Law Enforcement
Breach intelligence, attack campaigns, and threat reports targeting the Law Enforcement sector.
Law Enforcement Threat Reports
Russia's Continued Use of Cellebrite Tools Raises Concerns
In June 2021, Russian authorities utilized Cellebrite's Universal Forensic Extraction Device (UFED) to access the iPhone of detained human rights activist Andrey Pivovarov. This occurred despite Cellebrite's public announcement in March 2021 that it had ceased all sales and services to Russian government agencies. The extracted data reportedly included communications from encrypted messaging apps, which were subsequently used to surveil other dissidents. This incident underscores the challenges technology companies face in controlling the use of their tools post-sale, especially when they are employed for political repression. The case highlights the need for robust mechanisms to prevent the misuse of surveillance technologies by authoritarian regimes, even after contractual relationships have been terminated.
22 hours ago
FBI Issues Warning on New Cryptocurrency Scam Involving In-Person Couriers
In June 2026, the FBI issued a warning about a new tactic in cryptocurrency investment scams, commonly referred to as 'pig butchering' or 'romance baiting.' Fraudsters initiate contact through social media, dating sites, and messaging apps, building trust with victims before introducing them to fake investment schemes. When traditional financial institutions block suspicious transactions, these scammers dispatch couriers to collect cash directly from victims, often using agreed-upon passwords or specific dollar bill serial numbers for identification. Victims are led to believe their investments are growing, but when they attempt to withdraw funds, they are prompted to provide additional cash for fraudulent taxes and penalties, perpetuating the cycle. This incident underscores the evolving nature of cryptocurrency scams, highlighting the shift towards in-person interactions to circumvent financial safeguards. The FBI's alert serves as a critical reminder for individuals to exercise caution when approached with unsolicited investment opportunities, especially those involving direct cash transactions facilitated by couriers.
1 week ago
Unveiling App.MenuItem: A New Forensic Artifact in macOS Tahoe 26
In June 2026, researchers identified a new artifact in macOS Tahoe 26, named App.MenuItem, which logs specific menu selections made by users across the operating system. This artifact provides a detailed record of user actions, such as compressing files or emptying the trash, offering critical context for forensic investigations. Located at ~/Library/Biome/streams/restricted/App.MenuItem/local, the artifact contains SEGB-encapsulated protobuf entries that require specific tools to parse. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/?_wpnonce=c8aaaf1bea&lg=en&pdf=download&utm_source=openai)) The discovery of App.MenuItem is significant for digital forensics, as it allows examiners to reconstruct user workflows with greater precision. By capturing exact menu choices and timestamps, investigators can gain insights into user intent and actions, enhancing the accuracy of forensic analyses. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/?_wpnonce=c8aaaf1bea&lg=en&pdf=download&utm_source=openai))
1 week ago
Russian Hackers Exploit WinRAR Vulnerability CVE-2025-8088
In mid-2025, Russian state-sponsored threat groups, including RomCom (also known as Storm-0978), exploited a critical vulnerability in WinRAR (CVE-2025-8088) to target Ukrainian military and government organizations. The flaw, a path traversal vulnerability, allowed attackers to execute arbitrary code by delivering specially crafted RAR archives via spear-phishing emails. These campaigns led to unauthorized access, data theft, and potential disruption of critical operations within the targeted entities. Despite the release of WinRAR version 7.13 in July 2025, which addressed this vulnerability, many systems remained unpatched due to the software's lack of an automatic update mechanism. This oversight has enabled continued exploitation by various threat actors, underscoring the importance of timely software updates and robust cybersecurity practices to mitigate such risks.
2 weeks ago
Meta Thwarts NSO Group's Latest WhatsApp Phishing Scheme
In June 2026, Meta identified and disrupted spear-phishing attempts linked to the Israeli spyware vendor NSO Group. These attacks aimed to deceive users into clicking malicious links, redirecting them to external websites outside of WhatsApp. Meta also discovered that NSO Group had created test accounts and groups on WhatsApp, which were subsequently removed. This activity violated a permanent injunction issued in 2025 that barred NSO from targeting WhatsApp and its users. In response, Meta filed a federal court contempt order against NSO Group for breaching this injunction. ([about.fb.com](https://about.fb.com/news/2026/06/fighting-spyware-an-update-from-whatsapp/?utm_source=openai)) This incident underscores the persistent threat posed by spyware vendors like NSO Group, who continue to develop and deploy sophisticated attacks against communication platforms. The recurrence of such activities highlights the need for ongoing vigilance and robust security measures to protect user privacy and maintain platform integrity.
2 weeks ago
Dark Web Vendor Sentenced to Over 26 Years for Drug Trafficking
In June 2026, Darren Hughes, a 39-year-old from San Jose, California, was sentenced to over 26 years in federal prison for trafficking fentanyl and methamphetamine via the dark web platform Nemesis Market. Hughes operated a vendor store on Nemesis Market, offering free samples of methamphetamine to attract clients. Between 2023 and 2024, he sold methamphetamine and fentanyl pills to undercover law enforcement agents on five occasions, accepting cryptocurrency as payment. His arrest in June 2024 led to the seizure of approximately 672 grams of methamphetamine and a loaded 9mm 'ghost gun' without a serial number. This case underscores the persistent threat posed by dark web marketplaces in facilitating the global distribution of illegal narcotics. Despite the takedown of Nemesis Market in March 2024, similar platforms continue to emerge, highlighting the ongoing challenges law enforcement faces in combating online drug trafficking.
2 weeks ago
Iran's MOIS Expands Handala Brand to Physical Threats in 2026
In early 2026, Iran's Ministry of Intelligence (MOIS) expanded its 'Handala' brand to include physical threat operations targeting U.S. and Israeli interests. This expansion introduced the Handala Popular Resistance Front (HPRF), a persona soliciting individuals to conduct physical attacks and espionage for financial rewards. Concurrently, three influence operations networks—'VIPEmployment,' 'MOISIRAN,' and 'Brave Israel'—were identified as MOIS personas, amplifying the reach of these operations. ([recordedfuture.com](https://www.recordedfuture.com/research/iran-handala-physical-threats?utm_source=openai)) This development signifies a strategic shift in MOIS's external operations, integrating cyber, physical, and influence tactics under the Handala brand. The coordinated use of these personas likely enhances the effectiveness of MOIS's campaigns, posing increased risks to U.S. and Israeli law enforcement, military, intelligence agencies, and critical infrastructure sectors. ([recordedfuture.com](https://www.recordedfuture.com/research/iran-handala-physical-threats?utm_source=openai))
3 weeks ago
Spain Arrests Minor for Leaking Sensitive Government Data
In May 2026, Spanish authorities arrested a minor in Granada for leaking sensitive personal data of members of critical state institutions, including the National Cybersecurity Institute (INCIBE), the State Attorney General's Office, the National Police, the Civil Guard, and the National Security Council. The individual disseminated this information online, posing significant national security risks. The arrest followed an urgent investigation initiated after the mass dissemination of this data was detected, leading to a search of the suspect's residence and the seizure of electronic devices for forensic analysis. This incident underscores the growing threat of doxing, where personal information is maliciously published online, targeting government officials and institutions. The case highlights the need for robust cybersecurity measures and the importance of protecting sensitive data to prevent potential threats to national security.
3 weeks ago
Tennessee Man Indicted for Child Exploitation Linked to Extremist Group '764'
In May 2026, Zachary Sweeney, a 30-year-old from Columbia, Tennessee, was indicted on multiple counts of child sexual exploitation. Sweeney allegedly groomed and coerced minors into producing child sexual abuse material (CSAM), which he distributed and, in some cases, sold. His activities, dating back to at least 2022, included traveling across several states to meet victims in person, where he reportedly drugged, raped, and filmed sexual acts with minors. Sweeney's involvement with the nihilistic violent extremist group '764' underscores the group's exploitation of vulnerable individuals to further their agenda of societal destabilization. ([justice.gov](https://www.justice.gov/usao-mdtn/pr/nashville-man-connected-nihilistic-violent-extremist-nve-group-indicted-sexual?utm_source=openai)) This case highlights the persistent and evolving threat posed by online extremist networks that exploit digital platforms to perpetrate and disseminate CSAM. The intersection of violent extremism and child exploitation necessitates heightened vigilance and coordinated efforts among law enforcement agencies to combat these multifaceted crimes.
3 weeks ago
Instructure Canvas Breach: A Wake-Up Call for Educational Cybersecurity
In May 2026, Instructure, the company behind the Canvas learning management system, suffered a significant data breach orchestrated by the hacking group ShinyHunters. The attackers exploited vulnerabilities to access and exfiltrate approximately 3.65 terabytes of data, affecting nearly 275 million individuals across 8,809 educational institutions worldwide. The compromised information included names, email addresses, student ID numbers, and private messages between students and staff. Following the initial breach, ShinyHunters escalated their attack by defacing Canvas login portals, disrupting access during critical academic periods and demanding a ransom to prevent the public release of the stolen data. This incident underscores the escalating threat posed by cybercriminal groups targeting educational institutions, highlighting the critical need for robust cybersecurity measures and incident response strategies. The breach also raises concerns about the effectiveness of paying ransoms, as Instructure's decision to negotiate with the attackers has sparked debate over best practices in handling such extortion attempts.
1 month ago
Alleged Dream Market Administrator Indicted for Money Laundering
In May 2026, Owe Martin Andresen, the alleged main administrator of the defunct darknet marketplace Dream Market, was indicted in the United States on multiple counts of money laundering. Andresen, known by the alias "Speedstepper," is accused of accessing dormant cryptocurrency wallets containing millions of dollars in commission payments from Dream Market, which operated from 2013 until its shutdown in 2019. He allegedly transferred these funds into new cryptocurrency wallets and converted them into gold bars, directing shipments to his residence in Germany. German authorities arrested Andresen on May 7, 2026, under separate charges of concealment money laundering. ([justice.gov](https://www.justice.gov/usao-ndga/pr/german-citizen-charged-laundering-funds-linked-prominent-darknet-marketplace-dream?utm_source=openai)) This case underscores the persistent challenges law enforcement faces in tracking and prosecuting cybercriminals who exploit digital currencies and anonymized platforms to launder illicit proceeds. The indictment highlights the importance of international cooperation in addressing cybercrime and the evolving tactics used by threat actors to obfuscate their activities.
1 month ago
Authorities Dismantle Rebooted Crimenetwork Marketplace in 2026
In May 2026, German authorities, in collaboration with international partners, dismantled the rebooted version of the illicit online marketplace 'Crimenetwork' and arrested its 35-year-old German administrator in Mallorca, Spain. This platform, which emerged shortly after the original Crimenetwork was shut down in December 2024, facilitated the sale of stolen data, drugs, and counterfeit documents, amassing over 22,000 users and generating approximately €3.6 million in revenue. The operation led to the seizure of assets worth around €194,000 and extensive user and transaction data to aid further investigations. ([finanznachrichten.de](https://www.finanznachrichten.de/nachrichten-2026-05/68437271-darknet-plattform-crimenetwork-erneut-abgeschaltet-003.htm?utm_source=openai)) This incident underscores the persistent challenge posed by the rapid re-emergence of dismantled cybercriminal platforms. Despite law enforcement's efforts, the swift reconstruction of such marketplaces highlights the need for continuous vigilance and adaptive strategies to combat cybercrime effectively.
1 month ago