Ukrainian government and critical infrastructure organizations
September 25, 2024
•[ phishing, malware, espionage ]
Russian nation-state operators exploited a zero-day vulnerability in 7-Zip (CVE-2025-0411) beginning in September 2024 to deliver SmokeLoader malware through spearphishing campaigns targeting Ukrainian government and critical infrastructure entities. The campaign bypassed Windows Mark-of-the-Web protections to execute payloads and conduct espionage activities. No specific victims or data volumes have been disclosed.
AultCare Corporation
September 25, 2024
•[ phishing, data leak ]
An unauthorized party accessed an employee email account and a SharePoint instance on 2024-09-25. AultCare reviewed affected content and began notifying brokers and affected individuals by 2025-01-21.
Multiple Ukrainian government and municipal organizations
September 25, 2024
•[ vulnerability, phishing, malware ]
A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited beginning September 25, 2024, by undetermined Russian-speaking cybercriminal actors via phishing and homoglyph-lure archives. Trend Micro and SecurityWeek confirmed at least nine Ukrainian government and public-service entities (including the Ministry of Justice, Kyiv Public Transportation, and water-utility systems) were compromised. The campaign delivered SmokeLoader malware through malicious archives bypassing Windows Mark-of-the-Web protections.
Equiniti Trust Company, formerly known as American Stock Transfer & Trust Company
September 19, 2024
•[ financial, phishing, finance ]
Equiniti Trust Company agrees to pay $850K after an unknown threat actor, pretending to be an employee of a U.S.-based public issuer client of American Stock Transfer, instructed the Company to issue millions of new shares, liquidate those shares, and send the proceeds to an bank in Hong Kong, leading to a loss of roughly $4.78 million.
Zenith American Solutions, Inc.
September 6, 2024
•[ phishing, data leak ]
Unauthorized access to Zenith American Solutions network discovered September 6 2024 after an employee email account was compromised via phishing; over 12,000 individuals names, dates of birth, Social Security numbers, and benefit-plan documents potentially accessed. The firm notified regulators January 2025 and publicly disclosed in June 2025. No actor attribution or ransom demand reported.
Numotion
September 2, 2024
•[ phishing, data leak ]
Email account compromises exposed customer information at numotion.
Fur Affinity
August 22, 2024
•[ hack, phishing, technology ]
Fur Affinity, a popular social networking website for the furry community, is compromised, after threat actors successfully gained control of the websites domain, redirecting users to phishing sites, crypto scams and other malicious content.
Locata
July 29, 2024
•[ social, phishing, technology ]
A cyber attack on software company Locata spreads across councils across Greater Manchester, leaving thousands of residents vulnerable to a phishing scam.
Connally Memorial Medical Center
July 29, 2024
•[ phishing, data leak ]
Unauthorized access to an employee email led to confirmation of broader file access; notice posted 27-09-2024; continued notifications.
Domestic flight in Australia
June 28, 2024
•[ hack, phishing ]
The AFP charges an Australian man (42) with operating a fake Wi-Fi access point on a domestic flight to steal user credentials and data.
Bloom Health Centers
June 28, 2024
•[ hack, phishing, healthcare ]
Psych Associates of Maryland LLC d/b/a Bloom Health Centers ("Bloom Health") discloses a security breach after the compromise of an employee's email.
The Ambulatory Surgery Center of Westchester
June 26, 2024
•[ social, phishing, healthcare ]
The Mount Kisco Surgery Center LLC d/b/a The Ambulatory Surgery Center of Westchester ("ASCW") discloses a security breach after the compromise of an employee's email.
Town of Arlington
June 5, 2024
•[ financial, phishing, government ]
The town of Arlington discloses that it had lost nearly $446,000 in a monthslong business email compromise (BEC) scam.
Official Microsoft India account on X (formerly Twitter)
June 3, 2024
•[ financial, hack, phishing ]
The official Microsoft India account on X (formerly Twitter), with over 211,000 followers, is hijacked by cryptocurrency scammers to impersonate Roaring Kitty, the handle used by notorious meme stock trader Keith Gill.
Alternate Solutions Health Network, LLC
May 30, 2024
•[ phishing, data leak ]
On or around May 30 2024, an unauthorized actor accessed an employee email account at Alternate Solutions Health Network. The account was secured after discovery; investigation concluded February 14 2025 and confirmed exposure of PHI. Notifications were issued beginning April 14 2025.
RestorixHealth
May 29, 2024
•[ phishing, data leak ]
Investigation confirmed unauthorized access to one mailbox (May 729, 2024); notification letters commenced Feb 14, 2025.
Adam Griffin
May 6, 2024
•[ social, phishing, finance ]
Adam Griffin, a crypto investor is robbed of nearly $500,000 in cryptocurrencies after a scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click yes to a Google prompt on his mobile device.
Undisclosed crypto investor
May 3, 2024
•[ financial, hack, phishing ]
An individual loses around $71 million worth of bitcoin in what appears to be an address poisoning attack. A week later the author of the attack returns the stolen bounty.
Teixeira Cândido (Angolan journalist) / Syndicate of Angolan Journalists context
May 3, 2024
•[ spyware, Predator, mobile infection ]
Amnesty Internationals Security Lab reported forensic confirmation that Intellexas Predator spyware successfully infected the iPhone of Angolan journalist and press freedom activist Teixeira Cndido on May 4, 2024 after he opened a malicious link sent via WhatsApp. Amnesty said the attacker could have gained wide access to device data (including messages and files) and that the infection appears to have been removed after the phone was restarted later that day. The investigation described multiple additional infection links sent afterward that did not appear to succeed. Attribution to a specific government customer was not made in the public report.
