Blog

LockBit Won't Die: 207 Victims in 2026 and What Ransomware Resilience Actually Looks Like

John Z Black Apr 15, 2026

Ransomware & Cybercrime #ransomware #lockbit #raas #local-government #critical-infrastructure #handala #iran #winona-county

Despite one of the most aggressive law enforcement operations in ransomware history, LockBit has claimed 207 victims in 2026. Winona County got hit twice in three months. The RaaS model is more durable than takedowns.

Law Enforcement Had a Good Week: At Least 6 Marketplaces Down, 213 Arrests, and a Historic Conviction

John Z Black Apr 15, 2026

Policy, Law & Governance #law-enforcement #dark-web #leakbase #crypto #csam #take-it-down-act #blockchain-forensics #doj #nca

At least six dark web marketplaces dismantled, LeakBase seized, $12M in crypto fraud frozen, and the first Take It Down Act conviction. Law enforcement capabilities are improving. It's worth saying so.

China Is Running Two Operations Against Taiwan at Once

John Z Black Apr 15, 2026

Threat Intelligence #china #taiwan #nation-state #influence-operations #lucidrook #lua-malware #cognitive-warfare #ngo #uat-10362

Cisco Talos found Lua-based malware targeting Taiwanese NGOs and universities. Taiwan's intelligence service identified 13,000 AI-amplified influence accounts and 860,000 posts. These are not separate stories.

The AI Espionage Playbook: How a Hacker Used Claude and GPT-4.1 to Steal 415 Million Records

John Z Black Apr 15, 2026

AI Security #ai-security #nation-state #espionage #llm-abuse #openai #anthropic #claude #data-breach #mexico

A threat actor used Claude Code and GPT-4.1 to automate a government-scale data breach in Mexico, exfiltrating 415 million records through 5,317 AI-generated commands. This is the first documented case of AI coding tools used as a nation-state espionage engine.

The Attack Isn't Coming From a Stranger. It's Coming From Your GitHub Notifications.

John Z Black Apr 14, 2026

Threat Intelligence #apt37 #north-korea #phishing #github #jira #social-engineering #pushpaganda #google-discover

Four active campaigns documented today share one design principle: the attack arrives from something the target already trusts. APT37 builds friendships on Facebook first. Attackers abuse GitHub and Jira notifications to deliver phishing links that pass SPF, DKIM, and DMARC. A fake rocket alert app spies on people in a conflict zone. AI-generated articles seed Google Discover with scareware.

Two Breaches Today. One Was Careful. One Was a Unlocked Door. Both Were Catastrophic.

John Z Black Apr 14, 2026

Incidents & Breaches #rockstar #shinyhunters #data-breach #snowflake #alinto #supply-chain #third-party-risk

ShinyHunters dumped 78.6 million Rockstar records after the ransom deadline expired. They never touched Rockstar directly. They went through a cloud analytics vendor. Meanwhile, a French email provider left an Elasticsearch cluster open to the internet and exposed 40 million records across L'Oreal, Renault, and French government embassies.