Cybercrime Evolves, Defenders Adapt: AI, Insider Threats, and Cross-Border Raids Redraw the Arena 

Published
Written by: Vishwa Pandagle, Cybersecurity Staff Editor

This week’s cyber landscape underscored an escalating clash between advanced criminal alliances and coordinated law enforcement responses. While the week centered on digital and data-driven threats, Daniel Gaeta of GuidePoint Security warned that similar pressures are rising across industrial environments, where adversaries increasingly target operational technology for strategic disruption.

Bob Maley of Black Kite pointed out that the race to embed AI into business operations is moving faster than security can adapt. As AI systems spread across vendor networks and supply chains, fragmented governance and weak oversight are creating new risks, particularly among smaller providers with deep data access but limited defenses.

Tim Erlin of Wallarm added that if 2025 marks the rise of AI, 2026 will bring the rise of AI breaches. He emphasized that AI’s reliance on APIs is exponentially expanding the attack surface, predicting a wave of both new AI-specific exploits and traditional API attacks retooled to target AI agents.

Jeffrey Wheatman, also of Black Kite, emphasized that manufacturers continue to overlook cyber risks in their supply chains despite remaining ransomware’s top target for four consecutive years. He predicted that in 2026, at least one major manufacturer will face an eight-figure financial loss from a supply-chain-related cyber incident. Wheatman also expects AI market consolidation to leave many customers stranded with unsupported tools, while boards increasingly push for continuous visibility into vendor cyber exposures.

Ferhat Dikbiyik of Black Kite speculated that ransomware attacks are likely to surge as smaller groups join forces to form larger, more capable collectives. These operations, he said, will increasingly target connected supply chains, keeping manufacturing at the center of the threat landscape.

Jabber Zeus Developer 'MrICQ' in US Custody After Extradition from Italy

Alleged cyber-criminal developer “MrICQ” (Yuriy Rybtsov), linked to Russia- and Ukraine-based operators, has been extradited from Italy to the U.S. to face charges for his role in the “Jabber Zeus” banking trojan operation. He is accused of helping intercept one-time passwords (OTPs) and launder millions of dollars stolen from U.S. firms.

The gang ran “man-in-the-browser” attacks, using a module called “Leprechaun” to hijack OTP-protected bank accounts and funnel the funds through networks of money mules.

Incident Responders Indicted for Allegedly Working With ALPHV (BlackCat) Ransomware

Three U.S. cybersecurity professionals were accused of working with the ALPHV (BlackCat) ransomware gang. Prosecutors said they abused their positions at incident response firms to help extort companies across several states. The indictment named two of the suspects and detailed attacks on universities, law firms, and financial organizations.

Louvre Heist Exposes Significant Security Flaws, Including an Obvious Surveillance Server Password

A €90 million Louvre robbery revealed that the museum’s surveillance server password was set to “LOUVRE.” Authorities said four suspects were arrested after DNA traces were found on a freight elevator. Prosecutors confirmed the suspects lacked ties to organized crime despite the scale of the heist.

55 New Arrests Made in Operation Ironside in AN0M App Sting After Court Ruling

Australian police have arrested 55 additional suspects in a renewed phase of Operation Ironside. The arrests follow a High Court ruling confirming that evidence from the AN0M encrypted app was lawfully obtained. Authorities say more prosecutions are expected as they continue analyzing millions of intercepted criminal messages.

Stolen Police Logins Raise Flock Safety Surveillance Camera Security Concerns, 35 Customer Passwords Leaked

U.S. lawmakers are urging an FTC probe after stolen police logins exposed Flock Safety’s surveillance camera network to hackers. The breach revealed 35 leaked passwords and the absence of mandatory MFA for law enforcement users. Lawmakers warn that unauthorized access could let foreign actors track millions of Americans. 

Police Bust Credit Card Fraud Rings With 4.3 Million Victims

International authorities have dismantled three massive credit card fraud and money laundering networks linked to €300 million ($344 million) in losses and over 4.3 million victims across 193 countries. Dubbed Operation Chargeback, the coordinated effort led by German prosecutors and Europol resulted in 18 arrests, the seizure of €35 million in assets, and the exposure of payment service providers that allegedly enabled the fraud between 2016 and 2021.

€600 Million Cryptocurrency Scam Network Dismantled, Nine Arrested

European authorities have dismantled a vast cryptocurrency fraud network that stole more than €600 million from victims worldwide. Coordinated by Eurojust, the October operation spanned Cyprus, Spain, and Germany, leading to nine arrests and the seizure of over €1.5 million in assets. Investigators say the suspects lured investors through fake crypto platforms and laundered the proceeds via complex blockchain transactions.

Scattered LAPSUS$ Hunters Emerges as Extortion-as-a-Service Cybercriminal Alliance 

A new cybercriminal alliance called Scattered LAPSUS$ Hunters (SLH) has formed from members of Scattered Spider, ShinyHunters, and LAPSUS$. Operating under an Extortion-as-a-Service model, SLH combines AI-driven social engineering, zero-day exploits, and a Telegram-based communication strategy to target SaaS and CRM providers. 

Data Broker Report Finds EU Officials’ Location Data for Sale, Characterized as a ‘Priority Security Threat’

An investigation has revealed that detailed phone locations of senior EU officials are being sold by data brokers, exposing serious privacy and national security risks. The dataset contained 278 million location points across Belgium, including movements of staff at the European Commission and Parliament. EU authorities have issued guidance to mitigate tracking threats.

Microsoft Teams Flaws Allowed Message Editing and Caller ID Spoofing

Researchers discovered multiple vulnerabilities in Microsoft Teams that enabled attackers to edit messages invisibly, spoof notifications, and forge caller identities. The flaws, disclosed by Check Point Research and patched by Microsoft, highlighted how threat actors could manipulate trust cues. Experts warn that as enterprise reliance on tools like Teams grows, so does their appeal as targets for social engineering and executive impersonation campaigns.

New Malware Uses AI to Adapt During Attacks

A new report describes malware families such as “PromptSteal” and “PromptFlux” that query large language models (LLMs) at runtime to generate commands and rewrite their own code, a new evasion technique. Although the technique is still experimental, it signals a shift toward attackers using AI to scale and automate offensive operations.

New York Fiber Laser Expert Convicted of Stealing Trade Secrets for China in Economic Espionage Case

A New York federal jury convicted fiber laser expert Ji Wang of economic espionage and theft of trade secrets for China. He stole hundreds of confidential files from Corning Inc. related to DARPA-funded military laser technology. Prosecutors said Wang intended to use the data to start a fiber-laser business in China, posing a major national security risk to the United States.

Washington Post Confirms Oracle E-Business Suite Data Breach, Cl0p Ransomware Claims the Attack

The Washington Post confirmed it was among the victims of a breach tied to Oracle’s E-Business Suite platform. The Cl0p ransomware group claimed responsibility and listed the newspaper on its leak site. The campaign is believed to have compromised data from more than 100 organizations running Oracle’s applications.

Italian Political Consultant Francesco Nicodemo Targeted with Paragon Spyware

Italian political consultant Francesco Nicodemo disclosed he was targeted with Paragon spyware, drawing attention to the ongoing surveillance scandal. WhatsApp notified him of the attempted intrusion in January, as part of a wider campaign affecting journalists and activists. 

Nevada Government Declined To Pay Ransom, Says Cyberattack Traced To Breach In May 

Nevada officials refused to pay a ransom after a cyberattack affected more than 60 state systems across multiple agencies. The breach, traced to a backdoor planted months earlier, triggered a 28-day recovery operation. Investigators said the attackers deleted backup volumes before deploying encryption in order to maximize disruption. Despite severe operational strain, the state restored services without yielding to the extortion demands.

Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation

Researchers found nine malicious NuGet packages that appear legitimate but contain hidden, time-triggered sabotage code. The most severe, Sharp7Extend, targets factory systems and can crash them within minutes of installation. Other variants are set to activate years later (2027–2028), which makes detection and response extremely difficult, since the package behaves normally through testing and well into production.
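A logic bomb of this kind is, at its simplest, a comparison between the system clock and a hard-coded future date that gates a destructive branch. The script below is an added example, not code from the report or from the packages it describes: it scans C# source (for example the output of a decompiler) for `DateTime.Now`/`UtcNow`/`Today` compared against a literal date, and flags any gate whose trigger date lies after a supplied build date. The sample source, the `Sharp7Helper` class and its method names are constructed for illustration and are not taken from the real packages.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample of what a time-gated payload might look like in C# source.
# Hypothetical code for illustration; not taken from the reported packages.
SAMPLE_CS = """
public static class Sharp7Helper
{
    public static void Connect(string ip)
    {
        if (DateTime.UtcNow > new DateTime(2027, 8, 1))
        {
            Environment.Exit(1);
        }
        DoRealWork(ip);
    }
    public static void Ping()
    {
        if (DateTime.Now >= DateTime.Parse("2028-01-15"))
        {
            throw new InvalidOperationException("boom");
        }
    }
    public static bool IsExpired(DateTime licenseEnd)
    {
        return DateTime.Now > licenseEnd;   // data-driven, not hard-coded: not flagged
    }
}
"""

# Clock read on the left-hand side of the comparison.
CLOCK = r"DateTime\.(?:UtcNow|Now|Today)"
# Literal date on the right-hand side: either a constructor call or a parsed ISO string.
CTOR = r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})"
PARSE = r"DateTime\.Parse(?:Exact)?\s*\(\s*\"(\d{4})-(\d{2})-(\d{2})"
CMP = r"\s*(?:>=|>|<=|<)\s*"
PATTERN = re.compile(rf"{CLOCK}{CMP}(?:{CTOR}|{PARSE})")


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned source
    trigger: date    # the hard-coded date the gate compares against
    snippet: str     # the offending line, stripped


def find_time_gates(source: str, build_date: str) -> list[Finding]:
    """Return every clock-vs-literal comparison whose literal date is after build_date.

    build_date is an ISO date string (e.g. the package's publish date). A gate that
    only fires after that date is the signature of a delayed logic bomb; gates in
    the past are more likely ordinary expiry or migration checks.
    """
    built = date.fromisoformat(build_date)
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for m in PATTERN.finditer(text):
            # Only one alternative matched, so keep the three non-None groups.
            y, mo, d = (int(g) for g in m.groups() if g is not None)
            try:
                trigger = date(y, mo, d)
            except ValueError:      # e.g. month 13: not a real date, skip it
                continue
            if trigger > built:
                findings.append(Finding(lineno, trigger, text.strip()))
    return findings


if __name__ == "__main__":
    for f in find_time_gates(SAMPLE_CS, "2025-11-10"):
        print(f"line {f.line}: fires after {f.trigger.isoformat()}: {f.snippet}")
```

The regex only catches the clock-on-the-left form and literal dates; a gate written as `new DateTime(...) < DateTime.Now`, a date assembled from arithmetic, or a check hidden in IL that a decompiler does not render cleanly will slip past it. Treat a hit as a triage lead to confirm by inspection, not as a verdict, and treat a clean scan as no guarantee.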

How Experts Read This Week’s Cyber Landscape

We reached out to security leaders to understand how they view the week’s unfolding threats, defenses, and the shifting balance between innovation and risk. And this is what they said.

Kasey Best of Silent Push says insider threats now include U.S. employees, not just offshore staff. She warns financial pressure or personal gain often drives double-agent behavior, urging stronger audits and oversight.

“Identity security will soon dominate defense strategies,” said Matt Mullins of Reveal Security. “With malware-less breaches on the rise, detecting behavioral anomalies after authentication is critical. Zero Trust simply cannot work without strong identity management.”

Jeff Williams, Co-Founder and CTO of Contrast Security, predicted that 2026 will mark the year AppSec moves into production. He described a shift from scanning artifacts to continuously watching running systems and from static problem lists to dynamic understanding, enabling teams to see what’s active, vulnerable, and under attack in real time.

David Norlin, CTO of Lumifi Cyber, warned of major compromises involving AI-connected services in email, workplace tools, and SaaS platforms as organizations rush to deploy agentic systems that receive unfiltered external input. Comparing this wave to past injection-style attacks, he cautioned that misconfigured agents tied to backend data could expose sensitive information if not properly isolated and monitored.

As attackers weaponize AI, defenders are racing to keep pace. As Naomi Buckwalter of Contrast Security noted, threat hunting still relies heavily on manual effort, and meaningful automation will come only when security tools evolve toward standardized, AI-compatible integration.

These perspectives underscore a rapidly accelerating year, one in which defenders are striving to keep pace with fast-evolving threats.

