Cyber incidents span ransomware, data leaks, hacktivism, and exposed AI systems
A broad set of cyber incidents affected critical infrastructure, consumer platforms, public institutions, and emerging AI services. The most disruptive case cited was a ransomware attack that crippled the largest gas pipeline in the United States, while other breaches exposed user data at firms including Upstox, IIMJobs, and the World Anti-Doping Agency. In another case, an exposed Moltbook database reportedly allowed anyone to take control of any AI agent on the site, highlighting how insecure backend systems can turn application flaws into full account or service compromise.
The references also describe politically motivated and opportunistic attacks alongside evolving malware activity. Hackers reportedly defaced airport screens in Iran with anti-government messages, and Anonymous-linked hacktivists leaked 1TB of data from a Russian law firm. Separately, a new Mirai variant, Murdoc_Botnet, was reported exploiting IoT devices to build a botnet for DDoS attacks, while Hong Kong moved to revive privacy legislation that would require companies to report data breaches, reflecting regulatory pressure created by the steady drumbeat of intrusions and leaks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Hong Kong moves to revive mandatory data breach reporting law
Hong Kong authorities were reported to be planning revival of a privacy law that would require firms to report data breaches. The move marked a policy development aimed at strengthening breach disclosure obligations.
Exposed Moltbook database allowed takeover of any AI agent
Researchers or reporters disclosed that an exposed Moltbook database could let anyone seize control of any AI agent on the platform. The issue represented a serious access-control and data exposure vulnerability affecting the site.
Murdoc_Botnet Mirai variant launches IoT-based DDoS attacks
A new Mirai variant dubbed Murdoc_Botnet was reported conducting DDoS attacks by exploiting vulnerable IoT devices. The disclosure highlighted fresh technical activity and exploitation methods tied to the botnet.
Anonymous hacktivists leak 1TB of Russian law firm data
Anonymous-affiliated hacktivists reportedly released 1TB of data stolen from a prominent Russian law firm. The leak represented a major politically motivated data exposure tied to the Russia-related hacktivist campaign.
Ransomware attack disrupts Colonial Pipeline operations
A major ransomware attack hit Colonial Pipeline, described as the largest gas pipeline operator in the United States, severely disrupting operations. The incident became a significant critical infrastructure cyber event in the U.S.
ShinyHunters leaks partial database from Upstox
The ShinyHunters group reportedly dumped part of the database belonging to Indian broker firm Upstox. The event marked a public disclosure of stolen customer-related data from the company.
Indian job portal IIMJobs hacked and database leaked
IIMJobs was reported hacked, with its database exposed online. The disclosure indicated a breach affecting user data from the Indian job portal.
Hackers deface airport screens in Iran with anti-government messages
Attackers reportedly took over airport display screens in Iran and replaced normal content with anti-government messages. The incident was disclosed as a politically motivated defacement affecting airport systems.
WADA website hacked and thousands of accounts leaked
The World Anti-Doping Agency's site was reportedly compromised, and thousands of user accounts were exposed. The incident was publicly reported as a website hack involving leaked account data.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site
404media.co
Open sourceNew Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
hackread.com
Open sourceAnonymous Hacktivists Leak 1TB of Top Russian Law Firm Data
hackread.com
Open sourceMajor ransomware attack cripples largest gas pipeline in the US
hackread.com
Open sourceShinyHunters dump partial database of broker firm Upstox
hackread.com
Open sourceIndian job portal IIMJobs hacked; database leaked online
hackread.com
Open sourceHackers deface Airport screens in Iran with anti-government messages
hackread.com
Open sourceWorld Anti-Doping Agency Site Hacked; Thousands of Accounts Leaked
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
High-Profile Cyber Incidents Expose Weak Security and Disrupt Critical Services
A series of high-profile cyber incidents disrupted major online platforms, exposed weak security practices, and highlighted the broad impact of both criminal and activist hacking. A global ransomware outbreak later identified as **WannaCry** spread rapidly across organizations before a security researcher slowed it by registering a domain used as a kill switch, while a separate attack briefly knocked major websites offline through distributed denial-of-service activity. In another major case, hackers compromised prominent US Twitter accounts and used them to promote a Bitcoin scam, demonstrating how access to trusted platforms can be weaponized at scale. Other incidents underscored persistent failures in account security and access control. Equifax faced scrutiny after an Argentine employee portal was reportedly protected with the username and password **`admin`**, adding to concerns around the company’s security posture. Apple said some user accounts had been compromised while denying a broader breach of its systems, and the celebrity photo leak known as **“the fappening”** showed how attackers could exploit personal account weaknesses. Separately, US authorities linked Julian Assange to alleged conspiracy with Anonymous-affiliated hackers, activist campaigns targeted recording industry websites, and the Colonial Pipeline ransomware case showed how an intrusion into a critical fuel operator could trigger widespread operational disruption even when attackers later claimed they had not intended such consequences.
May 25, 2026
Ransomware and data-extortion incidents drive new breach disclosures across healthcare, aviation, and hospitality
Multiple organizations disclosed or were linked to **ransomware/data-extortion** activity with material operational or privacy impact. **Air Côte d’Ivoire** confirmed a cyberattack affecting parts of its information systems after **INC ransomware** claimed theft of **208 GB** and threatened to leak data, while the airline said it engaged the national CERT and external experts to contain impact and maintain flight operations. In the US healthcare sector, **University of Mississippi Medical Center (UMMC)** reported a ransomware incident that forced statewide clinic closures and disrupted access to **Epic** electronic medical records, prompting engagement with the **FBI** and **CISA** and use of downtime procedures to sustain patient care. Separately, **Conduent**’s earlier ransomware-linked breach continued to expand in scope, with breach notifications indicating at least **~25 million** people affected across multiple states and exposure of sensitive PII (including **SSNs** and health/insurance data). **Wynn Resorts** also confirmed an unauthorized party accessed and stole employee data after being listed by the **ShinyHunters** extortion group, with the company stating the actor claimed the data was deleted and that guest operations were not impacted. Other items in the set describe distinct, unrelated security events and broader threat research rather than the same incident: alleged data leaks involving **Burger King France** and **Wendy’s UK**; **Qilin** ransomware claims against a New York City transit union; Russian cyber operations against Ukraine’s power grid focused on intelligence collection; and a New Zealand healthcare application (**MediMap**) taken offline after apparent unauthorized access and **patient record tampering** (e.g., records marked deceased). Additional references cover threat research and trends (airline brand impersonation domains, edge-device exploitation telemetry, MuddyWater’s *Operation Olalampo*, Google Ads cloaking via **1Campaign**, freight/logistics phishing by “Diesel Vortex,” and various governance/AI/5G/quantum commentary), which provide context on the threat environment but do not substantively report on the same specific breach event.
Mar 21, 2026
AI-driven shifts in cybersecurity: agentic AI risks, AI-assisted offensive tradecraft, and evolving cybercriminal ecosystems
Security reporting and research highlighted how **AI and automation are reshaping both attacker tradecraft and defender operations**, while introducing new enterprise risk. ZDNET described research findings that **agentic AI implementations** from *ServiceNow* and *Microsoft* can be **exploitable**, warning that broadly permissioned agents could enable **lateral movement and privilege escalation** across systems of record if an attacker compromises an agent or chains between agents with different access levels; a **least-privilege** posture for agents was emphasized. Dark Reading separately reported that **AI agents are increasingly augmenting—and in some cases supplanting—human penetration testing** for “low-hanging” vulnerabilities, but that **false positives and the need for human oversight** remain material constraints as agentic testing matures. Threat-intelligence coverage also underscored the **industrialization of cybercrime** and the ecosystems enabling it. CloudSEK detailed the evolution of the English-speaking cybercriminal milieu known as **“The COM,”** tracing its roots in OG-handle trading communities and forum migrations into a service-oriented underground linked to groups such as **Lapsus$**, **ShinyHunters**, **Scattered Spider (UNC3944)**, and **Silent Ransom Group**, and associated activity spanning breaches, extortion, SIM swapping, ransomware, and crypto fraud. SC Media’s commentary similarly described a cyber underground where criminals can readily buy capabilities (credentials, tooling, automation), calling out techniques including **carding** and **ClickFix** social engineering that tricks users into running copied commands to install infostealers. Separately, Dark Reading reported allegations that the **Chronus Group** posted **2.3TB** of purported Mexican government data affecting up to **36 million** people, while Mexico’s **ATDT** disputed it as largely **repackaged data from prior breaches** and said no new sensitive accounts were identified and that impacted systems were primarily **obsolete, third-party-administered** state-level platforms.
Mar 21, 2026