SmarterTools Breached by Own SmarterMail Vulnerabilities

9 February 2026 at 16:22

SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.” In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.” ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window.” “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliaQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.” Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.” “Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said Sentinel One “did a really good job detecting vulnerabilities and preventing servers from being encrypted.” He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.” He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:
  • Velociraptor
  • JWRapper
  • Remote Access
  • SimpleHelp
  • WinRAR (older, vulnerable versions)
  • exe
  • dll
  • exe
  • Short, random filenames such as e0f8rM_0.ps1 or abc...
  • Random .aspx files
“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”

European Commission Hit by Mobile Infrastructure Data Breach

9 February 2026 at 14:19

European Commission Mobile Cyberattack Thwarted by Quick Action

The European Commission's central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile cyberattack was limited by swift action, but cybersecurity observers are speculating that the incident was linked to another recent European incident involving Netherlands government targets that was revealed around the same time.

European Commission Mobile Cyberattack Detailed

The European Commission’s Feb. 5 announcement said its mobile management infrastructure “identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members. The Commission's swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.” The Commission said it will “continue to monitor the situation. It will take all necessary measures to ensure the security of its systems. The incident will be thoroughly reviewed and will inform the Commission's ongoing efforts to enhance its cybersecurity capabilities.” The Commission provided no further details on the attack, but observers wondered if it was connected to another incident involving Dutch government targets that was revealed the following day.

Dutch Cyberattack Targeted Ivanti Vulnerabilities

In a Feb. 6 letter (in Dutch) to the Dutch Parliament, State Secretary for Justice and Security Arno Rutte said the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) had been targeted in an “exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).” Rutte said the Dutch National Cyber Security Centre (NCSC) was informed by Ivanti on January 29 about vulnerabilities in EPMM, which is used for managing and securing mobile devices, apps and content. On January 29, Ivanti warned that two critical zero-day vulnerabilities in EPMM were under attack. CVE-2026-1281 and CVE-2026-1340 are both 9.8-severity code injection flaws, affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features, and could allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations. “Based on the information currently available, I can report that at least the AP and the Rvdr have been affected,” Rutte wrote. Work-related data of AP employees, such as names, business email addresses, and telephone numbers, “have been accessed by unauthorized persons,” he added. “Immediate measures were taken after the incident was discovered. In addition, the employees of the AP and the Rvdr have been informed. The AP has reported the incident to its data protection officer. The Rvdr has submitted a preliminary data breach notification to the AP.” NCSC is monitoring further developments with the Ivanti vulnerability and “is in close contact” with international partners, the letter said. Meanwhile, the Chief Information Officer of the Dutch government “is coordinating the assessment of whether there is a broader impact within the central government.”

European Commission Calls for Stronger Cybersecurity Controls

The European Commission’s statement noted that “As Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, the Commission is committed to further strengthen the EU's cybersecurity resilience and capabilities.” To that end, the Commission introduced a Cybersecurity Package on January 20 to bolster the European Union's cyber defenses. “A central pillar of this initiative is the Cybersecurity Act 2.0, which introduces a framework for a Trusted ICT Supply Chain to mitigate risks from high-risk suppliers,” the EC statement said.

Major Cyberattack Cripples Russia’s Alarm and Vehicle Security Provider Delta

28 January 2026 at 00:58

A cyberattack on Delta, a Russian provider of alarm and security systems for homes, businesses, and vehicles, has disrupted operations and triggered widespread service outages, leaving many customers unable to access critical security functions. Delta, which serves tens of thousands of users across Russia, confirmed the cyberattack on Monday, stating that it faced a major external assault on its IT infrastructure. The disruption has affected both online services and customer communication channels, raising concerns about the resilience of connected security platforms.

Cyberattack on Delta Security Systems Causes Major Outage

In an official statement, the company emphasized its position in the market and its ongoing investments in cybersecurity. Delta said: “On January 26, DELTA experienced a large-scale external attack on its IT infrastructure aimed at disrupting the company's services.” The company added that some services were temporarily unavailable, but insisted there were no immediate signs of customer data exposure. “At this time, no signs of a compromise of customer personal data have been detected.” Delta also apologized to customers and said restoration efforts were underway with the help of specialized experts.

Delta Struggles to Restore Services After Cyberattack

Delta marketing director Valery Ushkov provided additional details in a video address, acknowledging the large scale of the incident. He said: “Our architecture was unable to withstand a well-coordinated attack coming from outside the country.” Ushkov noted that recovery was taking longer than expected because the company was still facing the risk of follow-up attacks while attempting to restore backups. As of Tuesday, Delta’s website and phone lines remained offline. With traditional communication channels down, the company has been forced to issue updates through its official page on VKontakte, Russia’s largest social media platform.

Customers Report Alarm Failures and Vehicle Access Issues

The disruption from the Delta cyberattack has had direct consequences for customers relying on the company’s systems for everyday safety and mobility. Russian-language Telegram outlet Baza reported that users began complaining shortly after the incident that car alarm systems could not be turned off, and in some cases, vehicles could not be unlocked. Newspaper Kommersant also reported ongoing failures despite Delta’s assurances that most services were operating normally. Users described serious malfunctions, including remote vehicle start features failing, doors locking unexpectedly, and engines shutting down while in motion. In addition to vehicle-related issues, customers reported that alarm systems in homes and commercial buildings switched into emergency mode and could not be deactivated. Recorded Future News said it could not independently verify these claims.

Data Leak Claims Surface After Delta Cyberattack

Although Delta maintains that no customer data was compromised, uncertainty remains. An unidentified Telegram channel claiming to be operated by the attackers published an archive it alleges contains stolen information from Delta systems. However, the authenticity of the material and the identity of the hackers have not been independently verified. The cyberattack on Delta has increased anxiety among customers, particularly because Delta’s mobile app, launched in 2020, is widely used for tracking vehicles and managing alarm functions. According to Auto.ru, the app is compatible with most cars and can store payment data, making some users wary of potential financial exposure if internal systems were breached.

Broader Pattern of IT Disruptions in Russia

The Delta security systems cyberattack occurred on the same day as a separate large-scale outage affected booking and check-in systems used by Russian airlines and airports. Airlines reported temporary disruptions to ticket sales, refunds, and rebooking after problems were detected in aviation IT platforms. While the two incidents have not been officially linked, the timing highlights growing instability in critical digital infrastructure. No known hacking group has claimed responsibility for the cyberattack on Delta so far. It also remains unclear whether the incident was a relatively limited distributed denial-of-service (DDoS) attack or something more severe, such as ransomware or destructive malware. For now, Delta says the situation is manageable and expects services to return soon, but customer concerns continue as outages persist and unverified leak claims circulate.

Crimson Collective Claims to Disconnect Brightspeed Internet Users After Hack

7 January 2026 at 12:00

The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says. Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access. The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.

Crimson Collective’s Brightspeed Claims and Customer Risk

In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider. A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress. Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more. The data doesn’t include passwords or full credit card numbers that could put users at imminent risk of breach or theft, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.

Crimson Collective: An Emerging Threat

Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure. Murata said the Brightspeed attack “aligns with the Crimson Collective's pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.” The timing of the attack, coming just after the New Year holiday, is a possible example of "holiday hunting," where cybercriminals exploit reduced IT staffing over holidays, Murata said. “Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”

Shai-Hulud Supply Chain Attack Drained $8.5 Million from Trust Wallet Users

31 December 2025 at 15:15

Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack. In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said. So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.” News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.

Trust Wallet Shai-Hulud Attack Detailed

Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.” The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.” The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC. “If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said. Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.

White Hat Researchers Limited Damage with DDoS Attacks

The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker to limit damage, as detailed in the company’s update. Trust Wallet’s Developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet's internal approval and manual review. The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said. The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said. On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker's wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.” “White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker's malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said. The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.

Latest Oracle EBS Victims Include Korean Air, University of Phoenix

30 December 2025 at 13:18

Victims of the CL0P ransomware group’s August campaign targeting Oracle E-Business Suite vulnerabilities are still coping with the aftermath of the cyberattacks, as Korean Air and the University of Phoenix have become the latest to reveal details of the breach. The University of Phoenix reported earlier this month in an SEC filing that it was among the Oracle EBS victims, after the company was named as a victim by CL0P on the threat group’s dark web data leak site. In a new filing with the Maine Attorney General’s office, the University of Phoenix revealed the extent of the breach – nearly 3.5 million people may have had their personal data compromised, including names, dates of birth, Social Security numbers, and bank account and routing numbers. The sample notification letter provided by the university offered victims complimentary identity protection services, including a year of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services. Oracle EBS victims continue to grapple with the aftermath of the attacks even as CL0P has reportedly moved on to a new extortion campaign targeting internet-facing Gladinet CentreStack file servers.

Korean Air Among Oracle EBS Victims

Korean Air also reported a cyberattack that appears linked to the Oracle EBS campaign. According to news reports, KC&D Service – the former in-flight catering subsidiary of the airline that’s now owned by a private equity firm – informed Korean Air of a leak that involved personal data belonging to the airline’s employees. The compromised data involved 30,000 records and included names and bank account numbers. The breach was revealed in an “internal notice,” according to the reports. The airline said no customer data appears to have been compromised by the breach. According to Korea JoongAng Daily, Woo Kee-hong, vice chairman of Korean Air, said in a message to employees, “Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.” While the reports didn’t specifically mention the Oracle EBS campaign, “Korean Air Catering” was one of more than 100 victims listed by CL0P on its data leak site. Other confirmed victims in the Oracle campaign have included The Washington Post, Harvard University, Dartmouth College, the University of Pennsylvania, American Airlines’ Envoy Air, Logitech, Cox, Mazda, Canon, and Hitachi’s GlobalLogic.

CL0P’s File Services Exploits

CL0P’s ability to exploit file sharing and transfer services at scale has made it a top five ransomware group over its six-year history, with more than 1,000 known victims to date, according to Cyble threat intelligence data. Other CL0P campaigns have targeted Cleo MFT, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere, among others. CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. Some reports have linked the Oracle EBS campaign to the FIN11 threat group, with CL0P acting as the public face of the campaign.

La Poste Cyberattack Disrupts Postal and Banking Services in France Ahead of Christmas

23 December 2025 at 01:13

The La Poste cyberattack disrupted France’s national postal service just days before Christmas, temporarily knocking key websites and mobile applications offline and slowing parcel deliveries during one of the busiest periods of the year. La Poste confirmed that the incident was caused by a distributed denial-of-service (DDoS) attack, which impacted digital systems supporting postal operations. While the company stated there was no evidence that customer data had been compromised, it acknowledged that the cyberattack affected parcel distribution and access to online services. The timing of the La Poste cyberattack raised concerns among customers expecting holiday deliveries. Social media users reported delays and uncertainty around parcel arrivals, while French media outlets noted that some people attempting to send or collect packages were turned away from post offices operating under limited capacity. With Christmas being one of the most demanding periods for the postal network, even short-lived disruptions created visible operational challenges.

La Poste Cyberattack Linked to DDoS Incident

According to the company, the La Poste cyberattack involved a DDoS attack that overwhelmed parts of its digital infrastructure. As a result, several online platforms became unavailable, and some post offices were forced to operate at reduced capacity. Despite the disruption, customers were still able to carry out essential postal and banking transactions at physical counters. “Our teams are fully mobilised to restore services as quickly as possible,” La Poste said in its Twitter post, noting that remediation efforts were ongoing.

Cyberattack on La Poste Impacts La Banque Postale Services

The La Poste cyberattack also affected La Banque Postale, limiting customer access to online banking services and the bank’s mobile application. In a public statement shared on social media, the bank acknowledged the incident and assured customers that its teams were working to resolve the issue. “A computer incident has made access to our customers' mobile app and online banking temporarily unavailable. Our teams are working to resolve the situation as quickly as possible. Online payments are possible with SMS authentication,” the bank said. While digital access was disrupted, card payments at in-store terminals, ATM withdrawals, and SMS-authenticated online payments remained functional, reducing the impact on day-to-day financial transactions.

Recent Cyber Incidents in France

The La Poste cyberattack occurred against the backdrop of several recent cyber incidents in France involving major public institutions. Last week, France’s Interior Ministry disclosed a data breach that resulted in unauthorized access to internal email accounts and confidential documents. On December 17, 2025, authorities arrested a 22-year-old man in connection with the Interior Ministry cyberattack after an investigation led by the Paris prosecutor’s cybercrime unit. The suspect faces charges including unauthorized access to a state-run automated personal data processing system, an offense that carries a potential prison sentence of up to 10 years. Earlier, in November 2025, the French Football Federation confirmed a separate breach in which attackers used stolen credentials to access centralized membership management software. The incident exposed personal information belonging to licensed players registered through clubs nationwide. At the time of writing, La Poste has not attributed the cyberattack to any specific threat actor, and the source of the disruption remains unknown. The Cyber Express Editorial team has contacted the company for further clarification, but no response has been received so far.

CL0P Ransomware Group Targets Gladinet CentreStack in New Campaign

19 December 2025 at 11:59

The CL0P ransomware group appears to be targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign. The Curated Intelligence project said in a LinkedIn post that incident responders from its community “have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers.” Cyble said in a note to clients today that CL0P appears to be readying its dark web data leak site (DLS) for a new wave of victims following its exploitation of Oracle E-Business Suite vulnerabilities that netted more than 100 victims. “Monitoring of Cl0p's DLS indicates recent archiving and grouping of all previously listed victims associated with Oracle E-Business Suite exploitation under different folders, a move that strongly suggests preparation for a new wave of data leak publications,” Cyble said. “This restructuring activity is assessed to be linked to the ongoing exploitation of Gladinet CentreStack, with Cl0p likely staging victims for coordinated disclosure similar to its prior mass-extortion campaigns. No victim samples or deadlines related to the CentreStack victims have been published yet.”

CL0P May Be Targeting Gladinet CentreStack Vulnerabilities

It’s not clear if the CL0P campaign is exploiting a known or zero-day vulnerability, but in a comment on the LinkedIn post, Curated Intelligence said that an October Huntress report is “Likely related.” That report focused on CVE-2025-11371, a Files or Directories Accessible to External Parties vulnerability in Gladinet CentreStack and TrioFox that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Nov. 4. In a Dec. 10 report, Huntress noted that threat actors were also targeting CVE-2025-30406, a Gladinet CentreStack Use of Hard-coded Cryptographic Key vulnerability, and CVE-2025-14611, a Gladinet CentreStack and Triofox Hard Coded Cryptographic vulnerability. CVE-2025-30406 was added to the CISA KEV catalog in April, and CVE-2025-14611 was added to the KEV database on Dec. 15. In a Dec. 18 update to that post, Huntress noted the Curated Intelligence findings and said, “At present, we cannot say definitively that this is exploitation by the cl0p ransomware gang, but considering the timing of this reporting, we felt it was prudent to share this recent threat intel.” The latest release on Gladinet's CentreStack website as of December 8 is version 16.12.10420.56791, Huntress noted. “We recommend that potentially impacted Gladinet customers update to this latest version immediately and ensure that the machineKey is rotated,” the blog post said. Curated Intelligence noted that recent port scan data shows more than 200 unique IPs running the “CentreStack - Login” HTTP Title, “making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”

CL0P’s History of File Transfer Attacks

Curated Intelligence noted that CL0P has a long history of targeting file sharing and transfer services. “This is yet another similar data extortion campaign by this adversary,” the project said. “CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others.” CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. The group’s ability to successfully exploit vulnerabilities at scale has made it a top five ransomware group over its six-year history.

Figure: Top ransomware groups of all time. CL0P is a top five ransomware group over its six-year history (Cyble).

France Arrests 22-Year-Old Suspect in Ministry of the Interior Cyberattack

18 December 2025 at 01:37

French authorities have arrested a 22-year-old man in connection with a French Interior Ministry cyberattack, marking an important development in an investigation into the breach of the ministry’s internal email systems. The arrest was carried out on December 17, 2025, following an inquiry led by the cybercrime unit of the Paris prosecutor’s office. According to a notice issued by France’s Ministry of the Interior, the suspect was taken into custody on charges including unauthorized access to a state-run automated personal data processing system. The offense carries a maximum sentence of up to 10 years in prison. "A person was arrested on December 17, 2025, as part of an investigation opened by the cybercrime unit of the Paris prosecutor's office, on charges including unauthorized access to a state-run automated personal data processing system, following the cyberattack against the Ministry of the Interior," the press release, translated into English, said. The ministry confirmed that the individual, born in 2003, is already known to the justice system and was convicted earlier in 2025 for similar cyber-related offenses. Authorities have not disclosed the suspect’s identity. "The suspect, born in 2003, is already known to the justice system, having been convicted of similar offenses in 2025," the release added.

[Figure: French Interior Ministry cyberattack. Source: French Interior Ministry]

Investigation Into Cyberattack on France’s Ministry of the Interior 

The French Interior Ministry cyberattack was first publicly acknowledged last week, after officials revealed that the ministry’s internal email servers had been compromised. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. French Interior Minister Laurent Nuñez described the incident as more serious than initially believed. Speaking to Franceinfo radio, he said, "It's serious. A few days ago, I said that we didn't know whether there had been any compromises or not. Now we know that there have been compromises, but we don't know the extent of them." Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information. However, Nuñez urged caution when assessing the scale of the breach. "I can tell you that there have not been millions of pieces of data extracted as of this morning (...), but I remain very cautious about the level of compromise," he added.

Legal Action Against French Interior Ministry Cyberattack

In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspect in the French Interior Ministry cyberattack was arrested as part of an investigation into unauthorized access to an automated data processing system, allegedly carried out as part of an organized group. Prosecutors reiterated that this offense is punishable by up to 10 years’ imprisonment. The investigation is being conducted by OFAC, France’s Office for Combating Cybercrime. Authorities noted that a further statement will be released once the police custody period ends, which can last up to 48 hours. French prosecutors also confirmed that while the suspect has prior convictions for similar crimes in 2025, they are not disclosing further details about those cases.

Government Response and Security Measures

Following the French Interior Ministry cyberattack, the Ministry of the Interior implemented standard security protocols and strengthened access controls across its systems. Speaking on RTL Radio, Minister Nuñez confirmed the attack and the immediate response: "There was indeed a cyberattack. An attacker was able to access a number of files. So we implemented the usual protection procedures." He further stated that investigations into the French Interior Ministry cyberattack are ongoing at both judicial and administrative levels, and that France’s data protection authority, the National Commission for Information Technology and Civil Liberties (CNIL), has been notified. On RTL Matin, Nuñez emphasized that the origin of the French Interior Ministry cyberattack remains unclear: "It could be foreign interference, it could be people wanting to challenge the authorities and demonstrate their ability to access systems, and it could also be cybercrime. Right now, we don't know what it is."

Claims of Responsibility Surface Online

Following public disclosure of the French Interior Ministry cyberattack incident, a post appeared on an underground forum claiming responsibility for the breach. The post stated, "We hereby announce that, in revenge for our arrested friends, we have successfully compromised 'MININT' — the French Ministry of the Interior." The message appeared to reference the 2025 arrests of five BreachForums moderators and administrators, known online as “ShinyHunters,” “Hollow,” “Noct,” “Depressed,” and “IntelBroker.” However, authorities have not confirmed any direct link between the arrested suspect and these claims. As the investigation into the French Interior Ministry cyberattack continues, French officials have stressed that all possibilities remain under consideration and that further updates will follow once the custody period concludes.

PDVSA Cyberattack Disrupts Administrative Systems, Oil Cargo Deliveries Suspended

17 December 2025 at 02:09

Venezuela’s state-run oil company, Petróleos de Venezuela (PDVSA), has confirmed that a cyberattack on PDVSA’s administrative systems caused widespread disruptions, even as the company publicly claimed that oil operations were unaffected. The PDVSA cyberattack comes at a time of escalating political and military tensions between Caracas and Washington, following recent U.S. actions against Venezuelan oil shipments. PDVSA announced the incident in a statement on Monday, blaming the attack on the United States and describing it as part of a broader strategy to seize control of Venezuela’s oil resources. However, cybersecurity experts and company sources cited by Reuters have found no evidence linking the PDVSA cyberattack to the U.S. government.

PDVSA Blames US for Cyberattack on Venezuela’s Oil Company

In its statement, PDVSA accused the United States of coordinating the PDVSA cyberattack as part of what it called an aggressive campaign against Venezuela’s energy sovereignty. “This attempt at aggression adds to the public strategy of the U.S. government to take over Venezuelan oil by force and piracy,” PDVSA said. The company claimed the cyberattack was carried out by foreign interests working with domestic actors to undermine Venezuela’s right to develop its energy sector independently. Venezuela’s oil ministry echoed these accusations, stating that the attack aligned with U.S. efforts to control the country’s oil through “force and piracy.” Despite these claims, PDVSA provided no technical details about the attack or evidence supporting the allegations.

Ransomware Attack Suspected as PDVSA Systems Go Down

While PDVSA said it had recovered from the cyberattack, multiple sources told Reuters that the PDVSA ransomware attack was far more damaging than officials admitted. According to four sources, the company’s administrative systems remained down, forcing a halt to oil cargo deliveries. “There’s no delivery of cargoes, all systems are down,” one PDVSA source told Reuters, adding that workers internally described the incident as a ransomware attack. Sources said PDVSA detected the attack days earlier. In attempting to resolve the issue, antivirus software reportedly disrupted the company’s entire administrative network. As a result, workers were forced to keep handwritten records after systems failed to restart. Although oil production, refining, and domestic fuel distribution were reportedly unaffected by the PDVSA cyberattack, export logistics were severely disrupted. A shipper involved in Venezuelan oil deals confirmed that all loading instructions for export markets remained suspended.

Oil Exports Impacted as PDVSA Limits System Access

As the Venezuela cyberattack on PDVSA continued, the company reportedly ordered administrative and operational staff to disconnect from internal systems. Access for indirect workers was also restricted, according to sources. PDVSA’s website remained offline as of Tuesday afternoon, adding to concerns about the scale of the disruption. Despite official claims of recovery, sources said the effects of the cyber incident were ongoing.

PDVSA Cyberattack Follows US Seizure of Venezuelan Oil Tanker

The PDVSA cyberattack occurred just one week after U.S. military forces seized a PDVSA tanker carrying nearly 1.85 million barrels of Venezuelan heavy crude in the Caribbean. The seizure drew strong condemnation from Cuba, which described it as an act of piracy and a violation of international law. Cuban officials said the tanker was believed to be transporting oil destined for Cuba, a country that relies heavily on Venezuelan oil supplies. Following the seizure, Reuters reported that Venezuelan oil exports fell sharply, with some tankers turning back due to fears of further U.S. action. U.S. officials have indicated that more tanker seizures could follow in the coming weeks.

Geopolitical Pressure Intensifies Around Venezuela’s Oil Industry

The PDVSA cyberattack has unfolded amid a broader U.S. military buildup in the Caribbean, U.S. strikes on alleged drug trafficking boats, and renewed sanctions targeting Venezuelan shipping and individuals linked to President Nicolás Maduro. The Venezuelan government maintains that the United States is seeking regime change to gain access to the country’s vast oil reserves. PDVSA, which plays a key role in Venezuela’s financial ties with China, Russia, Iran, and Cuba, remains central to that struggle. As tensions rise, the PDVSA cyberattack highlights how digital attacks, sanctions, and military pressure are increasingly converging around Venezuela’s oil sector, with significant implications for global energy markets and regional stability.

U.S. CodeRED Emergency Alert System Down After Ransomware Attack

26 November 2025 at 12:33

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system’s status and their plans. The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. “Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening,” the city said in its statement. “The provider decommissioned the OnSolve CodeRED platform and is in the process of moving all customers to its new CodeRED platform.” Craven County Emergency Services in North Carolina said the new CodeRED platform “will be available before November 28.” In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County’s social media accounts. The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took “immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED.” The Sheriff’s Office said it “is actively searching for a replacement for the CodeRED platform.” The office said it still has the ability to issue “IPAWS” alerts to citizens when necessary, and “will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations.”

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including CSV files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, where the company purportedly offered as much as USD $150,000, an amount the attackers claim they refused.

Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

20 November 2025 at 15:09

Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.