🚨Chinese-language dark web forums and Telegram channels are flooding cybercrime ecosystems with claims of stolen data from financial institutions worldwide. Group-IB researchers dug in, and the datasets don't hold up.

After analyzing 17,000+ messages across five active sources, names and phone numbers trace back to the 2021 Facebook leak, password hashes to the 2020 Eatigo breach, assigned to entirely different individuals. These are not fresh breaches. They are repackaged old data sold as new.

The research includes sample validation walkthroughs, upstream source mapping, and identification markers organizations can use to assess similar claims.

Read the full analysis.

#CyberSecurity #DarkWeb #InfoSec #ThreatIntelligence

🚨201 arrests. 3,867 victims identified. 53 servers seized.

Group-IB supported INTERPOL’s Operation Ramz, the first large-scale cybercrime operation across the MENA region, spanning 13 countries and targeting phishing, malware, and cyber fraud infrastructure.

Key contributions from Group-IB:
🔹Intelligence on 5,000+ compromised accounts, including government-linked accounts
🔹Identification of active phishing infrastructure across MENA
🔹 Mapping of threat actor clusters involved in phishing distribution and leaked data trafficking

This operation reflects what public-private collaboration can achieve when intelligence is regionally grounded and globally coordinated. Our Digital Crime Resistance Centers in Egypt and the UAE were central to delivering that visibility.

We remain committed to supporting international efforts to dismantle cybercriminal ecosystems and protect individuals and organisations across the MENA region and beyond.

Read More.

#ThreatIntelligence #INTERPOL #DCRC #Phishing

🚨The new Group-IB research uncovers a sophisticated fraud operation targeting SNCF customers through phishing emails, fake SNCF-themed websites, legitimate payment processors, and social engineering phone calls impersonating bank advisors.

Key findings from the investigation:
🔹Fraud infrastructure was timed around French school holidays to exploit periods of increased travel activity
🔹Victims were redirected through legitimate Stripe-hosted payment pages to reduce suspicion during checkout
🔹Targeted users were linked to previously exposed data from the Addka72424 breach, indicating the use of leaked datasets for precision targeting
🔹Threat actors leveraged emotional manipulation and real-time phone calls to extract OTPs, IBAN details, and authorize secondary payments
🔹Infrastructure overlaps and recurring domain patterns suggest a centralized and scalable fraud ecosystem

Read the full analysis

#Cybersecurity #Phishing #FraudPrevention

🎉 Group-IB unveils Prevyn AI, the cognitive core of its Unified Risk Platform designed to shift cybersecurity from reactive detection to predictive defense. Powered by decades of cybercrime intelligence and real-world investigative logic, Prevyn AI enables organizations to anticipate threats, accelerate response, and outpace machine-speed attacks.

Think Faster Than The Threat.

Learn More

#PrevynAI

🚨Our latest investigation uncovers how threat actors are combining deepfake impersonation, social engineering, and cryptocurrency infrastructure to operate at industrial scale across Australia and the United States.

Key highlights:
🔹 A network of 208+ connected fake investment platforms with an estimated $187M in illicit revenue.
🔹 Threat actors impersonate well-known financial professionals using deepfake technology & geo-targeted social media advertisements to funnel victims into WhatsApp-based coordination groups.
🔹 20+ fake WhatsApp accounts impersonating a single Australian economist were identified, indicating centralized control by an organized group.
🔹 Coordinated inflows of $1.5M to $3M, achievable with 500 to 3,000 victims, can drive up to 12.4% price movement in a NASDAQ-listed small-cap stock.
🔹 Use of KYC-compliant exchanges for cash-out, with minimal obfuscation, creating both risk and investigative opportunity.

🔗 Read the full analysis.

#CyberSecurity #FraudPrevention #InvestmentScams

🚨 Group-IB’s latest research exposes the Phoenix System, a Phishing-as-a-Service platform powering reward point scams, fake parcel delivery lures, and large-scale mobile phishing campaigns worldwide.

Key highlights:
🔹 SMS delivery via fake BTS to bypass carrier-level filtering and spoof trusted brands.
🔹 2,500+ phishing domains linked to the operation since January 2025.
🔹 More than 70 organizations targeted across finance, telecom, and logistics globally.
🔹 The phishing sites implement IP-based filtering and geofencing to precisely target victims within specific countries.
🔹 Shared infrastructure is found across reward scam and parcel delivery campaigns despite differences in their attack contexts and target audiences.
🔹 Both campaigns use the Phoenix System, successor to the Mouse System.
🔹 The phishing kits are distributed via a dedicated Telegram ecosystem.

Read the full analysis here.

#Phishing #CyberSecurity #Smishing #ThreatIntelligence

🚨 Our latest research suggests that a significant share of newly registered business accounts in France may be linked to mule activity, highlighting how business-grade payment infrastructure combined with fast remote onboarding has created an attractive entry point for large-scale financial crime operations

Key Highlights:
🔹Verified mule business accounts are sold on underground markets for $300–$700, with sellers offering escrow services, replacement guarantees, and daily inventory.
🔹Threat actors bypass KYC by using real victims harvesting PII via phishing and socially engineering them to complete identity verification.
🔹Operations rely on SIM farms, anti detect environments, and cheap Android devices to scale account creation and maintain infrastructure.
🔹Detecting these operations requires analysing the entire account lifecycle, since sign up, KYC, and first login can appear legitimate in isolation.

Read the full technical analysis.

#FraudPrevention #FintechSecurity #CyberSecurity

😧 In 2025, a hacktivist group filmed itself blocking biomass fuel supply and triggering emergency alarms at a Polish factory, then posted the video on Telegram.

Group-IB's Threat Intelligence team analyzed the 2025–early 2026 threat landscape targeting European manufacturing across six countries.

What we detected ⬇️
▪️200 hacktivist incidents targeting European manufacturers
▪️57 cases of claimed access to industrial control systems

‼️ The shift is real: hacktivist groups have moved beyond website takedowns to physical control of production systems, manipulating boiler temperatures, ventilation pressure, and biomass fuel supply.

Hacktivism is only one of five threat categories covered in our new report, Inside Europe's Manufacturing Cyber Threat Landscape. The other four are just as urgent.

Read more to predict and prevent attacks on your organization.

#CyberSecurity #Hacktivism #ThreatIntelligence

🚨 W3LL wasn't just another phishing operation, it was a mature phishing-as-a-service ecosystem that industrialized BEC at scale. Over 7+ years, the actor built a closed, referral-only marketplace powering 500+ cybercriminals with AiTM tooling designed to bypass MFA, hijack sessions, and compromise Microsoft 365 accounts.

This investigation reveals not just the tools, but the infrastructure, operational model, and key weaknesses behind the W3LL phishing ecosystem.

Key highlights:
🔹 AiTM-based W3LL Panel engineered for MFA bypass and session cookie theft
🔹 W3LL Store: a full-service PhaaS marketplace with tooling, data, and infrastructure
🔹 License validation APIs exposing backend links to the operator
🔹 Analysis of 700+ weaponized phishing samples that supported victim and campaign mapping
🔹 OpSec failures across forums, infrastructure, Telegram, and Indonesian-speaking hacking community ties

Read the full technical analysis.

#ThreatIntel #Cybercrime #Phishing #BEC #CyberSecurity #Infosec

💫We are proud to announce that Group-IB is an initial data contributor to the newly released MITRE Fight Fraud Framework™ (F3) developed by MITRE Corporation.

By contributing our proprietary fraud taxonomy and intelligence derived from real-world investigations, we are helping shape a standardized framework that enables organizations to classify, understand, and respond to fraud threats more effectively.

This collaboration goes beyond classification. By integrating the framework into Group-IB’s Fraud Matrix, organizations will be able to connect standardized fraud techniques with live adversary intelligence, detection methodologies, and mitigation strategies strengthening predictive fraud defense across industries.

Fraud doesn’t begin with a transaction. It begins with an attacker and understanding adversary behavior is key to staying ahead.

Read the full announcement here.

#CyberSecurity #FinancialSecurity #FraudPrevention #ThreatIntelligence #FraudMatrix

🚨Remote hiring has opened new opportunities for companies worldwide but it has also created a new attack surface.

Our latest research dives into how DPRK-linked IT worker operations are infiltrating global companies by posing as remote developers. Instead of relying on traditional cyber intrusions, these actors exploit legitimate hiring processes using synthetic identities, AI-assisted workflows, and trusted developer platforms.

Key highlights:
🔹A coordinated ecosystem of fake developer personas operating across GitHub, portfolio sites, and freelancing platforms.
🔹Reusable identity infrastructure including resumes, email accounts, and repositories.
🔹Evidence of AI-assisted job application workflows and templated interview responses
🔹Archived “persona packages” containing identity documents, portfolio assets, and operational instructions.
🔹Monitoring the activities of a specific intruder “group” from 2021 to March 2026.

Read the full blog here.

#ThreatIntelligence #CyberSecurity #InsiderThreat #DPRK

The regulatory landscape is shifting fast. The UK, Singapore, Australia, the EU, and North America are introducing mandatory fraud intelligence-sharing frameworks. But there’s a challenge: How can institutions share suspicious activity in real time without violating privacy laws?

The Problem:
🔹 Payments settle in 10–40 seconds
🔹 Fraud detection takes 3–7 days
🔹 Criminals layer funds, convert them to crypto, and move funds offshore
🔹 Less than 1% of laundered funds are recovered

Why Standard Solutions Fail: Traditional hashing methods are vulnerable to dictionary attacks, meaning “anonymized” data can be reversed creating GDPR risks

The Solution: Privacy-preserving distributed tokenization enables institutions to share fraud signals in real time while staying compliant.

Real Results: In a pilot with 46 banks, just two institutions running real-time checks prevented $10–15M in fraud annually.At full participation, projected savings could reach $100–300M.

Read the full framework.

#GDPR #Cybersecurity

That RFQ email from a trusted supplier? It might be delivering Phantom Stealer — a toolkit built to harvest your credentials at scale.

Group-IB researchers have identified a sustained phishing campaign targeting European logistics, manufacturing, and tech companies. Across five distinct waves over three months, every email was blocked by Group-IB's Business Email Protection before reaching end users.

The emails mimic legitimate procurement correspondence with professional signatures and spoofed sender identities. But inside the archive attachment is an infostealer that harvests browser credentials, session tokens, and payment data.

Phantom Stealer is part of a growing stealer-as-a-service market - credential theft is now a subscription business, and threats like this are only scaling.

Our latest Email Protection Spotlight breaks down the full campaign and shows how multi-layer detection stopped it at the inbox. Read the full analysis.

#CyberSecurity #Phishing #InfoStealer #EmailProtection

Most cybersecurity strategies are already legacy the moment they’re approved.
Why? Because they’re built annually, around frameworks, without real-time threat context

Meanwhile, the business shifts constantly. Attackers adapt even faster.
👉 That gap is where risk lives.

In our latest breakdown, we explore where cybersecurity strategies fail in 2026, including:
✅ why security operates out of sync with business priorities
✅ how compliance-first thinking creates blind spots
✅ where gap analysis breaks down at the board level

Move beyond “all talk, no show” strategies:
🔹 Tie security directly to business risk
🔹 Shift to modular, adaptable planning
🔹 Use threat intelligence to drive decisions
🔹 Continuously reassess gaps

Prepare for what’s actually targeting your business right now. Read more.

#Cybersecurity2026 #RiskManagement #ThreatIntelligence

🎉Group-IB was named an Overall Leader in Fraud Reduction Intelligence Platforms by KuppingerCole 2025.

In its 2025 Leadership Compass for Fraud Reduction Intelligence Platforms—eCommerce, KuppingerCole recognized Group-IB across three categories: Overall Leader, Product Leader, and Innovation Leader.

The analyst specifically highlighted our credential intelligence powered by dark web monitoring and Europol/Interpol information-sharing, our device intelligence depth including anti-detect browser and virtual camera detection, and an investigation interface described as "top-notch."

Download the full report.

#FraudPrevention #eCommerce #DarkWeb

🚨 A new ransomware operation, The Gentlemen, has emerged following an affiliate split revealing how threat actors evolve from partners to independent operators while retaining advanced tooling, infrastructure, and access pipelines.

Our latest analysis explores how this group is operationalizing large-scale attacks by combining exploited network devices, credential harvesting, and advanced defense evasion techniques.

What the blog covers:
🔹The origins of The Gentlemen and its connection to a prior affiliate dispute on the RAMP forum
🔹Systematic exploitation of CVE-2024-55591 to compromise FortiGate devices, with an observed inventory of approximately 14,700 exposed systems offered to affiliates
🔹Operational tooling for credential harvesting and lateral movement (NetExec, Impacket, DonPAPI)
🔹Defense evasion via Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable EDR/AV protections at kernel level

Read the full technical analysis.

#ThreatIntel #Ransomware #CyberSecurity

Group-IB is proud to have supported INTERPOL’s Operation Synergia III, a global cybercrime operation targeting malicious infrastructure used in phishing, malware, ransomware, and online fraud campaigns.

Conducted between July 2025 and January 2026, the international operation brought together law enforcement from 72 countries and territories, resulting in:
🔹 94 arrests (with 110 additional individuals under investigation)
🔹 45,000+ malicious IP addresses and servers taken down
🔹 212 electronic devices and servers linked to cybercriminal activity are seized.

As part of the operation, Group-IB provided adversary-centric threat intelligence on phishing infrastructure and malicious servers, sharing insights into phishing domains, hosting infrastructure, and malware distribution networks used by cybercriminal groups.

🔗 Read the full press release.

#ThreatIntelligence #Cybersecurity #INTERPOL #Ransomware #Phishing

🚨MuddyWater is back, and Operation Olalampo reveals how the actor continues to refine its intrusion tradecraft. This campaign combines macro-delivered payload chains, stealthy in-memory loaders, and a Rust-based Telegram C2 backdoor to maintain persistence and evade detection. Our analysis exposes sandbox-evasion techniques, fragmented encrypted communications, infrastructure reuse, and operator telemetry that provides rare insight into post-exploitation behavior.

Key highlights include the discovery of new malware variants, selective loader execution paths, AI-assisted development indicators, and backend infrastructure revealing how victims are tracked and managed with defensive recommendations including RMM tool restrictions, Telegram API monitoring, and memory integrity controls.

Dive into the full technical breakdown to understand the tooling, tactics, and defensive implications behind MuddyWater's latest operation.

#CyberSecurity #ThreatIntelligence #MalwareAnalysis #MuddyWater #Infosec

🚨 Indonesia’s tax season exposed a coordinated fraud campaign powered by industrialized malware infrastructure.

Our latest technical deep dive reveals how the GoldFactory threat cluster leveraged shared infrastructure to deploy multiple malware families across an entire national digital ecosystem.

Key highlights:
🔹 A highly synchronized campaign targeted ~67 million tax residents during the 2026 tax season.
🔹 Infrastructure extended beyond tax services, abusing 16+ trusted brands with an estimated USD 1.5–2M systemic impact.
🔹 A multi-stage attack chain combined phishing, vishing, and malicious APK sideloading for full device takeover.
🔹 228 new Gigabud.RAT and MMRat samples were identified, highlighting rapid malware evolution.
🔹 Attribution confirms GoldFactory’s shift toward unified, cross-border fraud infrastructure.
🔹 Proactive infrastructure mapping reduced fraud success to just 0.027% among protected, compromised devices

Read the full technical breakdown.

#CyberSecurity #MalwareAnalysis

🔐 How to share suspicious fraud data without breaking privacy laws

Until now, banks couldn't share intelligence on suspicious accounts without risking GDPR violations.

Group-IB's Cyber Fraud Intelligence Platform solves this with Bureau Veritas-validated Distributed Tokenization.

Watch our 18-minute panel discussion with experts explaining:
✅ Why SHA-256 hashing fails privacy standards
✅ How distributed tokenization enables compliant collaboration
✅ How to stop APP scams as early as during the warm-up phase before any losses

👉 Watch now!