1. Executive Summary
This report provides a comprehensive analysis of a series of cybersecurity incidents documented primarily on April 21 and 22, 2026. The intelligence gathered indicates a highly active threat landscape characterized by extensive data breaches, widespread mass website defacements, prolific distribution of credential combo lists, active carding operations, and the advertisement of malicious infrastructure services. Threat actors, ranging from hacktivists to financially motivated cybercriminals, have targeted a diverse array of victims globally, encompassing government entities, financial institutions, educational organizations, technology providers, and private individuals.
2. Threat Landscape Analysis by Category
2.1 Data Breaches and Information Leaks
Data leaks constitute a significant portion of the observed malicious activity, exposing personally identifiable information (PII), corporate data, and government records.
- Government and Public Sector:
- Morocco: A threat actor named “Keymous Plus” leaked a database belonging to the Fédération Royale Marocaine de Football (FRMF), exposing names, national IDs, passport numbers, and FIFA IDs of players and personnel. This was corroborated by another actor, “MDGhost,” who shared similar data. Furthermore, data from the Regional Investment Center of Rabat-Salé-Kénitra, including personal and professional information, was leaked by “kutam_dz”.
- France: The “Asha” threat actor leaked a database of SDIS13 (French Fire and Rescue Service), containing 6,841 personnel records. Additionally, the threat actor “Angel_Batista” leaked roughly 7GB of images and files related to EDF French nuclear power plants via a subcontractor compromise.
- Nigeria: The Economic and Financial Crimes Commission (EFCC) suffered a data leak exposing agent names, codes, and password hashes, posted by “ki4t”. The Federal Housing Authority of Nigeria was also breached, with backend files, database schemas, and source code leaked by “0xLei” and the “Nullsec” group.
- Belgium: A dataset of approximately 482,000 records from the Belgian Social Security Administration was offered for sale, containing detailed personal, employment, and benefits data.
- Brazil: Multiple municipal chambers were targeted. The threat actor “wh6ami” leaked legislative and citizen data from Barra do Bugres, Nortelândia, Nova Marilândia, Arenápolis, and Porto Estrela.
- Israel: The Institute for National Security Studies (INSS) was allegedly breached by the “Sumud Cyber Command,” which claimed to leak 15.92 terabytes of classified research and strategic intelligence. A separate 20GB database of Israeli lawyers was leaked by “MDGhost”. Furthermore, an Israeli sports facilities inventory database was leaked via Telegram.
- Indonesia: The East Kalimantan Social Affairs Disability Database (2.3 million records), the Ministry of Industry (structural positions and addresses), the Karangrejo Village Government (family and residency data), and the BRIMOB Mobile Brigade Corps (law enforcement PII and passwords) were all subject to data leaks.
- Other Nations: Data from the National Employment Agency of Cambodia (2.9GB of backend data), the Bangladesh Ministry of Expatriates’ Welfare (4.6GB of passports and IDs), Saudi Arabia’s TAMM Government Portal (350,000 professional lead records), Peru’s CENEPRED, the Bolivian Road Administration (over 9,000 PDF reports), the Henan Province Social Insurance System in China (~900,000 records), and Mexican entities including the CIAPACOV water authority, Salud Guanajuato, and the tjacdmx.gob.mx court authority (leaked by GhostSec) were also exposed.
- Technology and Cryptocurrency Sector:
- The Vercel cloud platform suffered a breach involving database access and source code, allegedly sold by the “ShinyHunters” group. This breach was reportedly facilitated by a Lumma infostealer infection of a Context.ai employee, which compromised a core support account.
- A massive dataset from over 30 cryptocurrency platforms, including Binance, Coinbase, and Kraken, totaling over 11 million records, was offered for sale.
- “CoinMarketCap” saw 100 million user records scraped and sold, exposing usernames, handles, and account statuses.
- “The Crypto Merchant,” a US-based hardware wallet reseller, suffered a breach exposing 2,136 customer records, including physical shipping addresses and purchase details.
- “MetaXSeed,” a crypto gaming platform, had a database of over 32,000 users leaked, exposing wallet addresses, KYC status, and credentials.
- “BullionStar,” a precious metals dealer, suffered an API exploitation that exposed its complete database schema and PII of its users.
- Corporate and Private Sector:
- Cybercrime Forums: Ironically, the underground community itself was targeted. “BreachForums” had its infrastructure backup and MariaDB database offered for sale, while “BreachedForums” (breached.st) suffered a 3.3 GB database and source code leak.
- E-commerce and Services: “Tokopedia” faced a customer database breach exposing PII and order details. The “Dîner en Blanc” dining event organization suffered a breach of 411,000 user records. “Alert 360 Opco Inc.” had over 2.5 million records exposed. “Ledil Immobilier,” a French real estate agency, suffered a leak of 6,700 structured user records.
- Telecommunications: “Reliance Jio Infocomm” had internal server data leaked, specifically exposing an algorithmic trading system and Futures & Options trading data.
- Education: “Evalang.fr” (French proficiency testing) had 269,000 records breached. A Danish educational database of 800,000 student records was sold for $10,000. The Matabacus Business School in Uganda suffered a database dump of student enrollment records.
2.2 Website Defacement Campaigns
Defacements were heavily utilized as a disruptive tactic, primarily targeting Linux-based servers.
- Alpha Wolf Team (Threat Actor: XYZ): This group executed a prolific mass defacement campaign. Their targets included “Software Designers”, “Sinkohs Plugins”, “Synfinity Solutions”, “Synco Hosting”, “Synco Technology”, “Little Rock Church of Christ”, “Joslins Pressure Wash”, and “Backroads Boho”. The defacement artifact was frequently hosted at the path /w00t.txt.
- CYBER ERROR SYSTEM (Threat Actor: PENERUS DYS_404): This actor focused heavily on Japanese targets, primarily in the online gambling sector. They defaced “Online Casino Games JP”, “Online Casino History” (including redefacements), “Online Casinos 365” (redefacement), an “Online Casino Platform”, and the business services website “OfficeMaster”.
- Other Defacements: “Dkid03” defaced “c-s.me”, “mylocal.ws”, and “Snap Fitness Competition”. “CYKOMNEPAL” targeted “Aarambha IT” in India. “Br4inRoot” of Jav4nym0uz Corp defaced “instadia.uk”. “Irene” from XmrAnonye.id redefaced an Indonesian educational site.
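A log-side check for the artifact path named above, added here as an example and not code published by the report or by any of the groups it names. It assumes Apache/nginx combined-format access logs (the format is an assumption; adjust the regex for a custom log_format) and flags three things: any successful fetch of /w00t.txt (the artifact is live), any write-method request against that path (an upload attempt, whether it succeeded or was rejected), and an upload followed within five minutes by a fetch from the same IP, which is what an attacker produces when confirming the page is live before submitting it to a defacement mirror. The log lines are constructed sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Artifact path reported for the Alpha Wolf Team campaign; extend with other known filenames.
ARTIFACT_PATHS = {"/w00t.txt"}
WRITE_METHODS = {"PUT", "POST", "MOVE", "COPY"}
VERIFY_WINDOW_SECONDS = 300

# Apache/nginx "combined" log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: a successful upload plus verification fetch, a later third-party
# fetch of the live artifact, and a rejected upload attempt from another address.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2026:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2026:10:05:40 +0000] "PUT /w00t.txt HTTP/1.1" 201 0 "-" "curl/8.5.0"
198.51.100.9 - - [21/Apr/2026:10:05:42 +0000] "GET /w00t.txt HTTP/1.1" 200 33 "-" "curl/8.5.0"
192.0.2.44 - - [21/Apr/2026:11:17:03 +0000] "GET /w00t.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.0.2.45 - - [21/Apr/2026:11:30:00 +0000] "PUT /w00t.txt HTTP/1.1" 405 0 "-" "curl/8.5.0"
""".splitlines()


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop query string before comparing paths
    return ev


def find_defacement_indicators(lines):
    """Return (kind, ip, path, status) tuples for every artifact-related event."""
    findings = []
    uploads_by_ip = defaultdict(list)  # ip -> timestamps of accepted writes
    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["path"] not in ARTIFACT_PATHS:
            continue
        if ev["method"] in WRITE_METHODS:
            accepted = ev["status"] < 400
            findings.append(("artifact_upload_succeeded" if accepted else "artifact_upload_attempt",
                             ev["ip"], ev["path"], ev["status"]))
            if accepted:
                uploads_by_ip[ev["ip"]].append(ev["ts"])
        elif ev["method"] == "GET" and ev["status"] == 200:
            findings.append(("artifact_reachable", ev["ip"], ev["path"], ev["status"]))
            # Same IP uploaded the file moments earlier and is now fetching it back:
            # the attacker confirming the defacement is live.
            if any(0 <= (ev["ts"] - t).total_seconds() <= VERIFY_WINDOW_SECONDS
                   for t in uploads_by_ip[ev["ip"]]):
                findings.append(("upload_then_verify", ev["ip"], ev["path"], ev["status"]))
    return findings


if __name__ == "__main__":
    for finding in find_defacement_indicators(SAMPLE_LOG):
        print(*finding)
```

An `artifact_reachable` hit from any source is already enough to treat the host as defaced; the `upload_then_verify` correlation mostly helps identify the attacker's address for blocking and for scoping which other vhosts on the same server it touched. A 405 on the PUT means the server refused the write, so that host should be checked for other upload vectors (a vulnerable plugin or CMS upload handler) rather than assumed clean.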
2.3 Credential Harvesting and Combo Lists
The distribution of combo lists (email and password pairs) represents a massive threat vector for credential stuffing attacks. Hundreds of millions of records were distributed across various forums (e.g., CrackingX, DemonForums, Altenens).
- Mass Distribution by “CODER”: This actor was highly active, distributing lists of staggering volume via Telegram and cracking forums. Their releases included an 11 million-record corporate business email list, a 5 million-record blockchain-targeted list, a 7.3 million-record SMTP list, a 7.4 million-record Twitter/Facebook Ads list, an 8 million-record multi-platform list (Spotify, TikTok, Amazon), a 10 million-record mixed service list (crypto, VPN, Office), a 12 million-record Hotmail list, and a 4 million-record UK-specific list.
- Regional Targeting: Combo lists were frequently categorized by country to facilitate targeted attacks. Collections included data from Poland, Germany, India, Indonesia, Hungary, Greece, Finland, Japan, Denmark, Croatia, Cuba, Estonia, and the Dominican Republic.
- Service-Specific Targeting: “HQcomboSpace” leaked lists targeting Yahoo and streaming services (~578,000 records), Hotmail and streaming services (~1.2 million records), and corporate mail credentials. Microsoft’s Hotmail was a disproportionately frequent target, with numerous lists ranging from hundreds to millions of records posted by actors such as “MegaCloudshop”, “alphaxdd”, “ValidMail”, and “Larry_Uchiha”.
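The detection a defender would run over login telemetry when lists like these are replayed against a site, added here as an example and not taken from the report. It assumes a JSON-lines authentication log with `ts`, `ip`, `user` and `ok` fields (an assumed schema; map your own IdP or application log onto it), keeps a ten-minute sliding window per source IP, and separates credential stuffing (many distinct usernames, mostly failing) from single-account brute force (one username, many failures), which needs a different response. A successful login from an IP already flagged is raised as a likely account takeover, since combo-list hit rates are low and the rare success is the event that matters. The events are constructed sample input.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 8         # attempts from one IP inside WINDOW before we consider it
MIN_DISTINCT_USERS = 5   # stuffing cycles through usernames; brute force repeats one


def _ev(ts, ip, user, ok):
    """Build one JSON-lines auth event in the assumed schema."""
    return json.dumps({"ts": ts, "ip": ip, "user": user, "ok": ok})


# Constructed sample: one IP works through a combo list and lands a hit, a second IP
# hammers a single account (brute force, not stuffing), and a normal user logs in.
SAMPLE_EVENTS = (
    [_ev(f"2026-04-21T09:00:{i:02d}+00:00", "198.51.100.23", f"user{i:02d}@example.com", False)
     for i in range(10)]
    + [_ev("2026-04-21T09:00:15+00:00", "198.51.100.23", "victim@example.com", True)]
    + [_ev(f"2026-04-21T09:01:{i:02d}+00:00", "203.0.113.5", "alice@example.com", False)
       for i in range(9)]
    + [_ev("2026-04-21T09:02:00+00:00", "192.0.2.10", "bob@example.com", True)]
)


def parse_events(lines):
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_credential_stuffing(lines):
    """Sliding-window per source IP. Returns alerts in time order."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, ok) inside WINDOW
    flagged = set()
    alerts = []
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"], ev["ok"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        failed_users = {u for _, u, ok in q if not ok}
        if (ev["ip"] not in flagged and len(q) >= MIN_ATTEMPTS
                and len(failed_users) >= MIN_DISTINCT_USERS):
            flagged.add(ev["ip"])
            alerts.append({"type": "credential_stuffing", "ip": ev["ip"], "at": ev["ts"],
                           "attempts": len(q), "distinct_users": len(failed_users)})
        # A success from a source already identified as stuffing is the real loss event.
        if ev["ok"] and ev["ip"] in flagged:
            alerts.append({"type": "likely_account_takeover", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_EVENTS):
        print(alert)
```

The single-account brute force against `alice@example.com` is deliberately not raised by this detector; it belongs to a per-account lockout or rate limit, whereas the stuffing case calls for blocking or challenging the source and forcing a credential reset on `victim@example.com`. Stuffing run through residential proxies spreads attempts across many IPs with one or two usernames each, so in production this per-IP view should be paired with a global failure-rate baseline on the login endpoint and a check for a shared User-Agent or TLS fingerprint across the sources.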
2.4 Carding and Financial Fraud
Carding forums remained highly active, with actors sharing and selling stolen credit and debit card information.
- Payment Card Dumps: Actors like “BATTMAN”, “camilo232323”, “balkisksouri”, and “Jazz” frequently posted card data (PAN, expiry, CVV).
- High-Value Targets: There was a specific market for “non-VBV” cards, meaning cards not enrolled in Verified by Visa (Visa’s 3-D Secure program), so card-not-present purchases with them do not trigger an issuer step-up challenge and are easier to use for fraud. Corporate purchasing cards, which often have higher limits, were also shared, including those from Chase Bank and Mastercard.
- Fullz Data: Several cards were leaked alongside complete personally identifiable information (“Fullz”), including names, addresses, and phone numbers. Examples include victims in Granite City, Illinois; Etobicoke, Canada; Detroit, Michigan; Denham Springs, Louisiana; and Cincinnati, Ohio.
- Premium Account Abuse: Compromised premium accounts were traded alongside financial data. A Japanese Netflix premium account complete with session cookies was shared by “brainfroze/jambo”. Verified Coinbase accounts were sold by “OpenUps”. Duolingo Education Premium accounts were also shared to promote a LinkedIn Premium upgrading service.
- Financial Scams: The actor “kilop” openly advertised advance-fee fraud (“cash flips”) targeting CashApp, PayPal, and Zelle alongside the sale of stolen credit cards.
2.5 Malware, Initial Access, and DDoS Infrastructure
The proliferation of malicious infrastructure and access tools facilitates further attacks.
- DDoS Stressers: Services like “Deep Stresser,” “Goofystress,” and the “Herios Botnet” aggressively advertised Layer 4 and Layer 7 attack capabilities. Goofystress claimed up to 2 million packets per second in TCP floods and specific bypasses for popular games like Fortnite and Minecraft. Herios Botnet advertised raw network capacities of 1T to 2.5T (presumably Tbps; as with all stresser advertising, these figures are the seller’s claims and are not independently verified).
- Phishing-as-a-Service (PhaaS): The actor “petrushka” sold the “Bluekit” PhaaS platform, which featured Evilginx-based adversary-in-the-middle capabilities, 2FA bypass, and AI voice cloning.
- Initial Access and Web Shells: Actors like “ShinyHunters” sold critical API access to a major Brazilian financial transactions company. “PORTAL” offered rented RDP access to AWS and Azure environments. Web shells were also sold by actors like “kyless133” and the “BABAYO EROR SYSTEM”.
- Tools and Malware: The actor “Nopsec” sold a DexProtector RASP bypass tool targeting financial applications like Revolut. “Starip” distributed an Avast Antivirus account checker and an MD5 hash “decryption” tool (MD5 is a one-way hash, so such tools recover inputs by lookup tables or cracking rather than decryption). Stealer logs, particularly from the Rhadamanthys malware, were actively traded, containing harvested credentials and session cookies.
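Session cookies from stealer logs and from an Evilginx-style adversary-in-the-middle proxy are valid, already-authenticated sessions, so MFA has already been satisfied and the only remaining signal is that the cookie is now being presented by a different client than the one that started the session. The following is an added example, not code from the report or from any tool it names, of binding a session to the network and browser that first used it and flagging later requests that break that binding. It assumes an authenticated-request event feed with `ts`, `session`, `ip` and `ua` fields (an assumed schema), compares addresses at /24 (IPv4) or /48 (IPv6) so a user moving between addresses in one network is not flagged, and rates a simultaneous change of both network and User-Agent higher than either alone. The events are constructed sample input.

```python
import ipaddress
from datetime import datetime

# Constructed sample: s1 is replayed from a new network and browser (stolen cookie),
# s2 moves within one /24 (benign), s3 changes IPv6 /48 but keeps the same browser.
SAMPLE_REQUESTS = [
    {"ts": "2026-04-21T10:00:00+00:00", "session": "s1", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"},
    {"ts": "2026-04-21T10:03:00+00:00", "session": "s1", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"},
    {"ts": "2026-04-21T10:20:00+00:00", "session": "s1", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"},
    {"ts": "2026-04-21T11:00:00+00:00", "session": "s2", "ip": "203.0.113.5",
     "ua": "Mozilla/5.0 (iPhone) Safari/17.0"},
    {"ts": "2026-04-21T11:05:00+00:00", "session": "s2", "ip": "203.0.113.200",
     "ua": "Mozilla/5.0 (iPhone) Safari/17.0"},
    {"ts": "2026-04-21T12:00:00+00:00", "session": "s3", "ip": "2001:db8:1::10",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17.4"},
    {"ts": "2026-04-21T12:30:00+00:00", "session": "s3", "ip": "2001:db8:2::10",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17.4"},
]


def network_of(ip):
    """Coarsen an address to its /24 (v4) or /48 (v6) so DHCP churn inside one network is ignored."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def detect_session_replay(requests):
    """Bind each session to the (network, User-Agent) of its first request; alert on drift."""
    binding = {}   # session id -> (network, ua) captured at first sight
    alerts = []
    for ev in sorted(requests, key=lambda e: datetime.fromisoformat(e["ts"])):
        sid = ev["session"]
        net, ua = network_of(ev["ip"]), ev["ua"]
        if sid not in binding:
            binding[sid] = (net, ua)
            continue
        net0, ua0 = binding[sid]
        ua_changed, net_changed = ua != ua0, net != net0
        if ua_changed and net_changed:
            severity = "high"      # cookie presented from a different browser on a different network
        elif ua_changed or net_changed:
            severity = "medium"    # one attribute moved; could be mobile roaming or a browser update
        else:
            continue
        alerts.append({"session": sid, "severity": severity, "at": ev["ts"], "ip": ev["ip"],
                       "ua_changed": ua_changed, "network_changed": net_changed})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_REQUESTS):
        print(alert)
```

Two caveats a practitioner should keep in mind. Stealer logs ship the victim's browser fingerprint alongside the cookies, and anti-detect browsers replay it, so an unchanged User-Agent is weak evidence and the network comparison (or a Device Bound Session Credentials / TLS-bound token, where available) carries more weight. And the response to a high-severity hit should be to revoke that session server-side and require re-authentication, since the stolen cookie remains valid until the server forgets it, however the user's own browser behaves.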
3. Notable Threat Actor Operations
Several specific actors and groups demonstrated significant operational tempo:
- ShinyHunters: Continued high-profile sales, offering Vercel source code and critical API access to a major financial institution. They also allegedly breached Abrigo Inc., stealing over 1.75 million records from Salesforce.
- GhostSec: Engaged in hacktivism under “OpDrugWar,” leaking Mexican court records related to cartel investigations, and breached the Fekrawhats marketing platform.
- Nullsec / 0xLei: Focused on government targets, breaching the Nigerian Economic and Financial Crimes Commission, the Federal Housing Authority of Nigeria, and the National Employment Agency of Cambodia.
- Sumud Cyber Command: Conducted a politically motivated attack on Israel’s Institute for National Security Studies (INSS), exposing vast amounts of classified intelligence.
- HasanBroker / BreachForums: In a display of inter-forum conflict, HasanBroker issued a formal “declaration of war” against the “LAPSUS$ Hunters” group, urging the community to doxx and neutralize them.
- Everest Group: Allegedly conducted a coordinated attack against banks, US citizens, a Spanish drone company, and industrial entities in the UK and Indonesia.
- Unconventional Threats: In a highly unusual physical intrusion, inmates at an Ohio state prison built secret computers in a ceiling and utilized tools like Kali Linux and Wireshark to breach the prison’s network and commit financial fraud.
4. Conclusion
The cybersecurity events recorded in April 2026 illustrate a mature, highly compartmentalized cybercrime ecosystem. The data reveals a clear pipeline: infostealer operators (deploying families such as Rhadamanthys or Lumma) harvest credentials and session cookies; the resulting logs are sold directly or aggregated into massive combo lists by distributors like “CODER” and “HQcomboSpace”, which are then used for credential stuffing attacks against consumer, corporate, and government targets; and Initial Access Brokers (IABs) sell the footholds that result (API keys, RDP access, web shells) onward to other operators.
Furthermore, the vulnerability of government and critical infrastructure remains a pressing concern. Hacktivist and state-aligned actors continue to successfully exfiltrate highly sensitive data, as seen in the INSS and various municipal breaches. Simultaneously, the persistent mass defacement campaigns highlight widespread, unpatched vulnerabilities in web infrastructure. To mitigate these threats, organizations must prioritize robust identity and access management (IAM), rapid vulnerability patching (as highlighted by the exploitation of Cisco and JetBrains flaws), and stringent monitoring of third-party and subcontractor risk.