Conclusion and advice
We observe that the registration of vulnerabilities is steadily gaining momentum in Q1 2026, a trend driven by the widespread development of AI tools designed to identify security flaws across various software types. This trajectory is likely to result not only in a higher volume of registered vulnerabilities but also in an increase in exploit-driven attacks, further reinforcing the critical necessity of timely security patch deployment. Additionally, organizations must prioritize vulnerability management and implement effective defensive technologies to mitigate the risks associated with potential exploitation.
To ensure the rapid detection of threats involving exploit utilization and to prevent their escalation, it is essential to deploy a reliable security solution. Key features of such a tool include continuous infrastructure monitoring, proactive protection, and vulnerability prioritization based on real-world relevance. These mechanisms are integrated into Kaspersky Next, which also provides endpoint security and protection against cyberattacks of any complexity.
An anti-ICE website, GTFO ICE, linked to Miles Taylor, is accused of exposing the personal details of 17,662 activists, sparking concerns that the data may have reached government agencies.
There’s a lot to security that isn’t necessarily “cyber.” It’s not all hackers or complex network attacks.
Alongside traditional cyberattacks that deploy malware or exploit known software vulnerabilities, there are also less technical—yet equally devastating—forms of theft.
This doesn’t mean that well-known cybersecurity best practices don’t apply. Every small business owner should still use unique passwords for every account, turn on multi-factor authentication, keep their software and operating systems updated, and run always-on cybersecurity software.
But for the everyday small business owner juggling dozens of accounts, networks, devices, and the reams of data being created, stored, and shared across text messages, emails, and online portals, this advice is for you.
For National Small Business Week in the US, here are three ways to protect your business that require little technical prowess.
Don’t use your Social Security Number as your tax ID
In the US, the Internal Revenue Service (IRS) allows small business owners to use their personal Social Security Number (SSN) as the Federal Tax ID. It’s a small grace meant to simplify annual record-keeping for sole proprietors and owner-employees, but for cybercriminals, it’s a basic oversight they’d like every small business to make.
Using your Social Security Number as your Federal Tax ID means putting your Social Security Number in an ever-increasing number of hands. That’s because small business taxes are different from taxes for everyday salaried employees.
Whenever a small business takes on a new client or a contractor who pays for services costing at least $600, that small business has to share and receive what is called a W-9 form. This exact form isn’t filed with the IRS, but it is used to track payments for later filings.
What’s more important, though, is that this form asks for an owner’s name, address, and tax ID number.
This means that as a small business grows, its vulnerability to identity theft increases in tandem. Every W-9 filed that uses an owner’s SSN as their tax ID number is another opportunity for that SSN to be stolen. After just one year of operation, a small business owner’s SSN could end up in the inboxes, filing cabinets, and cloud drives of a dozen different people and companies.
This is exactly what cybercriminals want.
Equipped with a W-9 form about your business, a cybercriminal could impersonate you or your business. They could open a business credit line, file fraudulent returns that claim your small business income, or scam your clients.
How to stay safe:
Apply for a free Employer Identification Number (EIN) at IRS.gov. It’s quick to do and it separates your business tax identity from your personal tax identity. After that, put the EIN on W-9s, 1099s, and all other business paperwork instead of your SSN.
Keep your personal cloud storage personal
The most popular cloud storage for most small business owners is the cloud storage they already have—their personal Google Drive or iCloud.
Built to make memory archival as easy as possible, these tools can automatically back up and secure nearly every single moment that happens through your device, from the vacation photos you snapped last summer, to your kid’s first steps recorded on video, to the texts you sent, the notes you made, and the calendar appointments you managed.
But this type of automatic archival poses a threat to any non-personal information that you view, send, markup, or sign when using your personal smartphone. Suddenly, and often without thinking about it, your cloud storage has backups of signed contracts, tax returns, client intake forms, invoices, business financial statements, and photos of physical paperwork.
Above, we warned about using your SSN as your tax ID because it creates a risk if anyone in your business network is breached. But storing client information in your personal cloud storage creates a different problem: it puts that risk directly on you.
Compounding the threat here is the fact that many personal cloud storage accounts are shared with family members. More people accessing the same account means more exposure and more chances for mistakes, even if everyone has good intentions.
How to stay safe:
Go through the cloud backup settings on both your phone and your computer and manage what data is being synced. Move sensitive business files to a dedicated business storage account with proper access controls, sharing permissions, and audit logs—something that can tell you who opened a file and when.
If anything business-related has to live in a personal cloud account, give that account a strong, unique password, turn on multi-factor authentication, and don’t share access with anyone who isn’t you.
Protect device and account access in the home
Devices have a funny way of moving around. Your smartphone goes into your spouse’s hands as they override your music choices in the car. Your tablet ends most nights in your kid’s bedroom as they watch TV. And your laptop gets tugged around from couch to counter to kitchen table—each time fully opened and logged in, a portal to the web.
You trust everyone in your home to act safely online, but the path to online safety is full of mistakes.
A single errant click on a fake ad, a malicious search result, or a disguised download is all it takes to compromise your device today, along with all your small business records.
Aside from the threat of malware, someone using your device could make purchases, accidentally delete files, and overwrite important documents.
Remember, an “insider threat” doesn’t need to be malicious to cause damage—they just need to be inside your network (which in this, is your home).
How to stay safe:
Treat your devices that you use for work as work devices. That means requiring a passcode or password for device entry, along with multi-factor authentication for important business accounts.
Also, to ensure that any wrong click doesn’t lead to a malicious PDF download or a wayward malware installation, use always-on antimalware protection software, like Malwarebytes for Teams.
Secure your success
It’s easy to get overwhelmed with modern cybersecurity advice. Every week there are new vulnerabilities to patch, emerging scams to avoid, and novel viruses and pieces of malware that can seemingly take over your device, your data, and your business.
Thankfully, there are important steps you can take today that don’t require you to fiddle with internal settings or take a class on network engineering. Some of the most effective protections are simple: Limit how widely you share sensitive information, keep business and personal data separate, and control who can access your devices.
For everything else, try Malwarebytes for Teams to receive 24/7, always-on antimalware protection to shut out viruses, block malware attacks, and keep hackers out of your business.
Jerry’s Store, a card-checking service used by cybercriminals, exposed 345,000 stolen payment cards after leaving its server open, revealing sensitive data.
A cybercriminal operation known as Jerry’s Store has reportedly exposed a large cache of stolen payment card data after leaving its own infrastructure accessible online. The service appears to have been used to test whether stolen credit and debit card details were still valid, effectively acting as a verification tool for fraudsters before the data was resold or abused.
“Jerry’s Store marketplace leaked 345,000 stolen credit card details through an exposed, insecurely configured server created using AI assistance.” reads the report published by CyberNews.
“The leak occurred after Cursor AI generated flawed code without authentication, exposing credit card numbers, names, addresses, and security codes.”
Researchers found that the exposed server contained information linked to roughly 345,000 payment cards. Of those, nearly 200,000 cards had been marked as invalid by the service, while more than 145,000 records were identified as valid. The leaked records reportedly included highly sensitive cardholder data such as card numbers, expiration dates, security codes, names, and billing addresses. Cybernews
The incident is notable not only because of the volume of exposed data, but also because it shows how organized and automated parts of the carding economy have become. Instead of manually checking stolen cards one by one, criminal marketplaces and fraud services increasingly rely on infrastructure that can validate payment data at scale. Once a card is confirmed as active, it becomes more valuable for resale, fraud attempts, or account takeover activity.
Cybernews estimated that valid stolen card records typically sell for around $7 to $18 on dark web markets. Using that range, the valid card data exposed through Jerry’s Store could be worth between $1 million and $2.6 million. The true value of the broader operation may be higher, since the platform reportedly handled more than just the leaked payment-card records.
CyberNews researchers found that Jerry’s Store operators used Cursor, an AI coding tool by Anysphere, to build their server and admin dashboards. However, flawed guidance from the AI likely led to misconfigurations, leaving the system exposed and causing the data leak.
“We were able to confirm that the leak originated from the user asking to create a statistics dashboard, and Cursor created an unauthenticated open web directory to serve the webpage, ignoring the need to set up authentication or ensure that only the intended dashboard would be accessible,” CyberNews team explained.
Source CyberNews: Jerry’s Store data leakSource CyberNews: Jerry’s Store data leak
The case is ironic: a cybercriminal service built to profit from stolen card data exposed itself due to poor security. This failure creates added risk for victims, as data already circulating in underground markets can spread further, reaching new attackers who did not originally steal it.
The story also highlights a wider trend in cybercrime: illicit services are becoming more productized. Carding shops, validation tools, automated fraud services, and dark web marketplaces increasingly resemble commercial platforms, with pricing models, customer interfaces, and backend infrastructure. Rapid7 has described this broader ecosystem as “carding-as-a-service,” where stolen cards and fraud tooling are packaged for easier use by criminals with varying levels of technical skill.
A similar pattern has been seen in other carding-related incidents. BidenCash, a carding-focused marketplace, became known for releasing large batches of stolen payment-card data as a promotional tactic to attract users and vendors.
Law enforcement has also targeted related ecosystems. In a case involving B1ack’s Stash, authorities seized domains tied to underground vendors trafficking stolen financial data, including payment-card records. That case underlines how carding markets remain a priority for investigators because they support a chain of downstream crimes, from unauthorized purchases to identity theft and money laundering.
Consumers should closely monitor accounts, enable alerts, use virtual cards, and replace compromised ones. Banks must strengthen fraud detection, quickly block stolen cards, and monitor underground markets.
The Jerry’s Store leak shows that even cybercriminal platforms can have weak security. When they fail, the impact still hits ordinary users, whose stolen card data may spread further and be reused, traded, and exploited across the fraud ecosystem.
In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members.
Recently, ConsumerWorld.org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.
This is a screenshot of the example they sent us.
Screenshot email from PayPal scammers
As you can see, the email comes from service@paypal.com. It wasn’t spoofed, which means it passes standard security checks (DKIM, SPF, DMARC).
While the body of the email says that you received a payment of ¥1 JPY (a whopping $0.0063), the subject line tells a different story:
“Pending charge of USD 987.90 for account activation. Questions? Call-(888) 607-0685.”
As an extra bonus for the scammers, the email contains personalized details—the recipient’s actual name and a real transaction ID.
The number in the subject line is not PayPal’s. The legitimate contact number appears inside the email.
“The amount doesn’t match what I see in the email body—that’s weird and scary.”
“I need to call this number immediately to dispute this charge.”
They call the number in the subject line, only to reach tech support scammers.
These scammers pretend to be PayPal support and may try to:
Get you to “verify” payment methods
Collect banking details
Convince you to install remote access tools
Take control of accounts or devices
All of the above
How the subject line is altered is still unclear. Based on PayPal’s documented email behavior, subject lines are typically fixed and not meant to include arbitrary free text or phone numbers. Our findings indicate that the subject line was already weaponized at the point PayPal’s systems signed the email. If someone along the way had rewritten the subject, the dkim=pass header.d=paypal.com result would likely fail.
One possibility is that the scammer abused PayPal’s note or remittance field in a way that surfaces in certain payout templates, including the subject line and HTML <title>, even though normal merchant payment‑received emails don’t allow arbitrary subjects.
The title tag matches the subject line of the email
We have contacted PayPal for comment and will update this post if we hear back.
How to avoid PayPal scams
The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:
Use verified, official ways to contact companies. Don’t call numbers listed in suspicious emails or attachments.
Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders.
Report suspicious emails to PayPal.Send the email to phishing@paypal.com to support their investigations.
If you’ve fallen victim to a tech support scam:
Paid the scammer? Contact your bank or card provider and let them know what’s happened. You can also file a complaint with the FTC or your local law enforcement, depending on your region.
Shared a password? Change it anywhere it’s used. Consider using a password manager and enable 2FA for important accounts.
Gave access to your device?Run a full security scan. If scammers had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove these and other software left behind by scammers.
Watch your accounts: Keep an eye out for unexpected payments or suspicious charges on your credit cards and bank accounts.
Be wary of suspicious emails. If you’ve fallen for one scam, they may target you again.
Pro tip: Malwarebytes Scam Guard recognized this email as a call back scam. Upload any suspicious text, emails, attachments, and other files to ask for its opinion. It’s really very good at recognizing scams.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
In a major international enforcement action, Operation Tri-Force Sentinel, led by Dubai Police, in coordination with the FBI and Chinese Police, has dismantled a large transnational fraud network involved in global financial scams. The Operation Tri-Force Sentinel crackdown resulted in the arrest of 276 individuals linked to organised cyber-enabled fraud activities spanning multiple countries, primarily involving suspects from Southeast Asia.
The Operation Tri-Force Sentinel was carried out under the UAE Ministry of Interior and focused on disrupting criminal syndicates running high-yield investment scams, commonly known as HYIS, “pig butchering” schemes, and virtual currency fraud. Authorities confirmed that nine major fraud centres were dismantled during the coordinated action.
276 Arrests and Nine Fraud Centres Dismantled in Operation Tri-Force Sentinel
As part of the operation, law enforcement agencies executed synchronized raids that dismantled three major criminal syndicates operating fraud centres. These centres were responsible for large-scale financial deception campaigns targeting victims across several regions.
The operation led to the arrest of 276 suspects, with authorities confirming that the network used advanced social engineering techniques. Victims were reportedly engaged through digital platforms, where trust was gradually built before financial exploitation took place.
Dubai Police also confirmed the arrest of a key leader of one of the syndicates in Thailand, carried out in coordination with the Royal Thai Police. The enforcement action marked one of the most significant coordinated strikes against cyber-financial crime groups in recent times under Operation Tri-Force Sentinel.
[caption id="attachment_111753" align="aligncenter" width="553"] Image Source: Dubai Police[/caption]
Dubai Police, FBI, and Chinese Police Coordination
Dubai Police played a central role in directing and executing Operation Tri-Force Sentinel, enabling real-time intelligence sharing between international partners. The collaboration with the FBI and Chinese Police was described as critical to the success of the operation.
Dubai Police stated that the operation reflects a proactive strategy to combat evolving transnational financial crime threats. The agency emphasized that coordinated international efforts were essential to dismantling complex criminal networks operating across borders.
The FBI highlighted the significance of joint enforcement efforts, stating that the operation demonstrates the effectiveness of coordinated global action in disrupting large-scale fraud schemes. It further noted that the partnership with the UAE authorities, particularly the Dubai Police, played a key role in achieving operational success.
Chinese Police also reaffirmed their commitment to combating telecom and financial fraud crimes. They emphasized continued cooperation with global law enforcement agencies to address emerging cross-border criminal activities targeted in Operation Tri-Force Sentinel.
Transnational Fraud Networks and Financial Crime Disruption
The dismantled network operated multiple fraud centres using structured and organised digital fraud models. These included investment scams and cryptocurrency-related fraud schemes that have increasingly affected victims across several countries.
Authorities noted that the criminal groups involved in Operation relied heavily on psychological manipulation and digital engagement strategies to execute financial scams at scale. The coordinated enforcement action disrupted key operational infrastructure of these networks in a single phase.
International Cooperation Strengthened
This operation highlights the growing importance of international cooperation in tackling financial crime networks that operate beyond national borders. The joint action between Dubai Police, the FBI, and the Chinese Police demonstrates strengthened coordination in intelligence sharing and enforcement execution.
Officials involved in the operation emphasized that continued collaboration is essential to countering sophisticated fraud networks.
The success of Operation reflects the ability of global law enforcement agencies to respond jointly to complex cyber-enabled financial threats.
The operation marks a significant step in global efforts to combat organised fraud networks and reinforces the role of coordinated international enforcement in addressing cross-border financial crime.
A major Canada SMS blaster cybercrime case has come to light as Toronto Police charge three men with 44 offences in what authorities describe as a first-of-its-kind investigation in the country. The case, part of Project Lighthouse, highlights a growing threat where cybercriminals use mobile technology to target thousands of people at once.
The investigation began in November 2025 after a security partner alerted police to a suspected SMS blaster operating in downtown Toronto. What followed was a months-long probe into a sophisticated operation that combined mobility, deception, and large-scale disruption.
What Is the Canada SMS Blaster Cybercrime Case?
At the center of the Canada SMS blaster cybercrime case is a device that mimics a legitimate cellular tower. When nearby mobile phones connect to it, users receive fraudulent messages that appear to come from trusted organizations. These messages often include links to fake websites designed to steal sensitive information such as banking credentials and passwords.
This method is widely known as “smishing,” a form of phishing carried out through text messages. However, the scale and mobility of the device used in this case set it apart from typical cyber fraud schemes.
Deputy Chief Rob Johnson said the operation posed serious risks beyond financial fraud. He noted that the technology had the capability to reach thousands of devices simultaneously, raising concerns about public safety.
Large-Scale Disruption Across the Greater Toronto Area
Investigators found that the SMS blaster was not stationary. It was operated from vehicles, allowing suspects to move across the Greater Toronto Area and deploy the device in multiple locations.
According to Detective Sergeant Lindsay Riddell, tens of thousands of devices connected to the rogue network over several months. Police also recorded more than 13 million network disruptions, during which affected devices were unable to connect to legitimate cellular networks.
These disruptions had serious implications. During those moments, access to emergency services such as 9-1-1 could have been impacted, making the Canada SMS blaster cybercrime case not just a financial threat but also a public safety concern.
Arrests and Seizure of Devices
Toronto Police executed search warrants on March 31 at residences in Markham and Hamilton, leading to the arrest of two suspects. Authorities seized multiple SMS blasters along with a significant amount of electronic evidence.
A third individual later turned himself in on April 21. All three now face a combined total of 44 charges linked to the operation.
The Canada SMS blaster cybercrime case involved extensive coordination between multiple agencies, including the Royal Canadian Mounted Police National Cybercrime Coordination Centre, regional police services, financial institutions, and telecom providers. Officials say this collaboration was key to identifying and disrupting the activity.
A New Type of Cyber Threat in Canada
Law enforcement officials emphasized that this is the first known case of SMS blaster technology being used in Canada. The case reflects how cyber-enabled crimes are becoming more advanced and harder to detect.
Authorities noted that while the technology is new, the objective remains the same: to gain unauthorized access to personal and financial information. The Canada SMS blaster cybercrime case shows how attackers are combining traditional fraud tactics with newer tools to scale their operations.
Public Advisory and Safety Measures
Police are urging the public to remain cautious when receiving unexpected text messages. Users are advised not to click on suspicious links or share personal information through unsolicited messages.
Officials recommend accessing banking services only through official applications or by directly entering website addresses into browsers. Victims of suspected fraud are encouraged to report incidents to law enforcement.
Deputy Chief Johnson also acknowledged the role of the Toronto Police Coordinated Cyber Centre and partner agencies in handling the investigation. He stressed that staying informed and vigilant remains one of the most effective defenses against such threats.
Entrar
Image Source: Dubai Police[/caption]
