// CRIMINAL ECONOMY
Cybercrime
Ransomware operations, threat-actor profiles, breach economics, and the criminal markets that fund all of it.
- XSS forum: from DaMaGeLaB to the 2025 takedownInside XSS.is, the Russian cybercrime forum seized in 2025. A data-led profile from 123,241 leaked messages: what it traded, who ran it, its place in the ransomware kill chain, and a searchable country IoC table.
- 1.16 billion attacks: how the FortiBleed crew broke FortiGateInside the FortiBleed operation: 1.16 billion FortiGate brute-force attempts, a 45-GPU cracking cluster, and the full attack chain, mapped step by step.
- FortiBleed: exposed firewalls are a ransomware early warningWe cross-checked 73,932 exposed FortiGate firewalls against stealer-log and ransomware-leak data. The overlap is a measurable early warning for breaches.
- Novo Nordisk hit by FulcrumSec: the stealer logs saw it comingFulcrumSec says it stole 1.3 TB from Novo Nordisk, including internal AI models and clinical-trial data, and wants $25M. We pulled the leak-site listing and the stealer logs. The credentials were leaking for months.
- The Gentlemen ransomware: 483 victims and a leaked playbookThe Gentlemen RaaS has listed 483 victims across 66 countries since 2025. A leaked chat log, live tracker data, and infostealer records show how the crew scaled.
- Ransomware runs office hours: what 16,699 leak posts revealWe analysed 16,699 ransomware leak-site posts from 200 groups over 24 months. The data shows ransomware now runs on a workweek calendar: 84% of leaks land Monday to Friday, half of all activity happens in 8 UTC hours, October is open season, and the ecosystem is growing not consolidating. Here is the full timing picture.
- 62% of database ransom wallets were never paidA 5-year census of 65,907 exposed databases found 30,515 carry a ransom or wipe marker. Of 512 attacker wallets we traced on-chain, 318 received nothing. The 9.78 BTC ($753K) that did move concentrates into the top 10 wallets, which captured 43% of receipts. Mass database extortion is industrial, automated, and mostly failing.
- Ransomware ditched encryption in May 2026 — here’s whyInside the May 2026 pivot to encryption-less extortion. The ShinyHunters–Instructure breach, Nitrogen’s hit on Foxconn, EDR killers as standard tooling, and what a 28% payment rate means for defenders.
- Initial Access Brokers 2026: ransomware’s supply chainInitial Access Brokers (IABs) are the middlemen of the modern ransomware economy — specialists who break into corporate networks and resell that access to ransomware operators. We break down the marketplaces, the pricing tiers, the dominant brokers of 2026, and how to disrupt the chain.
- How initial access brokers price corporate access in 2026: an explainer for defendersA field guide to the 2026 initial-access-broker market — how IABs source access, how they price it, who buys, and what the listings look like under the hood.
- How to investigate a phishing kit: tutorial with urlscan.io, PhishTank, and Sublime SecurityA practitioner’s tutorial for investigating a suspicious URL safely — fingerprinting the kit, attributing it to a campaign, and reporting it to takedown services. Real tools, step-by-step, no enterprise budget required.
- Tracing crypto laundering: tutorial with Chainabuse, OXT, Walletexplorer, and EtherscanA 2026 tutorial for following ransomware and fraud proceeds across the blockchain using free tools — Chainabuse for tagged wallets, OXT for BTC clusters, Walletexplorer for entity heuristics, and Etherscan for ETH/USDT.
- Why double extortion isn’t enough anymore: the rise of triple and quadruple extortionEncrypt the data, leak the data — that’s not enough leverage anymore. A 2026 look at how operators stack additional extortion vectors when the basic playbook stops getting paid.
- BEC vs ransomware: which is more profitable per attack in 2026?A side-by-side look at the per-attack economics of business email compromise vs ransomware in 2026. Hint: the louder threat isn’t the bigger one.
- Bulletproof hosting in 2026: where attackers actually run their infrastructureBulletproof hosting providers — the ones that ignore abuse complaints and law-enforcement requests — remain a foundation of the cybercrime stack. Here’s where they live in 2026 and how the takedown calculus has shifted.
- Inside a money mule recruitment thread on TelegramA first-person look at how money mule recruitment threads on Telegram actually operate — the pitch, the vetting, the cash-out workflow, and the legal jeopardy facing recruits who don’t fully understand what they’re signing up for.
- Crypto laundering pipelines after the 2025 mixer takedownsMixer takedowns reshaped the laundering landscape. A 2026 view of where ransomware and fraud proceeds actually flow now — DEXes, cross-chain bridges, privacy coins, and the residual mixers still standing.
- The 2026 cybercrime economy by the numbersA 2026 view of the cybercrime economy by the numbers — ransomware payments, BEC losses, fraud volumes, and the structural trends that shape the next year of threats.
- The economics of AI agent jailbreaks: who profits when an LLM goes off-railsEvery successful jailbreak prompt has a price. A look at the underground market for AI agent bypasses in 2026 — who builds them, who buys them, and how the profit motive shapes the threat landscape.
- The Telegram Stealer-Log Economy: How Stolen Credentials Are SoldTelegram has become the dominant marketplace for stealer-log distribution. Channels with hundreds of thousands of subscribers drop fresh logs continuously, with payment processed in cryptocurrency and a tiered access model that mirrors the SaaS industry. Here is how that economy works.
- How Stealer Logs Power Modern Ransomware AttacksA dollar-per-log credential-theft economy now feeds the multi-million-dollar ransomware economy. The pipeline from a teenager’s pirated game download to enterprise extortion is shorter than most security teams realise.
- Redline, Lumma, Vidar, Raccoon: The Major Infostealer Families of 2026A handful of malware-as-a-service operations supply the bulk of the world’s stealer logs. Knowing which families are active, what they steal, and how they have changed in response to law-enforcement pressure is foundational threat-intelligence work.
- What Are Stealer Logs? A Field Guide to the Credential-Theft EconomyInfostealer malware quietly extracts saved passwords, session cookies, and crypto wallets from infected machines, packages them into “logs”, and sells them on Telegram for a few dollars. Here is what those logs actually contain, who buys them, and why they have become the dominant precursor to modern breaches.
- Play: The Closed-Shop Ransomware Brand Quietly Hitting Cities, Schools, and Critical InfrastructurePlay — also known as PlayCrypt — does not run an open RaaS. It runs a closed shop with vetted affiliates, an unusual aesthetic, and a steady cadence of attacks against cities, schools, and managed service providers. Quietly, it has become one of the most prolific operators of the post-LockBit era.























