In an era of data breaches and constant headlines focused on “security” topics, “security” has become a catch-all term. While the terms cyber security and information security are often used interchangeably, it is important to acknowledge that they focus on different areas – they are related, but their scope differs. In this blog, we will explore how they differ in scope, focus, and application.
Information Security Vs Cybersecurity
To start, information security (infosec) can be thought of as an umbrella term, while cybersecurity is a specialization underneath that umbrella. Using the terms interchangeably can lead to gaps in your defense strategy as cyber security focuses on the digital realm, while information security protects data in all forms.
Information Security
Information Security is the broad practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes both data in the digital realm, as well as physical data (think of a file on your computer and a file in your filing cabinet). The goal of information security is to protect the CIA Triad (note that since cybersecurity is a subset of information security, these goals align to cybersecurity as well – the scope is just more specific). The CIA Triad stands for confidentiality, integrity, and availability:
Confidentiality: is your sensitive information only accessible to those authorized to see it?
Common Threats: phishing, man in the middle attacks, human error
Integrity: is your data authentic, accurate, and reliable?
Common Threats: man in the middle attacks, human error, malware, hardware/software glitches
Availability: are the systems, networks, and data up and running whenever authorized users need them?
Common Threats: distributed denial of service attacks, hardware failure, ransomware, natural disaster
Examples of information security would be the practice of shredding sensitive paper documents, office keycard systems, and encryption policies. Threats against strong information security include theft, natural disasters, and physical breaches.
Cybersecurity
Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious digital attacks. If it involves the internet or a digital network, it’s cybersecurity. In the example above, cybersecurity is the data in the digital realm – a file on your computer (and the systems, networks, and hardware that house it). The goal in cybersecurity is to protect against cyber attacks – hacking, malware, phishing – to name a few. Examples of cybersecurity would be firewalls, antivirus software, and securing “Internet of Things” (IoT) devices. Threats against secure cybersecurity include cyber warfare, hacking, and data breaches.
How They Work Together
Security is a holistic culture, not just a software update. Information security and cybersecurity work together in creating overlapping layers of defense. You cannot have a robust security policy without incorporating both: the physical and digital layers of defense and policies covering both.
For example, infosec would set the overall policy of protecting and encrypting data (business level decision based on risk), while the cybersecurity division would implement the tech to do so (firewalls, encryption, multi-factor authentication, etc). In a situation where a breach or attack does happen, the two have distinct roles but cannot be successful without the other:
Information Security
Determines the data that was stolen
Manages the legal and regulatory fallout (GDPR/HIPAA notifications)
Initiates the Business Continuity Plan to ensure the company stays operational during the cleanup
Cyber Security
Identifies the threat details
Isolates the issue and stops it from continuing
Patches the vulnerability that the hacker used
In short, cybersecurity handles the threats (hackers, viruses, bots) while information security handles the risks (legal compliance, physical safety, data integrity).
Best Practices
With so many of us working from home, it is important to practice good daily security hygiene to make sure that not only the digital data of your company is safe, but potential physical risks are minimized as well. Below is a checklist covering the digital and physical bases to ensure your data stays private and your hardware stays safe:
Digital Checklist (Cybersecurity):
Protect your devices and network from remote attacks.
Secure the Router:
Change the default admin password
Enable WPA3 (or WPA2-AES) encryption
Turn off WPS (Wi-Fi Protected Setup
Segment Your Wi-Fi:
Set up a “Guest Network” specifically for your work laptop
This keeps your work data separate from “unsecure” items like an Amazon Alexa or gaming console
Enable MFA/2FA:
Use an authenticator app (like Google Authenticator or Authy) on every account
Automate Updates:
Set your OS (Operating System) and browser to “Auto-Update” so you get security patches immediately
VPN for Public Use:
Use a reputable VPN to create an encrypted “tunnel” for your data
InfoSec Checklist:
Protect the physical environment and the data itself.
Full Disk Encryption:
Ensure BitLocker (Windows) or FileVault (Mac) is on
The “Clear Desk” Policy:
Don’t leave passwords on sticky notes
Shred any documents containing client names, addresses, or account numbers before throwing them away
Visual Privacy:
Use a privacy screen filter on your monitor
Secure Backup (3-2-1 Rule):
Keep 3 copies of your data:
2 different types of media (laptop and an external drive)
1 copy stored off-site (encrypted cloud storage like Backblaze or iCloud)
Webcam Cover:
Have a physical slide cover for your camera is the only 100% guarantee against “cam-fecting”
Love is in the air and unfortunately, so are scams. With Valentine’s Day on the horizon, cybercriminals are preparing to exploit unsuspecting victims through a variety of deceptive tactics.Emotional vulnerability and digital trust often make this season especially appealing to scammers.
While threat actors continue to rely on familiar scams, this holiday uniquely lends itself to romance-based schemes. As people become more open to meeting and connecting with strangers online, cybercriminals gain new opportunities to exploit unsuspecting victims. The following provides an overview of prevalent scams and guidance on how consumers can protect themselves during the season of love.
Romance Scams & Fake Dating Profiles
Romance scams are designed to exploit emotions before finances. In these schemes, criminals deliberately build affection and trust with their victims to gain access to money or sensitive personal identifying information (PII). Scammers typically seek out targets on dating apps, social media platforms, and singles websites, often posing as someone they are not. Using a carefully crafted fake persona, they engage in tactics such as “love bombing,” overwhelming the victim with attention and affection to quickly create an emotional bond. Once trust is firmly established, the scammer begins to request money or financial help, frequently citing urgent or fabricated emergency situations.
Romance scams and other confidence schemes account for some of the highest financial losses among Internet-facilitated crimes. Data from the FBI’s Internet Crime Complaint Center indicate that in 2023, the most recent year for which statistics are available, approximately 18,000 victims reported losses totaling nearly $700 million.
How to Protect Yourself:
Research an individual’s profile and photos using open-source information techniques.
Proceed with caution when asked to send money. Never send money to anyone you have communicated with solely online.
Be wary of someone who declares love very quickly, tries to isolate you, or becomes evasive when discussing meeting in person
Fake Florist Sites
Like many fraudulent retail websites, fake floral sites are used by scammers to deceive consumers, particularly during holidays when demand for floral arrangements is high. These sites will capitalize on individuals making last minute purchases by mimicking legitimate sites and luring unsuspecting shoppers. To enhance their credibility, they frequently run fake social media ads that direct victims to counterfeit pages, adding a false sense of legitimacy to the scam.
Victims have reported that some sites will fulfill the order, but the quality will be lacking, or the items are damaged. While other victims claim the flowers were never delivered and the shop becomes unreachable.
How to Protect Yourself:
Double check website URLS.
Examine reviews on the website to see possible complaints from victims or unsatisfied customers.
If possible, use secure payment methods that offer fraud protection.
Event and Ticket Scams
Similar to fake websites, hackers use a variety of tactics to deceive individuals into purchasing counterfeit tickets. Scammers exploit the high demand and limited supply of live events by creating fake ticketing websites with legitimate-sounding names, advertising fraudulent tickets on social media marketplaces, and even offering “last-minute deals” outside event venues. These scams are often tied to genuine events taking place in the area, making them appear more credible and increasing the probability that unsuspecting buyers will be fooled.
The likelihood of falling for these scams rises when purchases are delayed until the last minute. Scammers are aware that urgency and stress can cloud judgment, making individuals more vulnerable during rushed situations.
How to Protect Yourself:
Purchase tickets from official sources.
Verify the legitimacy of the event prior to purchase.
Avoid purchases that require uncommon payment types.
Phishing Scams
In 2023, Checkpoint researchers claimed 1 in every 1,000 Valentine’s Day emails were found to be malicious/suspicious. Cybercriminals are skilled at creating enticing emails, messages, or social media posts that appear to come from a secret admirer or a long-lost love interest. These messages often feature subject lines such as “A Valentine’s Day Surprise for You” or “Someone Has a Crush on You.” Their purpose is to entice unsuspecting recipients into clicking malicious links or downloading infected attachments.
These scams can also include fake e-card messages and online shopping deals. Be aware of email ads promoting flowers, chocolates, and romantic getaways. The emails typically contain links to malicious sites that steal personal information and can infect your device with malware.
How To Protect Yourself:
Ensure the sender has a trusted email address, showing the correct domain.
Trust your instincts if the message seems “off” and possibly written by AI.
Use trusted websites for all online shopping and double check website URLs for any odd variations.
Conclusion
Cybercriminals demonstrate a strong capacity to exploit emotions, while scam tactics continue to evolve in sophistication. Research shows that new domains with ‘Love’ or ‘Valentine’ in their names more than double in January compared to the year-end months. Excluding consumer losses, romance scams have accounted for hundreds of millions of dollars in losses each year, with the total increasing annually.
While Valentine’s Day celebrates love, cybercriminals unfortunately see it as an opportunity to exploit unsuspecting victims. As always, it’s important to remain vigilant during any online activity, especially when shopping for the perfect gift or planning a romantic experience.
To see specific examples and screenshots from the dark web, check out our blogfrom last year.
Warfare has always gone hand and hand with technological innovation. Nuclear energy followed the nuclear bomb nearly a decade after the first atomic weapon was detonated. Before the World Wide Web, there wasARPANET, launched in 1969 by the U.S. Department of Defense to connect military and research installations through distributed computer networks, more than 20 years before the internet became public. Before commercial GPS, there was NAVSTAR, a U.S. military satellite program developed in the 1970s, originally designed for missile guidance, troop movements, and precision targeting—years before civilian GPS became available. Military jet engines preceded commercial aviation, military radar predated modern weather forecasting, military encryption existed long before public cryptography and e-commerce, and drones, satellites, and even mass-produced antibiotics were first developed to meet battlefield demands.
Once again, militaries are leveraging technology to redefine tactics and battlefield strategies. Nation-states are increasingly developing offensive cyber capabilities not merely as tools, but as a means to prepare and shape the battlespace before military action occurs. Power grids, communications infrastructure, air defenses, satellites, psychological, and command-and-control systems are now targeted before the first kinetic shots in anger.
In this blog, we’ll review some of the most impactful nation-state offensive cyber operations in the modern era and how they illustrate this escalating trend of warfare.
Operation Orchard – September 6, 2007
Eleven years after Operation Orchard, Isreal admitted it was responsible for an airstrike in Syria that targeted a suspected nuclear reactor which may have been capable of enriching nuclear weapons material. No jets were shot down during the operation and no surface to air defense missiles were deployed from the Syrian military. In other words, Israel entered Syrian airspace without resistance.
According to multiple sources, the failure of Syrian air defenses during the 2007 strike has been attributed to a proactive Israeli cyber and electronic warfare operation that temporarily disabled radar and surface-to-air missile systems. Although specific methods were never publicly disclosed, analysts have speculated that the operation may have involved advanced electronic jamming and a software capability known as Suter.
Suter, reportedly deployed aboard specialized aircraft, is believed to exploit radar and air-defense systems by detecting their emissions and injecting malicious signals back into the emitters. This can result in disrupted sensor feeds, conflicting or false target data, and, in some cases, complete loss of radar functionality, effectively rendering the air-defense network inoperable during the operation.
Russian Invasion of Georgia – August 8, 2008
One day before Russian military units entered Georgia in 2008, there were widespread cyberattacks targeting local media as well as governments websites. These attacks were primarily distributed denial of service (DDOS) and website defacements. Although less sophisticated than other types of nation state cyber operations, these attacks aimed to isolate and silence both Georgian officials, and the civilian population.
With government services offline, it became difficult for state officials to communicate and respond to the events that would take place the following day. And when local media was unable to broadcast, they too could not communicate to the public the impact of Russians invasion into their homeland. This strategic DDOS attack caused confusion and made disinformation more potent as Russia continue to take control of Georgian territory.
The next phase of the cyber operation broadened the scope and targeted financial services, institutions, and even launched anti-Georgian hacktivist websites to stir discontent and make civilian resistance to the Russian operation less attractive.
Russia – Ukraine – 2014
There is ongoing debate among experts regarding the strategic significance of cyber operations during Russia’s 2014 annexation of Crimea. While offensive cyber activity was present during and intensified after the invasion, it is difficult to argue that these operations played a decisive role in enabling Russia’s territorial gains or directly shaping battlefield outcomes for Russian forces on the ground.
More impactful cyber operations emerged after the annexation. The Sandworm campaign stands out as one of the most consequential post-Crimea cyber efforts, causing extensive disruption to Ukrainian networks and, in later operations, contributing to widespread power outages. Other destructive campaigns, including wiper-style malware such as NotPetya, similarly targeted Ukrainian institutions and critical infrastructure in the years following 2014, reinforcing cyber operations as a persistent element of Russia’s broader pressure campaign rather than a decisive pre-invasion enabler.
Russia invasion of Ukraine – 2022
By February 2022, it had become clear that Russian military strategists believed their prior cyber operations were worth leveraging again in the lead-up to a full-scale invasion of Ukraine. Many of the same cyber tactics observed in previous years were redeployed days—or even hours—before Russian troops crossed the Ukrainian border.
In the days preceding the invasion, WhisperGate targeted Ukrainian government websites and servers. Disguised as traditional ransomware, WhisperGate was in fact wiper malware designed to destroy data and render systems inoperable. Shortly thereafter, coordinated DDoS attacks disrupted Ukrainian banks and temporarily took multiple government websites offline.
Just hours before the ground invasion commenced, a synchronized campaign deploying HermeticWiper and IsaacWiper further targeted Ukrainian government networks with wiper malware. These attacks appeared aimed at degrading communications, slowing coordination, and complicating defensive responses.
As wiper malware was overwriting disks across Ukraine, a separate cyberattack targeted satellite communications infrastructure. Ukraine’s ViaSatKA-SAT system was taken down, disrupting satellite connectivity used by civilian networks as well as certain Ukrainian military assets. This attack demonstrated a deliberate effort to impair command, control, and situational awareness at the critical opening phase of the invasion.
United States – Venezuela – 2025
The recent operation in Caracas demonstrates the capabilities that emerge when cyber warfare is integrated with real-world troops in combat. Although few details, means, or methods have been made public, there is still a significant amount of evidence highlighting the impact the United States Cyber Command made during Operation Absolute Resolve.
According to American officials, cyberweapons were used in Venezuela to disable power in regions near military bases in Caracas, as well as to shut down radar defense systems and even handheld radios used by the Venezuelan military (see image below). Unverified reports from soldiers and security personnel in Caracas claim to have experienced “intense sound waves, severe physical distress, and bleeding during the operation”. United States President Trump spoke to NewsNation after the operation and stated that a “sonic weapon” had been used during the raid.
Final Summary – The Cyber Battlespace Comes First
Modern warfare is no longer defined solely by armies, aircraft, and armor. As history has repeatedly shown, military necessity drives technological innovation, often before those capabilities reach the civilian world. Today, offensive cyber operations represent the latest evolution of this pattern—an invisible means of shaping conflict before the first kinetic action occurs.
The cases examined in this blog demonstrate a clear trend: nation-states now treat cyberspace as a domain of warfare. From Israel’s alleged disabling of Syrian air defenses during Operation Orchard, to Russia’s coordinated cyber disruptions preceding invasions of Georgia and Ukraine, cyber operations are used to blind sensors, sever communications, disrupt civilian infrastructure, and undermine public trust. These actions are not isolated technical events; they are strategically timed efforts designed to degrade an adversary’s ability to detect, decide, and respond under pressure.
As we have wrapped up Q4, we’re excited to share major updates to our DarkOwl Vision product suite. Below we highlight some of the most exciting feature updates and launches. These enhancement and net new features reflect our commitment to providing continued value to our partner, clients, and the cybersecurity community. We look forward to what is in store in Q1 of 2026!
Market Features
Understanding darknet marketplaces is critical for identifying emerging threats, monitoring illicit activity, and staying ahead of the evolving cyber‑risk landscape. DarkOwl’s Market Explore feature delivers an intuitive experience to dive deep into our enhanced darknet marketplace dataset. We now have 81 markets, with more than 387,651 listings and 16,225 vendors in our enhanced market listing DarkMart database.
Dataset Visualizations at a Glance
At the top of the Market Explore page, you’ll find a set of visualizations that help you quickly understand:
Overall listing volume and vendor activity
Top shipping sources by listing count
Darknet markets and vendors with the highest activity levels
Selecting View Charts expands the charts into a full‑screen visualization experience, where you can explore trends like:
Enhanced Markets by Topic
New Listings Over Time
Shipping Sources Across the Entire Dataset
Comprehensive Market Overviews
Each market’s Overview page provides a snapshot of marketplace activity:
Total Listings: Unique listings available within our dataset
Total & Top Vendors: Overall vendor count and top vendors ranked by listing volume
Top Shipping Source: The region shipping the highest volume of listings
New Listings Over Time: Daily/weekly/monthly visual trends
Shipping Sources Map: Color‑coded visualization from highest volume to lowest
Additional analyst‑curated information may include Market Descriptions, Currencies Accepted, Admin Handles, Contact Information (emails, Jabber servers, PGP keys). If a PGP key exists, users can reveal and copy it with a single click. You can also jump directly from the Overview into the Markets Research section to further investigate specific listings.
Enhanced Marketplace Research Features
Building on the launch of DarkOwl’s Enhanced Marketplace Research in Q3, the team added several Research features: support for Findings, Search Blocks, and Site Context. Additionally, we have completed currency normalization for prices in market listings, allowing for Sort by Price features.
Paste Search + New Features
Search results from selected paste sources have a new look + improved searchability. Paste results (more than 40 million documents) are now eligible to be returned when you filter by Post Date or Username in both Vision UI or Vision API. If available, Paste Authors are shown on the top of a UI search result and include a pivot link, just like Forum Post Authors or Market Vendors.
Export Case Findings
We launched our Findings Export feature for Cases, allowing our users to bulk export important results out of Vision UI into Word, CSV, or JSON. It makes sharing reports and moving data out of Vision UI faster and easier. This was a top feature request from our customers and we are thrilled to have delivered on this ask!
Other Enhancements for UI + API Users
To more easily filter our noisy sites, or data leaks you’ve already seen, we’ve added an “Exclude this Source” option on the Vision UI search result table.
We added 9 new actors to our Actor database in Q4. Additionally, Actor Explore and Actor API now include associated Sites in the Darknet Fingerprint tab.
Collection Stats
Highlights
Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products. Let’s highlight just some of that growth:
6% increase in credit card numbers
2.5% increase in IPs
5% increase in data leak records
Leaks of Interest Collected
When your search results are from data leaks, users can review additional information curated by DarkOwl analysts, giving you enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature, or Leak Context API endpoint.
Ryanair Internal Communications
Data purported to be from RYANAIR was posted on DarkForums, a hacking forum, on November 19, 2025. According to the post, the data breach includes email addresses, ticket bookings, travel details (departures, destinations), flight numbers, and ticket claimants. Data exposed includes names, email addresses, internal documents, company names, and internal emails.
IRAN IP NETWORK INFRASTRUCTURE
A post on DarkForums, a hacking forum, on August 22, 2025 linked to the file: iran-net-100k.json. According to the post, the “Caucasian Brotherhood” leaked a dataset of Iranian network information that included IP addresses, open ports, software versions, and DNS records. Data exposed includes countries, IP addresses, and locations.
Farm Credit Union Of Colorado Bank
Data purported to be from Farm Credit was posted on BreachForums, a hacking forum, on September 8, 2025. Data exposed includes names, customer information, physical addresses, online profiles and user identification number (UID).
Curious how these features and data can make your job easier? Get in touch!
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. ‘Bad actor’ hijacks Apex Legends characters in live matches – BleepingComputer
Over the weekend of January 09, players in Apex Legends, a battle royale shooter game, reported game disruptions caused by threat actors hijacking characters, disconnecting users, and changing nicknames. Respawn, the publisher of the game, confirmed the security incident claiming “bad actor is able to control the inputs of another player remotely in Apex Legends”. The company does not believe threat actors were able to exploit or infect malware, nor execute code. Readfull article.
2. 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials – The Hacker News
On December 23, 2025 the Socket Threat Research Team announced the discovery of a 5 month long spear-phishing operation that turned 27 npm packages “into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in”. The campaign targeted 25 organizations across the U.S. and Allied nations focusing on manufacturing, industrial automation, plastics, and healthcare. Specializing in focusing on sales and commercial personnel, the operation repurposed npm and package CDN’s “into durable hosting infrastructure, delivering client-side HTML and JavaScript lures that the threat actor embeds directly in phishing pages.” Following initial interaction, the script redirects the browser to threat-actor controlled infrastructure. Article here.
3. Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading – The Hacker News
ReliaQuest’s Threat Research team has discovered a new phishing campaign using private messages to deliver malicious payloads with the intent to deploy remote access trojan (RAT). The attack began with a message sent via LinkedIn that contained a “malicious WinRAR self-extracting archive”. Once opened, the archive extracts four components, mainly a PDF disguised with names that align with the victim’s industry. The final payload attempts to communicate with an external server that can grant persistent remote access. Read more here.
4. Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware – The Hacker News
Recent activity shows Chinese threat actor, Silver Fox, has begun using income tax themed lures to distribute ValleyRAT. The group has focused on Indian entities, using phishing emails containing decoy PDFs claiming to be from India’s Income Tax Department. Opening the attachment leads victims to download files that injects ValleyRAT into the system and communicates with external servers. Read here.
5. University of Hawaii Cancer Center hit by ransomware attack – BleepingComputer
In August 2025, the University of Hawaii’s (UH) Cancer Center was victim of a ransomware breach that stole participants data, including documents from the 1990’s containing Social Security numbers. UH reported to the state legislature threat actors broke into Cancer Center services, “encrypted files related to a cancer study and demanded payment for a program to decrypt the files”. The breach targeted a specific research project and had no effect on clinical operations or patient care. Learn more.
6. North Korea-Linked Hackers Target Developers via Malicious VS Code Projects – The Hacker News
The Contagious Interview campaign, which has been linked to North Korean threat actors, has been observed leveraging a version of Microsoft Visual Studio Code (VS Code) to deploy a backdoor on compromised systems. First discovered in December 2025, the attack involves instructing targets to clone a repository “on GitHub, GitLab, or Bitbucket, and launch the project in VS Code as part of a supposed job assessment.” The overall goal is for payload to run every time a file in the folder is opened, which eventually leads to deployment of malwares like, BeaverTail and InvisibleFerret. Read full article.
7. Hackers claim to hack Resecurity, firm says it was a honeypot – BleepingComputer
Scattered Lapsus$ Hunters (SLH) announced via Telegram that they had breached systems belonging to Resecurity and stole internal data. To prove their claims SLH posted screenshots of the data which revealed communications between employees and Pastebin personnel. Resecurity published a report in December 2025 disputing the claims and stated after identifying threat actor probing activity in November 2025, they deployed a “honeypot” account. The account was in an isolated environment that contained fake information and was being monitored. Read full article.
The China-linked threat actor UAT-8837 has been observed attempting to compromise North American infrastructure by exploiting both known and zero-day vulnerabilities. The attacks begin with leveraging compromised credentials or by exploiting server vulnerabilities. Recent attacks include zero-day flaw in Sitecore products, CVE-2025-53690. Researchers claim UAT-8837 uses “open-source and living-off-the-land utilities, continually cycling variants to evade detection.” Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
On 28 January 2026 a seizure notice appeared on the notorious darknet forum RAMP4U. The notice stated the FBI had seized the site. Both the clear net and onion domains showed this notice.
RAMP4U
In July 2021, Russian-speaking threat actors on the darknet forums XSS and exploit.in began advertising a new ‘ransomware’ specific discussion forum called RAMP. This appeared to be in response to XSS and Exploit banning the advertising of ransomware on their respective sites. RAMP was advertised to be a ‘safe space’ where ransomware-related discussions and coordination could freely and openly be discussed.
Figure 2 – Post on XSS banning the advertising of ransomware
DarkOwl assess that RAMP originated with members or affiliates of the Babuk ransomware gang. Babuk launched their operation in January 2021 and quickly received notoriety for their cyber campaigns. In early April 2021, the group successfully compromised and allegedly exfiltrated over 250GB of sensitive data from the Washington, DC Metropolitan Police.
Figure 3 – Historic view of RAMP4u forum
Seizure
While the FBI are yet to make a formal statement in relation to the seizure of RAMP4U, the domains now point to domain servers which are used by the FBI when seizing infrastructure.
Furthermore, the alleged administrator of RAMP4U appeared to confirm the seizure on a post via XSS.
Figure 5 – DarkOwl Vision post on XSS confirming seizure of RAMP4U
This current activity highlights a continued trend in Law Enforcement seizure of darknet forums, with BreachForums and XSS being notable takedowns in the last 6 months. However, it remains to be seen the effect that this will have, where will the users of RAMP4U move to and or will the site reappear under a new guise. Time will tell.
Make sure to register for our weekly newsletter to get the latest updates.
Every January, organizations roll out security initiatives, refresh slide decks, and announce new tools. This happens every year because breaches continue to happen every year. More often than not through the same well-known traps.
The uncomfortable truth is that most cyber incidents aren’t caused by a lack of technology or understanding of said technology. They are caused by inconsistent or poor habits.
As we head further into 2026, the most effective cybersecurity resolution isn’t by signing up for or buying another platform, it is institutionalizing repeatable behaviors that reduce risks every day.
Below are five cyber habits that can combat how attackers operate today.
Habit 1: Threat Identity as the Primary Security Perimeter
The network perimeter is gone. The device perimeter is shrinking. Making ‘Identity’ what attackers target first. Credential theft.
Credential theft through infostealers, phishing kits, MFA fatigue, and token hijacking remains the fastest path to initial access. If identity controls fail, everything else becomes irrelevant. A safer 2026 begins by treating authentication as critical infrastructure rather than a convenience feature.
That shift means moving beyond basic MFA (multifactor authentication) toward phishing-resistant options such as FIDO2 keys, WebAuthn, and passkeys, particularly for privileged and external-facing accounts. It requires eliminating shared credentials and reducing service account sprawl that quietly accumulates over time. OAuth grants and long-lived tokens must be reviewed regularly, as attackers increasingly rely on them for persistence that survives passwords resets. Most importantly, authentication monitoring needs a focus on behavioral anomalies rather than simple success failure.
Attackers don’t need to waste their time with malware if they can use your credentials to log in. Make authentication harder to abuse than to bypass.
Habit 2: Assume Logs are Evidence, Not Telemetry
Most organizations have gotten the memo to collect logs, however, few treat them like the forensic evidence they are.
When an incident occurs, defenders often discover too late that critical data has already been overwritten, was never retained, or lacks the context required to reconstruct attacker activity. These gaps don’t just slow investigations, they make accurate timelines impossible.
A mature security habit is logging with intent. That means deliberately retaining the artifacts you may need, because if you can’t quickly answer What happened first?, attackers already have the advantage.
At a minimum, that includes:
Identity and authentication logs retained long enough to reconstruct timelines
Endpoint telemetry with process linage and command execution context
DNS, proxy, and network logs that reveal how systems communicate
Cloud control plane and audit logs that are enabled to centrally stored
Normalized timestamps and identity fields across all sources
Without this foundation, even well-detected incidents turn into partial stories rather than defensible investigations.
Habit 3: Patch What Attackers Actually Exploit
Not all vulnerabilities are equal, and attackers know it… even if organizations don’t.
While many organizations still prioritize patching based on severity scores alone, real-world threat actors focus on systems that provide leverage and persistence. Edge devices, exposed management interfaces, and internet-facing services continue to dominate initial access pathways, particularly when public proof-of-concept exploits accelerated attacker timelines.
A safter approach isn’t patching everything immediately but patching the right things first. Perimeter and identity infrastructure should be treated as endgame assets, with exploit availability and evidence of active abuse prioritized over theoretical risk. In some cases, the most effective remediation is not another compensating control, but the removal of legacy services altogether. Attackers move faster than patch cycles, and defensive prioritization must reflect that reality.
Habit 4: Reduce Signal-to-Noise Before an Incident
Burned-out analysts miss early warning signs just as overloaded detection systems bury real threats.
Many security programs accumulate alerts and tools without revisiting whether those signals still provide value. Over time, if everything becomes high priority then genuine threats blend into the background noise.
Operational discipline is a security habit, in its own right. Alerts should map cleanly to response actions, detections should be tuned to the environment they protect, and enrichment should be automated, so analysts spend their time making decisions rather than gathering context. Security teams rarely fail because they lack data, they fail because they cannot prioritize data effectively under pressure.
Habit 5: Practice the Boring Parts of Incident Response
Many incident response plans look excellent on paper but collapse like a house of cards under real-world pressure.
Teams often understand what they are supposed to do, but they don’t always understand who is supposed to do it, how to quickly make decisions, or what authority is required to act. Organizations that recover faster teat response as a practiced skill, not a “theoretical” exercise.
That practice includes realistic tabletop exercises, rehearsing difficult trade-offs between containment and continuity, and pre-approving actions that would otherwise stall response efforts while leadership is looped in. Clear escalation paths outside normal business hours matter just as much as technical controls. When something goes wrong, muscle memory matters more than documentation.
The Takeaway
Cybersecurity resolutions in 2026 won’t be met by throwing around buzzwords or buying new tools. Resolutions will be met by organizations that turn good security theory into daily practices.
Identity-first controls, intentional logging, threat-informed patching, operational clarity, and practiced responses aren’t flashy. However, they are effective.
Make these five habits your new year’s resolution and keep them long after January fades into a distant memory.
As we enter 2026, the story of cyber risk continues to evolve. At the same time, there are consistencies we have seen growing for some time. Attackers don’t need unique or specialized skills anymore – the world of hacking is much more accessible, especially when they [threat actors] can log in like you or convince you to log in on their behalf. Automation is making that easier, faster, and cheaper than ever, especially with the development of AI.
Here we explore some of the cyber security and crime trends that look most defining for 2026, based on what major incident and law-enforcement reporting has been showing through 2024–2025.
Identity is the “New” Perimeter
Identity-based attacks have been on the rise for some time, and we expect this to continue throughout 2026. These types of attacks remain one of the primary paths attackers take to compromise corporate networks. This is due to the fact that credential information is readily available on the dark web, and it remains one of the simplest ways to gain access, not requiring specialized hacking skills. Therefore, expect 2026 to be the year more organizations stop treating identity as a feature of IT and start treating it as a core security control.
Verizon’s 2025 DBIR notes that Basic Web Application Attacks commonly involve stolen credentials, and credential abuse remains a dominant initial access method across multiple attack patterns.
Because of this, you should expect to see more phishing-resistant authentication being implemented across systems as well as continuous verification.
Social Engineering
Threat actors don’t only have the ability to steal credentials; they can also coerce them from unwitting employees through social engineering. A common target in 2025 was to trick the help desk into resetting MFA and it is expected this will continue into 2026.
With the continued development of AI, it is likely that social engineering attacks will improve with the ability to create deepfakes to fool people into believing they are providing a legitimate person access. DarkOwl analysts started exploring this trend in 2024 here.
Infostealers Keep Feeding the Credential Economy
Infostealer malware isn’t new but in the last year they have appeared to be more widespread and relied upon to conduct real-world intrusions.
Mandiant highlights infostealers as an ongoing pipeline for initial access, where stolen creds from “logs” enable follow-on compromises that end in data theft and extortion.
In 2026 we expect more stealer log compromises that start outside the enterprise – meaning employee personal devices, unmanaged browsers, and reused passwords. As well as the use of stolen cookies/tokens, not just passwords.
As Telegram continues to be a source for both free and paid stealer log subscriptions, they remain relatively easy for threat actors to access, again lowering the threshold for the sophistication that actors need to have to gain access to systems.
Ransomware Keeps Evolving into “Extortion-as-a-Service”
Ransomware has been around for a long time, and it doesn’t show any signs of slowing down as we head into 2026. However, it has developed over the years with ransomware groups operating like mature businesses with specializations, supply chains, affiliate programs, PR, and negotiation playbooks.
In addition, their techniques have also developed, although we commonly refer to these attacks and groups as ransomware, data theft is common, and data theft extortion events where no ransomware is deployed are becoming increasingly common.
In 2026 we expect more “no-encryption” extortion attacks where actors steal data, threaten to leak on a dark web site and do so if the extortion payment is not paid – without ever encrypting the data.
AI
In 2026, AI isn’t just “writing better phishing emails” – it’s enabling highly targeted, multilingual scams at scale, voice cloning for “CEO fraud” and synthetic identities, and deepfake-driven coercion.
European law enforcement has been explicit that AI is accelerating organized crime and enabling impersonation and scalable fraud. ENISA’s 2025 Threat Landscape also notes criminal abuse around AI tooling, including fraudulent AI tool sites used to deliver malware and concerns about AI supply chain risks.
Generative AI will also make it cheap to produce high quality lures for cyberattacks, and it can do this at scale meaning that threat actors can use AI to industrialize phishing attacks as well as other methods of attack.
As highlighted above, social engineering is an attack vector which is likely to increase in 2026, and AI will be at the forefront of enabling that growth. AI-assisted social engineering will include voice cloning for “urgent CFO calls,” fake candidates in hiring funnels, vendor payment diversion among many other techniques – some probably not yet thought of.
However, AI can and will also be a useful tool in defending against threat actors. AI can be used to automate and triage vulnerabilities and risk indicators for faster detection and investigation.
Online Fraud Keeps Growing
Cybercrime isn’t only “breaches.” In raw victim impact, fraud dominates, and it’s increasingly industrialized. The FBI’s Internet Crime Report for 2024 reported record losses and flagged investment fraud, often crypto-related, as a major driver of dollar losses. This is likely to continue to rise.
Dark web marketplaces continue to be a hot bed of activity when it comes to financial crime, with credit cards, bank account information, and access to payment apps being traded routinely.
Geopolitics, Hacktivism, and Disruption Campaigns Stay Loud
Since the invasion of Ukraine by Russia in 2022, hacktivist groups have been particularly vocal and active. This only grew after the October 7 attacks in Israel. The groups primarily conduct DDOS (distributed denial of service) attacks but have also conducted many defacement attacks and in recent times have been more likely to leak data and dox individuals.
This threat is not likely to diminish in 2026, with geopolitics continuing to remain strained throughout the world. It is likely that more groups will emerge in response to real world events and political affiliations.
Conclusion
Many of the cybercrime and cyber security trends of 2025 will continue into 2026, but it is likely to become more difficult to keep up with the speed and scale of attacks due to the use of AI.
It is important for organizations and individuals to remain vigilant and ensure that they are using appropriate precautions to protect themselves.
This podcast features DarkOwl Regional Director and OSINT expert, Lindsay Whyte, and Jennifer Woodard, Chief Product & Technology Officer at Logically.ai who discuss how AI is accelerating cybercrime by powering malicious large language models that generate phishing emails, malware, and ransomware with little user skill required. These tools dramatically scale attacks, leading to everything from personal account takeovers to multimillion‑dollar business email compromise and widespread ransomware incidents. While the threat is growing, Lindsay emphasizes that awareness, simple verification practices, strong security culture, and international cooperation can still meaningfully reduce risk — offering some optimism amid an increasingly complex cyber landscape.
Jennifer: Welcome back to AI on the Record, the podcast that brings together voices from media, policy, enterprise and civil society to explore where influence is heading, how AI is being governed and what decision makers should be paying attention to next. I’m Jennifer Woodard, your host.
Now, today, we’re going somewhere most of us don’t often go – into the darker side of technology, the shadowy corners of the internet and the world of cyber. And we’ll be looking at how AI is now intersecting with these spaces in ways that are both fascinating and, frankly, alarming. With me today is Lindsay White of OSINT UK. He’s an expert in open-source intelligence and cybercrime investigations. Let’s get into it.
So, with me today is Lindsay Whyte of OSINT UK. He’s an expert in open-source intelligence and cybercrime investigations. Lindsay, welcome to the show.
Lindsay: It’s a pleasure to be here. Thank you, even if the topic is somewhat a bit dark.
Jennifer: Indeed. Indeed, it is a little bit dark but thank you so much for being here. Could you just give us a quick intro into a little bit about your background and what you do?
Lindsay: Sure thing. So, I’m a former British soldier and now I’m the co-founder of the UK community, which is a volunteer run, not for profit seeking to bolster the UK’s intelligence capabilities by reintroducing in-person interactions into the world of security, but also at the same time crowdsourcing, new innovations in the rapidly growing world of open-source intelligence technology. My day job is working for DarkOwl, which is a leading darknet intelligence collections company, which was actually founded by the same person that founded the Tor Project itself. So, we illuminate darknet data for governments and security professionals around the world.
Jennifer: That’s very interesting. It’s incredible to hear. And, you know, as you’ve explored these spaces, I’m assuming you’ve seen technology evolve and now that we’re kind of in the age of AI. AI is coming into its own. AI is now part of this kind of cybercrime dark web story. Could you help us understand a little bit about how cyber criminals are using AI, and whether that’s something that we should actually be worried about?
Lindsay: Absolutely. I think it’s a great place to start because, you know, you and I know ChatGPT. I think most people have at least heard of ChatGPT by now. And that’s what, you know, we call a large language model. Basically, it’s a very sophisticated AI that can understand and generate human like text. Now, big companies like OpenAI and Anthropic, they build things which you call guardrails. So, these are rules that prevent their AI from helping you do bad things.
So, if you ask ChatGPT to hack someone’s bank account, it will politely refuse. But malicious large language models (LLMs) – they are the sort of evil twins and they’re built from scratch or modified specifically to remove those sorts of guardrails. They’ll happily help you craft phishing emails, write malware, generate ransomware code, ransomware notes, you name it. Really. So, what’s interesting, of course, is that already this sort of malicious LLM ecosystem, they’re already selling their software in subscription form, so you’ll be able to buy malicious LLM’S on a monthly plan, on an annual plan, a lifetime. I mean, there’ll probably be Christmas discounts, you know, before long. So, it’s basically cybercrime as a service, as the security industry have always known it. But now with that AI superpower. Yeah, I wish I was joking, but that’s the real reality of it.
And, I guess to understand how this matters, we need to talk about the dual use dilemma, which I know, Jennifer, you probably know a lot more about from that sort of policy perspective. But, you know, fundamentally, this dual use dilemma in AI is about, how you use the exact same technology for both good, but also for, you know, for harm and how it can get sort of weaponized for harm. You know, a little like nuclear physics. It’s something which can power a city for, for free and transform a society. But it can also be used in weapons to sort of level a city. So, AI kind of has to be thought of, I think, in the same kind of same kind of way. You know, it gives us the same capabilities, allow a company to automate customer support for the good, or help students, write better essays at university, but it also helps criminals scale up their tax. So even if the technology is neutral, the intent is not.
So, I guess this is where it gets pretty interesting because, you know, the same linguistic precision that makes AI great at, you know, university essays and helping write emails can also make incredibly convincing phishing emails. So, the same coding ability that helps developers debug software, can actually customize malware in the same amount of time, and that’s kind of what makes it tricky from a regulatory perspective. I guess for me, what really concerns me is the way that AI is now democratizing cybercrime, because it used to be that attacks required a certain level of skill. So, you know, language skills, a certain amount of coding knowledge, a deeper understanding of like social engineering per culture in which you’re trying to action this, this attack. This is now available to anyone. So, you know, we’re talking about a skill level between someone who maybe knows how to use Google and understands basic computer concepts. That’s all you need now. So, the days of being an expert coder or a wizard of some description to run a sophisticated attacker are over, you know, and that’s kind of the reality that we’re living with. You know, would you rather face, as someone said it to me once, you know, would you rather face one expert swordsman or a thousand people with guns and you know, these malicious LLMS, they are giving everyone a gun. It’s scale over skill, and from a perspective of cyber defense, that’s pretty terrifying because now attacks that used to take days of research, maybe weeks of research and hours of coding can now be done in minutes by someone who has no prior experience in the field.
Jennifer: Wow, that’s really jarring. And like you said, that’s the reality that we’re living in right now. These aren’t even hypothetical risks anymore. I mean, I remember years ago people talking about this might be on the horizon. What we’re actually living with this right now. It seems like it almost snuck up on us in some cases. So, the tools that you’re talking about to develop these, you know, types of malignant actions, they’re actively in use. Could you walk us through some examples of what those tools look like? I mean, what are they actually called. Are they methods. Could you just kind of walk us through that?
Lindsay: Yeah, yeah. Tragically, that is the case that these already do exist. So, two big names have emerged in the last few weeks are WormGDP, GPT, sorry, and KawaiiGPT. That’s actually wrong. Uh, WormGPT has been around for a while, but I’ll talk about WormGPT specifically because I think it really opens up everyone’s eyes because this is something that appeared, I think it was sort of summer 2023 on underground forums, like hack forums. For those who don’t know, hack forums is pretty much exactly as it sounds, not like friendly Reddit threads. These are places where cyber criminals congregate and share ideas. And WormGPT was being hawked, a bit like the latest smartphone. So, the marketing, I think, even included like a creepy little character with red eyes, it was like the most unsubtle kind of thing, but basically what they were advertising is an uncensored alternative to mainstream ChatGPT – no ethical boundaries whatsoever.
And it was built on open-source model. It was fine-tuned specifically against malicious data sites so malware code phishing email templates, exploit write ups and that sort of thing, and it directly trained itself on that model. So, it was mainly being used for business email compromise. So, that’s where criminals basically impersonate a CEO or a company supplier or something like that. And it tricks employees into sending sensitive information or wiring money outside of the company as part of a scam and normally with these business email compromise emails and messages that we receive, there were telltale signs that it was a scam. So, there would be weird grammar, it would be awkward phrasing, and that would sort of tip us off. But with WormGPT, it could, and it can, generate perfectly fluent professional sounding messages, which even the most savvy employee could fall for. And, and I guess, you know, ironically, WormGPT became a bit of a victim of its own success because the media exposure it got was so big that the creator actually shut it down quite soon after setting it up because it got so much heat. But of course, the problem with that is that the cat was already out of the bag, and it meant that a lot of copycat GPT appearing on the market and other versions started coming out. And, you know, currently you’re looking at sort of WormGPT4, which is more commercialized. It’s got a really slick website.
Remember, I’m talking about a malicious piece of technology here. They have a subscription pricing model. I think it’s like 50 bucks a month, a hundred bucks a year and 200 bucks for, like, lifetime access. So, it’s very affordable. It becomes very problematic. It’s got a big sort of telegram ecosystem that’s growing. It’s like running itself like a legitimate software company. And, you know, people have tested this. It can spit out ransomware notes, ransomware script, with encryption to infect computers. I think the ransomware note that it can generate gives you, it provides the level of detail where it’s instructing a victim how to buy Bitcoin to pay the ransom if they don’t already know how to do it and what sites to use. It’s very smart.
As I mentioned, there’s another one called Kawaii. I think I’m pronouncing that right – KawaiiGPT, basically just Google KawaiiGPT. And that takes a slightly different approach. It markets itself as like a friendly, playful chatbot but it’s, you know, it’s completely free. It was on GitHub until very recently. It may still be there and basically allows people to download it for free. Some security researchers have started to ask it to like, as in legitimately to see its power, test if it can write script for lateral movement. So lateral movement is where an attacker basically goes into one computer in a network and then crab walks into other computers on that network like dominoes falling. It’s able to do all of these things and is pretty terrifying, really, because all of this can be generated in a few seconds. So, yeah, I think overall, what’s worrying about both of these tools is that they’re creating, like any professional tool these days, an ecosystem of developers, of communities, of people, you know, giving feedback and then the product being improved. It’s like these telegram channels, they read a bit like LinkedIn for criminals. It’s pretty surreal.
Jennifer: Yeah, it’s democratization and the worst possible sense. Right? I mean, it’s really the ability to scale this like, never before. And the barrier to entry being so low that just about anybody has access to these types of tools. Anyone who wants to do, do harm. When you lay it out like that, it’s really, I mean, it’s really scary how big this impact is. So, you mentioned a little bit about the victims. You know, you referenced kind of like corporation CEOs. What happens to the victims of these types of attacks? What’s the aftermath of something like this happening?
Lindsay: Well, I mean, the impact does kind of range between, you know, the corporates that you mentioned, right down to sort of like individuals, who fall for this. It can be anything from just being really annoying to completely devastating and life destroying.
I mean, at the lower end, a successful phishing attack that compromises an individual account, you know, an email gets hacked or someone’s social media gets taken over. It’s embarrassing. It’s potentially financially damaging. It might be recoverable but, you know, people can lose their accounts for a while. They might lose their identity. So, it can be a real hassle. It may not necessarily be life destroying, but when you scale up the chain and you start then looking at business email compromise, which I said is the main focus initially of WormGPT, for example. That’s when it gets very serious because a company employee can get tricked into wiring money to a scammer’s account. We’re talking six, seven figures. I’m not exaggerating. I mean, companies have literally gone bankrupt because of successful business email compromise attacks. And imagine you’re the CFO and you get what looks like a legitimately urgent request from the CEO to wire funds for like, an acquisition or something else. That money is then gone. It’s irretrievable and you’re left kind of explaining to the Board how you just wired all of that money out of the business.
And then at the top end, you’ve got ransomware attacks where all of the cybercrime sort of focuses, I’d say right now, where an attacker gets into a network, they spread through the system, they encrypt everything, and demand payment to unlock it. And we’ve seen this happen to hospitals, you know, doctors not being able to access patient records, manufacturers shutting down operations for weeks and for manufacturers, operations being shut down is millions and millions of pounds lost in production. School districts not being able to access their pupil records or that kind of thing before exams. You know, the impact then isn’t just financial. It’s actually emotional as well. And that’s pretty immense. So, I mean, LMS (language models) are making all of these things easier – the sort of the improvements in how it generates convincing language for phishing emails, instant code generation for malware. These tools are accelerating every single phase of an attack. And as I said, what used to take a team, a skilled team, days and weeks can now be done by one person in a matter of hours. Again, imagine someone who is maybe a disgruntled former employee or a, I don’t like to say teenager stuck in their bedroom because that’s such a stereotype, but you don’t need much to trigger someone to then pay that $50 monthly subscription for one of these malicious GPTS. You know, you just need a fraction of these people paying and getting access, and then suddenly you’ve got an enormous, enormous problem on your hands. These aren’t, you know, the companies behind them, of course, you know, they’re not hobbyists themselves, that they are themselves very professional business operations with customer support and engineers and all this sort of thing. Just because you and I could use it and people without much knowledge can use it that does not reflect the level of sophistication on the other side of the fence. They are professional businesses. Right. That’s something that people often forget. These people really know what they’re doing. They’re very well organized. You know, they learn how businesses work. They’ve worked in legitimate businesses in the in the past more often than not.
Jennifer: And cutting edge, it sounds like cutting edge technology developers as well. They’re not just a mom-and-pop shop. Wow. That’s hard to hear, quite alarming. But, you know, in spite of all this, I assume that something is being done to mitigate these risks, right? This is a risk to every sector, every part of the globe. It’s risk to economies worldwide. What is happening on that front? Can these tools actually be stopped, or is this kind of a new reality that we need to adapt to?
Lindsay: This is the problem, I suppose, is that, it does get complicated because there is no silver bullet. If we look to the sort of legal and regulatory side of things, we are sort of in murky waters and you’ll probably know this, that – okay, the original say, WormGPT, this malicious LM was shut down voluntarily by its creator but then we do have other GPT’s, you know, on GitHub and still running. So, you’re going to have to ask like legitimate website, the hosting code that they have to police what kind of code people can share. And that opens up a whole can of worms, to pardon the pun because, you know, here’s the thing. You know, these exact same tools are crucial for legitimate penetration testing.
Penetration testing is an absolutely vital part of cybersecurity posture because essentially what penetration testers do, these are the good guys who are hired to break into a system to find vulnerabilities so that you can bolster your defenses. So again, we’re into that dual use dilemma. The tool itself is neutral and that makes regulatory regulation incredibly difficult in my opinion. Because how do you ban something that has a legitimate use. But I guess there are other approaches that need to happen. I mean, again, I’m not an expert on it, but developers of mainstream API models need to continue with their safety measures. So, making it harder to jailbreak these systems and that sort of thing. Law enforcement needs to get better at tracking the financial flows – so identifying the people behind these cryptocurrency flows, and pursuing them, because as part of my day job at DarkOwl, that’s what we spend our time doing is illuminating dark web forums and crypto currency. And then, I guess, most importantly, is promoting international cooperation on these subjects, because this means absolutely nothing if we don’t have some global approach to countering this because cybercrime is, in its nature, just borderless. You know, you’re always going to attack the jurisdiction that is far away from your own as possible, right? That’s just that’s just common sense if you’re a criminal. So that’s pretty important. Obviously, there’s other things on the side of sort of like the EU AI act, which I’m not quite as familiar with.
But for individuals, there’s quite a bit you can do. I want to be positive here and this is where I get optimistic because even the most convincing phishing email fails if people are trained to verify requests through secondary channels. If your CEO sends you an email asking for an urgent wire transfer, picking up the call, picking up the phone and calling them is what you need to do, and that’s where, you know, the AI model kind of fails because simple practices like this will defeat AI generated attacks in person and face to face options as well to kind of do this, you know, companies specifically. Yes, there’s sort of layered defenses. So, there’s various cybersecurity practices you can put in place good security practices, a healthy amount of skepticism. These are all things that will help. I mean, fundamentally, this is an ongoing arms race. Attackers are going to develop new tools, defenders are going to attack. Attackers are going to evolve. Defenders respond. It’s just going to keep going on and on. It’s been like that in cybersecurity forever. And so, nothing’s really changed.
Jennifer: Right? It’s about staying one step ahead of the bad guys. It’s the same type of a situation as in cyber, for the past, you know, 20, 30 years. Yeah. I’m glad that you bring a little bit of optimism into this, because I’d like to hear, you know, from a technology perspective, given how difficult this is, it sounds almost insurmountable. What is it? What is something that actually gives you hope? Something that makes you think from a technology perspective that we can actually kind of make a difference here?
Lindsay: Yeah, I think there is some hope. And just to sort of flesh out, you know, my optimism on this. Increased awareness does help things tremendously. You know, conversations like this where we’re educating people about these threats do make a real difference. As someone said, an informed public is the best defense. So, when people understand that emails can be generated by AI, you know that perfect grammar is no longer the guarantee of legitimacy, that verification is essential and that sort of thing. This really does change the game. You can have the most sophisticated technical defenses in the world, but if your employees know to pick up the phone and verify a wire transfer request you have just defeated there, and then a multi-billion-pound AI powered attack with a 30 second phone call.
It’s not necessarily about blocking specific tools. I think that’s a losing game. It’s about building systems and cultures to be resilient at scale, and understand the speed of how AI evolves. You know, bringing back human interactions. I’m a big believer in this, whether we do this with, with government or with our own companies – nothing can beat that human interaction to verify something 100%. I think one of the things I’ve always worried about is the way in which and, you know, one thing we haven’t really spoken about is the way in which nation state actors are and governments are actually funding and promoting a lot of this malicious LLM use. Sometimes I think democracies look to the digital world as a form of efficiency, and I think we’re entering into that, and that is right. I mean, it’s changed everything. It’s been revolutionary. But we may be entering into a period where it’s giving us diminishing returns, and we need to return to more in-person interactions, in-person verification. What that looks like, I’m not entirely sure, but you always have that. And I think, you know, understanding that and recognizing that we can’t just rely on digital systems for everything could be counterproductive.
There’s things that are sort of keeping me up at night. I think the accessibility, you know, something that used to need a lot of skill, doesn’t need a lot of skill. There aren’t those barriers anymore. But I think, you know, there is something that we can rely on. And that’s the sort of human element as both the, the biggest weakness, but also the greatest strength that we have.
Jennifer: Yeah, that is actually encouraging, reassuring. You brought up some topics that kind of bring back the optimism to the conversation. So, before we go, I’d like to ask our guests if listeners could take one thing away from today’s conversation about AI and cybercrime, you know what they really, really need to remember? What should it be?
Lindsay: What I would suggest people do is that they start to really think in a hybrid mindset when building technology, managing people, improving society. Don’t rely on technology to save you. Don’t rely and think likewise that technology is going to ruin you. The fact is, it is just another tool. Are we building a society and are you building a business I suppose that takes into account all of these various facets? Sorry, I can’t be more specific than that. I’m still learning a lot about AI. I can’t claim to know everything about how AI is being used within the cybercrime world. It is evolving every second but I think we need to understand and appreciate more the benefits of thinking holistically when talking about even the most digital of phenomena.
Jennifer: And that is a great way to end it, because that’s something that’s in our hands. It’s all about understanding awareness, educating ourselves, and kind of staying ahead of the curve. So, thank you so much, Lindsay Whyte, for joining me today on AI On the Record. It was a pleasure having you here. Even though the topic was a little bit dark, there is some hope for the future, it sounds like. And thank you so much for joining us.
Lindsay: It’s a pleasure, Jennifer. Thank you very much indeed.
Jennifer: That’s it for AI on the record. Thanks so much to Lindsay Whyte for scaring us a little but also adding a little hope in the struggle of good versus bad in the world of AI. If you found this conversation valuable, share it with someone who thinks deeply about tech, trust, and the future of information. Until next time, I’m Jennifer Woodard. Thanks for listening.
Scattered Lapsus$ Hunters, is reported to be a hybrid threat actor group forged from three separate groups, who collectively emerged onto the scene in 2025 and quickly made their mark on the cybersecurity world. Announcing their existence following ShinyHunters alleged social engineering campaign that purportedly resulted in the theft of 1.5 billion Salesforce records, the group consists of threat actors from ShinyHunters, Scattered Spider, and Lapsus$ extortion members.
The three factions were all heavily active in 2024, resulting in a series of arrests of members of the group Scattered Spider in 2024. The group remerged in April 2025 with an attack on UK retailers Marks and Spencer. Due to the significant attacks carried out by the individual groups in recent years, the convergence of their members has introduced even greater chaos into an already volatile landscape.
Salesforce October Deadline
On October 03, 2025,Scattered Lapsus$ Hunters launched a data leak site extorting 39 companies that were impacted by the Salesforce breaches. The companies extorted in the link include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site requested that Salesforce pay a ransom to prevent impacted customers (approximately 1 billion records containing personal information) from being released. The group set an October 10 deadline for Salesforce to pay the ransom, or for potentially affected companies to contact the group to secure their data. Salesforce refused to negotiate with the threat actors, believing their threats were unsubstantiated and offered support to any of their affected clients.
While the group had threatened to release all information if their demands were not met, eventually they only leaked data from six companies. The victims included Albertsons, Engie Resources, Fujifilm, Gap, Qantas, and Vietnam Airlines. Qantas and Vietnam Airlines each had more than five million customer records exposed. The group later announced on its Telegram channel that it would not release any additional information until 2026, stating that it was unable to leak further data, though no specific reason was provided. The limited amount of victim information leaked during the October extortion attack led some individuals to question the extent of the data the group possesses. This behavior appears to indicate the group believes it can still extract a substantial payment from Salesforce or the affected individuals.
Following the partial leak, Scattered Lapsus$ Hunters posted a Telegram announcement threatening the remaining victims and Salesforce. The statement urged Salesforce to “put down your pride/ego” or their next campaign will be more “destructive” and they have the time and resources to ensure this fate. They warn against policies that mirror Australia’s “Cyber Security Act of 2024” which introduced mandatory reporting of ransomware and cyber extortion payments, as well as strongly discouraging complying with threat actors demanding ransom. The group identified themselves as businesspeople and rejected the label of terrorists or attackers.
The post was signed “We will never stop, see you all in 2026” indicating the group will return with further activity in the new year.
Forecast
In November 2025, the group announced the development of a Ransomware-as-a-Service (RaaS) platform named, ShinySp1d3r. On a Telegram channel used by the group, they claimed the ransomware was in development and will be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Previously, these threat actors have used ransomware encryptors such as Qilin, RansomHub, and DragonForce. Victims of ShinySp1d3r will receive a note that they have “three days to begin negotiations before the attack is made public on the data leak site”.
Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”.
ShinyHunters claims that organizations in the healthcare sector, including pharmaceutical companies, hospitals, clinics, and insurance providers, are excluded from being targeted by its encryptor. However, researchers report that many groups have made similar assurances in the past, only for those self-imposed restrictions to be routinely ignored or violated.
Conclusion
Scattered Lapsus$ Hunters are expected to remain active this year, leveraging both new and familiar tactics to cause disruption across the cyber landscape. The combination of the three groups demonstrates the shift for cybercriminal branding, appearing to highlight credibility and visibility. Given their broad range of targets, effective information sharing between organizations will be critical to countering this threat actor. To mitigate the risks posed by Scattered Lapsus$ Hunters and similar groups, organizations must prioritize monitoring these dark web activities.
To ensure your organization is taking the necessary steps to mitigate threats from these groups, contact us.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
