The Cyber Express Weekly Roundup: Escalating Breaches, Regulatory Crackdowns, and Global Cybercrime Developments

13 February 2026 at 05:53

As February 2026 progresses, this week’s The Cyber Express Weekly Roundup examines a series of cybersecurity incidents and enforcement actions spanning Europe, Africa, Australia, and the United States. The developments include a breach affecting the European Commission’s mobile management infrastructure, a ransomware attack disrupting Senegal’s national identity systems, a landmark financial penalty imposed on an Australian investment firm, and the sentencing of a fugitive linked to a multimillion-dollar cryptocurrency scam. From suspected exploitation of zero-day vulnerabilities to prolonged breach detection failures and cross-border financial crime, these cases highlight the operational, legal, and systemic dimensions of modern cyber risk.

The Cyber Express Weekly Roundup 

European Commission Mobile Infrastructure Breach Raises Supply Chain Questions 

The European Commission reported a cyberattack on its mobile device management (MDM) system on January 30, potentially exposing staff names and mobile numbers, though no devices were compromised, and the breach was contained within nine hours. Read more... 

Ransomware Disrupts Senegal’s National Identity Systems 

In West Africa, a major cyberattack hit Senegal’s Directorate of File Automation (DAF), halting identity card production and disrupting national ID, passport, and electoral services. While authorities insist no personal data was compromised, the ransomware group. The full extent of the breach is still under investigation. Read more... 

Australian Court Imposes Landmark Cybersecurity Penalty 

In Australia, FIIG Securities was fined AU$2.5 million for failing to maintain adequate cybersecurity protections, leading to a 2023 ransomware breach that exposed 385GB of client data, including IDs, bank details, and tax numbers. The firm must also pay AU$500,000 in legal costs and implement an independent compliance program. Read more... 

Crypto Investment Scam Leader Sentenced in Absentia 

U.S. authorities sentenced Daren Li in absentia to 20 years for a $73 million cryptocurrency scam targeting American victims. Li remains a fugitive after fleeing in December 2025. The Cambodia-based scheme used “pig butchering” tactics to lure victims to fake crypto platforms, laundering nearly $60 million through U.S. shell companies. Eight co-conspirators have pleaded guilty. The case was led by the U.S. Secret Service. Read more... 

India Brings AI-Generated Content Under Formal Regulation 

India has regulated AI-generated content under notification G.S.R. 120(E), effective February 20, 2026, defining “synthetically generated information” (SGI) as AI-created content that appears real, including deepfakes and voiceovers. Platforms must label AI content, embed metadata, remove unlawful content quickly, and verify user declarations. Read More... 

Weekly Takeaway 

Taken together, this weekly roundup highlights the expanding attack surface created by digital transformation, the persistence of ransomware threats to national infrastructure, and the intensifying regulatory scrutiny facing financial institutions.  From zero-day exploitation and supply chain risks to enforcement actions and transnational crypto fraud, organizations are confronting an environment where operational resilience, compliance, and proactive monitoring are no longer optional; they are foundational to trust and continuity in the digital economy. 

SmarterTools Breached by Own SmarterMail Vulnerabilities

9 February 2026 at 16:22

SmarterTools Breached by Own SmarterMail Vulnerabilities

SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.”

In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.”

ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window.” “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliaQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.”

Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.”

“Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said SentinelOne “did a really good job detecting vulnerabilities and preventing servers from being encrypted.”

He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.”

He said that, based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:
  • Velociraptor
  • JWRapper
  • Remote Access
  • SimpleHelp
  • WinRAR (older, vulnerable versions)
  • exe
  • dll
  • exe
  • Short, random filenames such as e0f8rM_0.ps1 or abc...
  • Random .aspx files
“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”
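As an added example (not code from SmarterTools or from the post quoted above), the following Python script turns the indicators Curtis lists into a simple hunt over two constructed inputs: a file inventory and a handful of Windows Security log lines in a simplified one-line-per-event format. The tool names and the short-random-filename pattern come from the list above; Security log event IDs 4720, 4728 and 4732 are the real IDs for account creation and group membership changes, which is the "take control of AD and create new users" step described. The log line format, hostnames, account names and file paths are assumptions constructed for the demo, and `looks_random` is a deliberately simple heuristic rather than a signature.

```python
import re
from dataclasses import dataclass

# Legitimate tools the SmarterTools post names as abused by Warlock actors.
ABUSED_TOOLS = ("velociraptor", "jwrapper", "simplehelp", "winrar")

# Real Windows Security log event IDs for the "take control of AD and create
# new users" step described above.
ACCOUNT_EVENTS = {
    "4720": "user account created",
    "4728": "member added to security-enabled global group",
    "4732": "member added to security-enabled local group",
}

# Constructed one-line-per-event format: <timestamp> <host> <eventid> key=value ...
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d{4}) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    evidence: str
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic for short random names like e0f8rM_0: 3-10 characters that mix
    letters and digits, or are letters with no vowel at all."""
    core = stem.replace("_", "").replace("-", "")
    if not 3 <= len(core) <= 10 or not core.isalnum():
        return False
    has_digit = any(c.isdigit() for c in core)
    has_alpha = any(c.isalpha() for c in core)
    vowel_free = not any(c in "aeiouAEIOU" for c in core)
    return (has_digit and has_alpha) or (has_alpha and vowel_free)


def scan_inventory(host: str, paths) -> list:
    """Flag abused-tool names anywhere in a path and random-looking .ps1/.aspx files."""
    findings = []
    for path in paths:
        lowered = path.lower()
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        stem, _, ext = name.rpartition(".")
        hit = next((t for t in ABUSED_TOOLS if t in lowered), None)
        if hit:
            findings.append(Finding(host, path, f"abused tool name '{hit}' in path"))
        elif ext.lower() in ("ps1", "aspx") and looks_random(stem):
            findings.append(Finding(host, path, f"random-looking .{ext.lower()} file"))
    return findings


def scan_events(lines, allowed_creators=frozenset()) -> list:
    """Flag account-creation and group-change events by anyone outside the
    accounts that are allowed to provision users."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["eid"] not in ACCOUNT_EVENTS:
            continue
        fields = dict(KV_RE.findall(m["rest"]))
        actor = fields.get("SubjectUser", "?")
        if actor in allowed_creators:
            continue
        findings.append(Finding(m["host"], line,
                                f"{ACCOUNT_EVENTS[m['eid']]} by '{actor}'"))
    return findings


# Constructed sample inputs (hostnames, paths and accounts are invented).
SAMPLE_FILES = [
    r"C:\Windows\Temp\e0f8rM_0.ps1",
    r"C:\inetpub\wwwroot\Default.aspx",
    r"C:\inetpub\wwwroot\k9x2q.aspx",
    r"C:\Users\Public\SimpleHelp\Remote Access.exe",
    r"C:\Scripts\Backup-Mailboxes.ps1",
]
SAMPLE_EVENTS = [
    "2026-01-28T02:14:09Z DC01 4624 SubjectUser=jdoe LogonType=10",
    "2026-01-28T02:15:41Z DC01 4720 SubjectUser=svc_mail TargetUser=sqladmin2",
    "2026-01-28T02:15:42Z DC01 4728 SubjectUser=svc_mail TargetUser=sqladmin2 Group=Domain-Admins",
    "2026-01-28T09:00:00Z DC01 4720 SubjectUser=it_provisioning TargetUser=new.hire",
]


def run_hunt() -> list:
    """Run both scans over the constructed samples; five findings are expected."""
    return (scan_inventory("MAIL01", SAMPLE_FILES)
            + scan_events(SAMPLE_EVENTS, frozenset({"it_provisioning"})))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f.host}: {f.reason}\n    {f.evidence}")
```

The point of the `allowed_creators` set is the 6–7 day dwell Curtis describes: a new domain account created by a mail service account at 02:15 is the kind of event that sits quietly in the Security log for a week before anything encrypts, so the check is worth running on hosts that were patched after the vulnerable window, not only on hosts that are visibly broken.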

The Cyber Express Weekly Roundup: Global Cybersecurity Incidents and Policy Shifts

As the first week of February 2026 concludes, The Cyber Express weekly roundup examines the developments shaping today’s global cybersecurity landscape. Over the past several days, governments, technology companies, and digital platforms have confronted a wave of cyber incidents ranging from disruptive attacks on public infrastructure to large-scale data exposures and intensifying regulatory scrutiny of artificial intelligence systems.  This week’s cybersecurity reporting reflects a broader pattern: rapid digital expansion continues to outpace security maturity. High-profile breaches, misconfigured cloud environments, and powerful AI tools are creating both defensive opportunities and significant new risks.  

The Cyber Express Weekly Roundup 

Cyberattack Disrupts Spain’s Ministry of Science Operations 

Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters. Read more.. 

OpenAI Expands Controlled Access to Advanced Cyber Defense Models 

OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date. Read more.. 

French Authorities Escalate Investigations Into X and Grok AI 

French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial. Read more.. 

AI-Generated Platform Moltbook Exposes Millions of Credentials 

Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. Read more.. 
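The Moltbook exposure above is a misconfiguration class rather than a one-off: a Supabase project key is a JWT whose `role` claim says what it can do, an `anon` key in a browser bundle is expected and is safe only when row-level security covers every table, and a `service_role` key (which bypasses row-level security) never belongs in client code. As an added example, not code from Wiz, Moltbook or Supabase, this Python scanner pulls JWT-shaped tokens and project URLs out of a constructed JavaScript bundle, reads each token's role claim without verifying the signature, and returns a triage verdict. The bundle text, the project reference `abcdefghijkl` and the fake signature are constructed for the demo; the severity scale is this example's own.

```python
import base64
import json
import re

# JWT-shaped tokens: three base64url segments, the first two starting with
# "eyJ" (which is how the bytes '{"' encode).
TOKEN_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
PROJECT_URL_RE = re.compile(r"https://[a-z0-9-]+\.supabase\.co")

# Triage weight per role claim; any unrecognised role is treated as needing review.
SEVERITY = {"service_role": 3, "unknown": 2, "anon": 1, "project-url": 0}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_role(token: str) -> str:
    """Read the 'role' claim from the payload segment. No signature check: the
    question is what the token claims to be, not whether it is valid."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return "unknown"
    if not isinstance(payload, dict):
        return "unknown"
    return str(payload.get("role", "unknown"))


def scan_bundle(js_text: str) -> list:
    """Return findings sorted worst-first: one per embedded token or project URL."""
    findings = []
    for m in TOKEN_RE.finditer(js_text):
        role = token_role(m.group())
        findings.append({"offset": m.start(), "kind": role,
                         "severity": SEVERITY.get(role, SEVERITY["unknown"]),
                         "preview": m.group()[:16] + "..."})
    for m in PROJECT_URL_RE.finditer(js_text):
        findings.append({"offset": m.start(), "kind": "project-url",
                         "severity": 0, "preview": m.group()})
    return sorted(findings, key=lambda f: (-f["severity"], f["offset"]))


def verdict(findings: list) -> str:
    """Collapse the findings into the one action a reviewer should take."""
    worst = max((f["severity"] for f in findings), default=0)
    if worst >= 3:
        return "BLOCK: service_role key in client code; rotate it and move that call server-side"
    if worst == 2:
        return "REVIEW: JWT with an unrecognised role claim in client code"
    if worst == 1:
        return "CHECK-RLS: anon key present (expected); confirm row-level security is enabled on every table"
    return "CLEAN: no Supabase-style keys found"


def make_fake_token(claims: dict) -> str:
    """JWT-shaped string with a bogus signature; only for the constructed sample."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed client bundle: the project reference and both keys are fakes.
SAMPLE_BUNDLE = f"""
const supabaseUrl = "https://abcdefghijkl.supabase.co";
const anonKey = "{make_fake_token({'iss': 'supabase', 'ref': 'abcdefghijkl', 'role': 'anon'})}";
// someone "fixed" a permissions error by pasting the admin key into the frontend
const adminKey = "{make_fake_token({'iss': 'supabase', 'ref': 'abcdefghijkl', 'role': 'service_role'})}";
export const client = createClient(supabaseUrl, adminKey);
"""

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"[sev {f['severity']}] offset {f['offset']:>4}  {f['kind']:<12} {f['preview']}")
    print(verdict(scan_bundle(SAMPLE_BUNDLE)))
```

Run this over built bundles in CI rather than over source: the key that reaches the browser is the one that matters, and bundlers inline environment variables that look innocuous in the repository. A `CHECK-RLS` result is not a pass; it is the cue to verify, table by table, that the anon role cannot read or write more than a single user should.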

Substack Discloses Breach Months After Initial Compromise 

Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” Read more.. 

Weekly Takeaway 

This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.

Berchem School Hit by Cyberattack as Hackers Target Parents With €50 Ransom Demand

3 February 2026 at 01:06

A cyberattack on Berchem school has raised serious concerns after hackers demanded ransom money not only from the institution but also directly from students’ families. The Berchem school cyberattack incident occurred at the secondary school Onze-Lieve-Vrouwinstituut Pulhof (OLV Pulhof), where attackers disrupted servers and later threatened to release sensitive information unless payments were made. The case, confirmed by the public prosecutor’s office and first reported by ATV, highlights the growing threat of ransomware attacks on schools, where cybercriminals increasingly target educational institutions due to their reliance on digital systems and the sensitive data they store.

Cyberattack on Berchem School Disrupted Servers

The Berchem school hacking incident took place shortly after the Christmas holidays, in early January. According to reports, the school’s servers were taken offline, causing disruption to internal systems. Hackers reportedly demanded a ransom from the school soon after the breach. However, the institution refused to comply with the demands. This decision appears to have triggered an escalation in the attackers’ strategy, shifting pressure onto parents.

School Files Police Complaint After Ransom Demand

Following the cyberattack on Berchem school, OLV Pulhof acted quickly by contacting law enforcement. The school filed a formal complaint against unknown persons and brought in the police’s Regional Computer Crime Unit (RCCU) to respond to the incident. In addition to involving authorities, the school also moved to secure its digital infrastructure. Out of concern for student safety and data protection, the institution reportedly set up a new, secure network environment soon after the breach. The incident is now under investigation by the Federal Judicial Police.

Hackers Target Parents With €50 Per Child Ransom Demand

This week, the cybercriminals expanded their attack by sending threatening messages directly to parents of students. The hackers demanded a ransom of 50 euros per child, warning that private information such as addresses or photos could be released if the payment was not made. A student described the situation, saying that the school required everyone to change passwords and warned students not to click on suspicious links. “We had to change all our passwords at school, otherwise they would release our addresses or photos,” the student said. Another student added that their father received an email demanding payment, which caused fear and uncertainty. “My dad also got an email last night. That scares me a little. They were asking for 50 euros per child.” This tactic reflects a disturbing trend in school cyberattacks, where criminals attempt to exploit families emotionally and financially.

Parents Advised Not to Pay and Not to Click

The school has strongly advised parents not to respond to the ransom demands. Families were told not to pay, and more importantly, not to click on any links or attachments included in the hackers’ communications, as these could lead to further compromise or malware infections. Cybersecurity experts generally warn against paying ransoms, as it does not guarantee that stolen data will be deleted or that systems will be restored. Paying can also encourage attackers to continue targeting schools and vulnerable communities.

Classes Continue Despite Cybersecurity Incident

Despite the attack, lessons at OLV Pulhof have continued. While the school’s servers were initially down, it appears that temporary solutions and new systems allowed teaching to proceed. However, the full consequences of the hacking have not yet been disclosed. It remains unclear what data may have been accessed or whether any personal information was stolen. Educational institutions often store sensitive records, including student details, contact information, and internal documents, making them attractive targets for cybercriminal groups.

Rising Concern Over Ransomware Attacks on Schools

The cyberattack on the Berchem secondary school is part of a wider pattern of increasing cybercrime targeting schools across Europe. Schools often face limited cybersecurity budgets, older IT systems, and large networks of users, making them easier to infiltrate than larger corporate organizations. Attacks like this demonstrate how ransomware incidents can go beyond technical disruption, affecting families and creating fear in local communities.

Investigation Ongoing

Authorities have not yet identified who is behind the attack. The Federal Judicial Police continue to investigate, while the school works to strengthen its systems and protect students and staff. For now, parents are being urged to remain cautious, avoid engaging with the attackers, and report any suspicious communications to law enforcement. The Berchem school cyberattack serves as a reminder that cybersecurity in schools is no longer optional, but essential for protecting students, families, and the education system itself.

The Year Ransomware Went Fully Decentralized: Cyble’s 2025 Threat Analysis

Cyble’s Annual Threat Landscape Report for 2025 documents a cybercrime environment that remained volatile even as international law enforcement agencies escalated disruption efforts. Large-scale takedowns, arrests, and infrastructure seizures failed to slow adversaries for long. Instead, cybercriminal ecosystems fractured, reorganized, and re-emerged across decentralized platforms, encrypted messaging channels, and invitation-only forums. The ransomware landscape, in particular, demonstrated a capacity for rapid regeneration that outpaced enforcement pressure.

According to Cyble’s report, ransomware was the most destabilizing threat category throughout 2025. Attacks expanded across government, healthcare, energy, financial services, and supply-chain-dependent industries. Many groups moved away from encryption-centric campaigns toward extortion-only operations, relying on data theft, public exposure, and reputational damage to extract payment. This shift reduced operational friction and shortened attack cycles, making traditional detection and containment models less effective.

Artificial intelligence further reshaped attacker operations. Cyble observed AI-assisted automation being embedded into multiple stages of the kill chain. Negotiation workflows were partially automated. Malware became more polymorphic. Intrusion paths were adapted in real time as defenses responded. These developments increased attack velocity while compressing dwell time, forcing defenders to operate with narrower margins for response.

Measured Threat Activity Across Underground Ecosystems 

CRIL tracked 9,817 confirmed cyber threat incidents across forums, marketplaces, and leak sites during 2025. These incidents impacted organizations spanning critical infrastructure, government agencies, and law enforcement entities.

[Figure: Cyble Annual Threat Landscape Report, sectors and regions targeted by threat actors in 2025 (Source: Cyble)]

The breakdown of activity was heavily skewed toward monetized data exposure. 6,979 incidents involved breached datasets or compromised information advertised for sale. Another 2,059 incidents centered on the sale of unauthorized access, including credentials, VPN entry points, and administrative footholds. Government, law enforcement agencies (LEA), BFSI, IT & ITES, healthcare, education, telecommunications, and retail remained among the most consistently targeted sectors.

Geographic analysis showed a clear concentration of activity in Asia, where 2,650 incidents affected organizations through breaches, leaks, or access sales. North America followed with 1,823 incidents, while Europe and the United Kingdom recorded 1,779 incidents. At the country level, the United States, India, Indonesia, France, and Spain experienced the highest volume of targeting during the year.

Ransomware Growth and Structural Expansion 

Cyble’s Annual Threat Landscape Report quantifies the scale of ransomware’s expansion over time. From 2020 to 2025, ransomware incidents increased by 355%, rising from roughly 1,400 attacks to nearly 6,500. While 2023 marked the largest year-over-year surge, 2025 produced the second-largest spike, with 47% more attacks than observed across the prior two years combined.

The ransomware landscape also broadened structurally. CRIL identified 57 new ransomware groups and 27 new extortion-focused groups emerging in 2025 alone. More than 350 new ransomware strains surfaced during the year, many derived from established codebases such as MedusaLocker, Chaos, and Makop. Rather than consolidating, the ecosystem continued to fragment, complicating attribution and enforcement.

Affiliate Mobility and Repeat Victimization 

One of the most consequential trends documented in the Annual Threat Landscape Report was the recurrence of victim targeting. CRIL observed 62 organizations listed by multiple ransomware groups within the same year, sometimes within weeks. Across a five-year window, more than 250 entities suffered ransomware attacks more than once.

[Figure: Cyble Threat Landscape, ransomware attack trends between 2020 and 2025 (Source: Cyble)]

This pattern reflected widespread affiliate mobility. Ransomware-as-a-Service operators shared affiliates who moved between platforms, relisted victims, and reused stolen data to sustain pressure. Groups such as Cl0p, Qilin, Lynx, INC Ransom, Play, LockBit, and Crypto24 repeatedly claimed overlapping victims during short timeframes.

Several new groups, including Devman and Securotrop, initially operated within established RaaS programs before developing independent tooling and infrastructure. This progression blurred the line between affiliate and operator and further decentralized the ransomware landscape.

Law Enforcement Pressure and Criminal Countermoves 

Law enforcement activity intensified throughout 2025. Authorities disrupted operations tied to CrazyHunters and 8Base and arrested or indicted affiliates associated with Black Kingdom, Conti, DoppelPaymer, RobbinHood, Scattered Spider, DiskStation, Ryuk, BlackSuit, and Yanluowang.

These actions forced tactical changes but did not suppress activity. CRIL confirmed insider recruitment efforts by Scattered Spider, LAPSUS$ Hunters, and Medusa. Other groups, including Play and MedusaLocker, publicly referenced similar recruitment strategies through announcements on their data leak sites. The ransomware landscape responded to enforcement pressure by becoming more opaque rather than less active.

Tactical Shifts Toward Extortion-Only Models 

Operational realignment became more visible in 2025. Hunters International abandoned its RaaS model and rebranded as World Leaks, repositioning itself as an Extortion-as-a-Service provider while maintaining cross-relationships with RaaS operators such as Secp0. Analysis also indicated that Everest redirected part of its activity toward extortion-only campaigns, reducing reliance on encryption payloads.

[Figure: Cyble Threat Landscape Report 2025, rebranded ransomware groups reported in 2025 (Source: Cyble)]

The year also saw widespread rebranding. Hunters International became World Leaks. Royal re-emerged as Chaos. LockBit 3.0 evolved into LockBit 4.5 and later 5.0. HelloKitty resurfaced as Kraken. At the same time, numerous groups dissolved or ceased operations, including ALPHV/BlackCat, Phobos/8Base, Cactus, RansomHub, and CrazyHunter.

Victimology and Sector Impact 

Ransomware victimology data revealed 4,292 victims in the Americas, 1,251 in Europe and the UK, 589 across Asia and Oceania, and 202 within META-region organizations. The United States accounted for 3,527 victims, followed by Canada (360), Germany (251), the United Kingdom (198), Brazil (111), Australia (98), and India (67).

Sectoral impact remained uneven but severe. Manufacturing recorded 600 impacted entities, with industrial machinery and fabricated metal manufacturers bearing the brunt. Healthcare followed with 477 victims, where general hospitals and specialty clinics were repeatedly targeted to exploit the sensitivity of Personal Health Information. Construction, professional services, IT & ITES, BFSI, and government organizations also experienced sustained pressure.

Supply Chain Exploitation and Infrastructure Risk 

Supply chain compromise emerged as a defining feature of the 2025 ransomware landscape. Cl0p’s exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882 affected more than 118 entities worldwide, primarily in IT & ITES. Among these victims were six organizations classified as critical infrastructure industries. Fog ransomware actors compounded supply chain risk by leaking GitLab source code from multiple IT firms.

Government and law enforcement agencies in the United States were targeted aggressively, with more than 40 incidents impacting essential public services. Semiconductor manufacturers in Taiwan and the United States remained priority targets due to their role as global production hubs. European semiconductor developers also faced attacks, though at lower volumes.

High-Impact Incidents and Strategic Targeting 

Healthcare attacks continued to cause operational disruption, with repeated exposure of PHI used to intensify extortion pressure. Telecom providers faced sustained risk due to large-scale theft of customer PII, which threat actors actively traded and reused for downstream fraud. In several cases, ransomware groups removed breach disclosures from leak sites shortly after publication, suggesting successful ransom payments or secondary data sales.

Aerospace and defense organizations experienced fewer incidents but higher impact. One of the most significant events in 2025 was the attack on Collins Aerospace, which disrupted operations across multiple European airports and exposed proprietary defense technologies. Telemetry indicated disproportionate targeting of NATO-aligned defense developers.

Cyble’s Annual Threat Landscape Report makes one conclusion unavoidable: ransomware is no longer a disruption-driven threat; it is an intelligence-led, adaptive business model that thrives under pressure. The data from 2025 shows an ecosystem optimized for speed, affiliate mobility, and supply-chain leverage, with AI now embedded deep into extortion workflows and intrusion paths.

The Cyble Annual Threat Landscape Report provides complete datasets, regional breakdowns, threat actor analysis, and tactical intelligence drawn directly from CRIL’s monitoring of underground ecosystems. Readers can download the report to access the detailed findings, charts, and threat mappings referenced throughout this analysis.

Organizations looking to operationalize this intelligence can also book a Cyble demo to see how Cyble’s AI-powered threat intelligence platform translates real-world adversary data into actionable defense, combining automated threat hunting, supply-chain risk visibility, and predictive analytics driven by Cyble’s latest generation of agentic AI.

The Cyber Express Weekly Roundup: Leadership Changes, Blackouts, Malware, and AI Safety Actions

The second week of 2026 continues to bring new cybersecurity issues that affect national security, public stability, business operations, and technology governance. Developments this week ranged from senior intelligence leadership appointments and nationwide internet shutdowns to data breaches, new cybercrime services, and regulatory pressure on generative AI platforms.

Across regions and sectors, the incidents reflect how cyber risks now extend beyond technical environments into policy decisions, civil rights, financial systems, and public trust. Governments, enterprises, and technology providers faced challenges tied to resilience, accountability, and threat escalation, reinforcing cybersecurity’s role as a strategic issue rather than a purely operational one.

The Cyber Express Weekly Roundup 

X Tightens Grok AI Restrictions 

X (previously Twitter) introduced new restrictions on its AI chatbot Grok to prevent the creation of nonconsensual sexualized images, including content that may constitute child sexual abuse material. Measures include blocking sexualized image edits of real people, limiting image generation to paid users, and applying geoblocking where such content is illegal. The changes follow widespread abuse reports and ongoing investigations by U.S. and European authorities. Read more… 

NSA Appoints Timothy Kosiba as Deputy Director 

The National Security Agency announced the appointment of Timothy Kosiba as its 21st Deputy Director, making him the agency’s senior civilian official responsible for strategy execution, policy, and operational priorities. Kosiba brings more than 30 years of experience across the U.S. intelligence community, including senior roles at the NSA and U.S. Cyber Command, overseas liaison assignments, and leadership of major operational units. Read more… 

Iran Enters Fourth Day of Nationwide Internet Blackout 

Iran entered a fourth day of a nationwide internet blackout amid widespread unrest linked to the collapse of the rial, now trading at 1.4 million to the U.S. dollar. Authorities reduced national connectivity to approximately 1%, cutting off communications for more than 80 million people. Reports indicate thousands have been detained and hundreds killed since protests began, drawing international concern over censorship, human rights, and crisis communications. Read more… 

Dr. Amit Chaubey Warns of Expanding “Business Blast Radius” 

In an interview with The Cyber Express, Dr. Amit Chaubey said cyber incidents in 2026 are creating a broader “business blast radius,” extending beyond IT into national resilience, legal exposure, operational continuity, and public trust. He identified failures in external dependencies, such as cloud services, identity systems, connectivity, and key suppliers, as the primary drivers of large-scale disruption, warning that many organizations remain unprepared for sustained degraded operations. Read more… 

Endesa Data Breach Affects Energía XXI Customers 

Spanish energy provider Endesa disclosed a data breach involving unauthorized access to its commercial platform, impacting customers of its regulated operator Energía XXI. Exposed data includes identification details, contact information, national identity numbers, contract data, and possible payment information such as IBANs. Endesa stated that account passwords were not compromised and reported no evidence of data misuse as investigations continue. Read more… 

New Android Banking Malware deVixor Identified 

Cyble researchers identified a new Android banking malware called deVixor, a remote access trojan combining credential theft, device surveillance, and ransomware functionality. Active since October, the malware targets Iranian users through phishing sites distributing malicious APKs and is operated as a service-based criminal platform using Telegram and Firebase infrastructure. Researchers noted the malware’s scalability and long-term operational design. Read more… 

Microsoft Disrupts RedVDS Cybercrime Platform 

Microsoft announced the takedown of RedVDS, a cybercrime-as-a-service platform costing $24 per month that provided criminals with disposable virtual machines for fraud operations. In coordination with international law enforcement, Microsoft seized infrastructure linked to an estimated $40 million in reported U.S. fraud losses, with victims across healthcare, real estate, nonprofit, and other sectors. The action marks Microsoft’s 35th civil case against cybercrime infrastructure. Read more… 

Weekly Roundup Takeaway 

This week’s events highlight how cybersecurity in 2026 directly affects governance, economic stability, civil rights, and technology accountability. From intelligence leadership changes and state-imposed internet shutdowns to advanced malware, large-scale fraud platforms, and AI safety enforcement, cyber risks now demand coordinated action across policy, regulation, and operations rather than technical controls alone. 

Romanian Water Authority Hit by Ransomware; 1,000 Systems Across 10 Regions Compromised

22 December 2025 at 14:03


Romania's National Directorate for Cyber Security disclosed that on Saturday a ransomware attack compromised approximately 1,000 IT systems belonging to the nation's water authority - known as Administrația Națională Apele Române. The attack impacted 10 of the country's 11 regional water basin administrations including Oradea, Cluj, Iași, Siret, and Buzău.

The attackers exploited BitLocker—a legitimate Windows encryption mechanism—for malicious purposes to lock files across the infrastructure and deliver a ransom note demanding contact within seven days.

The incident affected multiple critical systems including Geographical Information System (GIS) application servers, database servers, Windows workstations, Windows Server systems, email and web servers, and Domain Name Servers. Despite the extensive IT compromise, operational technologies remained unaffected, allowing normal operations to continue.

Hydrotechnical Structures Remain Secure

The Romanian water authority clarified that the operation of hydrotechnical structures continues solely through dispatch centers using voice communications. Hydrotechnical constructions remain secure and are operated locally by specialized personnel coordinated through dispatch centers.

The organization stressed that despite the IT infrastructure compromise, water management operations including dam control, flood management, and water distribution systems continue functioning normally through manual oversight and voice coordination protocols developed for such contingencies.

BitLocker Weaponized for Malicious Encryption

Following an initial technical evaluation, investigators determined that the attackers had abused BitLocker, the legitimate encryption mechanism built into Windows, to encrypt and thereby lock files across the affected systems. The technique illustrates a shift in ransomware tactics: rather than deploying custom malware, threat actors increasingly leverage built-in security tools.
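Because the encryption tool is a trusted Windows component, file-level antivirus signatures are of little use; what defenders can watch is the moment BitLocker is turned on where no deployment job should be doing so. The detection logic below is an added example, not code from the article or the DNSC: it runs over constructed process-creation events (field names loosely modelled on Sysmon Event ID 1 and assumed for the demo) and flags BitLocker enable commands on hosts outside an allow-list.

```python
"""Added example (not from the article): flag process-creation events that
enable BitLocker encryption on hosts where no such change is expected.
Log lines are constructed here, loosely modelled on Sysmon Event ID 1
(process creation) fields; the field names are an assumption for the demo."""
import json
import re

# Both `manage-bde -on` and the `Enable-BitLocker` PowerShell cmdlet are
# documented Windows tools, so their presence alone is not malicious; the rule
# pairs them with an allow-list of hosts where a legitimate rollout may run them.
BITLOCKER_ENABLE = re.compile(
    r"(manage-bde(\.exe)?\s+(-|/)on\b|Enable-BitLocker\b)", re.IGNORECASE)

def parse_events(raw_lines):
    """Parse one JSON object per line; skip lines that are not valid JSON."""
    events = []
    for line in raw_lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_unexpected_bitlocker(events, allowed_hosts):
    """Return (host, user, command) for BitLocker-enable commands executed on
    hosts outside the allow-list. Database, GIS or DNS servers would normally
    not be on that list, so a hit there deserves immediate triage."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if BITLOCKER_ENABLE.search(cmd) and ev.get("Computer") not in allowed_hosts:
            hits.append((ev.get("Computer"), ev.get("User"), cmd))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    '{"EventID":1,"Computer":"WS-DEPLOY01","User":"CORP\\\\svc_deploy",'
    '"CommandLine":"manage-bde.exe -on C: -RecoveryPassword"}',
    '{"EventID":1,"Computer":"GIS-APP02","User":"CORP\\\\admin",'
    '"CommandLine":"powershell.exe -Command Enable-BitLocker -MountPoint D: -UsedSpaceOnly"}',
    '{"EventID":1,"Computer":"DNS01","User":"CORP\\\\admin",'
    '"CommandLine":"cmd.exe /c manage-bde /on E: -RecoveryPassword"}',
    '{"EventID":1,"Computer":"DNS01","User":"CORP\\\\admin",'
    '"CommandLine":"manage-bde -status C:"}',
    'not json at all',
]
ALLOWED = {"WS-DEPLOY01"}  # hosts where an approved encryption rollout runs

if __name__ == "__main__":
    for hit in find_unexpected_bitlocker(parse_events(SAMPLE_LOG), ALLOWED):
        print("ALERT: BitLocker enabled outside allow-list:", hit)
```

The status query on DNS01 and the rollout on the allow-listed workstation are not reported; only the two enable commands on unexpected servers are.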

The attackers transmitted a ransom note demanding contact within seven days. The National Directorate for Cyber Security reiterated its strict policy and recommendation that ransomware victims should not contact or negotiate with the attackers, so as to avoid encouraging and financing this criminal ecosystem.

The Cyber Express reached out to the DNSC media center to ask what data was compromised and which group had claimed responsibility for the attack. Authorities recommended that the IT teams at the National Administration of Romanian Waters and the regional water administrations not be contacted, so that they can concentrate on restoring IT services without distraction from media inquiries or external pressure.


Infrastructure Not Protected by National Cyber Defense System

The investigation revealed that the Romanian water authority's infrastructure was not, at the time of the attack, protected by the national protection system for IT infrastructures of critical importance to national security against threats from cyberspace.

Necessary procedures have now been initiated to integrate this infrastructure into systems developed by the National Cyber Intelligence Center for ensuring cyber protection of both public IT infrastructures and private ones with critical importance for national security through use of cyber intelligence technologies.

Technical teams from the Directorate, National Administration Romanian Waters, the National Cyber Intelligence Center within the Romanian Intelligence Service, affected entities, and other state authorities with competencies in cybersecurity are actively involved in investigating and limiting the impact of the cyber incident.

This is an evolving story and will be updated as new information becomes available.

FBI Seizes E-Note Crypto Exchange Linked to Ransomware Money Laundering

18 December 2025 at 04:15


The FBI E-Note cryptocurrency exchange takedown marks a major international law enforcement action against financial infrastructure allegedly used by transnational cybercriminal groups. The U.S. Department of Justice confirmed on Wednesday that the FBI, working with partners in Germany and Finland, disrupted and seized the online infrastructure of E-Note, a cryptocurrency exchange accused of laundering illicit funds linked to ransomware attacks and account takeovers.

According to the United States Attorney’s Office for the Eastern District of Michigan, the coordinated operation targeted websites and servers used to operate E-Note, which allegedly provided cash-out services for cybercriminals targeting U.S. healthcare organizations and critical infrastructure.

Image: FBI Seizes E-Note Crypto Exchange (Source: https://www.justice.gov/)

“The United States Attorney’s Office for the Eastern District of Michigan announced today a coordinated action with international partners and the Michigan State Police to disrupt and take down the online infrastructure used to operate E-Note, a cryptocurrency exchange that allegedly facilitated money laundering by transnational cyber-criminal organizations,” the Justice Department said.

E-Note Allegedly Laundered Over $70 Million in Illicit Funds

Investigators say the FBI E-Note cryptocurrency exchange takedown follows years of financial tracking by federal authorities. Since 2017, the FBI identified more than $70 million in illicit proceeds transferred through the E-Note payment service and its associated money mule network. These funds were allegedly tied to ransomware attacks and account takeovers, including proceeds stolen or extorted from victims in the United States. “Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network,” the DOJ stated. Authorities believe the exchange played a key role in converting cryptocurrency into various cash currencies, allowing cybercriminals to move funds across international borders while avoiding detection.

Russian National Charged in Money Laundering Conspiracy

As part of the operation, U.S. prosecutors unsealed an indictment against Mykhalio Petrovich Chudnovets, a 39-year-old Russian national. Chudnovets is charged with one count of conspiracy to launder monetary instruments, an offense that carries a maximum sentence of 20 years in prison. According to court documents, Chudnovets began offering money laundering services to cybercriminals as early as 2010. Prosecutors allege that he controlled and operated the E-Note payment processing service until law enforcement seized its infrastructure. “Until this seizure by law enforcement, Chudnovets offered money laundering services via the E-Note payment processing service, which he controlled and operated,” the DOJ said. Investigators allege that Chudnovets worked closely with financially motivated cybercriminals to transfer criminal proceeds internationally and convert cryptocurrency into cash.

Servers, Websites, and Apps Seized in Coordinated Action

During the FBI E-Note cryptocurrency exchange takedown, U.S. and international authorities seized servers hosting the operation, as well as related mobile applications. Law enforcement also took control of the websites “e-note.com,” “e-note.ws,” and “jabb.mn.” U.S. authorities separately obtained earlier copies of Chudnovets’ servers, which included customer databases and transaction records, providing investigators with detailed insight into the alleged laundering activity. The Justice Department confirmed that the action was carried out with support from the German Federal Criminal Police Office, the Finnish National Bureau of Investigation, and the Michigan State Police Michigan Cyber Command Center (MC3).

Investigation Led by FBI Detroit Cyber Task Force

The case is being investigated by the FBI Detroit Cyber Task Force, with Assistant U.S. Attorney Timothy Wyse prosecuting. The announcement was made jointly by United States Attorney Jerome F. Gorgon, Jr. and Jennifer Runyan, Special Agent in Charge of the FBI’s Detroit Division. Authorities emphasized that individuals who believe their funds were laundered through E-Note should contact law enforcement. “Any individual who believes he/she is a victim whose funds were laundered through Chudnovets should reach out to law enforcement via email address e-note-information@fbi.gov,” the DOJ said. The Justice Department also noted that the indictment remains an allegation. “An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.”

PDVSA Cyberattack Disrupts Administrative Systems, Oil Cargo Deliveries Suspended

17 December 2025 at 02:09


Venezuela’s state-run oil company, Petróleos de Venezuela (PDVSA), has confirmed that a cyberattack on its administrative systems caused widespread disruptions, even as the company publicly claimed that oil operations were unaffected. The Venezuela oil cyberattack, or PDVSA cyberattack, comes at a time of escalating political and military tensions between Caracas and Washington, following recent U.S. actions against Venezuelan oil shipments. PDVSA announced the incident in a statement on Monday, blaming the attack on the United States and describing it as part of a broader strategy to seize control of Venezuela’s oil resources. However, cybersecurity experts and company sources cited by Reuters have found no evidence linking the PDVSA cyberattack to the U.S. government.

PDVSA Blames US for Cyberattack on Venezuela’s Oil Company

In its statement, PDVSA accused the United States of coordinating the PDVSA cyberattack as part of what it called an aggressive campaign against Venezuela’s energy sovereignty. “This attempt at aggression adds to the public strategy of the U.S. government to take over Venezuelan oil by force and piracy,” PDVSA said. The company claimed the cyberattack was carried out by foreign interests working with domestic actors to undermine Venezuela’s right to develop its energy sector independently. Venezuela’s oil ministry echoed these accusations, stating that the attack aligned with U.S. efforts to control the country’s oil through “force and piracy.” Despite these claims, PDVSA provided no technical details about the attack or evidence supporting the allegations.

Ransomware Attack Suspected as PDVSA Systems Go Down

While PDVSA said it had recovered from the cyberattack, multiple sources told Reuters that the PDVSA ransomware attack was far more damaging than officials admitted. According to four sources, the company’s administrative systems remained down, forcing a halt to oil cargo deliveries. “There’s no delivery of cargoes, all systems are down,” one PDVSA source told Reuters, adding that workers internally described the incident as a ransomware attack. Sources said PDVSA detected the attack days earlier. In attempting to resolve the issue, antivirus software reportedly disrupted the company’s entire administrative network. As a result, workers were forced to keep handwritten records after systems failed to restart. Although oil production, refining, and domestic fuel distribution were reportedly unaffected by the PDVSA cyberattack, export logistics were severely disrupted. A shipper involved in Venezuelan oil deals confirmed that all loading instructions for export markets remained suspended.

Oil Exports Impacted as PDVSA Limits System Access

As the Venezuela cyberattack on PDVSA continued, the company reportedly ordered administrative and operational staff to disconnect from internal systems. Access for indirect workers was also restricted, according to sources. PDVSA’s website remained offline as of Tuesday afternoon, adding to concerns about the scale of the disruption. Despite official claims of recovery, sources said the effects of the cyber incident were ongoing.

PDVSA Cyberattack Follows US Seizure of Venezuelan Oil Tanker

The PDVSA cyberattack occurred just one week after U.S. military forces seized a PDVSA tanker carrying nearly 1.85 million barrels of Venezuelan heavy crude in the Caribbean. The seizure drew strong condemnation from Cuba, which described it as an act of piracy and a violation of international law. Cuban officials said the tanker was believed to be transporting oil destined for Cuba, a country that relies heavily on Venezuelan oil supplies. Following the seizure, Reuters reported that Venezuelan oil exports fell sharply, with some tankers turning back due to fears of further U.S. action. U.S. officials have indicated that more tanker seizures could follow in the coming weeks.

Geopolitical Pressure Intensifies Around Venezuela’s Oil Industry

The PDVSA cyberattack has unfolded amid a broader U.S. military buildup in the Caribbean, U.S. strikes on alleged drug trafficking boats, and renewed sanctions targeting Venezuelan shipping and individuals linked to President Nicolás Maduro. The Venezuelan government maintains that the United States is seeking regime change to gain access to the country’s vast oil reserves. PDVSA, which plays a key role in Venezuela’s financial ties with China, Russia, Iran, and Cuba, remains central to that struggle. As tensions rise, the PDVSA cyberattack highlights how digital attacks, sanctions, and military pressure are increasingly converging around Venezuela’s oil sector, with significant implications for global energy markets and regional stability.