Weekly Cybersecurity Roundup: Extortion Stumbles, Trust Gets Tested, and Investigators Close In
Not every extortion attempt ended with a payday this week. Stolen data from 7-Eleven franchise records and Ameriprise Financial still surfaced online, but in both cases the organizations appear to have refused to pay. Meanwhile, a cloud storage exposure at a prison communications provider showed that neither enterprise data nor inmate information is safe when storage is left publicly accessible.
Dutch authorities delivered two notable victories, seizing more than 800 servers tied to suspected cyberattack infrastructure and arresting a suspect linked to the AFC Ajax breach.
From phishing emails to counterfeit medicines, attackers continued to exploit familiar touchpoints. Adobe infrastructure was abused in a LinkedIn-themed campaign, while U.S. authorities concluded a years-long investigation into a darknet drug trafficking network that manufactured and distributed counterfeit prescription pills linked to multiple overdose deaths.
TrapDoor Malware Campaign Poisons npm, PyPI, and Crates.io Packages to Loot Developer Secrets
A supply chain operation named TrapDoor is targeting developers through malicious packages uploaded to npm, PyPI, and Crates.io; researchers have identified more than 34 harmful packages and over 384 related artifacts. The campaign targets the crypto, DeFi, Solana, and AI developer communities, stealing SSH keys, browser logins, wallet extensions, API tokens, AWS credentials, and local development files from infected systems. The earliest known package, eth-security-auditor 0.1.0, appeared on PyPI on May 22, carrying a name that reads like a legitimate auditing tool.
7-Eleven Franchisee Data Leak Confirmed After ShinyHunters Extortion Attempt
Over 185,000 accounts linked to 7-Eleven were exposed after the ShinyHunters threat group leaked data stolen during an April 2026 extortion campaign. The breach, later added to Have I Been Pwned on May 24, included names, email addresses, phone numbers, dates of birth, and physical addresses. Attackers published a 9.4GB archive after the company allegedly refused to meet extortion demands. The exposed dataset appears consistent with administrative franchise records, though some entries reportedly contained additional unspecified data fields beyond standard contact information.
From Data Halls to Handcuffs: Dutch Raid Targets Alleged Cyberattack Pipeline
Dutch authorities arrested two men and confiscated over 800 servers during an investigation into hosting infrastructure used to support disinformation and sanctions evasion across Europe. The Dutch Fiscal Information and Investigation Service (FIOD) said the suspects were tied to interconnected hosting entities, including Stark Industries Solutions, PQHosting, MIRhosting, and WorkTitans BV. Investigators carried out coordinated raids in business offices and major data centers, seizing phones, laptops, and server infrastructure. Reports linked parts of the network to attacks against Danish government institutions during the week of Denmark’s 2025 municipal elections.
Ameriprise Financial Data Breach Turns Failed Extortion Talks Into 200GB Data Leak
A March 2026 breach at Ameriprise Financial has now been added to Have I Been Pwned (HIBP), revealing that 502,600 accounts were exposed after the ShinyHunters group allegedly leaked over 200GB of stolen data. The attackers reportedly pulled information from the firm’s Salesforce environment and internal SharePoint systems before launching a “pay or leak” extortion attempt that escalated after negotiations failed. While Ameriprise’s regulatory filing disclosed 47,876 affected individuals, the broader HIBP dataset includes hundreds of thousands of email addresses tied to customers, staff, and operational contacts.
Lithuania Probes State Registry Breach After Misused Government Credentials Expose Records
Lithuanian authorities are investigating a breach involving over 600,000 records stolen from the country's Centre of Registers, allegedly by misusing legitimate government login credentials. The intrusion affected Lithuania's Real Estate and Legal Entities Registers, exposing names, birth dates, national identification numbers, addresses, and cadastral records. Officials estimated financial damages at more than €111,000, while opposition leader Laurynas Kasciunas claimed the compromise leveraged access connected to systems used by Lithuania's Department of Migration under the Interior Ministry.
Dutch Police Bring AFC Ajax API Breach Suspect onto the Pitch Amid Ticket Manipulation Probe
Dutch authorities have arrested a 35-year-old man suspected of carrying out multiple intrusions into the IT systems of football club AFC Ajax. Investigators linked him to a compromise involving exposed APIs and shared access keys, weak API security that, according to the disclosure first made in March, allowed unauthorized access to supporter information, stadium bans, season tickets, and user accounts. The suspect had previously identified a separate Ajax data leak in 2017 and was reportedly instructed to stay away from the club's systems after signing a confidentiality agreement.
LinkedIn Phishing Campaign Misuses Adobe Tracking Service
Cybercriminals are abusing Adobe's Target platform in a LinkedIn-themed phishing campaign that hides credential theft behind fake business collaboration emails and attachments. The attachments are HTML files named to look like PDFs, using a "pdf.html" double extension so that a file such as proposal.pdf.html opens in the browser while showing "pdf" to a casual reader. Obfuscated script then renders a counterfeit LinkedIn login page with the victim's email address prefilled to add legitimacy. Adobe Target infrastructure serves as a redirection and victim-tracking layer, a misuse of a trusted marketing and analytics platform that lets the links pass through a reputable domain. Once credentials are entered, they are posted to a PHP endpoint hosted on a Russian domain, and the victim is then redirected to the legitimate LinkedIn site.
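The attachment trick above is easy to catch in a mail gateway or a triage script if you check both the filename and the file's real content. The following is an added example (not code from the original article or from the researchers who reported the campaign) that flags double extensions, HTML content hiding under a document extension, embedded password fields, and common script-decoding primitives; the sample attachments, filenames and domain names in it are constructed for the demonstration.

```python
import re
from typing import Set

HTML_EXT = {"html", "htm", "shtml", "xhtml"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}

# Constructed sample attachments (filename -> leading bytes). These are
# illustrative, not files recovered from the campaign described above.
SAMPLES = {
    "Q3_collaboration_proposal.pdf.html": (
        b'<html><body><script>document.write(atob("PGZvcm0+"))</script>'
        b'<form action="https://example.invalid/post.php" method="post">'
        b'<input type="email" value="alice@example.com">'
        b'<input type="password" name="pw"></form></body></html>'
    ),
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>",
    "notes.txt": b"Meeting notes for Thursday",
}


def sniff(data: bytes) -> str:
    """Identify the real format from the leading bytes, ignoring the filename."""
    head = data.lstrip()[:512].lower()
    if head.startswith(b"%pdf-"):
        return "pdf"
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def assess(filename: str, data: bytes) -> Set[str]:
    """Return a set of risk tags; an empty set means nothing suspicious was found."""
    tags: Set[str] = set()
    exts = filename.lower().split(".")[1:]
    final, inner = (exts[-1] if exts else ""), exts[:-1]
    # "report.pdf.html": the name advertises a document, the OS hands it to a browser.
    if final in HTML_EXT and any(e in DOC_EXT for e in inner):
        tags.add("double_extension")
    kind = sniff(data)
    # The bytes are HTML but the extension claims otherwise (e.g. renamed to .pdf).
    if kind == "html" and final not in HTML_EXT:
        tags.add("extension_mismatch")
    if kind == "html":
        low = data.lower()
        # A password field inside a mailed HTML file is a credential-harvesting form.
        if b'type="password"' in low or b"type='password'" in low:
            tags.add("credential_form")
        # Decoding primitives commonly used to hide the phishing page source.
        if re.search(rb"atob\(|unescape\(|fromcharcode\(", low):
            tags.add("obfuscated_script")
    return tags


def scan(samples=SAMPLES):
    """Assess every sample; returns {filename: tags} for the suspicious ones only."""
    results = {name: assess(name, data) for name, data in samples.items()}
    return {name: tags for name, tags in results.items() if tags}


if __name__ == "__main__":
    for name, tags in scan().items():
        print(f"{name}: {', '.join(sorted(tags))}")
```

Content sniffing matters more than the name check: an attacker can drop the double extension entirely and rely on the mail client rendering an `.html` attachment, so treat any HTML attachment with a password field as a phishing page regardless of what the filename says.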
Carnival Passenger Data Exposure Linked to Employee Deception Tactics
Carnival Corp disclosed that attackers accessed a section of its internal systems in April after deceiving an employee through social engineering. The attackers reached passenger information, potentially including contact details and government-issued identification numbers such as passport and driver's license details. The disclosure surfaced shortly after ShinyHunters claimed to possess 8.7 million records, and the breach has already triggered multiple lawsuits from former passengers. The episode is another reminder that social engineering bypasses enterprise defenses without needing malware-heavy intrusion methods.
Federal Investigators Bring Down Darknet Pill Ring as Fourth Defendant Faces Prison
Federal authorities have sentenced the fourth and final member of a Massachusetts darknet drug trafficking conspiracy that manufactured and distributed counterfeit prescription pills and was linked to multiple fatal overdoses across the United States. The group used darknet marketplaces and the U.S. Postal Service to sell fake Oxycodone, Adderall, and Xanax tablets secretly laced with fentanyl, methamphetamine, Bromazolam, and the ultra-potent synthetic opioid Pyro. Investigators linked the operation to at least 12 overdose deaths. The final sentencing closes a years-long investigation led by Homeland Security Investigations alongside the FBI, DEA, and CBP, with the four defendants collectively receiving more than 57 years in federal prison.
FortiClient EMS Flaw Abused to Push Fake Fortinet Patch Carrying EKZ Infostealer
Threat actors are exploiting CVE-2026-35616 in FortiClient Endpoint Management Server (EMS) to distribute credential-stealing malware disguised as an official Fortinet security patch. According to Arctic Wolf Labs, the flaw lets unauthenticated attackers bypass API authentication on the EMS server and push a malicious payload to the endpoints it manages, where it arrives looking like a legitimate fix. The patch distribution mechanism built to protect enterprise devices is thereby turned into the delivery channel for infostealer malware, which is why packages pushed from a management server deserve verification against the vendor's published signatures and release notes rather than trust on the strength of the channel alone. The EKZ Infostealer reportedly harvested saved browser passwords, session cookies, credit card data, addresses, and phone numbers.
Fake FIFA Ticket and Career Sites Flood the Internet Ahead of 2026 World Cup
Cybercriminals are rapidly launching fake FIFA-themed websites ahead of the 2026 FIFA World Cup, exploiting the global excitement surrounding the tournament. They are targeting personal data, selling fraudulent tickets, and potentially facilitating broader scams, according to a new FBI and IC3 advisory. Investigators observed a surge of typo-squatted and spoofed domains designed to closely imitate official FIFA infrastructure. What stands out is the sheer scale of the impersonation campaign, where attackers are building an entire parallel ecosystem of FIFA services ranging from careers and hospitality to merchandise and World Cup ticketing.
Fake Signal Support Messages Target Backup Recovery Keys in New Phishing Wave
Threat actors are impersonating Signal Support in a phishing campaign designed to steal the recovery keys that protect Signal Secure Backups. Whoever holds that key can restore the encrypted cloud backup, so a stolen key potentially exposes the victim's archived message history. Signal does not contact users to ask for this key, so any such request is fraudulent by definition. Reports of the activity surfaced on May 27 after screenshots of the fraudulent messages were shared online, and researchers subsequently received reports from unrelated individuals who encountered the same lure, suggesting the operation is reaching beyond political targets.
Lawmakers Push Pentagon to Tighten Smartphone Tracking Protections for Troops
U.S. lawmakers are urging the Department of Defense to strengthen smartphone security after reports that foreign adversaries used commercially available geolocation data to monitor American military personnel in the Middle East. The concern centers on advertising-related location data collected from smartphones and sold through data brokers, which can reveal troop concentrations and movement patterns. Current policies do not require service members to disable geolocation features on personal devices in active conflict zones.
Pay Tel Cloud Exposure Leaks Inmate Records and 300,000 Identity Documents
A cloud storage server managed by prison communications provider Pay Tel was left publicly accessible, exposing over 300,000 scans of driver's licenses and other identity documents. The Microsoft Azure-hosted repository also contained inmate communications, including text messages, handwritten notes, financial records, profile photos, and images exchanged with family members. Data tied to 387 correctional facilities was reportedly referenced in the dataset. Some uploaded images still carried their embedded location metadata (the GPS coordinates a phone camera writes into a photo's EXIF tags), which can reveal precise real-world locations, including residential addresses, a significant privacy concern for affected individuals.
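Whether an image carries location data is mechanical to check, and stripping it before storage or publication is equally mechanical. The block below is an added example, not Pay Tel's code or anything from the original report: it constructs a minimal JPEG with an Exif GPS IFD (the coordinates and the comment segment are made up for the demo), reads the latitude and longitude back by walking the TIFF structure, and then rebuilds the file without the Exif segment. It handles only the baseline layout a phone camera writes (a GPS IFD pointer in IFD0, rational degree/minute/second values); production files should go through a maintained library, but the parser shows exactly what a checker has to read.

```python
import struct

GPS_IFD_POINTER = 0x8825
ASCII, RATIONAL = 2, 5


def build_exif_jpeg(lat: float, lon: float) -> bytes:
    """Constructed minimal JPEG (SOI, COM, APP1/Exif with a GPS IFD, EOI); no image data."""
    def dms(v: float) -> bytes:
        v = abs(v)
        d = int(v)
        m = int((v - d) * 60)
        s = (v - d - m / 60) * 3600
        # three RATIONALs: degrees/1, minutes/1, seconds*10000/10000
        return struct.pack(">IIIIII", d, 1, m, 1, int(round(s * 10000)), 10000)

    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)               # big-endian TIFF header, IFD0 at 8
    tiff += struct.pack(">H", 1)                                 # IFD0: one entry
    tiff += struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)      #   LONG -> GPS IFD at offset 26
    tiff += struct.pack(">I", 0)                                 #   no next IFD
    tiff += struct.pack(">H", 4)                                 # GPS IFD: four entries
    tiff += struct.pack(">HHI", 1, ASCII, 2) + lat_ref + b"\x00\x00\x00"  # GPSLatitudeRef, inline
    tiff += struct.pack(">HHII", 2, RATIONAL, 3, 80)                       # GPSLatitude -> data at 80
    tiff += struct.pack(">HHI", 3, ASCII, 2) + lon_ref + b"\x00\x00\x00"  # GPSLongitudeRef, inline
    tiff += struct.pack(">HHII", 4, RATIONAL, 3, 104)                      # GPSLongitude -> data at 104
    tiff += struct.pack(">I", 0)
    assert len(tiff) == 80
    tiff += dms(lat) + dms(lon)
    exif = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 2 + 9) + b"sample-ok"  # harmless comment segment
    return b"\xff\xd8" + com + app1 + b"\xff\xd9"


def _segments(jpeg: bytes):
    """Yield (marker, payload) for each JPEG header segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("bad marker")
        marker = jpeg[i + 1]
        if marker == 0xD9:                 # EOI
            yield marker, b""
            return
        if marker == 0xDA:                 # SOS: entropy-coded data follows, keep verbatim
            yield marker, jpeg[i + 2:]
            return
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield marker, jpeg[i + 4:i + 2 + length]
        i += 2 + length


def _read_ifd(t: bytes, end: str, off: int):
    n = struct.unpack(end + "H", t[off:off + 2])[0]
    for k in range(n):
        e = off + 2 + 12 * k
        tag, typ, cnt = struct.unpack(end + "HHI", t[e:e + 8])
        yield tag, typ, cnt, t[e + 8:e + 12]


def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees if the Exif GPS IFD carries them, else None."""
    for marker, payload in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        t = payload[6:]
        end = {b"MM": ">", b"II": "<"}[t[:2]]
        ifd0 = struct.unpack(end + "I", t[4:8])[0]
        gps_off = next((struct.unpack(end + "I", v)[0]
                        for tag, _, _, v in _read_ifd(t, end, ifd0) if tag == GPS_IFD_POINTER), None)
        if gps_off is None:
            return None
        f = {}
        for tag, typ, cnt, v in _read_ifd(t, end, gps_off):
            if typ == ASCII:
                f[tag] = v[:cnt].rstrip(b"\x00").decode()
            elif typ == RATIONAL:          # 8-byte values live out of line at the given offset
                o = struct.unpack(end + "I", v)[0]
                nums = struct.unpack(end + "II" * cnt, t[o:o + 8 * cnt])
                f[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * cnt, 2)]
        if 2 not in f or 4 not in f:
            return None
        to_deg = lambda x, ref: (x[0] + x[1] / 60 + x[2] / 3600) * (-1 if ref in ("S", "W") else 1)
        return to_deg(f[2], f.get(1, "N")), to_deg(f[4], f.get(3, "E"))
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the file without any APP1/Exif segment; every other segment is kept."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in _segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            continue
        if marker in (0xD9, 0xDA):
            out += b"\xff" + bytes([marker]) + payload
        else:
            out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


if __name__ == "__main__":
    img = build_exif_jpeg(52.3676, 4.9041)   # constructed coordinates
    print("before:", extract_gps(img))
    print("after: ", extract_gps(strip_exif(img)))
```

Dropping the whole APP1 segment is the safe choice for an upload pipeline: selectively zeroing the GPS tags leaves other identifying fields (device serial, timestamps, thumbnails) in place, and a thumbnail can leak the original image even after the main picture has been cropped.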
Fraudsters Reach the End of the Line as Ukraine-Latvia Probe Shuts Scam Call Center
A joint investigation by authorities in Latvia and Ukraine has dismantled a scam call center in Kharkiv. The operation targeted people who had already lost money to previous scams, falsely claiming they could recover their funds while extracting additional payments. The group used fake investment opportunities, like cryptocurrency-related offers, fabricated profit reports, and unauthorized credit agreements to deceive victims. A coordinated enforcement action on May 26 resulted in four arrests and the seizure of devices, vehicles, and other evidence.
A Trojan Horse by Any Other Name
Developers found themselves in attackers' sights. At the same time, Latvia and Ukraine demonstrated what coordinated action can achieve, dismantling a scam call center operation that preyed on people already victimized by fraud.
Criminals abused systems and services designed to create trust, and attackers turned a Fortinet flaw into a fake security update. That makes timely patching and verification more important than ever.
If security tools themselves become part of the lure, will the next attack arrive disguised as something users are taught to trust?