Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews

Cybercrime

// CRIMINAL ECONOMY

Cybercrime

Ransomware operations, threat-actor profiles, breach economics, and the criminal markets that fund all of it.

  • The fall of XSS: Operation Ratatouille and 21 years of DaMaGeLaB, Ransomnews investigation cover
    XSS forum: from DaMaGeLaB to the 2025 takedownJune 29, 2026
    Inside XSS.is, the Russian cybercrime forum seized in 2025. A data-led profile from 123,241 leaked messages: what it traded, who ran it, its place in the ransomware kill chain, and a searchable country IoC table.
  • FortiBleed: 1.16 billion attacks on FortiGate, neon investigation cover
    1.16 billion attacks: how the FortiBleed crew broke FortiGateJune 19, 2026
    Inside the FortiBleed operation: 1.16 billion FortiGate brute-force attempts, a 45-GPU cracking cluster, and the full attack chain, mapped step by step.
  • Neon world map of exposed FortiGate firewalls with a cracked firewall shield leaking data
    FortiBleed: exposed firewalls are a ransomware early warningJune 18, 2026
    We cross-checked 73,932 exposed FortiGate firewalls against stealer-log and ransomware-leak data. The overlap is a measurable early warning for breaches.
  • Neon poster of the Novo Nordisk charging bull logo cracked and leaking data, title Novo Nordisk Breached, 1.3 TB stolen by FulcrumSec, 25M refused
    Novo Nordisk hit by FulcrumSec: the stealer logs saw it comingJune 17, 2026
    FulcrumSec says it stole 1.3 TB from Novo Nordisk, including internal AI models and clinical-trial data, and wants $25M. We pulled the leak-site listing and the stealer logs. The credentials were leaking for months.
  • The Gentlemen ransomware 2026: 483 victims, infostealer-fed RaaS access pipeline
    The Gentlemen ransomware: 483 victims and a leaked playbookJune 13, 2026
    The Gentlemen RaaS has listed 483 victims across 66 countries since 2025. A leaked chat log, live tracker data, and infostealer records show how the crew scaled.
  • Ransomware office hours: 16,699 leak posts, 200 groups, 84 percent weekday, peak hour 16:00 UTC
    Ransomware runs office hours: what 16,699 leak posts revealJune 1, 2026
    We analysed 16,699 ransomware leak-site posts from 200 groups over 24 months. The data shows ransomware now runs on a workweek calendar: 84% of leaks land Monday to Friday, half of all activity happens in 8 UTC hours, October is open season, and the ecosystem is growing not consolidating. Here is the full timing picture.
  • Database ransom census dashboard: 62% of 514 traced wallets received zero BTC, 30,515 databases ransomed, 9.78 BTC moved ($753K), top 10 wallets captured 43% - Ransomnews Research
    62% of database ransom wallets were never paidMay 26, 2026
    A 5-year census of 65,907 exposed databases found 30,515 carry a ransom or wipe marker. Of 512 attacker wallets we traced on-chain, 318 received nothing. The 9.78 BTC ($753K) that did move concentrates into the top 10 wallets, which captured 43% of receipts. Mass database extortion is industrial, automated, and mostly failing.
  • Ransomware encryption-less extortion shift May 2026
    Ransomware ditched encryption in May 2026 — here’s whyMay 22, 2026
    Inside the May 2026 pivot to encryption-less extortion. The ShinyHunters–Instructure breach, Nitrogen’s hit on Foxconn, EDR killers as standard tooling, and what a 28% payment rate means for defenders.
  • Initial Access Brokers 2026 — Ransomnews cover
    Initial Access Brokers 2026: ransomware’s supply chainMay 16, 2026
    Initial Access Brokers (IABs) are the middlemen of the modern ransomware economy — specialists who break into corporate networks and resell that access to ransomware operators. We break down the marketplaces, the pricing tiers, the dominant brokers of 2026, and how to disrupt the chain.
  • Abstract dark auction illustration with raised bidding paddles in shadow and rising green price ladders
    How initial access brokers price corporate access in 2026: an explainer for defendersMay 10, 2026
    A field guide to the 2026 initial-access-broker market — how IABs source access, how they price it, who buys, and what the listings look like under the hood.
  • A magnifying glass scanning a fake login page with red warning indicators visible
    How to investigate a phishing kit: tutorial with urlscan.io, PhishTank, and Sublime SecurityMay 7, 2026
    A practitioner’s tutorial for investigating a suspicious URL safely — fingerprinting the kit, attributing it to a campaign, and reporting it to takedown services. Real tools, step-by-step, no enterprise budget required.
  • A network of cryptocurrency wallet icons with one traced through intermediaries to an exchange
    Tracing crypto laundering: tutorial with Chainabuse, OXT, Walletexplorer, and EtherscanMay 7, 2026
    A 2026 tutorial for following ransomware and fraud proceeds across the blockchain using free tools — Chainabuse for tagged wallets, OXT for BTC clusters, Walletexplorer for entity heuristics, and Etherscan for ETH/USDT.
  • A central victim figure surrounded by four pulsing red pressure points representing different extortion vectors
    Why double extortion isn’t enough anymore: the rise of triple and quadruple extortionMay 2, 2026
    Encrypt the data, leak the data — that’s not enough leverage anymore. A 2026 look at how operators stack additional extortion vectors when the basic playbook stops getting paid.
  • A balanced scale comparing a wire-transfer envelope icon against a ransomware lock icon with floating dollar signs
    BEC vs ransomware: which is more profitable per attack in 2026?May 2, 2026
    A side-by-side look at the per-attack economics of business email compromise vs ransomware in 2026. Hint: the louder threat isn’t the bigger one.
  • A globe with bulletproof hosting hubs highlighted in red, with network connections fanning out to attack targets
    Bulletproof hosting in 2026: where attackers actually run their infrastructureMay 2, 2026
    Bulletproof hosting providers — the ones that ignore abuse complaints and law-enforcement requests — remain a foundation of the cybercrime stack. Here’s where they live in 2026 and how the takedown calculus has shifted.
  • Telegram chat interface showing anonymous money mule recruitment thread with bank card icons
    Inside a money mule recruitment thread on TelegramMay 2, 2026
    A first-person look at how money mule recruitment threads on Telegram actually operate — the pitch, the vetting, the cash-out workflow, and the legal jeopardy facing recruits who don’t fully understand what they’re signing up for.
  • Cryptocurrency laundering pipeline with broken mixer icons and alternate routing through DEX and privacy coins
    Crypto laundering pipelines after the 2025 mixer takedownsMay 2, 2026
    Mixer takedowns reshaped the laundering landscape. A 2026 view of where ransomware and fraud proceeds actually flow now — DEXes, cross-chain bridges, privacy coins, and the residual mixers still standing.
  • A dashboard with large numerical figures and bar charts representing cybercrime economy metrics
    The 2026 cybercrime economy by the numbersMay 2, 2026
    A 2026 view of the cybercrime economy by the numbers — ransomware payments, BEC losses, fraud volumes, and the structural trends that shape the next year of threats.
  • A marketplace stall where a hooded figure trades glowing jailbreak prompt cards for cryptocurrency
    The economics of AI agent jailbreaks: who profits when an LLM goes off-railsApril 30, 2026
    Every successful jailbreak prompt has a price. A look at the underground market for AI agent bypasses in 2026 — who builds them, who buys them, and how the profit motive shapes the threat landscape.
  • Stylised cascade of chat bubbles representing the Telegram stealer log marketplace
    The Telegram Stealer-Log Economy: How Stolen Credentials Are SoldApril 27, 2026
    Telegram has become the dominant marketplace for stealer-log distribution. Channels with hundreds of thousands of subscribers drop fresh logs continuously, with payment processed in cryptocurrency and a tiered access model that mirrors the SaaS industry. Here is how that economy works.
  • Pipeline of nodes from infection to ransomware showing the credential supply chain
    How Stealer Logs Power Modern Ransomware AttacksApril 27, 2026
    A dollar-per-log credential-theft economy now feeds the multi-million-dollar ransomware economy. The pipeline from a teenager’s pirated game download to enterprise extortion is shorter than most security teams realise.
  • Five distinct glowing virus cells representing infostealer malware families
    Redline, Lumma, Vidar, Raccoon: The Major Infostealer Families of 2026April 27, 2026
    A handful of malware-as-a-service operations supply the bulk of the world’s stealer logs. Knowing which families are active, what they steal, and how they have changed in response to law-enforcement pressure is foundational threat-intelligence work.
  • Glowing key dissolving into password fragments representing stealer logs
    What Are Stealer Logs? A Field Guide to the Credential-Theft EconomyApril 27, 2026
    Infostealer malware quietly extracts saved passwords, session cookies, and crypto wallets from infected machines, packages them into “logs”, and sells them on Telegram for a few dollars. Here is what those logs actually contain, who buys them, and why they have become the dominant precursor to modern breaches.
  • City skyline silhouette with scattered glowing red windows symbolising Play ransomware municipal attacks
    Play: The Closed-Shop Ransomware Brand Quietly Hitting Cities, Schools, and Critical InfrastructureApril 26, 2026
    Play — also known as PlayCrypt — does not run an open RaaS. It runs a closed shop with vetted affiliates, an unusual aesthetic, and a steady cadence of attacks against cities, schools, and managed service providers. Quietly, it has become one of the most prolific operators of the post-LockBit era.
Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.