Global Crackdowns, Major Arrests, and AI Security Fixes Mark February’s Close

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Arrests, indictments, and convictions maintained continued pressure on ransomware, fraud networks, and insider threats, while criminal activity spanned the airline, energy, healthcare, and education sectors, reflecting broad sector exposure.

Governance issues are becoming harder to ignore as enterprises race to adopt AI while struggling to secure codebases, third-party components, and non-human identities. Operational challenges after a cyber incident pushed a crypto platform to shut its doors.

Meanwhile, researchers surfaced new malware, evasive backdoors, and developer-centric attack chains, with critical weaknesses discovered in AI tools such as OpenClaw and Claude workflows. The message is clear that as AI becomes embedded in daily operations, attackers are moving quickly to test its edges.

Spanish Police Arrest Two Over Anonymous Fénix DDoS Campaign

Spanish authorities detained two individuals alleged to be members of Anonymous Fénix, a splinter of the global hacktivist collective. The Guardia Civil carried out arrests last week in Ibiza and Móstoles, Madrid. Officials said the suspects orchestrated a series of Distributed Denial of Service attacks targeting government ministries, political parties, and other public institutions.

Airline Scams Surge with 11,600 Suspicious Domains Detected

Scams and impersonation attacks are leveraging the airline industry. BforeAI researchers observed a total of 1,799 suspicious domains between September and December 2025, targeting over 35 global airlines. Across the 2025 end-of-year holiday rush and into the start of the new year, their team observed over 11,600 suspicious domains targeting the airline industry. Campaigns span phishing, investment scams, and betting, among others.

Ransom Group Claims 400 GB Theft From Energy, Construction Firms

INC Ransom added ACWA Power and Larsen & Toubro to its leak site on February 24, 2026. The group claims it exfiltrated 400 GB of data from the two firms. Posted samples allegedly include ISO certifications, technical specifications, engineering drawings, invoices, and project documentation. Both companies operate in the energy and large-scale infrastructure sectors. The claims follow a double extortion model designed to pressure victims into payment. Internal documents were shared as proof of compromise. The full scope and impact remain unverified.

UAT-10027 Targets U.S. Education and Healthcare With DoH Backdoor

Threat actor UAT-10027 is targeting U.S. education and healthcare organizations using a custom backdoor known as Dohdoor, according to Cisco Talos research. The malware leverages DNS over HTTPS for command and control communications, routing traffic through legitimate cloud services such as Cloudflare to blend with normal encrypted DNS. Dohdoor establishes covert backdoor access, enabling data theft, lateral movement, persistent Cobalt Strike deployment, and long-term network compromise across targeted education and healthcare environments.
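Because Dohdoor hides its C2 inside DNS over HTTPS to a legitimate resolver, the detection question for defenders is which internal hosts are speaking DoH at all. The following is an added example for this roundup, not Cisco Talos code: it hunts DoH egress in constructed proxy log lines, matching on resolver host, the RFC 8484 /dns-query path, or the application/dns-message content type, and ignores an allowlisted corporate resolver. The log format, resolver list and allowlist are assumptions to adapt to your own telemetry.

```python
"""Flag internal clients sending DNS-over-HTTPS requests through the proxy.
Added example, not vendor code; log format and resolver list are assumptions."""
import re
from collections import Counter

# Public DoH endpoints (starter list; maintain your own from telemetry).
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "1.1.1.1",
             "1.0.0.1", "dns.google", "dns.quad9.net"}
# Clients permitted to speak DoH directly, e.g. the corporate resolver.
ALLOWED_CLIENTS = {"10.0.0.53"}

# Assumed proxy line layout: "<client> <method> <url> <content-type>"
LINE = re.compile(r"^(?P<src>\S+) (?P<method>GET|POST|CONNECT) "
                  r"(?P<url>\S+) (?P<ctype>\S+)$")

def doh_suspects(log_lines, min_hits=3):
    """Return {client: count} for non-allowlisted clients with at least
    min_hits DoH requests. A request counts as DoH if the host is a known
    resolver, the path ends in /dns-query, or the content type is
    application/dns-message, so unlisted resolvers are still caught."""
    hits = Counter()
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed line; a real hunt would log these
        src, url, ctype = m["src"], m["url"], m["ctype"]
        host, _, rest = re.sub(r"^https?://", "", url).partition("/")
        host = host.split(":")[0]            # drop :443 on CONNECT lines
        path = "/" + rest.split("?")[0]      # drop the query string
        is_doh = (host in DOH_HOSTS or path.rstrip("/").endswith("/dns-query")
                  or ctype == "application/dns-message")
        if is_doh and src not in ALLOWED_CLIENTS:
            hits[src] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}

# Constructed sample lines (not captured traffic). The last line shows why the
# path check is anchored: "/dns-query-report" must not count as DoH.
SAMPLE_LOG = [
    "10.1.4.22 POST https://cloudflare-dns.com/dns-query application/dns-message",
    "10.1.4.22 POST https://cloudflare-dns.com/dns-query application/dns-message",
    "10.1.4.22 CONNECT cloudflare-dns.com:443 -",
    "10.1.4.22 GET https://example.com/index.html text/html",
    "10.1.7.9 GET https://dns.google/resolve?name=example.com application/json",
    "10.0.0.53 POST https://cloudflare-dns.com/dns-query application/dns-message",
    "10.1.9.3 POST https://internal.corp/api/v1/dns-query-report application/json",
]
```

Run over SAMPLE_LOG, only 10.1.4.22 crosses the default threshold; lowering min_hits to 1 also surfaces the single dns.google lookup from 10.1.7.9, which is the kind of low-volume beacon worth a second look.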

Scattered Lapsus$ Hunters Look for Women Operators for Vishing 

The Scattered Lapsus$ Hunters cybercrime group is actively recruiting women on public channels to conduct voice phishing attacks. Recruits are incentivized with $500 to $1,000 per call and are provided with pre-written scripts to target IT help desks. SLH is a group formed by an alliance of Lapsus$, Scattered Spider, and ShinyHunters that aims for high-profile corporate breaches. The tactics signal an effort to diversify the group's social engineering campaigns.

AI-Driven Development Outpaces Enterprise Security and Governance

An analysis of 947 commercial codebases across 17 industries finds AI-assisted development moving faster than enterprise security can keep up. The report shows average open-source vulnerabilities per codebase rising 107% to 581%, with 44% containing critical flaws. Licensing conflicts affect 68% of audited codebases, exposing companies to legal and compliance risk. The report also flags “zombie components”: 93% of codebases rely on software that has been inactive for two years, and only 7% use the latest versions. While 97% of organizations use open source AI models, governance frameworks lag behind adoption.

Claude Code Flaws Enabled RCE and API Token Theft

Researchers disclosed critical vulnerabilities in Anthropic’s Claude Code tool that enabled remote code execution and API token theft. Exploitation of the flaws, tracked as CVE-2025-59536 and CVE-2026-21852, could allow attackers to embed malicious commands in project configuration files to compromise developers opening untrusted repositories. The issue involved automatic shell execution through Hooks and Model Context Protocol features. Anthropic said patches were deployed prior to public disclosure.

OpenClaw Flaw Exposes Developers to AI Agent Takeover Risk

Researchers disclosed a high-severity vulnerability in OpenClaw, a rapidly adopted AI agent, that could allow any website to take control of a locally running agent. The flaw stemmed from misplaced trust in localhost connections and missing rate limits on password attempts. Researchers achieved full administrative control, including the ability to execute commands and access connected services. Successful compromise could expose API keys, messaging data, and local system access in enterprise environments. There is no public evidence of widespread in-the-wild exploitation, and a patch has been released.

$40 Million Hack Forces Crypto Platform Shutdown

Step Finance shut down after a January 31 breach led to the theft of about $40 million. The company said executive team devices were compromised during the attack. It explored financing and acquisition options but failed to secure a viable path forward, prompting an immediate wind-down. Associated projects SolanaFloor and Remora Markets were also closed. About $3.7 million in Remora assets and $1 million in other coins were recovered, and reimbursement plans were outlined.

UK Fines Reddit Over Children’s Data and Age Checks

The UK Information Commissioner’s Office fined Reddit about $19.5 million for failing to implement effective age verification controls. Reliance on self-declared ages allowed children under 13 to access the platform. The ICO found Reddit lacked a lawful basis to collect and use children’s data and failed to complete a required data protection impact assessment before January 2025. The enforcement forms part of a broader campaign targeting platforms that depend on self-declaration for age checks. Reddit said it does not require identity information due to privacy concerns and plans to appeal the decision.

Russia Opens Criminal Investigation Into Telegram Founder

Russian authorities have opened a criminal investigation against Telegram founder Pavel Durov on charges of “facilitating terrorism.” Officials cite alleged misuse of Telegram for criminal activity, claims that Durov has dismissed as pretexts to increase control over the platform and restrict access in Russia. Russia’s actions follow recent restrictions on Telegram and a push toward state-backed alternatives.

Greek Court Convicts Four in Predator Spyware Case

A Greek misdemeanor court convicted Intellexa founder Tal Dilian and three associates over the Predator spyware scandal. The defendants were found guilty of unlawful access to communications and data privacy violations. The court imposed a combined sentence of 126 years and eight months, with a maximum enforceable term of eight years under Greek law. Predator was used to target at least 87 individuals in Greece, including politicians, journalists, and senior officials. Prosecutors referred elements of the case for further investigation into potential additional offenses, including espionage.

Project Compass Disrupts “The Com” Network Across 28 Countries

Europol’s Project Compass has disrupted activities linked to “The Com,” a decentralized extremist network targeting minors and vulnerable individuals online. The initiative safeguarded four victims, identified 62 others, and found 179 perpetrators, leading to 30 arrests. Coordinated by Europol’s European Counter Terrorism Centre, the operation brings together law enforcement agencies from 28 countries. The network used social media, messaging platforms, gaming, and streaming services to recruit and impact young targets.

Forex Card Fraud Attempts Trigger Service Disruptions

BookMyForex, the foreign exchange subsidiary of Indian travel company MakeMyTrip, reported unauthorized international transaction attempts on YES Bank–issued multi-currency prepaid forex cards. Customers traveling abroad said their balances were reduced to zero, and SMS alerts showed attempted debits in U.S. dollars and Brazilian real. The company stated its own systems were not breached and that no customer data was compromised. YES Bank identified unusually high volumes of declined transactions and blocked malicious activity.

Olympique Marseille Confirms Attempted Cyberattack After Leak Claims 

French football club Olympique de Marseille confirmed it was targeted in an attempted cyberattack after a threat actor claimed to have breached its systems. The attacker leaked a sample dataset and alleged theft of a database of 400,000 individuals, including names, addresses, email addresses, mobile numbers, and order details. The claimed data also included over 2,050 Drupal CMS accounts linked to staff and contributors. The club stated operations continue normally following containment measures.

Trojanized Gaming Utilities Spread Java-Based RAT via Browsers and Chat Platforms

Threat actors are distributing trojanized gaming utilities through web browsers and chat platforms to deploy a Java-based remote access trojan, according to Microsoft Threat Intelligence. The attack uses a malicious downloader that stages a portable Java runtime and executes a JAR file named jd-gui.jar, leveraging PowerShell and LOLBins such as cmstp.exe for stealth. The malware establishes persistence through a scheduled task and a Windows startup script called world.vbs while deleting initial artifacts and modifying Microsoft Defender exclusions. Once active, it connects to an external command-and-control server to exfiltrate data and deploy additional payloads. Separately, researchers detailed a new Windows RAT called Steaelite that combines credential theft, surveillance, and ransomware capabilities within a single web-based control panel.

Malicious Next.js Repositories Target Developers With Job-Themed Lures 

A coordinated campaign is targeting software developers with job-themed lures, distributing malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Microsoft Defender researchers said the repositories contain embedded execution triggers that activate when developers open the folder, start a dev server, or launch the backend service. The malicious code downloads a JavaScript backdoor that runs in memory within the Node.js process, enabling remote code execution and data exfiltration. The infection progresses through staged payloads that establish command-and-control communication, execute attacker-supplied JavaScript, and support file browsing and exfiltration. Microsoft advised developers to enable VS Code Workspace Trust, apply Attack Surface Reduction rules, monitor risky sign-ins, and minimize exposed secrets on development endpoints.
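Both the Claude Code disclosure above and this Next.js campaign rely on configuration a developer trusts simply by opening a folder or starting a dev server. The script below is an added example for this roundup (not code from Microsoft, Anthropic or any project named here): it triages a checkout before anything is opened and lists config entries that would run commands on dependency install, dev-server start, VS Code folder open, or assistant session start. The npm lifecycle names and VS Code's runOn: folderOpen task option are documented; the .claude/settings.json hook layout and the SessionStart event name are assumptions, as is the constructed sample checkout.

```python
"""Pre-open triage of an untrusted checkout: list config entries that run
commands automatically. Added example; the Claude Code hook layout is an
assumption, the npm and VS Code formats are as documented."""
import json

# npm scripts that run without an explicit `npm run <name>`, plus the
# dev/start scripts a developer launches by habit right after cloning.
NPM_AUTORUN = {"preinstall", "install", "postinstall", "prepare",
               "predev", "dev", "prestart", "start"}

def find_auto_exec_triggers(files):
    """files: mapping of repo-relative path -> file text. Returns findings as
    strings. JSON-with-comments files fail to parse and are skipped, so those
    still need a manual look."""
    findings = []
    for path, text in files.items():
        name = path.replace("\\", "/")
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            continue
        if name.endswith("package.json"):
            for script, cmd in data.get("scripts", {}).items():
                if script in NPM_AUTORUN:
                    findings.append(f"{name}: scripts.{script} -> {cmd}")
        elif name.endswith(".vscode/tasks.json"):
            for task in data.get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(f"{name}: folderOpen task -> {task.get('command')}")
        elif name.endswith(".claude/settings.json"):  # assumed hook layout
            for event, groups in data.get("hooks", {}).items():
                for group in groups:
                    for hook in group.get("hooks", []):
                        if hook.get("type") == "command":
                            findings.append(f"{name}: {event} hook -> {hook.get('command')}")
    return findings

# Constructed sample checkout (not artifacts from the reported campaigns).
SAMPLE_REPO = {
    "package.json": json.dumps({"scripts": {
        "postinstall": "node ./scripts/setup.js", "dev": "next dev", "test": "jest"}}),
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
        "label": "prep", "type": "shell", "command": "node .vscode/prep.js",
        "runOptions": {"runOn": "folderOpen"}}]}),
    ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [{
        "hooks": [{"type": "command", "command": "sh ./bootstrap.sh"}]}]}}),
}
```

Feed it the files of a real clone (for example by walking the tree and reading package.json, .vscode/tasks.json and .claude/settings.json) and review every finding before enabling Workspace Trust or running npm install.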

Defense Contractor Sentenced for Selling Cyber Exploits

An Australian national was sentenced to 87 months in U.S. prison for stealing and selling classified cyber-exploit components from a U.S. defense contractor to a Russian broker. Peter Williams, 39, pleaded guilty to two counts of trade secret theft after admitting he removed eight national security software components over three years. The tools were designed for exclusive U.S. government and allied use and could have enabled access to millions of devices. Williams executed written contracts with the broker and received cryptocurrency payments of up to $4 million, later spending proceeds on luxury goods and property.

Poland Charges 11 in Scheme Stealing 100,000 Facebook Logins

Poland’s Central Bureau for Combating Cybercrime charged 11 suspects over a cross-border operation that allegedly harvested more than 100,000 Facebook login credentials between May 2022 and May 2024. Authorities said the group used fake news websites and spoofed Facebook login pages to capture usernames and passwords. Prosecutors filed more than 400 charges, including participation in an organized criminal group, unauthorized account access, fraud, and money laundering. Six suspects were placed in pretrial detention, and assets worth approximately 1 million Polish złoty were seized. Investigators urged potential victims to verify whether their data was compromised and to report related financial losses, including fraud involving Poland’s BLIK payment system.

OnlyFake Operator Pleads Guilty to Selling 10,000 Digital IDs

A Ukrainian national pleaded guilty to operating OnlyFake, a website that sold more than 10,000 digitally fabricated identification documents. The platform generated fake U.S. driver’s licenses, passports, Social Security cards, and IDs from at least 56 countries. Customers paid in cryptocurrency, with bulk packages offering up to 1,000 fake IDs at a time. The documents were designed to bypass Know Your Customer checks at banks and crypto exchanges, enabling money laundering and identity concealment.

Moscow Man Charged With Impersonating FSB to Extort Conti

Russian authorities charged a Moscow resident with attempting to extort members of the Conti ransomware group by posing as an officer of the Federal Security Service. Investigators allege Ruslan Satuchin contacted a Conti affiliate in September 2022, claiming he could shield the group from prosecution in exchange for a large payment. The case marks a rare instance of pursuing charges linked to individuals targeting a ransomware network. Conti formally disbanded in 2022 after internal leaks, with members since linked to Akira and BlackBasta.

Enforcement Intensifies as Cybercrime Diversifies

Threat actors continued blending familiar and unconventional tactics, from job-themed lures against developers to large-scale harvesting of Facebook credentials and the industrial-scale creation of digital fake IDs. Law enforcement responses remained assertive.

Authorities pursued insider threat cases, dismantled DDoS activity, disrupted “The Com” network, and advanced prosecutions linked to spyware and fraud. Coordinated action by agencies in Spain, Poland, Greece, the United States, and Europol-led coalitions showed what cross-border collaboration can achieve.

In a rare twist, we also witnessed a Moscow resident allegedly attempting to extort members of a ransomware group. At the same time, threat actors were reported recruiting women with monetary incentives, signaling efforts aimed at successful social engineering.

Child safety and social media accountability remained a priority. The UK fined Reddit over age-verification failures while Russian authorities opened a criminal case against Telegram’s founder over alleged platform misuse.
