Waltio
January 24, 2026
•[ data leak, extortion, cryptocurrency ]
French crypto tax platform Waltio reported being targeted by the ShinyHunters group, which claimed to possess personal data for nearly 50,000 users and threatened to leak users' 2024 tax reports unless a ransom was paid. Waltio stated that its services and production systems remained secure and that no sensitive banking credentials or crypto access data were compromised. The incident primarily involves alleged data theft and extortion threats rather than service disruption, with the full scope of stolen fields not detailed in the summary.
CarMax
January 24, 2026
•[ data breach, extortion, data leak ]
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
HanseMerkur
January 24, 2026
•[ data leak, ransomware, financial documents ]
DragonForce claimed it stole 97 GB of internal data from German insurer HanseMerkur and released sample financial documents; the company had not confirmed the breach at the time of reporting.
Winona County
January 23, 2026
•[ ransomware, forensics, emergency services ]
Winona County, Minnesota reported responding to a ransomware incident that impacted its computer network. The county engaged third-party cybersecurity and forensics specialists and coordinated with local, state, and federal law enforcement. While emergency services such as 911, fire, and emergency response operations were reported to remain operational, the incident was significant enough that county leadership declared a local emergency. Further technical details, including the ransomware variant, extent of disruption across departments, and whether data was stolen, were not provided in the brief public update.
Crunchbase
January 23, 2026
•[ vishing, social engineering, credential theft ]
In reporting on an Okta SSO vishing (voice-phishing) campaign, a researcher said ShinyHunters confirmed that it conducted the campaign and had launched a new dark web leak site. According to the report, ShinyHunters claimed that multiple victims had their data posted after refusing extortion demands, naming Crunchbase, SoundCloud, and Betterment as initial examples. The incident reflects social-engineering-driven credential theft leading to unauthorized access and data theft, followed by extortion and publication of alleged victim data.
At least one blockchain developer
January 22, 2026
•[ phishing, blockchain, credential theft ]
IT technicians and blockchain developers were targeted in a phishing campaign attributed to the NGB 3rd Technical Surveillance Bureau (KONNI/APT37), resulting in unauthorized access to end-user systems and the compromise of stored development and infrastructure credentials.
TELEPORT.RF
January 22, 2026
•[ DDoS attack, availability disruption, denial-of-service ]
The Russian-language news outlet Teleport RF reported that its website (teleport2001.ru) was subjected to a DDoS attack. The report described disruptions to site availability consistent with a traffic-flooding denial-of-service, affecting readers' ability to access content. No claims of data theft or system compromise beyond availability disruption were described in the article.
PcComponentes
January 22, 2026
•[ data breach, investigation, customer data ]
TechRadar reported that the PC-components retailer PcComponentes was looking into online claims of a breach while the company denied that a confirmed customer data breach had occurred. The article focused on the investigation and the company's public position. In the accessible page text used here, there was no definitive disclosure of an attacker, a verified data set, or a confirmed number of affected customers, so the impact to customer data is coded as undetermined.
Local Government Services Portal (KOVTP)
January 22, 2026
•[ cyberattack, denial-of-service, service disruption ]
A Russian-language summary report stated that the portal for local government services (KOVTP) was subjected to a large-scale cyberattack that disrupted availability. The incident was presented as a service disruption affecting public access, consistent with an external denial-of-service scenario. The available summary did not provide exact downtime, traffic characteristics, or evidence of data theft, so the record is coded as disruptive with undetermined duration and scope details.
Viafier
January 22, 2026
•[ malware, data leak, unauthorized access ]
The Swiss rail operator Viafier Retica shut down its Vereina car-shuttle online ticket shop after discovering malware on the system. The organization stated that attackers likely accessed the web shop database, which may contain customer and employee contact details and hashed passwords. Users were advised to change passwords used on other services. The incident caused service disruption to online ticket sales while containment and investigation actions were undertaken.
Nike
January 22, 2026
•[ ransomware, data leak, exfiltration ]
A ransomware group calling itself WorldLeaks (reported as a rebrand of Hunters International) claimed it breached Nike and began leaking data online. The group's leak-site posting dated January 22, 2026 alleged exfiltration of more than 1.4TB of files. A review of the leaked directory names suggested the exposed material primarily relates to product development and manufacturing operations, including design specifications and supplier-related operational documents, along with internal presentations and collaboration materials. Nike stated it was investigating the claims.
The Connecticut Port Authority
January 22, 2026
•[ Business Email Compromise, Phishing, Financial Fraud ]
Connecticut Port Authority officials reported that a subtle change in an email address used to pay a vendor resulted in a fraudulent party receiving more than $16,000 from the quasi-public agency. The report said $16,666 was stolen and that $14,166 of that amount was recovered through an insurance claim. The incident triggered operational changes including renewed focus on encryption and security practices and recurring cybersecurity training. The article did not provide the precise date of the payment, only that it occurred the prior year relative to the January 22, 2026 report.
At least one Jordanian activist
January 22, 2026
•[ digital forensics, government surveillance, data extraction ]
The Record summarized findings from a Citizen Lab report stating that Jordanian authorities used Cellebrite digital forensic software to extract data from phones belonging to at least seven Jordanian activists and human rights defenders between late 2023 and mid-2025. The report's evidence was based on forensic analysis of seized phones in multiple cases and court records in others, and it stated the extractions occurred while individuals were interrogated or detained for speech critical of Israel's Gaza campaign.
Dresden State Art Collections
January 21, 2026
•[ targeted cyberattack, operational disruption, digital infrastructure ]
The Record reported that Dresden State Art Collections discovered a targeted cyberattack on Wednesday (January 21, 2026) that disrupted significant parts of its digital infrastructure. The state of Saxony's culture ministry said the museum network had limited digital and phone services, with online ticket sales, visitor services, and the museum shop unavailable. On-site payments were restricted to cash, though tickets purchased online before the incident could still be scanned, and the museums remained open. The ministry stated security systems protecting the collections were not affected and physical/technical security remained intact, indicating the primary impact was operational disruption of public-facing digital services rather than compromise of collection security systems.
At least one individual in Greece
January 21, 2026
•[ phishing, SMS blaster, rogue mobile base station ]
The Record reported that Greek police dismantled a scam operation in the Athens area that used a fake cell tower concealed in a car to send phishing messages to nearby mobile users. Authorities said the device operated as a rogue mobile base station (SMS blaster), mimicking legitimate telecom infrastructure and forcing phones to connect while downgrading them to 2G, which the criminals used to facilitate mass scam messaging. The article focuses on law-enforcement action against the operators and describes the method used; it does not quantify victim counts, confirmed credential theft outcomes, or specific financial losses, so scope and data impacts are coded as undetermined.
Sociedad Hipotecaria Federal
January 21, 2026
•[ ransomware, data leak, encryption ]
Sociedad Hipotecaria Federal was listed by LockBit, which claimed to have stolen 277 GB of data and published it after a ransom deadline expired; reporting also cited encryption of critical systems and operational disruption.
eScan Antivirus (MicroWorld Technologies)
January 20, 2026
•[ supply chain attack, malware delivery, software update ]
Attackers breached an eScan update server and replaced a legitimate update file with a malicious executable, resulting in malware delivery to customers via the software supply chain without confirmed data theft or operational disruption.
At least one Iranian consumer
January 20, 2026
•[ Android banking trojan, Remote-access trojan (RAT), Ransomware ]
Cyble Research and Intelligence Labs (CRIL) reported discovering deVixor, an advanced Android banking trojan that has remote-access (RAT) capabilities and can also deploy a ransomware-style device lock screen. The campaign explicitly targets Iranian users, distributing malicious APKs via phishing websites posing as legitimate automotive businesses and luring victims with heavily discounted vehicle offers. Once installed, deVixor prompts victims to grant high-risk permissions (contacts, SMS, media files, accessibility service), then harvests SMS data to extract banking information such as account balances, OTPs, bank alerts, credit card details, and crypto transaction data. It also uses WebView-based JavaScript injection to load real banking sites inside a hidden WebView and steal login credentials during authentication. In some cases, operators activate a ransom overlay that locks the device and demands payment to a cryptocurrency wallet. Cyble said it identified 700+ deVixor samples since October 2025 and observed indicators (Persian artifacts, targeted-app lists, Telegram infrastructure) suggesting strong familiarity with Iran's financial ecosystem.
McDonald's India
January 20, 2026
•[ ransomware, data leak, data exfiltration ]
HackRead reported that on January 20, 2026 the Everest ransomware group claimed it breached McDonald's India and exfiltrated 861 GB of customer data and internal documents. The report described screenshots purportedly showing internal financial reports (2023–2026), audit trails, cost tracking, ERP migration files, pricing data, and other internal communications, as well as a Contact Database spreadsheet with investor/business-partner contact details and store-level manager contact information. Everest reportedly issued a short deadline and threatened to leak data; the article noted the claim was unverified at the time.
At least one Afghan government worker
January 20, 2026
•[ phishing, malware, data exfiltration ]
The Record reported that attackers targeted Afghan government workers with phishing emails disguised as official correspondence from the office of the country's prime minister. Researchers said the campaign, first detected in December, used a decoy document resembling a government letter (including a forged signature) to entice recipients in ministries/administrative offices to open it. Once opened, the document delivered malware dubbed FalseCub, designed to collect and exfiltrate data from infected computers. The report is focused on the campaign and malware behavior; it does not list specific compromised agencies, confirmed infection counts, or stolen data volumes, so impacts are coded as undetermined.