Social Engineering

A commercial office building with papers escaping through a cracked window, a hooded figure silhouette, a data pipe with red accent dot, and an open padlock.

shinyhunters

Cushman & Wakefield Got Hit by Two Ransomware Groups in Three Days. ShinyHunters Just Posted 50 Gigabytes.

Cushman & Wakefield confirmed a vishing-related breach on May 5. ShinyHunters and Qilin both listed it on their leak sites within days. After negotiations failed, ShinyHunters posted a 50GB Salesforce dataset on May 8. The dual-claim attribution puzzle is the new operational story for SaaS-era IR.

09 May 2026

A laptop with a defaced login screen, three schoolhouse silhouettes connected by lines, a "MAY 12" calendar tile, and a red-orange accent dot.

shinyhunters

Canvas Defaced Worldwide: ShinyHunters Tells Schools to Pay Up Individually by May 12

ShinyHunters defaced Canvas login pages worldwide on May 7 — disrupting finals week at Harvard, Penn, Duke, and Virginia Tech. The group claims 275 million records from 9,000 schools and is now telling individual schools to negotiate ransom payments by May 12. Instructure had declared the May 1 incident contained

08 May 2026

Minimalist white line art on coral: a theatrical face mask hovering above a webcam and a video-call window, with strings connecting the mask to both like a puppet.

Fraud

A 404 Media Reporter Watched Someone Else Become Him, Live, on Microsoft Teams

404 Media's Joseph Cox published an investigation on May 7, 2026 in which he obtained, installed, and personally tested Haotian AI — a Chinese realtime deepfake software marketed to scammers — and watched a Cambodia-based operator's face shapeshift into his own during a live Microsoft Teams call. Haotian

07 May 2026

Minimalist white line art on beige: a hand emerges from a 'VERIFY' box holding a pill capsule toward a clipboard.

phishing

Australia Warns That Fake Cloudflare CAPTCHAs on Real Australian Websites Are Pushing Vidar Stealer

The Australian Signals Directorate's Australian Cyber Security Centre published an advisory on May 7, 2026 warning that pro-criminal threat actors are using compromised legitimate Australian WordPress websites as launch pads for ClickFix social-engineering attacks delivering the Vidar Stealer information-stealing malware. Visitors to compromised Australian business websites are shown

07 May 2026

Minimalist white line art on gold-amber: a telephone handset with its cord stretching across the frame to loop around a hardware wallet, with a house silhouette and coin pile mid-frame.

Cyber Crime

$250M Crypto Gang's Burglar Just Got 6.5 Years — Hardware Wallets Aren't Safe

Marlon Ferro, a 20-year-old Santa Ana, California man also known online as "GothFerrari" and "Marlo," was sentenced to 78 months in federal prison on May 7, 2026 for serving as the home-invader and money-launderer for a 14-person "Social Engineering Enterprise" that stole more than

07 May 2026

phishing

VENOMOUS#HELPER: SSA Phishing Drops Dual-RMM on 80+ Orgs by Living off Trusted Vendors

Securonix tracked a phishing campaign that has compromised more than 80 organizations — mostly U.S.-based — by abusing legitimate SimpleHelp and ConnectWise ScreenConnect remote-monitoring tools. The lure impersonates the U.S. Social Security Administration. The architecture is dual-RMM redundancy: when defenders detect one channel, the other persists. Securonix Threat Research

05 May 2026

Minimalist white line art on deep plum showing two sign-in windows linked by a central proxy hourglass, a key intercepted mid-flight between them, and a tiny CAPTCHA glyph.

phishing

Microsoft: AiTM Phishing Hit 35,000 Users at 13,000 Orgs in Three Days — Tycoon 2FA Takedown Did Not Kill the Technique

Microsoft Defender Research disclosed a sophisticated AiTM phishing campaign that hit 35,000+ users at 13,000+ organizations across 26 countries in just three days. 92% of targets were in the U.S. The lure was a fake employee disciplinary case. The reverse proxy stole session tokens — bypassing MFA in

05 May 2026

Threat Intelligence

Apple, NVIDIA, Disney Impersonated in Telegram Mini App Scam Network

CTM360 names FEMITBOT — a shared backend running crypto scams, fake AI tools, and Android malware impersonating Apple, NVIDIA, Disney, and the BBC, all inside Telegram.

04 May 2026

Burnt orange background with a central white laptop showing a warning triangle, surrounded by a graduation cap, an open book, and a wrench. Red-orange dots mark each focal point.

Cyber Attacks

Canvas Maker Hit With Second Security Incident in Eight Months

Instructure says its forensics team believes the latest attack is contained — but won't yet say what's been touched.

03 May 2026

Cobalt blue background with a central white cloud icon linked by thin lines to a key, a sign-in window, a document folder, and a target reticle. Red-orange dots mark each focal point.

Threat Intelligence

ConsentFix v3 Runs on Cloudflare, Dropbox, and ZoomInfo

The OAuth phishing kit is plumbed end-to-end through legitimate SaaS, which is exactly the point.

03 May 2026

A Facebook icon overlaid by a phishing hook with a Google-addressed email above and a criminal storefront below.

Trending

30,000 Facebook Business Accounts Stolen via Google AppSheet Phishing — "AccountDumpling" Operation Exposed

Vietnamese-linked operation "AccountDumpling" has compromised 30,000 Facebook Business accounts by sending phishing emails from Google's legitimate AppSheet address — bypassing spam filters and running a criminal resale storefront for stolen accounts.

02 May 2026

A spider web with three red X marks over key nodes, a handcuff icon and gavel below.

Trending

Scattered Spider Member "Bouquet" Arrested in Finland — Peter Stokes, 19, Charged With Four Intrusions Starting at Age 16

Peter Stokes (alias "Bouquet"), 19, was arrested in Finland on April 10 while boarding a flight to Tokyo — charged with four Scattered Spider intrusions since age 16, including an $8M ransom demand against a luxury retailer.

01 May 2026

See all