Anthropic Is Valued at $380 Billion in New Funding Round

12 February 2026 at 17:38
The artificial intelligence start-up raised another $30 billion, and its valuation more than doubled since its last funding round in September.

© Karsten Moran for The New York Times

Anthropic was founded by Dario Amodei, right, and his sister, Daniela Amodei, who had parted ways with OpenAI.

Anthropic Donates $20 Million to Super PAC Operation to Counter OpenAI

12 February 2026 at 09:33
Anthropic and OpenAI now have their own well-funded political groups that will square off in the midterm elections over artificial intelligence safety and regulation.

© Karsten Moran for The New York Times

Dario Amodei, a co-founder and chief executive of Anthropic, formerly worked at OpenAI.

After Merging xAI and SpaceX, Elon Musk Hopes He Can Win Over Wall Street

7 February 2026 at 20:27
The billionaire’s decision to merge his A.I. start-up with his rocket company will test investors’ interest in giant combinations of unalike businesses.

© Meridith Kohut for The New York Times

SpaceX’s launchpad near Brownsville, Texas. In addition to rockets and satellites, Elon Musk’s company now includes artificial intelligence and social media businesses.

OpenAI in Talks to Raise as Much as $100 Billion

29 January 2026 at 15:53
OpenAI’s discussions with Microsoft, Nvidia, Middle Eastern sovereign wealth funds and others could value it at $750 billion or more.

© Aaron Wojack for The New York Times

OpenAI’s San Francisco offices.

Silicon Valley Wants to Build A.I. That Can Improve A.I. on Its Own

26 January 2026 at 05:02
Ricursive Intelligence, founded by two former Google researchers and valued at $4 billion, is among several efforts to automate the creation of artificial intelligence.

© Cayce Clifford for The New York Times

Anna Goldie and Azalia Mirhoseini, the founders of Ricursive Intelligence, at the start-up’s offices in Palo Alto, Calif.

The Drama at Thinking Machines, a New A.I. Start-Up, Is Riveting Silicon Valley

Defections, secret conversations, deal talks that fizzled and a battle for control: The turmoil at Thinking Machines Lab is the artificial intelligence industry’s latest drama.

© Jim Wilson/The New York Times

Ms. Murati with Mr. Altman and two other OpenAI colleagues in 2023. She co-founded Thinking Labs a year ago.

NCSC Warns of Rising Russian-Aligned Hacktivist Attacks on UK Organisations

21 January 2026 at 02:41

The UK’s National Cyber Security Centre (NCSC) has issued a fresh alert warning that Russian-aligned hacktivist groups continue to target British organisations with disruptive cyberattacks. The advisory, published on 19 January 2026, highlights a sustained campaign aimed at taking websites offline, disrupting online services, and disabling critical systems, particularly across local government and national infrastructure.

The NCSC warning on hacktivist attacks urges organisations to strengthen their defences against denial-of-service (DoS) incidents, which, while often low in technical sophistication, can still cause widespread operational disruption. Officials say the activity is ideologically driven, reflecting geopolitical tensions linked to Western support for Ukraine, rather than financial motivations.

Persistent Threat from Russian-Aligned Hacktivist Groups

According to the NCSC, Russian-aligned hacktivist groups have been conducting cyber operations against UK and global organisations for several years, with activity intensifying since the Russian invasion of Ukraine. In December 2025, the NCSC co-sealed an international advisory warning that pro-Russian hacktivists were targeting government and private sector entities in NATO member states and other European countries perceived as hostile to Russia’s geopolitical interests.

One group named in the advisory, NoName057(16), has been active since March 2022 and has repeatedly launched distributed denial-of-service (DDoS) attacks against public and private sector organisations. The group has targeted government bodies and businesses across Europe, including frequent DDoS attempts against UK local government services.

NoName057(16) primarily operates through Telegram channels and has used GitHub and other repositories to host its proprietary DDoS tool, known as DDoSia. The group has also shared tactics, techniques, and procedures (TTPs) with followers to encourage participation in coordinated disruption campaigns.

The NCSC said this activity reflects an evolution in the threat landscape, with attacks increasingly extending beyond traditional IT systems to include operational technology (OT) environments. As a result, the agency is encouraging all OT owners to review mitigation measures and harden their cyber defences.

NCSC Warning on Hacktivist Attacks and Resilience Measures

The NCSC warning on hacktivist attacks stresses that organisations, particularly local authorities and operators of critical national infrastructure, should review their DoS protections and improve resilience. While DoS attacks are often technically simple, a successful incident can overwhelm key websites and online systems, preventing access to essential services and causing significant operational and financial strain.

NCSC Director of National Resilience Jonathon Ellison said: “We continue to see Russian-aligned hacktivist groups targeting UK organisations and although denial-of-service attacks may be technically simple, their impact can be significant. By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day.”

He urged organisations to act quickly by reviewing and implementing the NCSC’s guidance to protect against DoS attacks and related cyber threats.

Guidance to Mitigate Denial-of-Service Attacks

As part of its advisory, the NCSC outlined practical steps organisations can take to reduce their exposure to DoS incidents. These include understanding where services may be vulnerable to resource exhaustion and clarifying whether responsibility for protection lies with internal teams or third-party suppliers.

Organisations are encouraged to strengthen upstream defences by working closely with internet service providers and cloud vendors. The NCSC recommends understanding the DoS mitigations already in place, exploring third-party DDoS protection services, deploying content delivery networks for web-based platforms, and considering multiple service providers for critical functions.

The agency also advises building systems that can scale rapidly during an attack. Cloud-native applications can be automatically scaled using provider APIs, while private data centres can deploy modern virtualisation, provided spare capacity is available.

Preparing for and Responding to Attacks

The advisory highlights the importance of a clear response plan that allows services to continue operating, even in a degraded state. Recommended measures include graceful degradation, retaining administrative access during an attack, adapting to changing attacker tactics, and maintaining scalable fallback options for essential services.

Testing and monitoring are also central to resilience. The NCSC encourages organisations to test their defences to understand the volume and types of attacks they can withstand, and to deploy monitoring tools that can detect incidents early and support real-time analysis.

Broader Context and Ongoing Threat

This is not the first time the NCSC has called out malicious activity from Russian-aligned groups. In 2023, it warned of heightened risks from state-aligned adversaries following Russia’s invasion of Ukraine. The agency says the latest activity remains ideologically motivated and is carried out outside direct state control.

Organisations are also being encouraged to engage with the NCSC’s heightened cyber threat reporting and information-sharing channels. Officials say building resilience now is critical as Russian-aligned hacktivist groups continue to test the UK’s digital infrastructure through persistent and disruptive campaigns.

An A.I. Start-Up Says It Wants to Empower Workers, Not Replace Them

20 January 2026 at 07:00
Founded by researchers from Anthropic, Google and xAI, the new company, Humans&, is already valued at $4.48 billion.

© Christie Hemm Klok for The New York Times

The founders of the A.I. start-up Humans& aim to focus on how A.I. can support human workers rather than replace them. From left, Georges Harik, Andi Peng, Noah Goodman, Eric Zelikman and Yuchen He.

The Rise of Prediction Markets

19 January 2026 at 05:01
Billions of dollars are trading hands on sites like Polymarket and Kalshi, where people bet on everything from Taylor Swift’s wedding date to election outcomes.

© Mojo Wang

On prediction markets like Polymarket and Kalshi, people can place wagers on virtually anything, from the outcomes of sports matchups and political elections to the date of Taylor Swift’s wedding.

China Is Investigating Meta’s Acquisition of the AI Start-Up Manus

Regulators said they would look at whether the deal for Manus, a Singapore start-up with Chinese roots, complied with China’s export and investment rules.

© Jason Henry for The New York Times

Meta’s deal for Manus last month capped a year of extravagant spending by the American company on elite artificial intelligence researchers.

Optimism About Nuclear Energy Is Rising Again. Will It Last?

6 January 2026 at 12:36
Companies like Kairos Power are building new types of reactors with the encouragement of the Trump administration, but their success is far from assured.

© Ramsay de Give for The New York Times

Kairos Power, which is developing a new kind of nuclear reactor, makes many of its parts at a facility in Albuquerque, N.M.

Meet a U.S. Start-Up Trying to Break China’s Rare-Earth Monopoly

29 December 2025 at 05:00
Companies like Phoenix Tailings, which recently began producing metal in New Hampshire, are using new processing methods to compete with Chinese suppliers.

© Tony Luong for The New York Times

Phoenix Tailings runs a metal-making plant in Exeter, N.H.

Trump Media Merger With Nuclear Fusion Firm Raises Ethics Questions

Trump Media plans to merge with a company developing nuclear fusion technology, putting the president’s financial interests in competition with other energy companies over which his administration holds sway.

© Pete Marovich for The New York Times

President Trump’s social media company said on Thursday that it had agreed to an all-stock merger with TAE Technologies, a fusion power company.

Massachusetts Battery Start-Up to List on Stock Exchange

18 December 2025 at 14:13
Factorial, the start-up, said the listing would provide money that would help it bring new solid-state batteries to market as soon as 2027.

© Tony Luong for The New York Times

Siyu Huang is the chief executive of Factorial.

What Trump’s Embrace of Crypto Has Unleashed

A boundary-pushing array of new crypto ventures have reached the stock market, enticing investors and leading to more risk taking.

© Illustration by Mark Harris; Photographs by Getty Images, iStock photo

In A.I. Boom, Venture Capital Firms Are Raising Loads More Money

15 December 2025 at 12:50
Lightspeed Venture Partners, a Silicon Valley venture firm, has amassed more than $9 billion to invest in artificial intelligence. That is its biggest haul.

© Gabriela Hasbun for The New York Times

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

26 November 2025 at 12:22

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.

The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.

Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.

SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm Crowdstrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (Crowdstrike said their systems were never compromised and that it has turned the matter over to law enforcement agencies).

The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.

Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.

A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.

Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.

On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.

“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.

Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.

WHO IS REY?

According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).

In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.

The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.

“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”

A message posted to Telegram by Rey/@wristmug.

In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.

O5TDEV

Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: cybero5tdev@proton.me. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).

Intel 471 shows the email address cybero5tdev@proton.me belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.

Rey/o5tdev’s defacement pages. Image: archive.org.

A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.

“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”

The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].

‘I’M A GINTY’

Flashpoint shows that Rey’s Telegram account (ID7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.

Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”

Rey, on Telegram claiming to have association to the surname “Ginty.” Image: Flashpoint.

Spycloud indexed hundreds of credentials stolen from cybero5tdev@proton.me, and those details indicate that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan.

The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.

MEET SAIF

The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.

Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.

“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,’” said Saif, who told me he turns 16 years old next month. “So I decided to talk to you directly.”

Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.

“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.

The former Hellcat ransomware site. Image: Kelacyber.com

He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”

Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.

“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”

Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.

“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”

Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.

“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said.
