At least one 7-Zip user
January 26, 2026
•[ malware distribution, proxy botnet, domain impersonation ]
Tom's Hardware reported that the unofficial domain 7-zip.com (not the official 7-zip.org) served malware-laden downloads for roughly ten days, from January 12 to January 22. The site initially displayed legitimate links, but after 20-30 seconds a script swapped the download links to a malicious executable, likely to evade basic automated scanning. The malware's primary described function was to install a proxy service, turning victims' PCs into nodes in a proxy botnet that criminals could route traffic through to obscure their origins. This is a malware distribution campaign impacting end users rather than a breach of a single named victim organization.
Enviro-Hub Holdings Ltd.
January 25, 2026
•[ ransomware, server breach ]
Enviro-Hub Holdings Ltd. disclosed a ransomware attack targeting group servers; the company reported no material operational impact.
Waltio
January 24, 2026
•[ data leak, extortion, cryptocurrency ]
French crypto tax platform Waltio reported being targeted by the ShinyHunters group, which claimed to possess personal data for nearly 50,000 users and threatened to leak users' 2024 tax reports unless a ransom was paid. Waltio stated that its services and production systems remained secure and that no sensitive banking credentials or crypto access data were compromised. The incident primarily involves alleged data theft and extortion threats rather than service disruption, with the full scope of stolen fields not detailed in the summary.
CarMax
January 24, 2026
•[ data breach, extortion, data leak ]
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
HanseMerkur
January 24, 2026
•[ data leak, ransomware, financial documents ]
DragonForce claimed it stole 97 GB of internal data from German insurer HanseMerkur and released sample financial documents; the company had not confirmed the breach at the time of reporting.
Edmunds
January 24, 2026
•[ data breach, ShinyHunters, PII ]
In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone numbers and vehicle-related records.
Winona County
January 23, 2026
•[ ransomware, forensics, emergency services ]
Winona County, Minnesota reported responding to a ransomware incident that impacted its computer network. The county engaged third-party cybersecurity and forensics specialists and coordinated with local, state, and federal law enforcement. While emergency services such as 911, fire, and emergency response operations were reported to remain operational, the incident was significant enough that county leadership declared a local emergency. Further technical details, including the ransomware variant, extent of disruption across departments, and whether data was stolen, were not provided in the brief public update.
Crunchbase
January 23, 2026
•[ vishing, social engineering, credential theft ]
Reporting on an Okta SSO vishing (voice-phishing) campaign, ShinyHunters reportedly confirmed to a researcher that it conducted the campaign and launched a new dark web leak site. According to the report, ShinyHunters claimed that multiple victims had their data posted after refusing extortion demands, naming Crunchbase, SoundCloud, and Betterment as initial examples. The incident reflects social-engineering-driven credential theft leading to unauthorized access and data theft, followed by extortion and publication of alleged victim data.
At least one blockchain developer
January 22, 2026
•[ phishing, blockchain, credential theft ]
IT technicians and blockchain developers were targeted in a phishing campaign attributed to the NGB 3rd Technical Surveillance Bureau (KONNI/APT37), resulting in unauthorized access to end-user systems and the compromise of stored development and infrastructure credentials.
TELEPORT.RF
January 22, 2026
•[ DDoS attack, availability disruption, denial-of-service ]
The Russian-language news outlet Teleport RF reported that its website (teleport2001.ru) was subjected to a DDoS attack. The report described disruptions to site availability consistent with a traffic-flooding denial-of-service, affecting readers' ability to access content. No claims of data theft or system compromise beyond availability disruption were described in the article.
PcComponentes
January 22, 2026
•[ data breach, investigation, customer data ]
TechRadar reported that the PC-components retailer PcComponentes was looking into online claims of a breach while the company denied that a confirmed customer data breach had occurred. The article focused on the investigation and the company's public position. In the accessible page text used here, there was no definitive disclosure of an attacker, a verified data set, or a confirmed number of affected customers, so the impact to customer data is coded as undetermined.
Local Government Services Portal (KOVTP)
January 22, 2026
•[ cyberattack, denial-of-service, service disruption ]
A Russian-language summary report stated that the portal for local government services (KOVTP) was subjected to a large-scale cyberattack that disrupted availability. The incident was presented as a service disruption affecting public access, consistent with an external denial-of-service scenario. The available summary did not provide exact downtime, traffic characteristics, or evidence of data theft, so the record is coded as disruptive with undetermined duration and scope details.
Viafier
January 22, 2026
•[ malware, data leak, unauthorized access ]
The Swiss rail operator Viafier Retica shut down its Vereina car-shuttle online ticket shop after discovering malware on the system. The organization stated that attackers likely accessed the web shop database, which may contain customer and employee contact details and hashed passwords. Users were advised to change passwords used on other services. The incident caused service disruption to online ticket sales while containment and investigation actions were undertaken.
Nike
January 22, 2026
•[ ransomware, data leak, exfiltration ]
A ransomware group calling itself WorldLeaks (reported as a rebrand of Hunters International) claimed it breached Nike and began leaking data online. The group's leak-site posting dated January 22, 2026 alleged exfiltration of more than 1.4 TB of files. A review of the leaked directory names suggested the exposed material primarily relates to product development and manufacturing operations, including design specifications and supplier-related operational documents, along with internal presentations and collaboration materials. Nike stated it was investigating the claims.
The Connecticut Port Authority
January 22, 2026
•[ business email compromise, phishing, financial fraud ]
Connecticut Port Authority officials reported that a subtle change in an email address used to pay a vendor resulted in a fraudulent party receiving more than $16,000 from the quasi-public agency. The report said $16,666 was stolen and that $14,166 of that amount was recovered through an insurance claim. The incident triggered operational changes including renewed focus on encryption and security practices and recurring cybersecurity training. The article did not provide the precise date of the payment, only that it occurred the prior year relative to the January 22, 2026 report.
At least one Jordanian activist
January 22, 2026
•[ digital forensics, government surveillance, data extraction ]
The Record summarized findings from a Citizen Lab report stating that Jordanian authorities used Cellebrite digital forensic software to extract data from phones belonging to at least seven Jordanian activists and human rights defenders between late 2023 and mid-2025. The report's evidence was based on forensic analysis of seized phones in multiple cases and court records in others, and it stated the extractions occurred while individuals were interrogated or detained for speech critical of Israel's Gaza campaign.
Dresden State Art Collections
January 21, 2026
•[ targeted cyberattack, operational disruption, digital infrastructure ]
The Record reported that Dresden State Art Collections discovered a targeted cyberattack on Wednesday (January 21, 2026) that disrupted significant parts of its digital infrastructure. The state of Saxony's culture ministry said the museum network had limited digital and phone services, with online ticket sales, visitor services, and the museum shop unavailable. On-site payments were restricted to cash, though tickets purchased online before the incident could still be scanned, and the museums remained open. The ministry stated that the security systems protecting the collections were not affected and that physical and technical security remained intact, indicating the primary impact was operational disruption of public-facing digital services rather than compromise of collection security systems.
At least one individual in Greece
January 21, 2026
•[ phishing, SMS blaster, rogue mobile base station ]
The Record reported that Greek police dismantled a scam operation in the Athens area that used a fake cell tower concealed in a car to send phishing messages to nearby mobile users. Authorities said the device operated as a rogue mobile base station (SMS blaster), mimicking legitimate telecom infrastructure and forcing phones to connect while downgrading them to 2G, which the criminals used to facilitate mass scam messaging. The article focuses on law-enforcement action against the operators and describes the method used; it does not quantify victim counts, confirmed credential theft outcomes, or specific financial losses, so scope and data impacts are coded as undetermined.
Sociedad Hipotecaria Federal
January 21, 2026
•[ ransomware, data leak, encryption ]
Sociedad Hipotecaria Federal was listed by LockBit, which claimed to have stolen 277 GB of data and published it after a ransom deadline expired; reporting also cited encryption of critical systems and operational disruption.
Cloud Imperium Games (CIG)
January 21, 2026
•[ unauthorized access, data breach, personal information ]
Cloud Imperium Games disclosed that on January 21, 2026 it was targeted by a sophisticated attack that resulted in unauthorized access to some backup systems, with limited access to users' basic account details. The company said impacted data included metadata, contact details, username, date of birth, and name. It stated the access was read-only and that no passwords or financial/payment information were stored in or accessible from the affected systems, and it had no indication the data had been leaked publicly at the time of disclosure.