Dark Web News

Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • The Cyber Express Weekly Roundup: Space Security, Malware & Regulatory Alerts
    by Ashish Khaitan on February 27, 2026 at 12:50 pm

    In this week’s edition of The Cyber Express weekly roundup, the cybersecurity stories we cover point to a shift in the cyber domain. Critical developments span space cybersecurity, AI vulnerabilities, mobile malware, and global regulatory enforcement, highlighting how digital threats are becoming more sophisticated and interconnected.

    From government-led initiatives to strengthen national defense, to high-profile breaches impacting multinational enterprises, and the rise of AI-augmented attacks, this cybersecurity news digest provides a detailed snapshot of the challenges facing organizations, agencies, and individual users worldwide.

    This weekly roundup from The Cyber Express emphasizes the urgent need for stakeholders across all sectors to stay informed, adapt strategies in real time, and anticipate new cyber threats before they escalate.

    The Cyber Express Weekly Roundup

    India Strengthens Space Cybersecurity

    India has unveiled new space cybersecurity guidelines developed jointly by the Indian Computer Emergency Response Team (CERT-In) and SatCom Industry Association India (SIA-India). Announced at the DefSat Conference & Expo 2026 in New Delhi, the framework introduces risk-based, secure-by-design practices for satellites, ground systems, and supply chains. Read more…

    Apple Devices Certified for NATO Restricted Data

    Apple Inc. has become the first consumer device maker approved to handle NATO “restricted” classified information on standard iPhone and iPad devices running iOS 26 and iPadOS 26. Certification, granted following testing by Germany’s Federal Office for Information Security, allows personnel across NATO member states to use commercial devices without specialized security software. Read more…

    OpenClaw Vulnerability Threatens Local AI Agents

    Security researchers have discovered a critical flaw in the open-source AI agent OpenClaw, allowing any malicious website visited by a developer to hijack the locally running agent. The vulnerability, present in OpenClaw’s local WebSocket gateway, permitted password brute-forcing and administrative access without plugins or user interaction. Read more…

    Cisco SD-WAN Zero-Day Exploitation Spans Three Years

    Cisco Systems’ Catalyst SD-WAN controllers were compromised via a critical zero-day flaw (CVE-2026-20127) for at least three years, according to Cisco Talos. Threat actors exploited the authentication bypass to gain administrative access and insert rogue peers, chaining the exploit with an older vulnerability (CVE-2022-20775) to escalate privileges while avoiding detection. Read more…

    U.S. Sanctions Russian Zero-Day Broker

    The U.S. Department of State sanctioned Operation Zero, a Russia-linked cyber brokerage network, targeting Russian national Sergey Sergeyevich Zelenyuk and associated entities. Authorities allege Australian national Peter Williams stole eight classified exploits from a U.S. defense contractor between 2022 and 2025, selling them for $1.3 million in cryptocurrency. Read more…

    X Appeals €120M EU Fine

    Social media platform X has filed an appeal against a €120 million penalty under the EU Digital Services Act, challenging enforcement related to its paid verification system, advertising disclosures, and public data access for researchers. X claims procedural errors and misinterpretation of obligations, framing the case as a precedent-setting test for platform accountability, user trust, and regulatory compliance. Read more…

    Weekly Takeaway

    This week’s The Cyber Express weekly roundup highlights how cybersecurity risks are advancing across sectors, from national space programs to AI agents, mobile malware, and critical infrastructure. Organizations and regulators must adapt in real time, balancing innovation with governance, monitoring, and incident preparedness. As this cybersecurity news highlights, proactive measures remain essential in a complex digital environment.

  • OpenClaw Vulnerability Exposes How an Open-Source AI Agent Can Be Hijacked
    by Ashish Khaitan on February 27, 2026 at 7:29 am

    When the open-source AI agent OpenClaw burst onto the scene, it did so with astonishing speed. In just five days, the project surpassed 100,000 stars on GitHub, becoming one of the fastest-growing open-source AI tools in history. Developers quickly embraced it as a personal assistant that could run locally, plug into calendars and messaging platforms, execute system commands, and autonomously manage workflows.

    But beneath that meteoric rise, researchers uncovered the OpenClaw vulnerability, a weakness that allowed any website a developer visited to quietly seize control of the agent. Security researchers at Oasis Security identified what they describe as a complete vulnerability chain within OpenClaw’s core architecture. The chain enabled a malicious website to take over a developer’s AI agent without requiring plugins, browser extensions, or any form of user interaction. After receiving the disclosure, the OpenClaw team classified the issue as “High” severity and released a patch within 24 hours.

    Decoding the OpenClaw Vulnerability

    Originally launched under the names Clawdbot and later MoltBot, OpenClaw rapidly evolved into a defining example of modern open-source AI innovation. Its explosive popularity even drew attention from OpenAI. On February 15, OpenAI CEO Sam Altman announced that OpenClaw’s creator, Peter Steinberger, had joined the company, calling him “a genius with a lot of amazing ideas about the future of very smart agents.”

    The tool’s appeal lies in its autonomy. Through a web dashboard or terminal interface, users can prompt OpenClaw to send messages, manage workflows across platforms, execute commands, and even participate in what some described as an emergent AI social network. It runs as a self-hosted agent, placing powerful capabilities directly on developers’ laptops.

    Yet that power has already attracted abuse. Earlier in the month, researchers uncovered more than 1,000 malicious “skills” in OpenClaw’s community marketplace, ClawHub. These fake plugins posed as cryptocurrency utilities or productivity integrations but instead delivered info-stealing malware and backdoors. That episode was a classic supply-chain problem: malicious community contributions poisoning an otherwise legitimate ecosystem.

    The OpenClaw vulnerability, however, was different. It did not rely on third-party plugins or marketplace downloads. Instead, the vulnerability chain lived in the bare OpenClaw gateway itself, operating exactly as documented. No user-installed extensions were required. No marketplace interaction was necessary. The flaw was embedded in the core system.

    For many organizations, this incident highlights a broader issue: shadow AI. Tools like OpenClaw are frequently adopted directly by developers without formal IT oversight. They often run with deep access to local systems, credentials, messaging histories, and API keys, but without centralized governance or visibility.

    How the Vulnerability Chain Enabled a Silent Website-to-Local Takeover

    At the heart of OpenClaw’s architecture is the gateway, a local WebSocket server that functions as the system’s brain. The gateway manages authentication, chat sessions, configuration storage, and orchestration of the AI agent. Connected to it are “nodes,” which may include a macOS companion app, an iOS device, or other machines. These nodes register with the gateway and expose capabilities such as executing shell commands, accessing cameras, or reading contacts. The gateway can dispatch instructions to any connected node.

    Authentication is handled via either a long token string or a password. By default, the gateway binds to localhost, operating under the assumption that local access is inherently trusted. That assumption proved to be the weak link in the vulnerability chain behind the OpenClaw vulnerability.

    The attack scenario is deceptively simple. A developer has OpenClaw running locally, protected by a password and bound to localhost. While browsing the web, they land on a malicious or compromised site. That alone is enough to trigger the attack.

    Because WebSocket connections to localhost are not blocked by standard browser cross-origin policies, JavaScript running on any visited webpage can open a WebSocket connection directly to the OpenClaw gateway. Unlike traditional HTTP requests, these cross-origin WebSocket connections proceed silently. The user sees no warnings.

    Once connected, the malicious script exploits another flaw in the vulnerability chain: the gateway exempts localhost connections from rate limiting. Failed password attempts from localhost are neither throttled nor logged. In laboratory testing, researchers achieved hundreds of password guesses per second using only browser-based JavaScript. A list of common passwords could be exhausted in under a second. Even a large dictionary would fall within minutes. Human-chosen passwords offered little resistance.

    After guessing the password, the attacker gains a fully authenticated session with administrative privileges. From there, the possibilities expand dramatically. The attacker can register as a trusted device, automatically approved because the gateway silently authorizes pairings from localhost. They can interact with the AI agent directly, dump configuration data, enumerate all connected nodes (including device platforms and IP addresses), and read application logs.

    In practical terms, this means a malicious website could instruct the AI agent to comb through Slack conversations for API keys, extract private messages, exfiltrate sensitive files, or execute arbitrary shell commands on any connected device. For a typical developer heavily integrated with messaging platforms and AI provider APIs, exploitation of the OpenClaw vulnerability could amount to full workstation compromise, all initiated from a single browser tab.

    Governing Open-Source AI After the OpenClaw Vulnerability

    Researchers reported the issue with comprehensive technical documentation, root cause analysis, and proof-of-concept code. The OpenClaw team responded rapidly, issuing a fix in version 2026.2.25 within 24 hours, an impressive turnaround for a volunteer-driven open-source AI project.

    Still, the broader lesson extends beyond a single patch. The rapid adoption of open-source AI tools means many organizations already have OpenClaw instances running on developer machines, sometimes without IT awareness. Security experts recommend four immediate steps. First, gain visibility into AI tooling across the organization: inventory which agents and local AI servers are operating within the developer fleet. Second, update OpenClaw installations immediately to version 2026.2.25 or later, treating the OpenClaw vulnerability with the urgency of any critical security patch. Third, audit the credentials and permissions granted to AI agents, revoking unnecessary API keys and system capabilities. Finally, establish governance for non-human identities. AI agents authenticate, store credentials, and take autonomous actions; they must be managed with the same rigor as human accounts and service identities.

    This includes implementing intent analysis before actions occur, deterministic guardrails for sensitive operations, just-in-time scoped access, and full audit trails linking human intent to agent activity. The researchers note that Oasis Security’s Agentic Access Management platform was designed specifically to address this emerging challenge.

    As open-source AI agents like OpenClaw become embedded in everyday developer workflows, the OpenClaw vulnerability serves as a cautionary tale. The future may indeed belong to autonomous agents, but without proper governance and oversight, a single overlooked vulnerability chain can turn groundbreaking open-source AI innovation into a serious enterprise risk.
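    The chain described above rests on three gateway design decisions: browser cross-origin WebSocket handshakes were accepted without checking where they came from, loopback clients were exempt from rate limiting and failure logging, and pairings from localhost were approved silently. The Python sketch below is an added example of how a loopback-bound agent gateway can close each of those gaps; it is not OpenClaw’s own code, and the class names, the dashboard origin, the port 18789 and the lockout thresholds are assumptions chosen for illustration.

```python
"""Defensive sketch: a loopback-bound agent gateway that does not trust localhost.

Added example, not OpenClaw's own code. Class names, the allowed dashboard
origin, the port and the lockout limits are assumptions for illustration.
"""
import hashlib
import hmac
import logging
import time
from collections import defaultdict

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("gateway")

# Origins the gateway's own web dashboard is served from (assumed values).
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}
MAX_FAILURES = 5        # failed password attempts per client before lockout (assumed)
LOCKOUT_SECONDS = 60.0  # sliding window for counting failures (assumed)
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class GatewayAuthPolicy:
    def __init__(self, password: str):
        self._salt = b"constructed-static-salt"  # per-install random salt in practice
        self._digest = _derive(password, self._salt)
        self._failures = defaultdict(list)  # client_id -> failure timestamps
        self._pending_pairings = {}

    def check_handshake(self, origin, remote_addr):
        """Gate 1: a browser always sends Origin on a WebSocket handshake and page
        script cannot forge it. Anything other than the gateway's own UI is refused,
        even when the TCP peer is 127.0.0.1. Clients that send no Origin (CLI, apps)
        still go through password authentication below."""
        if origin is not None and origin not in ALLOWED_ORIGINS:
            log.warning("rejected handshake origin=%s peer=%s", origin, remote_addr)
            return False
        return True

    def _locked_out(self, client_id, now):
        recent = [t for t in self._failures[client_id] if now - t < LOCKOUT_SECONDS]
        self._failures[client_id] = recent
        return len(recent) >= MAX_FAILURES

    def authenticate(self, client_id, password, now=None):
        """Gate 2: throttle and log failures for every client. There is no
        loopback exemption, so guessing at hundreds of attempts per second stops
        after MAX_FAILURES and each failure leaves a log line."""
        now = time.monotonic() if now is None else now
        if self._locked_out(client_id, now):
            log.warning("auth locked out client=%s", client_id)
            return False
        ok = hmac.compare_digest(_derive(password, self._salt), self._digest)
        if not ok:
            self._failures[client_id].append(now)
            log.warning("auth failure client=%s count=%d",
                        client_id, len(self._failures[client_id]))
        return ok

    def request_pairing(self, node_name, remote_addr):
        """Gate 3: a new node is queued for explicit operator approval instead of
        being auto-approved because it connected from localhost."""
        self._pending_pairings[node_name] = remote_addr
        log.info("pairing pending node=%s peer=%s (operator approval required)",
                 node_name, remote_addr)
        return "pending"

    def approve_pairing(self, node_name, approved_by_operator):
        if not approved_by_operator or node_name not in self._pending_pairings:
            return False
        del self._pending_pairings[node_name]
        return True
```

    The origin check is the cheapest of the three fixes and on its own defeats the "visit a web page" entry point, because page script cannot set or suppress the Origin header. The rate limit and failure log still matter for any non-browser client on the host, and the pairing queue keeps an authenticated session from silently enrolling a new device.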

  • SURXRAT, a Trojan’s LLM-Driven Expansion in Android Malware
    by Ashish Khaitan on February 25, 2026 at 6:55 am

    SURXRAT, an Android Remote Access Trojan (RAT), has emerged as a commercially structured malware operation. Distributed under the branding “SURXRAT V5,” the malware is sold through a Telegram-based malware-as-a-service (MaaS) network that enables affiliates to generate customized builds while the core operator retains centralized infrastructure and oversight.

    Cyble Research and Intelligence Labs (CRIL) has identified more than 180 related SURXRAT samples. The Telegram channel promoting SURXRAT was created in late 2024, suggesting that development likely began in early 2025. The suspected Indonesian threat actor regularly posts updates, feature announcements, and operational metrics designed to attract resellers and partners rather than directly execute attacks.

    What is SURXRAT?

    The commercialization model includes two licensing tiers under a “Ready Plan” framework. The Reseller Plan, offered for a one-time payment of 200k, provides permanent access, allows up to three builds per day, includes free server upgrades, and permits buyers to create and distribute SURXRAT builds within predefined pricing rules. The Partner Plan, priced at 500k as a permanent license, increases the daily build limit to ten accounts, maintains server upgrade privileges, and allows buyers to establish their own reseller networks. Both tiers emphasize a one-time payment structure (“anti pt pt”), eliminating recurring subscription fees.

    [Image: SURXRAT V5 advertisement on Telegram channel (Source: Cyble)]

    In January 2026, the Telegram channel published operational statistics claiming “Bot Status: Active” and reporting 1,318 registered accounts within the system. While these figures cannot be independently verified, such disclosures are commonly used in underground markets to signal credibility and adoption.

    [Image: Telegram post indicating the registered accounts (Source: Cyble)]

    Code analysis strongly suggests that SURXRAT evolved from ArsinkRAT. References to ArsinkRAT appear directly in the source code, and structural similarities reinforce the connection. In January 2026, Zimperium reported increased activity linked to ArsinkRAT campaigns targeting Android devices. The functional overlap indicates that SURXRAT likely reused and expanded the ArsinkRAT framework, accelerating development while introducing new capabilities. This reuse underscores how established Android RAT codebases, such as ArsinkRAT, continue to serve as foundations for newer threats like SURXRAT.

    Expanding Capabilities Include Conditional LLM Module Downloads

    One of the most unusual developments in recent SURXRAT samples is the conditional download of a large LLM module exceeding 23GB from Hugging Face repositories. Deploying an LLM of this size on a mobile device is atypical and appears to be deliberately implemented rather than accidental.

    [Image: Downloads LLM module from Hugging Face (Source: Cyble)]

    The download is triggered when specific gaming applications are active on the infected device, including Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) and Free Fire x JUJUTSU KAISEN (com.dts.freefireth). Alternatively, the trigger conditions can be configured dynamically via commands received from the attacker-controlled backend.

    Researchers assess that the LLM module may serve multiple experimental purposes. It could intentionally introduce device or network latency during gameplay, potentially supporting disruption or paid cheating services. It may also degrade system performance to conceal malicious background processes, leading victims to attribute abnormal behavior to device limitations rather than SURXRAT activity. Additionally, integration of an LLM suggests the potential for future AI-assisted automation, adaptive social engineering, or enhanced evasion strategies. The deliberate and conditional deployment of an LLM module indicates that SURXRAT operators are experimenting with artificial intelligence as a means of expanding operational flexibility.

    Surveillance, Remote Control, and Hybrid Monetization

    Beyond its evolving AI experimentation, SURXRAT operates as a full-featured surveillance and remote-control platform. Once installed, it prompts victims to grant high-risk permissions, including access to location data, contacts, SMS messages, and storage. It then encourages users to enable Android Accessibility Services, a commonly abused feature that allows malware to monitor screen activity and automate actions without continuous interaction.

    After permissions are secured, SURXRAT connects to a Firebase Realtime Database at hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com, using a database reference labeled “arsinkRAT,” further reinforcing the developmental link to ArsinkRAT. The malware generates a random UUID to uniquely identify the device before initiating data exfiltration.

    Collected data includes SMS messages, contact lists, call logs, Gmail account data, browser history, clipboard content, device brand and model, Android OS version, battery status, SIM details, network information, cellular intelligence, Wi-Fi history, and public IP address. This dataset enables credential harvesting, OTP interception, profiling, and preparation for financial fraud or account takeover.

    SURXRAT maintains a persistent background service that synchronizes with its Firebase-based command-and-control (C&C) infrastructure, enabling near real-time execution of commands. Operators can record audio, capture camera images, enumerate files, retrieve installed app lists, send SMS messages, initiate phone calls, activate the flashlight, manipulate wallpapers, wipe storage, and unlock devices remotely.

    The malware also includes a ransomware-style screen locker. When activated, it forces a persistent full-screen lock displaying an attacker-defined message and PIN requirement.

    [Image: Screen Locker activity (Source: Cyble)]

    Incorrect PIN attempts are logged and transmitted to the backend, allowing real-time monitoring of victim behavior. The attacker can remove the lock remotely at any time. This feature enables SURXRAT operators to shift between surveillance, fraud, and direct extortion depending on the victim’s perceived value.

  • Zero-Day in Dell RecoverPoint Exploited by Chinese Hacker Group
    by Ashish Khaitan on February 18, 2026 at 6:58 am

    A critical zero-day vulnerability, tracked as CVE-2026-22769, is being actively exploited in Dell Technologies’ RecoverPoint for Virtual Machines. According to Mandiant and Google Threat Intelligence Group (GTIG), the flaw carries a perfect severity score of 10 and has been weaponized by a Chinese threat cluster identified as UNC6201.

    Dell RecoverPoint for Virtual Machines is designed to manage backup and disaster recovery for VMware virtual machines. However, exploitation of CVE-2026-22769 enables unauthenticated attackers to gain access to the underlying system and maintain root-level persistence through a hardcoded credential weakness.

    How CVE-2026-22769 Was Exploited

    During multiple incident response engagements, Mandiant and GTIG determined that UNC6201 had been exploiting CVE-2026-22769 since at least mid-2024. The vulnerability stems from hardcoded default credentials embedded in configuration files associated with Apache Tomcat Manager on Dell RecoverPoint appliances.

    Investigators found the credentials in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, attackers could authenticate to the Tomcat Manager interface and deploy malicious WAR files via the /manager/text/deploy endpoint. In observed cases, this resulted in the installation of a SLAYSTYLE web shell.

    Web logs stored in /home/kos/auditlog/fapi_cl_audit_log.log revealed suspicious requests to /manager, particularly PUT /manager/text/deploy?path=/<MAL_PATH>&update=true. Uploaded WAR files were typically located in /var/lib/tomcat9, with compiled artifacts found in /var/cache/tomcat9/Catalina. Analysts were advised to investigate Tomcat logs under /var/log/tomcat9/, including Catalina events such as org.apache.catalina.startup.HostConfig.deployWAR.

    The earliest confirmed exploitation of CVE-2026-22769 dates back to mid-2024.

    UNC6201’s Malware Evolution: From BRICKSTORM to GRIMBOLT

    The campaign tied to UNC6201 shows a notable evolution in tooling. Initially, attackers deployed BRICKSTORM malware. However, in September 2025, investigators observed older BRICKSTORM binaries being replaced with a newly identified backdoor called GRIMBOLT.

    GRIMBOLT, written in C# and compiled using native ahead-of-time (AOT) compilation, represents a tactical shift. Unlike traditional .NET software that relies on just-in-time (JIT) compilation, native AOT binaries are compiled directly to machine code. Introduced to .NET in 2022, this method enhances performance on resource-constrained appliances like Dell RecoverPoint systems and complicates static analysis by eliminating common intermediate language (CIL) metadata.

    GRIMBOLT was also packed with UPX and provided remote shell capabilities while using the same command-and-control infrastructure previously associated with BRICKSTORM. Investigators could not determine whether the shift to GRIMBOLT was pre-planned or a reaction to incident response efforts by Mandiant and other industry partners.

    Persistence mechanisms were established by modifying a legitimate shell script, /home/kos/kbox/src/installation/distribution/convert_hosts.sh, which executes at boot via rc.local. The attackers appended the backdoor path to this script to ensure continued access.

    Broader VMware Pivoting and New Tactics

    Beyond exploiting CVE-2026-22769 in Dell RecoverPoint, UNC6201 expanded its operations into VMware environments. Although the initial access vector was not confirmed, the actor is known to target edge appliances such as VPN concentrators.

    Mandiant documented the creation of “Ghost NICs,” temporary network interfaces added to virtual machines on ESXi servers. These interfaces enabled stealthy pivoting into internal and SaaS infrastructure.

    In compromised vCenter appliances, analysts recovered iptables commands executed via the SLAYSTYLE web shell. These commands implemented Single Packet Authorization (SPA) by:

    • Monitoring port 443 for a specific hexadecimal string
    • Adding the source IP to an approved list
    • Allowing connections to port 10443 if the IP was listed
    • Redirecting traffic from port 443 to 10443 for 300 seconds

    This redirection mechanism facilitated covert access while limiting exposure.

    Indicators of Compromise Linked to CVE-2026-22769 and UNC6201

    Several malware samples and network indicators were tied to the campaign:

    GRIMBOLT files
    • support — SHA256: 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
    • out_elf_2 — SHA256: dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591

    SLAYSTYLE
    • default_jsp.java — SHA256: 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a

    BRICKSTORM samples
    • SHA256: aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
    • splisten — SHA256: 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df

    Additional hashes
    • 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
    • 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
    • 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830

    Network indicators
    • C2 endpoint: wss://149.248.11.71/rest/apisession
    • C2 IP: 149.248.11.71

    YARA rules released by GTIG include:
    • G_APT_BackdoorToehold_GRIMBOLT_1
    • G_Hunting_BackdoorToehold_GRIMBOLT_1
    • G_APT_BackdoorWebshell_SLAYSTYLE_4
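    The “How CVE-2026-22769 Was Exploited” section above names the two logs an analyst is told to check (the appliance audit log for Manager API calls, and the Catalina log for HostConfig.deployWAR events) but not their layout. The Python script below is an added triage example, not Dell’s, Mandiant’s or GTIG’s tooling; the log line formats are assumed (a common access-log layout and the stock Tomcat 9 Catalina layout), the sample lines are constructed, and the /MAL_PATH_PLACEHOLDER context stands in for whatever context path an intrusion actually used. Adapt the regexes to the real files before running it against an appliance.

```python
"""Triage helper for the RecoverPoint log indicators described above.

Added example, not vendor or Mandiant/GTIG tooling. Log line layouts are
assumed and the sample lines are constructed; /MAL_PATH_PLACEHOLDER is a
placeholder for the real deployed context.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in an assumed access-log layout for
# /home/kos/auditlog/fapi_cl_audit_log.log.
AUDIT_LOG_SAMPLE = """\
203.0.113.7 - - [12/Jun/2024:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 -
203.0.113.7 - - [12/Jun/2024:03:14:09 +0000] "PUT /manager/text/deploy?path=/MAL_PATH_PLACEHOLDER&update=true HTTP/1.1" 200 53
10.0.0.5 - - [12/Jun/2024:03:20:00 +0000] "GET /fapi/rest/5_1/stats HTTP/1.1" 200 1833
203.0.113.7 - - [12/Jun/2024:03:15:30 +0000] "GET /MAL_PATH_PLACEHOLDER/default.jsp HTTP/1.1" 200 41
"""

# Constructed sample in the stock Tomcat 9 layout for /var/log/tomcat9/catalina.<date>.log.
CATALINA_LOG_SAMPLE = """\
12-Jun-2024 03:14:09.811 INFO [http-nio-8443-exec-3] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/var/lib/tomcat9/webapps/MAL_PATH_PLACEHOLDER.war]
12-Jun-2024 03:14:10.102 INFO [http-nio-8443-exec-3] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/var/lib/tomcat9/webapps/MAL_PATH_PLACEHOLDER.war] has finished in [291] ms
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DEPLOY_RE = re.compile(
    r'HostConfig\.deployWAR Deploying web application archive \[(?P<war>[^\]]+)\]'
)

# Context paths the appliance legitimately serves. Assumed empty here; populate it
# from a known-good appliance so only unexpected WARs are reported.
EXPECTED_CONTEXTS = set()


def find_manager_requests(lines):
    """Every request to the Tomcat Manager, with the context path a deploy targeted."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group("target").startswith("/manager"):
            continue
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query)
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "endpoint": parts.path,
            "context": query.get("path", [None])[0],  # the ?path= parameter of a deploy
            "status": int(m.group("status")),
        })
    return hits


def find_unexpected_wars(catalina_lines, expected=EXPECTED_CONTEXTS):
    """WAR archives Catalina reported deploying whose context is not allowlisted."""
    wars = []
    for line in catalina_lines:
        m = DEPLOY_RE.search(line)
        if m:
            war = m.group("war")
            context = "/" + war.rsplit("/", 1)[-1].removesuffix(".war")
            if context not in expected:
                wars.append(war)
    return wars


def triage(audit_lines, catalina_lines):
    """Correlate successful Manager deploys with later requests into the new context
    (web shell use) and with the Catalina deployWAR record."""
    deploys = [h for h in find_manager_requests(audit_lines)
               if h["endpoint"] == "/manager/text/deploy" and h["status"] == 200]
    contexts = sorted({d["context"] for d in deploys if d["context"]})
    shell_requests = 0
    for line in audit_lines:
        m = ACCESS_RE.match(line)
        if m and any(m.group("target").startswith(c + "/") for c in contexts):
            shell_requests += 1
    return {
        "deploys": deploys,
        "suspect_contexts": contexts,
        "shell_requests": shell_requests,
        "unexpected_wars": find_unexpected_wars(catalina_lines),
    }


if __name__ == "__main__":
    print(triage(AUDIT_LOG_SAMPLE.splitlines(), CATALINA_LOG_SAMPLE.splitlines()))
```

    A successful deploy followed by requests into the freshly created context, with a matching deployWAR line in Catalina, is the sequence the article describes; the allowlist of expected contexts is what keeps the Catalina check from flagging the appliance’s own applications.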

  • The Cyber Express Weekly Roundup: Escalating Breaches, Regulatory Crackdowns, and Global Cybercrime Developments
    by Ashish Khaitan on February 13, 2026 at 10:53 am

    As February 2026 progresses, this week’s The Cyber Express Weekly Roundup examines a series of cybersecurity incidents and enforcement actions spanning Europe, Africa, Australia, and the United States.

    The developments include a breach affecting the European Commission’s mobile management infrastructure, a ransomware attack disrupting Senegal’s national identity systems, a landmark financial penalty imposed on an Australian investment firm, and the sentencing of a fugitive linked to a multimillion-dollar cryptocurrency scam.

    From suspected exploitation of zero-day vulnerabilities to prolonged breach detection failures and cross-border financial crime, these cases highlight the operational, legal, and systemic dimensions of modern cyber risk.

    The Cyber Express Weekly Roundup

    European Commission Mobile Infrastructure Breach Raises Supply Chain Questions

    The European Commission reported a cyberattack on its mobile device management (MDM) system on January 30, potentially exposing staff names and mobile numbers, though no devices were compromised, and the breach was contained within nine hours. Read more…

    Ransomware Disrupts Senegal’s National Identity Systems

    In West Africa, a major cyberattack hit Senegal’s Directorate of File Automation (DAF), halting identity card production and disrupting national ID, passport, and electoral services. While authorities insist no personal data was compromised, the ransomware group. The full extent of the breach is still under investigation. Read more…

    Australian Court Imposes Landmark Cybersecurity Penalty

    In Australia, FIIG Securities was fined AU$2.5 million for failing to maintain adequate cybersecurity protections, leading to a 2023 ransomware breach that exposed 385GB of client data, including IDs, bank details, and tax numbers. The firm must also pay AU$500,000 in legal costs and implement an independent compliance program. Read more…

    Crypto Investment Scam Leader Sentenced in Absentia

    U.S. authorities sentenced Daren Li in absentia to 20 years for a $73 million cryptocurrency scam targeting American victims. Li remains a fugitive after fleeing in December 2025. The Cambodia-based scheme used “pig butchering” tactics to lure victims to fake crypto platforms, laundering nearly $60 million through U.S. shell companies. Eight co-conspirators have pleaded guilty. The case was led by the U.S. Secret Service. Read more…

    India Brings AI-Generated Content Under Formal Regulation

    India has regulated AI-generated content under notification G.S.R. 120(E), effective February 20, 2026, defining “synthetically generated information” (SGI) as AI-created content that appears real, including deepfakes and voiceovers. Platforms must label AI content, embed metadata, remove unlawful content quickly, and verify user declarations. Read more…

    Weekly Takeaway

    Taken together, this weekly roundup highlights the expanding attack surface created by digital transformation, the persistence of ransomware threats to national infrastructure, and the intensifying regulatory scrutiny facing financial institutions. From zero-day exploitation and supply chain risks to enforcement actions and transnational crypto fraud, organizations are confronting an environment where operational resilience, compliance, and proactive monitoring are no longer optional; they are foundational to trust and continuity in the digital economy.

  • Taiwan Government Agencies Faced 637 Cybersecurity Incidents in H2 2025
    by Samiksha Jain on February 12, 2026 at 7:21 am

    In the past six months, Taiwan’s government agencies have reported 637 cybersecurity incidents, according to the latest data released by the Cybersecurity Academy (CSAA). The findings, published in its Cybersecurity Weekly Report, reveal not just the scale of digital threats facing Taiwan’s public sector, but also four recurring attack patterns that reflect broader global trends targeting government agencies.

    For international observers, the numbers are significant. Out of a total of 723 cybersecurity incidents reported by government bodies and select non-government organizations during this period, 637 cases involved government agencies alone. The majority of these—410 cases—were classified as illegal intrusion, making it the most prevalent threat category. These cybersecurity incidents provide insight into how threat actors continue to exploit both technical vulnerabilities and human behaviour within public institutions.

    Illegal Intrusion Leads the Wave of Cybersecurity Incidents

    Illegal intrusion remains the leading category among reported cybersecurity incidents affecting government agencies. While the term may sound broad, it reflects deliberate attempts by attackers to gain unauthorized access to systems, often paving the way for espionage, data theft, or operational disruption. The CSAA identified four recurring attack patterns behind these incidents.

    The first involves the distribution of malicious programs disguised as legitimate software. Attackers impersonate commonly used applications, luring employees into downloading infected files. Once installed, these malicious programs establish abnormal external connections, creating backdoors for future control or data exfiltration. This tactic is particularly concerning for government agencies, where employees frequently rely on specialized or internal tools. A single compromised endpoint can provide attackers with a foothold into wider networks, increasing the scale of cybersecurity incidents.

    USB Worm Infections and Endpoint Vulnerabilities

    The second major pattern behind these cybersecurity incidents involves worm infections spread through portable media devices such as USB drives. Though often considered an old-school technique, USB-based attacks remain effective—especially in environments where portable media is routinely used for operational tasks. When infected devices are plugged into systems, malicious code can automatically execute, triggering endpoint intrusion and abnormal system behavior. Such breaches can lead to lateral movement within networks and unauthorized external communications. This pattern underscores a key reality: technical sophistication is not always necessary. In many cybersecurity incidents, attackers succeed by exploiting routine workplace habits rather than zero-day vulnerabilities.

    Social Engineering and Watering Hole Attacks Target Trust

    The third pattern involves social engineering email attacks, frequently disguised as administrative litigation or official document exchanges. These phishing emails are crafted around business topics highly relevant to government agencies, increasing the likelihood that recipients will open attachments or click malicious links. Such cybersecurity incidents rely heavily on human psychology. The urgency and authority embedded in administrative-themed emails make them particularly effective. Despite years of awareness campaigns, phishing remains one of the most successful entry points for attackers globally.

    The fourth pattern, known as watering hole attacks, adds another layer of complexity. In these cases, attackers compromise legitimate websites commonly visited by government officials. During normal browsing, malicious commands are silently executed, resulting in endpoint compromise and abnormal network behavior. Watering hole attacks demonstrate how cybersecurity incidents can originate from seemingly trusted digital environments. Even cautious users can fall victim when legitimate platforms are weaponized.

    Critical Infrastructure Faces Operational Risks

    Beyond government agencies, cybersecurity incidents reported by non-government organizations primarily affected critical infrastructure providers, particularly in emergency response, healthcare, and communications sectors. Interestingly, many of these cases involved equipment malfunctions or damage rather than direct cyberattacks. System operational anomalies led to service interruptions, while environmental factors such as typhoons disrupted critical services. These incidents highlight an important distinction: not all disruptions stem from malicious activity. However, the operational impact can be equally severe. The Cybersecurity Research Institute (CRI) emphasized that equipment resilience, operational continuity, and environmental risk preparedness are just as crucial as cybersecurity protection. In an interconnected world, digital security and physical resilience must go hand in hand.

    Strengthening Endpoint Protection and Cyber Governance

    In response to the rise in cybersecurity incidents, experts recommend a dual approach—technical reinforcement and management reform. From a technical perspective, endpoint protection and abnormal behavior monitoring must be strengthened. Systems should be capable of detecting malicious programs, suspicious command execution, abnormal connections, and risky portable media usage. Enhanced browsing and attachment access protection can further reduce the risk of malware downloads during routine operations. From a governance standpoint, ongoing education is essential. Personnel must remain alert to risks associated with fake software, social engineering email attacks, and watering hole attacks. Clear management policies regarding portable media usage, software sourcing, and external website access should be embedded into cybersecurity governance frameworks.

    The volume of cybersecurity incidents reported in just six months sends a clear message: digital threats targeting public institutions are persistent, adaptive, and increasingly strategic. Governments and critical infrastructure providers must move beyond reactive responses and build layered defenses that address both technology and human behavior.

  • The Cyber Express Weekly Roundup: Global Cybersecurity Incidents and Policy Shifts
    by Ashish Khaitan on February 6, 2026 at 11:21 am

    As the first week of February 2026 concludes, The Cyber Express weekly roundup examines the developments shaping today’s global cybersecurity landscape. Over the past several days, governments, technology companies, and digital platforms have confronted a wave of cyber incidents ranging from disruptive attacks on public infrastructure to large-scale data exposures and intensifying regulatory scrutiny of artificial intelligence systems.

    This week’s cybersecurity reporting reflects a broader pattern: rapid digital expansion continues to outpace security maturity. High-profile breaches, misconfigured cloud environments, and powerful AI tools are creating both defensive opportunities and significant new risks.

    The Cyber Express Weekly Roundup

    Cyberattack Disrupts Spain’s Ministry of Science Operations

    Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters. Read more…

    OpenAI Expands Controlled Access to Advanced Cyber Defense Models

    OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date. Read more…

    French Authorities Escalate Investigations Into X and Grok AI

    French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial. Read more…

    AI-Generated Platform Moltbook Exposes Millions of Credentials

    Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. Read more…

    Substack Discloses Breach Months After Initial Compromise

    Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” Read more…

    Weekly Takeaway

    This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.

  • What the Incognito Market Sentencing Reveals About Dark Web Drug Trafficking
    by Samiksha Jain on February 5, 2026 at 6:22 am

    The 30-year prison sentence handed to Rui-Siang Lin, the operator of the infamous Incognito Market, is more than just another darknet takedown story. Lin, who ran Incognito Market under the alias “Pharaoh,” oversaw one of the largest online narcotics operations in history, generating more than $105 million in illegal drug sales worldwide before its collapse in March 2024. Platforms like Incognito Market are not clever experiments in decentralization. They are industrial-scale criminal enterprises, and their architects will be treated as such.

    How Incognito Market Became a Global Narcotics Hub

    Launched in October 2020, Incognito Market was designed to look and feel like a legitimate e-commerce platform, only its products were heroin, cocaine, methamphetamine, MDMA, LSD, ketamine, and counterfeit prescription drugs. Accessible through the Tor browser, the dark web marketplace allowed anyone with basic technical knowledge to buy illegal narcotics from around the globe. At its peak, Incognito Market supported over 400,000 buyer accounts and more than 1,800 vendors, and facilitated 640,000 drug transactions. Over 1,000 kilograms of cocaine, 1,000 kilograms of methamphetamine, and fentanyl-laced pills were likely sold, the authorities said. This was not a fringe operation—it was a global supply chain built on code, crypto, and calculated harm.

    Also read: “Incognito Market” Operator Arrested for Running $100M Narcotics Marketplace

    “Pharaoh” and the Business of Digital Drug Trafficking

    Operating as “Pharaoh,” Lin exercised total control over Incognito Market. Vendors paid an entry fee and a 5% commission on every sale, creating a steady revenue stream that funded servers, staff, and Lin’s personal profit—more than $6 million by prosecutors’ estimates. The marketplace ran a very professional-looking operation, from branding, customer service, and vendor ratings to its own internal financial system—the Incognito Bank—which allowed users to deposit cryptocurrency and transact anonymously. The system was designed to remove trust from human relationships and replace it with platform-controlled infrastructure. This was not chaos. It was corporate-style crime.

    Fentanyl, Fake Oxycodone, and Real Deaths

    In January 2022, Lin explicitly allowed opiate sales on Incognito Market, a decision that proved deadly. Listings advertised “authentic” oxycodone, but laboratory tests later revealed fentanyl instead. In September 2022, a 27-year-old man from Arkansas died after consuming pills purchased through the platform. This is where the myth of victimless cybercrime collapsed. Incognito Market did not just move drugs—it amplified the opioid crisis and directly contributed to loss of life. U.S. Attorney Jay Clayton stated that Lin’s actions caused misery for more than 470,000 users and their families, a figure that shows the human cost behind the transactions.

    Exit Scam, Extortion, and the Final Collapse

    When Incognito Market shut down in March 2024, Lin didn’t disappear quietly. He stole at least $1 million in user deposits and attempted to extort buyers and vendors, threatening to expose their identities and crypto addresses. His message was blunt: “YES, THIS IS AN EXTORTION!!!” It was a fittingly brazen end to an operation built on manipulation and fear. Judge Colleen McMahon called Incognito Market the most serious drug case she had seen in nearly three decades, labeling Lin a “drug kingpin.” The message from law enforcement is unmistakable: dark web platforms, cryptocurrency, and blockchain are not shields against justice.

We are an ethical website cyber security team and we perform security assessments to protect our clients.