CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ShinyHunters and Scattered Spider Collaboration

First reported
Last updated
5 unique sources, 27 articles

Summary

Hide ▲

The **ShinyHunters and Scattered Spider collaboration**, operating under the **Scattered Lapsus$ Hunters (SLH) alliance**, has escalated its extortion and social engineering tactics in **early 2026** by **recruiting women for vishing attacks** targeting IT help desks, offering **$500–$1,000 per successful call** alongside pre-written scripts. This calculated evolution aims to exploit psychological biases and bypass traditional attacker profiles, increasing the success rate of impersonation and credential harvesting. The group continues to combine **technical intrusions** with **psychological harassment, swatting, and media manipulation** to coerce payments, while leveraging **legitimate services, residential proxies, and tunneling tools** (e.g., Ngrok, Luminati) to evade detection. The alliance’s latest developments include the **ShinySp1d3r RaaS platform**, **Zendesk phishing campaigns**, and **targeted intrusions against financial sectors**, demonstrating a **multi-pronged expansion** in both **technical sophistication** and **psychological warfare**. Their tactics now involve **recruiting diverse social engineering operatives**, deploying **virtual machines for post-exploitation reconnaissance**, and exploiting **cloud APIs (e.g., Microsoft Graph)** to access Azure environments. Despite law enforcement arrests and shutdown claims, SLH remains a **high-risk, low-trust threat actor**, with **no guarantee of data deletion** post-payment and a pattern of **rebranding to evade pressure**. Victims are advised to **refuse engagement** beyond a firm "no payment" stance, as compliance only fuels further escalation and harassment.

Timeline

  1. 31.01.2026 09:58 3 articles · 26d ago

    ShinyHunters Expands Vishing and SaaS Extortion Tactics in January 2026

    In **January 2026**, Mandiant and **Allison Nixon (Unit 221B)** documented a **new wave of vishing and credential-harvesting attacks** by **ShinyHunters and associated clusters (UNC6661, UNC6671, UNC6240)**, targeting **SaaS platforms** (Okta, SharePoint, OneDrive) and **cryptocurrency firms** for extortion. Attackers **impersonated IT staff**, directing employees to **fake credential-harvesting sites** to steal **SSO credentials and MFA codes**, then **registered their own MFA devices** to maintain persistent access. UNC6661 sent phishing emails from compromised accounts, deleting them post-delivery to evade detection, while UNC6671 used **PowerShell scripts** to exfiltrate data from SharePoint/OneDrive after gaining access via **victim-branded harvesting pages**. The groups differ in **domain registrars (NICENIC for UNC6661, Tucows for UNC6671)** and extortion email patterns, suggesting **multiple but interlinked threat actors**. **New insights from Unit 221B** reveal SLSH’s extortion model **mirrors violent sextortion schemes**, where victims are **harassed via swatting, DDoS, and threats of physical violence**—including against **executives’ families**—while the group **manipulates media coverage** to amplify pressure. Nixon warns that **negotiation incentivizes further harassment** and provides SLSH with intelligence on data value for future fraud, advising victims to **refuse payment** and treat extortion demands as a **separate issue from harassment**. The campaign highlights the group’s **escalation from technical intrusion to psychological coercion**, with **no guarantee of data deletion** post-payment. Google’s mitigation recommendations—**phishing-resistant MFA (FIDO2/passkeys), egress restrictions, and help desk verification reforms**—remain critical as SLSH continues to **exploit SaaS vulnerabilities** and **third-party trust relationships**. **February 2026 Update:** SLH is now **recruiting women for vishing attacks**, offering **$500–$1,000 per call** to IT help desks, alongside pre-written scripts. This tactical shift aims to **bypass traditional attacker profiles** by diversifying voices, increasing impersonation success rates. The group also **creates virtual machines post-access** for reconnaissance (e.g., Active Directory enumeration) and **exploits the Microsoft Graph API** to target Azure cloud resources, demonstrating a **deepening focus on identity and cloud infrastructure weaknesses**.

    Show sources
    Open in new tab
  2. 15.12.2025 23:27 2 articles · 2mo ago

    ShinyHunters Extorts PornHub via Mixpanel Analytics Breach

    On **November 8, 2025**, ShinyHunters compromised **Mixpanel**, a third-party analytics vendor, via an **SMS phishing (smishing) attack**, stealing **94GB of data** containing **201,211,943 records** of **PornHub Premium members’ historical search, watch, and download activity** from 2021 or earlier. The stolen data includes **email addresses, activity types (watched, downloaded, searched), video URLs, video names, associated keywords, locations, and timestamps**—highly sensitive information the group is now using to **extort Mixpanel customers**, including PornHub. ShinyHunters sent extortion emails beginning with **"We are ShinyHunters"**, demanding ransom payments to prevent public disclosure of the data. PornHub confirmed the breach impacted **select Premium users** but clarified that **no passwords, payment details, or financial information were exposed**, as the compromise originated from Mixpanel’s systems. **Mixpanel disputed the claim**, stating the data was last accessed by a legitimate PornHub employee account in 2023 and that there is **no evidence it was stolen during their November 2025 security incident**. This discrepancy raises questions about the data's origin, including potential **earlier breaches or insider involvement**. The incident marks a **significant expansion of ShinyHunters’ targeting**, moving beyond **Salesforce and CRM platforms** to exploit **analytics vendors** and **consumer-facing services**, further demonstrating the group's ability to **leverage third-party providers for high-impact extortion campaigns**.

    Show sources
    Open in new tab
  3. 27.11.2025 11:30 1 articles · 3mo ago

    Scattered Lapsus$ Hunters Launches Zendesk Phishing Campaign

    The **Scattered Lapsus$ Hunters (SLSH) alliance** has initiated a **new phishing campaign targeting Zendesk users**, deploying **over 40 typosquatted domains** (e.g., *znedesk[.]com*, *vpn-zendesk[.]com*) and **fraudulent helpdesk tickets** to harvest credentials and deploy **remote access trojans (RATs)**. The domains, registered via **NiceNic** with **US/UK registrant details** and **Cloudflare-masked nameservers**, mirror tactics used in the **August 2025 Salesforce campaign**, including **deceptive SSO portals** and **social engineering lures** aimed at support staff. ReliaQuest reports that **Discord** has already fallen victim, confirming a breach via its **Zendesk-based support system** that exposed user data, including **names, emails, billing information, IP addresses, and government-issued IDs**. The campaign underscores the group’s **expanding focus on high-value SaaS platforms** (Salesforce, Salesloft, Gainsight, and now Zendesk) to exploit **downstream customer data access**. While the activity aligns with SLSH’s modus operandi, ReliaQuest notes it could also be the work of a **copycat group** adopting similar phishing and credential-harvesting techniques. Organizations are urged to **monitor for typosquatted domains**, **audit helpdesk ticket submissions**, and **enhance endpoint protections** for support teams. This development follows the group’s **November 2025 unveiling of the ShinySp1d3r RaaS platform**, signaling a **multi-pronged escalation** in both **technical sophistication** and **target diversification**.

    Show sources
    Open in new tab
  4. 27.11.2025 09:03 1 articles · 3mo ago

    ShinyHunters-Scattered Spider-LAPSUS$ Alliance Unveils ShinySp1d3r RaaS Platform

    The **ShinyHunters-Scattered Spider-LAPSUS$ (SLSH) alliance** has developed **ShinySp1d3r**, a new **ransomware-as-a-service (RaaS) platform** combining advanced technical features with extortion-as-a-service (EaaS) capabilities. The platform includes **anti-forensic measures** such as hooking the *EtwEventWrite* function to disable Windows Event Viewer logging, terminating processes to bypass file locks, and filling free drive space with random data to overwrite deleted files. ShinySp1d3r also supports **network propagation** via *deployViaSCM*, *deployViaWMI*, and *attemptGPODeployment* to encrypt open network shares and spread laterally. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member and former BreachForums/HellCat ransomware administrator, who claims to have **cooperated with law enforcement since June 2025**. Rey describes ShinySp1d3r as a **rehashed version of HellCat ransomware modified with AI tools**. The SLSH alliance has been linked to **51 cyberattacks in the past year**, leveraging **insider recruitment, RaaS/EaaS hybrid models, and multi-vector monetization** to target organizations. Palo Alto Networks Unit 42 warns that the group’s **combined offerings and tactical adaptability** pose a formidable threat, particularly to **Salesforce-dependent enterprises and third-party IT providers**.

    Show sources
    Open in new tab
  5. 26.11.2025 14:05 3 articles · 3mo ago

    Gainsight Attack Expands Salesforce Customer Impact with New IOCs

    The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Gainsight CEO Chuck Ganapathi stated only a "handful" of customers had their data affected, though the full scope remains undisclosed. The breach began with **reconnaissance from IP 3.239.45[.]43 on October 23, 2025**, followed by **unauthorized access via an AT&T IP address on November 8** and approximately **20 suspicious intrusions between November 16–23** using **commercial VPNs (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a tactic linked to the **Salesloft Drift attack**. Salesforce **revoked all access and refresh tokens** for Gainsight applications, while **Google disabled OAuth clients** with callback URIs like *gainsightcloud[.]com*. Gainsight disabled read/write capabilities for **Customer Success (CS), Community (CC), Northpass, and Skilljar**, while isolating **Staircase** (confirmed unaffected). Third parties (**Gong.io, Zendesk, HubSpot**) severed integrations as a precaution, with HubSpot explicitly stating no evidence of compromise. Forensic analysis by **Mandiant** and Salesforce revealed attackers exploited **compromised multifactor credentials** for VPN and critical system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while adopting **Google Threat Intelligence Group (GTIG) mitigations** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the group’s persistent focus on **Salesforce ecosystems**, leveraging **third-party app vulnerabilities, OAuth token abuse, and VPN obfuscation** to maximize impact. **Meanwhile, the SLSH alliance has extended its targeting to Zendesk users**, deploying **typosquatted domains and malicious helpdesk tickets** to harvest credentials and deploy malware, as detailed in a concurrent campaign reported on **November 27, 2025**.

    Show sources
    Open in new tab
  6. 20.11.2025 20:54 1 articles · 3mo ago

    Almaviva Breach Exposes 2.3TB of FS Italiane Group Data

    A threat actor breached **Almaviva**, the IT services provider for **FS Italiane Group (Italy’s national railway operator)**, stealing **2.3TB of data** and leaking it on a dark web forum. The compromised files include **internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and complete datasets from FS Group companies**, with evidence confirming the data is recent (Q3 2025). Almaviva publicly acknowledged the breach, stating its **security monitoring services detected and isolated the attack**, activated counter-response procedures, and ensured the protection of critical services. The company notified Italian authorities, including the **police, national cybersecurity agency (ACN), and data protection authority (Garante)**, and is conducting an investigation with government support. The **structure of the leaked data**—organized into compressed archives by department/company—mirrors the tactics of **ransomware groups and data brokers active in 2024–2025**, though no specific group has claimed responsibility. Almaviva, a global IT provider with **41,000+ employees and $1.4B in annual revenue**, serves FS Italiane Group, a **100% state-owned railway operator** with **$18B+ in annual revenue**, managing railway infrastructure, passenger/freight transport, and logistics chains. As of November 20, 2025, it remains unclear whether **passenger information was exposed** or if other Almaviva clients beyond FS Italiane Group were impacted. The breach underscores the **growing risk to critical infrastructure via third-party IT providers**, a tactic increasingly used by groups like **ShinyHunters and Scattered Spider**.

    Show sources
    Open in new tab
  7. 25.09.2025 14:48 2 articles · 5mo ago

    Scattered Spider Members Arrested in September 2025

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  8. 25.09.2025 14:48 2 articles · 5mo ago

    Noah Urban Sentenced for SIM-Swapping and Cybercrime Activities

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  9. 25.09.2025 14:48 2 articles · 5mo ago

    Ransomware Attack Disrupts European Airports

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  10. 24.09.2025 23:21 3 articles · 5mo ago

    Scattered Spider Member Surrenders in Las Vegas

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  11. 18.09.2025 17:37 4 articles · 5mo ago

    UK Arrests Scattered Spider Members Linked to Transport for London Hack

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  12. 15.09.2025 23:12 5 articles · 5mo ago

    Scattered Lapsus$ Hunters' Claims and Google's Response

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  13. 13.09.2025 12:04 6 articles · 5mo ago

    FBI Alert on UNC6040 and UNC6395 Targeting Salesforce Platforms

    The **Gainsight cyber-attack** has expanded to impact more Salesforce customers than initially disclosed, with notifications sent to all affected parties by **November 21, 2025**. The breach began with **unauthorized access via an AT&T IP address on November 8**, followed by approximately **20 suspicious intrusions** between November 16–23 using **commercial VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method previously observed in the **Salesloft Drift attack**. Gainsight temporarily disabled read/write capabilities for products like **Customer Success (CS), Community (CC), and Northpass**, while isolating **Staircase** (confirmed unaffected due to separate infrastructure). Third-party vendors, including **Gong.io, Zendesk, and HubSpot**, also disabled Gainsight integrations as a precaution, though HubSpot reported no evidence of compromise. Forensic investigations by **Mandiant (Google Cloud’s incident response team)** and Salesforce revealed the attackers leveraged **compromised multifactor credentials** for VPN and critical system access. Gainsight advised customers to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while recommending mitigation measures from the **Google Threat Intelligence Group (GTIG)** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the persistent threat to **Salesforce ecosystems**, with attackers exploiting **third-party app vulnerabilities** and **OAuth token abuse** to expand their reach.

    Show sources
    Open in new tab
  14. 10.09.2025 18:29 5 articles · 5mo ago

    Jaguar Land Rover Data Breach Confirmed

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  15. 25.08.2025 22:48 3 articles · 6mo ago

    Farmers Insurance Data Breach Details Revealed

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  16. 21.08.2025 09:45 1 articles · 6mo ago

    Scattered Spider Member Sentenced for Cybercrime Activities

    A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison and $13 million in restitution for wire fraud and aggravated identity theft. Urban was arrested in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023, resulting in the theft of at least $800,000 from five victims. Urban and his co-conspirators used SIM swapping attacks to hijack victims' cryptocurrency accounts and steal digital assets.

    Show sources
    Open in new tab
  17. 12.08.2025 19:20 15 articles · 6mo ago

    ShinyHunters and Scattered Spider Target Salesforce Customers

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  18. 12.08.2025 15:00 15 articles · 6mo ago

    ShinyHunters and Scattered Spider Collaboration Detected

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

World Leaks Ransomware Group Exfiltrates 1.4TB of Nike Data

The World Leaks ransomware group has claimed responsibility for a data breach affecting Nike, posting a 1.4TB cache of stolen internal data. The leaked files include R&D and product details, supply chain information, and internal documents dating back to 2020. Nike is investigating the incident, but no customer or employee PII has been identified in the dump. The breach could have significant commercial and operational impacts, including potential disruptions to product launches and supply chain operations. World Leaks removed the Nike entry from its leak site, suggesting potential negotiations or ransom payment. World Leaks is believed to be a rebrand of the Hunters International ransomware group, which emerged in late 2023 and was flagged as a possible Hive ransomware rebrand due to code similarities. Hunters International claimed responsibility for over 280 attacks, including victims such as the U.S. Marshals Service, Tata Technologies, Hoya, AutoCanada, and Austal USA.

Open in new tab

EU Investigates X Over Grok-Generated Sexual Content

The European Commission, along with authorities in the UK, France, California, and now Ireland, are investigating X (formerly Twitter) over the use of its Grok AI tool to generate non-consensual sexual images, including child sexual abuse material (CSAM). The investigations are examining whether X has complied with data protection laws and adequately safeguarded against the generation of harmful content. The Irish Data Protection Commission (DPC) has opened a formal inquiry into X's compliance with GDPR obligations, joining the UK's Information Commissioner's Office (ICO), the European Commission, and French prosecutors in their respective investigations. French authorities have also raided X's offices in Paris and summoned Elon Musk and X CEO Linda Yaccarino for interviews. X has restricted Grok's image generation capabilities to paid subscribers, a move criticized by UK officials.

Open in new tab

Multi-Stage Phishing Campaign Targeting Russia with Amnesia RAT and Ransomware

A sophisticated multi-stage phishing campaign is targeting users in Russia, employing social engineering tactics to deliver ransomware and Amnesia RAT. The attack begins with business-themed documents that appear benign but contain malicious scripts and payloads distributed via GitHub and Dropbox. The campaign leverages multiple public cloud services to enhance resilience and uses defendnot to disable Microsoft Defender. The malware suppresses visibility, neutralizes endpoint protection, conducts reconnaissance, and deploys payloads capable of data theft, remote control, and financial fraud.

Open in new tab

Vishing Attacks Target Okta SSO Accounts for Data Theft

Threat actors are using vishing attacks to steal Okta SSO credentials, bypassing MFA and gaining access to enterprise cloud services. The attacks involve real-time manipulation of phishing pages and social engineering to trick employees into revealing their credentials and MFA codes. Once access is gained, attackers exfiltrate data from integrated platforms like Salesforce and demand extortion payments. The phishing kits used in these attacks are sold as a service and are actively employed by multiple hacking groups targeting identity providers and cryptocurrency platforms. Okta recommends using phishing-resistant MFA methods to mitigate these threats. Attackers use Telegram channels to receive stolen credentials and adapt their campaign based on the MFA or authentication solution the target is using. Phishing kits allow attackers to generate fake MFA notifications to bypass MFA protections.

Open in new tab

Jordanian Cybercriminal Admits Selling Access to 50 Enterprise Networks

Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in Georgia, pleaded guilty in a US court to selling unauthorized access to at least 50 compromised enterprise networks. The access was sold to an undercover agent on an underground cybercriminal forum. Albashiti, known online as 'r1z,' received payment in cryptocurrency. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.

Open in new tab