In the United States, CISA continues core national security operations despite a DHS funding lapse. Switzerland has shifted from voluntary disclosure to mandatory 24-hour reporting for critical infrastructure cyberattacks.
Sustained pressure is being observed across sectors, including universities, healthcare, finance, and transportation, with attacks on the University of Pennsylvania, France’s national bank account registry, the University of Mississippi Medical Center, and the ticketing and scheduling systems of Germany’s Deutsche Bahn.
These incidents highlight that recent cyberattacks have not only exposed personal data but also disrupted medical services and restricted access to other essential services, including travel and financial infrastructure, for hundreds of thousands of individuals.
German rail operator Deutsche Bahn confirmed a Distributed Denial of Service (DDoS) attack targeted its IT systems, causing widespread disruptions. It led to outages in ticketing and scheduling on both the company's website and app. The inability to access real-time schedules or purchase tickets created significant inconvenience for travelers.
Eurail B.V. confirmed that stolen customer data is being offered for sale online after a breach earlier this year. A threat actor also published a sample dataset on Telegram. The company is reviewing what specific records were exposed and how many customers may be affected. Eurail operates and sells Interrail and Eurail passes for train travel across Europe. It previously disclosed unauthorized access to its customer database. Exposed data may include passport and financial information.
CISA will remain operational during the DHS shutdown that began at 12:01 a.m. on February 14, 2026, continuing work in areas allowed under the Antideficiency Act. The agency said key functions tied to national security and critical infrastructure protection will stay active, including maintaining the Known Exploited Vulnerabilities (KEV) Catalog. While many staff are furloughed, a designated group will continue supporting excepted cybersecurity operations, and additional personnel can be recalled if urgent threats emerge. Regulatory efforts such as finalizing the CIRCIA incident reporting rule are expected to pause during the funding lapse.
Switzerland’s National Cyber Security Centre reported that 2025 marked the rollout and operationalization of a legal requirement obliging critical infrastructure operators to report cyberattacks within 24 hours under the revised Information Security Act. The NCSC received nearly 65K incident reports, including 222 under the new mandate. Switzerland has moved from voluntary cyber reporting to enforceable national oversight of critical infrastructure attacks.
Dutch authorities arrested a 40-year-old man after he downloaded confidential documents mistakenly shared by police and allegedly sought something in return before deleting them. The files were exposed after an officer sent a download link instead of an upload link during correspondence related to an investigation. Despite being told to stop and delete the material, the man continued accessing the documents. Police searched his residence in Ridderkerk and seized data storage devices. There is currently no indication that the confidential documents were further distributed.
Researchers have identified PromptSpy, the first known Android malware to integrate generative AI directly into its execution flow. The Trojan abuses Google’s Gemini model to analyze on-screen interface data and generate step-by-step navigation instructions. This allows the malware to perform gestures that lock it into the recent apps list, improving persistence across Android versions and vendor skins. PromptSpy’s primary payload includes deployment of a VNC module for full remote device control. Threat actors can view the screen, execute actions, and potentially exfiltrate sensitive data. The technique highlights how large language models can be misused to enhance mobile malware adaptability.
A data breach at the University of Pennsylvania has compromised the personal information of approximately 624,000 individuals, including donors. The compromised dataset encompasses names, residential addresses, and demographic data. The October 2025 breach was claimed by ShinyHunters. The incident escalated in February 2026, when over 3.5 GB of exfiltrated data were published on cybercriminal forums after a hacker claimed responsibility for this attack and a Harvard compromise. The breach was identified in Q4 2025.
The Ravenna Hub admissions platform exposed personal information of over 1.6 million students. The issue stemmed from a vulnerability that allowed authenticated users to access other profiles by modifying a seven-digit URL identifier. Exposed data included students’ names, birthdates, home addresses, photographs, and sibling information. Parent email addresses and phone numbers were also accessible. The flaw was reported and remediated the same day.
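The flaw class described above (authentication without a per-record ownership check) can be shown in a few lines. This is an added illustration, not code from Ravenna Hub; the data model, function names and threshold are hypothetical, and the records are constructed. It pairs the flawed lookup with a hardened one and a simple check for accounts probing many identifiers.

```python
# Added illustration: constructed data and hypothetical names throughout.
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    student_id: int          # seven-digit identifier carried in the URL
    name: str
    guardian_ids: frozenset  # accounts allowed to view this record

# Constructed sample records, not real data.
PROFILES = {
    1000001: Profile(1000001, "Student A", frozenset({"parent-a"})),
    1000002: Profile(1000002, "Student B", frozenset({"parent-b"})),
}

class NotFound(Exception):
    """Mapped to HTTP 404 by the (hypothetical) web layer."""

def get_profile_vulnerable(session_user, student_id):
    # Flawed pattern: authentication is checked, ownership is not.
    if session_user is None:
        raise PermissionError("login required")
    return PROFILES[student_id]

def get_profile_hardened(session_user, student_id, denied_log):
    if session_user is None:
        raise PermissionError("login required")
    profile = PROFILES.get(student_id)
    # Object-level check: the requester must be linked to this record.
    if profile is None or session_user not in profile.guardian_ids:
        denied_log.append((session_user, student_id))
        # Same answer for "missing" and "not yours": no existence oracle.
        raise NotFound(student_id)
    return profile

def enumeration_suspects(denied_log, threshold=3):
    # Flag accounts denied on many distinct identifiers.
    seen = {}
    for user, sid in denied_log:
        seen.setdefault(user, set()).add(sid)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

Non-sequential identifiers reduce guessability but do not replace the ownership check, which is what actually enforces access.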
The University of Mississippi Medical Center shut down all 35 of its clinics after a ransomware attack. The attack disrupted healthcare IT systems and blocked access to electronic medical records. Outpatient surgeries, ambulatory procedures, and imaging appointments were canceled, and network systems were taken offline. During a press conference, the medical center acknowledged communication with the attackers. No ransomware group has claimed responsibility. The organization employs over 10,000 people, operates seven hospitals, and has over 200 telehealth sites.
A data breach at France’s Ministry of Economy has exposed 1.2 million bank accounts. The incident occurred after a threat actor used stolen credentials belonging to an official to access the national bank account registry, FICOBA. The incident compromised account holder names, IBANs, addresses, and tax identifiers.
Law enforcement agencies across 16 African countries arrested 651 suspects and recovered more than $4.3 million during Operation Red Card 2.0. The eight-week effort targeted investment scams and fraudulent mobile loan applications. Investigations linked the schemes to over $45 million in financial losses and identified 1,247 victims, mainly in Africa and other regions. Authorities also seized 2,341 devices and dismantled 1,442 malicious IPs, domains, and servers. During the law enforcement action, Kenya recorded 27 arrests connected to messaging-based investment scams, and Côte d’Ivoire detained 58 suspects.
Polish police have detained a 47-year-old man in the Małopolska region for his alleged involvement with the Phobos ransomware group. The arrest is part of Operation Aether, a coordinated international crackdown targeting Phobos developers and affiliates across Europe and beyond. Authorities found files containing logins, passwords, and credit card numbers, as well as encrypted communications linked to Phobos.
Davit Avalyan, a Glendale man and the last co-defendant in a darknet drug distribution case, has been sentenced to 57 months in federal prison. The operation used multiple vendor accounts on darknet marketplaces, including the prolific "JoyInc," to distribute narcotics across the United States. The network earned cryptocurrency by selling illicit substances such as methamphetamine, cocaine, MDMA, and ketamine.
The Cheyenne and Arapaho Tribes are facing extortion demands following a ransomware attack that disrupted schools and other critical services. The Rhysida ransomware group claimed responsibility and demanded 10 bitcoin, worth about $660,000, to prevent the release of stolen data. Tribal officials confirmed the incident in January after systems were shut down during response efforts.
A Ukrainian national was sentenced to five years in prison for helping North Korean operatives get IT jobs at 40 U.S. companies. He pleaded guilty to identity theft. Prosecutors said he operated Upworksell.com, a platform that enabled the purchase and rental of stolen identities and facilitated fake documentation. He paid U.S. residents $100 per month per laptop to host devices that masked the workers’ overseas locations. He had access to at least 871 American identities, with 18 confirmed victims and 13 facing false tax liabilities. Authorities seized the domain in 2024 before arresting him in Poland and extraditing him to the U.S.
A 45-year-old Romanian citizen admitted to unlawfully accessing systems at Oregon’s Department of Emergency Management in June 2021 and selling that access for $3,000 in Bitcoin. He operated under the alias “inthematrixl” and advertised administrative credentials on criminal forums. Court filings state he exposed an employee’s personal information. Authorities linked him to intrusions at 10 other U.S. organizations. He was arrested in Romania in November 2024, and his sentencing is scheduled for May.
A federal grand jury indicted three San Jose-based engineers on charges of attempted theft of trade secrets. They obtained files related to processor security, cryptography, and system-on-chip architecture from Google and other semiconductor firms developing mobile chip platforms, including Snapdragon technology. Two of them worked at Google before joining another company, while an accomplice worked at a separate chipmaker. They allegedly transferred proprietary data through external messaging channels, copied it onto personal devices, and photographed internal systems to bypass monitoring tools.
The PromptSpy finding underscores that AI innovation is not pausing for defenders or attackers. Neither are insider risks, which many security leaders call “the threat already inside the cabin.”
A Ukrainian national was sentenced, a Romanian national admitted to breaching organizations, and California engineers were charged with transferring chip design data. Together, these cases show that cyber defenders face a dual task: spotting and preventing not just cyber risks but also insider risks.
Law enforcement momentum has accelerated through coordinated international action. From over 600 arrests across Africa to the detention of a suspected Phobos ransomware affiliate, these developments show more than a unified effort. They show a global commitment to dismantle cybercrime networks and also the infrastructure and individuals behind them.
INTERPOL said the operation highlights the importance of cross-border cooperation against organized cybercrime networks.
Derek Manky, Chief Security Strategist & Global Vice President of Threat Intelligence at Fortinet’s FortiGuard Labs, said, “Cybercrime does not respect borders.”
Referring to the Africa-wide crackdown, he noted that INTERPOL supported the effort through real-time information exchange, operational coordination, and digital forensic capacity building.
At the same time, private-sector partners, including Fortinet through the World Economic Forum Cybercrime Atlas, contributed data and technical insight that helped participating countries identify targets and act more quickly. This is what it means, he said, to move from intelligence sharing to coordinated action.