Cybersecurity activity intensified across law enforcement, enterprises, and cloud environments. Authorities advanced ransomware prosecutions with arrests and cross-border extraditions while major data exposures and fraud schemes exposed identity and access weaknesses.
SoundCloud confirmed a security breach in which threat actors accessed a user database, resulting in widespread service disruptions. Due to incident response measures, users connecting to the platform via VPN services have been experiencing "403 Forbidden" errors. The stolen data was allegedly limited to email addresses and publicly visible profile information.
More than 16 terabytes of corporate and professional data was exposed through an unsecured MongoDB database containing roughly 4.3 billion records. Researchers described it as one of the largest lead-generation datasets ever found exposed online. The data appears scraped from platforms such as LinkedIn and Apollo.
Researchers found that VolkLocker, a ransomware strain linked to the CyberVolk group, contains a critical design flaw that allows victims to decrypt files. The malware uses hard-coded master keys that are also written to a plaintext file on infected systems and never deleted. While VolkLocker targets both Windows and Linux and includes typical ransomware behaviors, the exposed keys break its extortion model.
European and Ukrainian authorities dismantled a large cyber-enabled fraud network operating call centres in multiple Ukrainian cities. The group used social engineering scams, impersonating police and banks to steal money from victims across Europe. Victims were tricked into transferring funds to attacker-controlled accounts or installing remote access software.
Colombia’s National Roads Institute suffered a cyberattack that left the agency without internet access for nearly 48 hours. A complaint has been filed with the Attorney General’s Office, though the type of attack and any data theft remain unconfirmed. Employees were instructed to work remotely during the disruption.
Yokosuka Gakuin School Corporation confirmed a ransomware-related cyber incident in early December 2025 that led to unauthorized server access and data leakage involving photos and videos. The school said it disconnected systems from the internet and is working with external specialists to investigate and restore affected infrastructure. Rhysida is allegedly listing data claimed to be from the school for sale on the dark web, demanding 6 BTC.
BforeAI’s PreCrime Labs uncovered a large-scale fake online shop campaign impersonating major global retail brands. Researchers tracked 244 fraudulent domains registered in 2025, timed around major shopping events like Black Friday. The operation relies on automated domain churn, privacy-protected WHOIS data, and shared infrastructure.
Researchers warn that weak AI governance is expanding software supply chain risk as release cycles accelerate. A Black Duck report finds that regulatory compliance is closely tied to faster responses to software supply chain vulnerabilities. While 95% of organizations use AI in development, only 24% fully assess AI-generated code for security, licensing, and quality risks. The study shows that SBOM validation and automated monitoring improve readiness and remediation speed.
French authorities have arrested a 22-year-old suspect as part of an investigation into a cyberattack on the country’s Ministry of the Interior. Prosecutors say the suspect, previously convicted for similar offenses in 2025, faces charges carrying a potential 10-year prison sentence. The incident coincides with unverified claims on BreachForums alleging responsibility for the attack.
LKQ Corporation has confirmed it was impacted by the Cl0p ransomware campaign exploiting Oracle E-Business Suite systems. The company disclosed that personal information belonging to more than 9,000 sole proprietor suppliers was compromised. LKQ said the incident was limited to its Oracle EBS environment. The company was also named on Cl0p’s leak site.
A former cybercriminal has publicly detailed how personal trauma led him into years of undetected fraud before a life event pushed him to change course. Alex Hall, now a Trust and Safety Architect at Sift, described how a painful breakup and subsequent psychological distress preceded his entry into large-scale fraud. “I realized that here was a very lucrative way of paying the bills without getting caught,” he told SecurityWeek.
U.S. prosecutors have unsealed indictments charging 54 individuals in a multi-million-dollar ATM jackpotting scheme linked to Tren de Aragua. The defendants are accused of using malware and physical access to force ATMs to dispense cash across multiple states. Prosecutors allege the proceeds were laundered and partially used to support the group’s broader criminal activities. If convicted, some defendants face sentences ranging from 20 to 335 years in prison.
Amazon says it has blocked more than 1,800 suspected North Korean IT operatives from securing remote roles since April 2024. The company reported a 27% quarter-over-quarter rise in detected DPRK-linked job applications this year. Amazon attributes the effort to AI-powered screening combined with identity verification and structured interviews. The company warned the scheme is widespread across the tech industry and urged firms to share indicators.
According to Alex Hall, the birth of his daughter marked a decisive shift away from criminal activity. He said he stopped committing fraud immediately and later transitioned into fraud prevention. Initially working as an analyst before moving into leadership roles, Hall now applies insights gained from his past to help organizations identify abuse patterns that remain difficult to detect.
U.S. prosecutors confirmed that a Ukrainian national has pleaded guilty for his role in the Nefilim ransomware operation, active since at least 2020. The defendant was arrested in Spain in 2024 and extradited to the United States in 2025. Authorities said he helped deploy ransomware against large enterprises. Sentencing is scheduled for May 2026, while a senior accomplice linked to the operation remains at large.
Attackers are exploiting speed and operational gaps, and the broader picture reflects a growing need for governance, visibility, and faster execution. Brian Soby, CTO and co-founder of AppOmni, said traditional security boundaries are fading across SaaS environments.
Addressing security gaps, Soby said, “Most current zero trust and identity solutions are not keeping pace with real-world attacker tactics, techniques, and procedures. As a result, in 2026, we’ll see more of what we’ve been seeing.”
He added that future cyber attacks will also target the existing weak links. “There’s no question the success of ShinyHunters/UNC6040 and Drift/UNC6395 has caught the attention of other threat groups.”
Cory Michal, CSO of the organization, said, “A flawed check on ‘who is this user and what can they access?’ can become cross-tenant data exposure or abuse of powerful admin and integration features. What is surprising is how these issues persist, even as the industry talks more about them every year.”
Michal recommended enforcing a default least privilege model so users, service accounts, and integrations start with minimal access and are only elevated when there is a definite requirement.
When writing and deploying code, teams must build security into the software development lifecycle: threat-modeling auth flows, using SAST/DAST checks, and adding targeted tests for authorization and multi-tenant isolation so these weaknesses are found and fixed long before they ship to production.
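The two recommendations above (a default least privilege model, and targeted tests for authorization and multi-tenant isolation) can be made concrete in a small example. The following Python is an added illustration and is not code from AppOmni, the article, or any product it mentions; the record store, role map, and tenant names are constructed for the example. It shows the flawed "who is this user?" check Michal describes beside a hardened version, together with the kind of test that would catch the cross-tenant leak before it ships.

```python
"""Tenant-scoped authorization with default-deny least privilege.

Added example (not from the article). RECORDS and ROLE_PERMISSIONS are
constructed sample data standing in for a real datastore and policy.
"""
from dataclasses import dataclass, field

# Constructed sample records: record id -> owning tenant and payload.
RECORDS = {
    "inv-1001": {"tenant": "acme", "body": "ACME Q4 invoice"},
    "inv-2002": {"tenant": "globex", "body": "Globex Q4 invoice"},
}

# Constructed role -> permission map. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "admin": {"invoice:read", "invoice:write", "integration:manage"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    # Least privilege by default: a new principal has no roles, hence no access.
    roles: frozenset = field(default_factory=frozenset)


class AccessDenied(Exception):
    pass


def flawed_get_invoice(principal, record_id):
    """The flawed check: it confirms the caller is authenticated but never
    binds the record to the caller's tenant or checks a permission. Any
    logged-in user can read any tenant's record by supplying its id."""
    if principal is None:
        raise AccessDenied("unauthenticated")
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    return record["body"]


def has_permission(principal, permission):
    """Default deny: granted only if some assigned role explicitly lists it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in principal.roles)


def get_invoice(principal, record_id):
    """Hardened check: authenticate, require the permission, and scope the
    lookup to the caller's tenant. A missing record and a foreign-tenant
    record raise the same error, so ids cannot be enumerated across tenants."""
    if principal is None:
        raise AccessDenied("unauthenticated")
    if not has_permission(principal, "invoice:read"):
        raise AccessDenied("missing permission invoice:read")
    record = RECORDS.get(record_id)
    if record is None or record["tenant"] != principal.tenant:
        raise AccessDenied("record not found in tenant")
    return record["body"]


def cross_tenant_leak(fetch):
    """Targeted isolation test: a viewer in 'acme' asks for a 'globex' record.
    Returns True if the fetch function hands the record over."""
    outsider = Principal("u-acme", "acme", frozenset({"viewer"}))
    try:
        fetch(outsider, "inv-2002")
        return True
    except AccessDenied:
        return False


def least_privilege_holds(fetch):
    """A principal with no roles must get nothing, even in its own tenant."""
    nobody = Principal("u-new", "acme")
    try:
        fetch(nobody, "inv-1001")
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    print("flawed check leaks cross-tenant:", cross_tenant_leak(flawed_get_invoice))
    print("hardened check leaks cross-tenant:", cross_tenant_leak(get_invoice))
    print("hardened check denies role-less user:", least_privilege_holds(get_invoice))
```

The two test helpers are the kind of targeted authorization tests the advice calls for: they run against the access function itself rather than the UI, so they fit in a unit-test suite and fail the build the moment a refactor drops the tenant comparison or the permission check.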