Everest Ransomware Leak Site
April 6, 2025
•[ ransomware, website defacement, hacktivism ]
The Everest ransomware group's dark web leak site was defaced on April 6, 2025 by an unidentified anti-ransomware actor who replaced its content with the message "Don't do crime. CRIME IS BAD. xoxo from Prague." Following the defacement, the Everest operators took the site offline. No data theft or encryption occurred.
Tri-City Cardiology Consultants (Phoenix, AZ)
April 6, 2025
•[ data leak ]
22,753 patients were notified after an unauthorized third party attempted to infiltrate the network around April 6, 2025; PHI may have been accessed or obtained. Notifications were sent in May.
HighWire Press Inc.
April 5, 2025
•[ infostealer, data leak ]
On April 5, 2025, Hellcat claimed access to HighWire Press systems using credentials harvested by an infostealer. Data exfiltration was listed on the Hellcat leak site. No encryption or operational disruption has been confirmed.
Individual retail investors using Japanese online brokerage platforms
April 5, 2025
•[ credential stuffing, account abuse ]
Between April 5 and 8, 2025, foreign criminal actors compromised the login credentials of Japanese retail investors and placed unauthorized securities trades through online brokerage portals; Japan's Financial Services Agency and police launched an investigation into coordinated credential stuffing and account abuse.
LeoVegas Group
April 5, 2025
•[ data leak, infostealer, compromised credentials ]
On April 5, 2025, Hellcat listed LeoVegas Group on its leak site, claiming exfiltration of internal data through compromised Jira credentials obtained from an infostealer. Hudson Rock verified the inclusion of LeoVegas in the same credential set. No encryption was confirmed.
Asseco Poland S.A.
April 5, 2025
•[ data leak, infostealer ]
On April 5, 2025, Hellcat listed Asseco Poland on its leak site, claiming data exfiltration using Jira credentials stolen through an infostealer. Hudson Rock's analysis confirmed separate credential sets and data exfiltration from Asseco's Jira environment. No encryption was reported or confirmed.
Total Dictation Foundation
April 5, 2025
•[ ddos ]
On April 5, 2025, the official website of the Total Dictation literacy campaign experienced a Distributed Denial of Service (DDoS) attack that temporarily disrupted access during the event, according to Foundation director Vyacheslav Belyakov. No data compromise, perpetrator identification, or motive was reported.
Jaaved Jaaferi / X (Twitter) account
April 5, 2025
•[ account takeover, phishing, scam ]
On April 5, 2025, the verified X (formerly Twitter) account of Indian actor Jaaved Jaaferi was hijacked and used to post cryptocurrency scam and phishing messages. The actor warned followers via Instagram not to engage. Control was restored within hours, and no data theft or cross-platform compromise was reported.
Racami LLC
April 5, 2025
•[ data leak, stolen credentials, infostealer ]
On April 5, 2025, Hellcat listed Racami on its leak site, stating it had accessed and exfiltrated internal Jira project data using stolen credentials gathered through an infostealer campaign. No encryption or operational disruption was reported.
Igra-Service
April 5, 2025
•[ DDoS, hacktivism, service disruption ]
Between April 5 and 8, 2025, the IT Army of Ukraine claimed responsibility for a DDoS operation against Russian internet provider Igra-Service in Krasnoyarsk Krai. According to reports, traffic reached up to 55 Gbit/s, disrupting internet and television access for several days and causing some collateral outages to Rostelecom networks. The action was described by participants as a protest campaign.
Undisclosed Online Betting Organization
April 3, 2025
•[ DDoS, gambling, sports ]
A multi-vector DDoS attack was recorded on April 3, 2025 targeting an online betting platform. The flooding began at ~67 Gbps at 11:15 UTC, escalated to ~217 Gbps by 11:23, peaked at ~965 Gbps (~0.965 Tbps) by 11:36, then declined to ~549 Gbps by 12:41 before ending. The timing coincided with a major NHL milestone (Alexander Ovechkin tying the all-time goals record).
Blizzard Entertainment
April 3, 2025
•[ ddos, service disruption ]
Blizzard's Battle.net platform experienced a distributed denial-of-service (DDoS) attack on April 3, 2025, causing login latency and disconnections across multiple games. Blizzard confirmed and mitigated the disruption within roughly four hours. No data theft, encryption, or ransom attempt was reported.
Civic Platform (Platforma Obywatelska)
April 2, 2025
•[ cyberattack, APT ]
The GRU's 85th Main Special Service Center (Unit 26165, also known as FANCYBEAR) targeted IT systems belonging to Poland's ruling Civic Platform party in early April 2025; no operational disruption was confirmed.
Department of Pensions
April 2, 2025
•[ ransomware, data theft ]
The Department reported a ransomware attack, first notified to CERT on April 2, 2025. Officials are overhauling systems and advising pensioners, with no detailed disruption reported; the incident is treated as data theft pending further specifics.
AustralianSuper
April 1, 2025
•[ account takeover, credential stuffing, theft ]
Hackers used stolen credentials to access about 600 AustralianSuper accounts in a coordinated campaign targeting Australia's superannuation funds; small monetary thefts were reported.
Rest Super
April 1, 2025
•[ credential stuffing, account takeover ]
Rest Super confirmed credential-stuffing attempts that compromised some member accounts as part of the coordinated April 2025 campaign; no losses were disclosed.
Ukrainian government and military entities
April 1, 2025
•[ malware, data leak, espionage ]
The Russian FSB's 18th Center for Information Security (Gamaredon) deployed updated GammaSteel malware to exfiltrate sensitive data from Ukrainian government and defense networks in an ongoing espionage campaign; no operational disruption was reported.
Insignia Financial
April 1, 2025
•[ credential stuffing, data leak ]
Insignia Financial confirmed attempts to access customer portals using stolen credentials during the April 2025 campaign; the extent of compromise is under investigation.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSB's 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Multiple e-commerce stores using Magento extensions
April 1, 2025
•[ supply-chain attack, malware, webshell ]
A supply-chain compromise of 21 Magento extensions, backdoored since 2019 and activated in April 2025, impacted between 500 and 1,000 e-commerce stores; at least one webshell was observed.