2026-04-01
On April 1, 2026, UNC4736 (North Korean state-sponsored TraderTraitor group) executed a 12-minute, 31-transaction drain of $285 million from Drift Protocol, the largest Solana DeFi exploit in 2026 and …
2026-03-22
In March 2026, an attacker exploited a vulnerability in Resolv Protocol — an Ethereum-based decentralised finance (DeFi) stablecoin protocol — to mint approximately $24 million in tokens without …
2026-03-20
On March 20, 2026, attackers used compromised credentials to access Bitcoin Depot's digital asset settlement accounts and transfer 50.903 BTC (valued at approximately $3.665 million) from …
2026-03-11
On March 11, 2026, the Iran-linked hacktivist group Handala (a persona of Void Manticore, affiliated with Iran's Ministry of Intelligence and Security) wiped between 80,000 and 200,000 employee …
2026-03-01
In early 2026, Bithumb — South Korea's largest cryptocurrency exchange with approximately $1 billion in daily trading volume and over 8 million registered users — suffered a cybersecurity incident …
2026-03-01
In March 2026, US federal law enforcement seized four web domains associated with Handala's Iranian online leak infrastructure, days after Handala published materials it claimed to have stolen during …
2026-02-17
On February 17, 2026, the FBI began investigating abnormal activity in an unclassified system — DCS-3000 (known as Red Hook), part of its Digital Collection System Network (DCSNet) — used to manage …
2026-01-01
MooBot (Mirai variant), custom DNS hijacking tools
In early 2026, security researchers and government agencies disclosed a new cyberespionage campaign by hackers tied to Russia's GRU military intelligence agency (Fancy Bear / APT28 / Unit 26165) that …
2025-11-26
Hackers breached Mixpanel, a third-party analytics vendor used by OpenAI to track user behavior on its API platform, on November 26, 2025. The breach exposed data belonging to OpenAI API platform …
2025-11-01
In early November 2025, the US Congressional Budget Office (CBO) detected and confirmed a cyberattack by a suspected foreign actor. US officials briefed CNN that Chinese state-backed hackers are …
2025-04-18
BPFDoor; Tiny Shell
SK Telecom (South Korea's largest mobile carrier, ~27 million subscribers) officially confirmed a breach on April 19, 2025, after detecting malware on April 18 targeting its Home Subscriber Server …
2025-03-15
TRAILBLAZE (in-memory dropper), BRUSHFIRE (passive backdoor), SPAWN ecosystem
CVE-2025-22457
CVE-2025-22457 is a stack-based buffer overflow in Ivanti Connect Secure. Ivanti initially classified it as a low-risk DoS-only vulnerability and patched it 11 February 2025 in version 22.7R2.6. …
2025-02-18
Opexus, a Thoma Bravo-owned software company providing records management services to nearly every US federal agency, was compromised by twin brothers Muneeb and Suhaib Akhter who had prior criminal …
2025-01-01
By 2025-2026, documented evidence shows AI is systematically accelerating cyberattack timelines and lowering barriers to entry for attackers, while defenders face structural disadvantages in AI …
2025-01-01
By 2025-2026, AI-powered identity theft had emerged as a major and growing threat category, representing a structural shift in how identity fraud and credential theft are conducted at scale. Key …
2025-01-01
By 2025-2026, documented case studies from Darktrace, CrowdStrike, Palo Alto Networks Unit 42, and Microsoft MSTIC demonstrate that the most advanced attackers are executing complete attack chains in …
2024-12-15
SPAWN ecosystem (SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, SPAWNSLOTH log tamper tool)
CVE-2025-0282, CVE-2025-0283
CVE-2025-0282 is an unauthenticated stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways enabling remote code execution. Mandiant identified zero-day exploitation …
2024-10-22
From 22 October 2024, Midnight Blizzard targeted thousands of users across 100+ organizations in government, academia, defense, and NGOs in UK, Europe, Australia, and Japan. Emails used AWS and Zero …
2024-10-03
American Water Works, the largest regulated water and wastewater utility in the United States (serving 14+ million people across 14 states), detected unauthorized activity in its IT networks on …
2024-09-01
Hunters International ransomware
The London subsidiary of the Industrial and Commercial Bank of China (ICBC), the world's largest bank by assets and a Chinese state-owned financial institution, was attacked by Hunters International …
2024-08-31
Scattered Spider attacked Transport for London on 31 August 2024, ultimately exposing data of approximately 10 million customers — one of the largest breaches in British history. Stolen data included …
2024-07-19
On 19 July 2024, CrowdStrike released a faulty content configuration update (Channel File 291) to Windows systems running the CrowdStrike Falcon endpoint detection and response sensor, causing …
2024-03-26
UPSTYLE Python backdoor
CVE-2024-3400
CVSS 10.0. Threat actor UTA0218 exploited zero-day in PAN-OS GlobalProtect feature allowing unauthenticated OS command execution as root. Affected PAN-OS 10.2, 11.0, 11.1 with GlobalProtect enabled. …
2024-01-18
In January 2024, Russian hackers affiliated with Sandworm (a GRU/Russian military intelligence cyber unit) infiltrated water treatment systems in Muleshoe, Texas, causing a water storage tank to …
2024-01-01
By 2025-2026, healthcare vendor supply chain attacks had become the dominant breach vector in US healthcare, with HHS OIG and OCR reporting that third-party vendor incidents accounted for over 60% of …
2024-01-01
LockBit, ALPHV/BlackCat, Hive, Cl0p, REvil, Scattered Spider
By 2025-2026, international law enforcement agencies had significantly shifted their approach to ransomware disruption — moving from reactive arrests after the fact to proactive infiltration and …
2024-01-01
CISA issued an urgent advisory on 11 April 2024 warning Sisense customers to immediately rotate all credentials used with the platform. Sisense (a business intelligence/analytics SaaS serving critical …
2023-12-01
ZIPLINE backdoor / LIGHTWIRE webshell / WARPWIRE credential harvester / THINSPOOL dropper
CVE-2023-46805, CVE-2024-21887, CVE-2024-21893
Chinese nexus APT UNC5221 exploited chained zero-days in Ivanti Connect Secure VPN gateways starting Dec 2023, publicly disclosed Jan 10 2024 by Volexity. CVE-2023-46805 (auth bypass) + CVE-2024-21887 …
2023-11-22
CVE-2023-6448
Beginning 22 November 2023, CyberAv3ngers — a threat group affiliated with Iran's IRGC Cyber-Electronic Command — conducted attacks against Unitronics Vision Series PLCs at water and wastewater …
2023-11-08
LockBit ransomware
CVE-2023-4966
The US broker-dealer subsidiary of the Industrial and Commercial Bank of China (ICBC Financial Services) suffered a LockBit ransomware attack on November 8, 2023. The attack disrupted ICBC's ability …
2023-08-27
On August 27, 2023, a Retool employee received a convincing smishing (SMS phishing) message claiming to be from Retool IT support regarding a benefits enrollment issue requiring action. After clicking …
2023-06-01
Flax Typhoon botnet (Raptor Train)
In September 2024, the FBI and CISA announced the disruption of a botnet operated by Flax Typhoon, a Chinese state-sponsored threat actor (also tracked as RedJuliett/Ethereal Panda). The botnet, …
2023-05-15
Storm-0558, a Chinese state-sponsored threat actor (attributed to MSS), acquired a Microsoft MSA consumer token signing key (method of acquisition still unclear as of CSRB review) and used it to forge …
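The validation weakness that let a consumer (MSA) signing key mint tokens accepted for enterprise accounts is easiest to see in code. The following is an added example, not Microsoft's code or the CSRB's findings: it models a validator that selects the signing key purely by the token's kid and then trusts the self-asserted iss claim, beside a validator that also requires the key to be scoped to the expected issuer. The issuer URLs, kids, key store and the HMAC-SHA256 signing scheme are constructed for the example (the real keys were asymmetric).

```python
"""Signing-key scope check for token validation (added example).

Models the class of flaw behind the Storm-0558 forgeries: if the validator
picks the key by 'kid' from a store shared between consumer and enterprise
issuers, a consumer key can sign a token whose 'iss' claim names an
enterprise tenant, and the token passes. Everything here is constructed:
issuer URLs, kids, key material and the HS256 scheme.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

CONSUMER_ISS = "https://login.live.com"                       # illustrative
ENTERPRISE_ISS = "https://login.microsoftonline.com/contoso"  # illustrative

# kid -> (issuer this key is scoped to, key material). Constructed sample store.
KEYS = {
    "msa-2016": (CONSUMER_ISS, b"consumer-signing-key-material"),
    "ent-2023": (ENTERPRISE_ISS, b"enterprise-signing-key-material"),
}


def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(kid: str, payload: dict) -> str:
    """Mint a compact JWS-style token with the key identified by kid."""
    _, secret = KEYS[kid]
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        f"{b64u_encode(json.dumps(header).encode())}."
        f"{b64u_encode(json.dumps(payload).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u_encode(sig)}"


def check_signature(token: str) -> Optional[Tuple[str, dict]]:
    """Return (issuer the key is scoped to, payload) if the MAC verifies."""
    h, p, s = token.split(".")
    header = json.loads(b64u_decode(h))
    entry = KEYS.get(header.get("kid"))
    if entry is None:
        return None
    key_iss, secret = entry
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(s)):
        return None
    return key_iss, json.loads(b64u_decode(p))


def verify_unscoped(token: str, expected_iss: str) -> bool:
    """Flawed: any key in the shared store is accepted; only the token's own
    'iss' claim ties it to an issuer."""
    result = check_signature(token)
    if result is None:
        return False
    _, payload = result
    return payload.get("iss") == expected_iss


def verify_scoped(token: str, expected_iss: str) -> bool:
    """Fixed: the key named by kid must itself be scoped to the expected
    issuer, and the iss claim must agree with it."""
    result = check_signature(token)
    if result is None:
        return False
    key_iss, payload = result
    return key_iss == expected_iss and payload.get("iss") == expected_iss


def demo() -> Tuple[bool, bool, bool]:
    """Forge an enterprise token with the consumer key; compare validators."""
    claims = {"iss": ENTERPRISE_ISS, "sub": "cfo@contoso.example", "aud": "exchange"}
    forged = sign("msa-2016", claims)   # consumer key, enterprise claims
    genuine = sign("ent-2023", claims)  # enterprise key, enterprise claims
    return (
        verify_unscoped(forged, ENTERPRISE_ISS),  # True: the flaw
        verify_scoped(forged, ENTERPRISE_ISS),    # False: rejected
        verify_scoped(genuine, ENTERPRISE_ISS),   # True: legitimate token
    )
```

The practitioner check is the last line of verify_scoped: key selection and issuer binding are one decision, not two, and a key store shared across trust domains needs per-key scope recorded with the key.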
2023-02-01
Volt Typhoon (VOLTZITE per Dragos), a Chinese state-sponsored APT group, maintained persistent unauthorized access to the operational technology (OT) network of Littleton Electric Light and Water …
2023-01-01
Demodex (kernel-mode rootkit)
Salt Typhoon (China MSS) breached at least 9 US telecom carriers including AT&T, Verizon, T-Mobile, Lumen, Spectrum, Consolidated Communications, and Windstream. Active for 1-2 years before September …
2023-01-01
Chinese MSS-affiliated APT Salt Typhoon (FamousSparrow) breached at least 9 US telecoms including AT&T, Verizon, T-Mobile starting ~late 2022/early 2023. Accessed CALEA lawful intercept systems, …
2022-10-10
KILLNET is a Russian hacktivist collective (with suspected ties to Russian intelligence) that conducted a sustained wave of DDoS attacks against Western government and infrastructure targets …
2022-08-01
On August 1, 2022, the Nomad cross-chain bridge was drained of approximately $190 million in a chaotic 'free-for-all' exploit. A recent routine upgrade had inadvertently set the 'trusted root' in …
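The Nomad failure is a logic flaw rather than a memory bug, and a short model shows why a single initialisation value drained the bridge. This is an added example, not Nomad's Solidity: it assumes the widely reported root cause, that the upgrade marked the zero root as confirmed while unproven messages look up to that same zero value. The storage layout, the use of sha256 in place of keccak256, and the omitted Merkle proof are simplifications of this example.

```python
"""Model of a bridge replica's 'acceptable root' check (added example).

A cross-chain message is first proven (its Merkle root is recorded against
the message hash) and later processed; process() requires that the recorded
root has been confirmed. An unproven message has no recorded root, so the
lookup yields the zero value. If the zero root itself is confirmed, process()
accepts any message nobody ever proved. Assumed root cause; simplified model.
"""
import hashlib
from typing import Dict, Set

ZERO_ROOT = b"\x00" * 32


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()  # stands in for keccak256


class Replica:
    def __init__(self, trusted_root: bytes, strict: bool = False) -> None:
        # confirm_at[root] = time the root became valid; absent/0 means never.
        self.confirm_at: Dict[bytes, int] = {}
        self.messages: Dict[bytes, bytes] = {}  # message hash -> proven root
        self.processed: Set[bytes] = set()
        self.strict = strict
        self.confirm_root(trusted_root)

    def confirm_root(self, root: bytes, at: int = 1) -> None:
        # Hardened: the zero root is the 'never proven' sentinel, not a root.
        if self.strict and root == ZERO_ROOT:
            raise ValueError("refusing to confirm the zero root")
        self.confirm_at[root] = at

    def acceptable_root(self, root: bytes) -> bool:
        return self.confirm_at.get(root, 0) != 0

    def prove(self, message: bytes, root: bytes) -> None:
        # Real code verifies a Merkle inclusion proof against root first.
        self.messages[msg_hash(message)] = root

    def process(self, message: bytes) -> bool:
        """Return True if the message is accepted (funds would be released)."""
        h = msg_hash(message)
        if h in self.processed:
            return False  # replay protection was never the problem
        root = self.messages.get(h, ZERO_ROOT)  # unproven -> zero root
        if self.strict and root == ZERO_ROOT:
            return False  # hardened: never treat 'unproven' as a root
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def rejects_zero_root_on_init() -> bool:
    """True if the hardened replica refuses to be initialised with the zero root."""
    try:
        Replica(ZERO_ROOT, strict=True)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, bool]:
    attack = b"transfer 100 WETH to 0xattacker"  # constructed message
    vulnerable = Replica(ZERO_ROOT)               # the bad upgrade
    good_root = msg_hash(b"root-of-a-real-batch")
    hardened = Replica(good_root, strict=True)
    out = {
        "unproven_accepted_by_vulnerable": vulnerable.process(attack),
        "unproven_accepted_by_hardened": hardened.process(attack),
    }
    hardened.prove(attack, good_root)
    out["proven_accepted_by_hardened"] = hardened.process(attack)
    return out
```

The two hardened checks are deliberately redundant: refusing to confirm the sentinel at initialisation and refusing to process a message whose root is the sentinel. Either alone would have stopped the copy-paste exploit; together they survive the next upgrade mistake.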
2022-07-08
On 8 July 2022, Rogers Communications — Canada's largest telecommunications company serving approximately 12 million wireless customers — suffered a massive network outage that lasted approximately 16 …
2022-04-08
Industroyer2; CaddyWiper; ORCSHRED; SOLOSHRED; AWFULSHRED
On April 8, 2022 — during Russia's full-scale military invasion of Ukraine — Sandworm (GRU Unit 74455) attempted to deploy an upgraded version of Industroyer malware (dubbed Industroyer2) against …
2022-02-24
HermeticWiper, WhisperGate, CaddyWiper, IsaacWiper, Sandworm AcidRain, Industroyer2, SolarWinds SUNBURST
CVE-2022-24521
The 2022-2026 period fundamentally documented the integration of cyberattacks into modern armed conflicts as a standard component of military operations. Key documented cyber dimensions of armed …
2022-02-02
On February 2, 2022, the Wormhole cross-chain bridge — which facilitates token transfers between Solana, Ethereum, and other blockchains — suffered a smart contract exploit resulting in the theft of …
2021-12-04
On December 4, 2021, security firm PeckShield identified large unauthorized outflows from BitMart's hot wallets totaling approximately $196 million — approximately $100 million from its Ethereum hot …
2021-12-01
Conti (ransomware), various cryptominers, Orcus RAT
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Critical CVSS 10.0 RCE vulnerability in Apache Log4j 2 logging library. Publicly disclosed Dec 9 2021; patch released same day (2.15.0). Nation-state actors from China, Iran, North Korea, Russia …
2021-11-10
BadgerDAO, a DeFi protocol allowing users to earn yield on Bitcoin via Ethereum-based vaults, suffered a frontend supply chain attack beginning approximately November 10, 2021, with the main theft …
2021-10-27
On October 27, 2021, Cream Finance suffered its third exploit of the year (previous hacks in February 2021 for $37.5M and August 2021 for $18.8M). This third attack was the largest, draining …
2021-08-13
LockFile ransomware, Babuk ransomware, web shells (various)
CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
ProxyShell is a chain of three Microsoft Exchange Server vulnerabilities — CVE-2021-34473 (SSRF/ACL bypass), CVE-2021-34523 (privilege escalation), and CVE-2021-31207 (arbitrary file write) — that can …
2021-08-10
On August 10, 2021, an attacker exploited a critical vulnerability in Poly Network's cross-chain interoperability protocol to steal approximately $611 million across three blockchains — the largest …
2021-08-09
On 9 August 2021, Wiz.io security researchers discovered a critical vulnerability chain in Microsoft Azure Cosmos DB — Microsoft's flagship globally distributed database service used by thousands of …
2021-06-01
CVE-2021-40539, CVE-2021-27860
Chinese state-sponsored group Volt Typhoon (Bronze Silhouette) active since mid-2021, targeting US critical infrastructure sectors: communications, energy, transportation, water/wastewater. Uses …
2021-04-28
On 28 April 2021, an attacker exploited a critical vulnerability in Uranium Finance — a decentralised exchange (DEX) and automated market maker (AMM) protocol built on Binance Smart Chain (BSC) — and …
2021-02-05
On February 5, 2021, an unknown attacker gained remote access via TeamViewer to the HMI (Human Machine Interface) workstation of the City of Oldsmar, Florida's water treatment facility. While a plant …
2021-01-03
China Chopper webshell / HAFNIUM custom tooling
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
Chinese state-sponsored group HAFNIUM exploited four zero-days in on-premises Microsoft Exchange starting Jan 3 2021. CVE-2021-26855 (SSRF auth bypass) chained with CVE-2021-27065 (file write) to …
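Both Exchange campaigns above (the ProxyShell chain and HAFNIUM's zero-days) leave recognisable shapes in IIS access logs, which is where most responders start. The following triage script is an added example, not Microsoft's or any vendor's detection content. It flags the ProxyShell Autodiscover path-confusion request (a query string carrying an '@' plus a backend path such as /mapi/nspi/ or /powershell) and POSTs to .aspx files under directories where post-intrusion web shells were typically dropped. The field list is a simplified subset of the W3C format, the indicator paths are assumptions drawn from public incident reporting, and the log lines are constructed.

```python
"""Triage of IIS access logs for two Exchange exploitation patterns
(added example; field layout, indicator paths and log lines are assumed or
constructed for illustration)."""
import re
from typing import Dict, List, Optional, Tuple

FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "c-ip", "sc-status"]

# Constructed sample; real logs carry more fields.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-13 10:01:02 GET /owa/ - 203.0.113.5 200
2021-08-13 10:01:09 GET /autodiscover/autodiscover.json @example.com/mapi/nspi/?Email=autodiscover/autodiscover.json%3F@example.com 203.0.113.5 200
2021-08-13 10:01:15 POST /autodiscover/autodiscover.json @example.com/powershell/?Email=autodiscover/autodiscover.json%3F@example.com 203.0.113.5 200
2021-08-13 10:02:44 POST /aspnet_client/supp0rt.aspx - 203.0.113.5 200
2021-08-13 10:03:01 GET /ecp/default.aspx - 198.51.100.7 302
2021-08-13 10:03:40 POST /owa/auth/logon.aspx - 198.51.100.7 200
"""

PROXYSHELL_STEM = "/autodiscover/autodiscover.json"
PROXYSHELL_EMAIL = re.compile(r"Email=autodiscover/autodiscover\.json%3F@", re.IGNORECASE)
BACKEND_HINTS = ("/mapi/nspi/", "/powershell", "/ews/")
# Assumed web-shell drop locations. /ecp/ is deliberately excluded because
# legitimate admin traffic POSTs to .aspx pages there.
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/current/")


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Parse W3C-style lines into dicts; directive lines start with '#'."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines instead of aborting the triage
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def classify(row: Dict[str, str]) -> Optional[str]:
    stem = row["cs-uri-stem"].lower()
    query = row["cs-uri-query"]
    # ProxyShell: Autodiscover stem with an '@' in the query, plus either the
    # embedded Email=autodiscover... parameter or a backend path.
    if stem.startswith(PROXYSHELL_STEM) and "@" in query:
        hints = [h for h in BACKEND_HINTS if h in query.lower()]
        if hints or PROXYSHELL_EMAIL.search(query):
            return "proxyshell-path-confusion"
    # Web shell use: POST to an .aspx page in a directory that should not
    # receive POSTs at all.
    if row["cs-method"] == "POST" and stem.endswith(".aspx") and stem.startswith(WEBSHELL_DIRS):
        return "possible-webshell-post"
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (time, client ip, label) for every suspicious row."""
    hits = []
    for row in parse_iis(text):
        label = classify(row)
        if label:
            hits.append((row["time"], row["c-ip"], label))
    return hits
```

The legitimate /owa/auth/logon.aspx POST and the GET to /ecp/ in the sample are there to show the rules stay quiet on normal traffic; in a real investigation the output is a pivot list (client IPs and times) to take into HttpProxy logs and file-system timestamps, not a verdict.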
2021-01-01
CVE-2021-22893, CVE-2019-11510, CVE-2020-8260
In April 2021, Mandiant (FireEye) and CISA disclosed that at least two Chinese APT groups (tracked as UNC2630 and UNC2717, attributed to APT5 / MANGANESE) had been exploiting zero-day and N-day …
2020-10-26
On October 26, 2020, Harvest Finance — a DeFi yield aggregator managing over $1 billion in assets — suffered a flash loan economic attack resulting in approximately $34 million in losses. The attacker …
2020-09-25
On September 25, 2020, KuCoin detected large unauthorized outflows from its hot wallets across multiple blockchains including Bitcoin, Ethereum, Litecoin, XRP, Stellar, TRON, and Polkadot. The …
2020-07-19
On 19-20 July 2020, GEDmatch — a popular free genealogy DNA comparison service with approximately 1.45 million registered users — suffered a cyberattack that changed the privacy settings of all user …
2019-05-07
On May 7, 2019, Binance CEO Changpeng Zhao (CZ) announced that hackers had stolen 7,000 BTC (worth approximately $40 million) from the exchange's hot wallet in a single large transaction. The …
2018-08-11
On August 11 and 13, 2018, Cosmos Co-operative Bank Ltd. of Pune, India — one of India's oldest cooperative banks — suffered a sophisticated two-weekend ATM cashout operation stealing approximately …
2018-05-24
KillMBR wiper (custom variant); SWIFT transaction injector
On May 24, 2018, Banco de Chile — Chile's largest bank — suffered a sophisticated coordinated attack combining a destructive cyber operation with financial fraud. Attackers deployed a custom …
2018-02-09
In February 2018, the LA Times' Homicide Report website was discovered to be running Coinhive cryptocurrency mining code injected by attackers who had exploited a publicly writable Amazon S3 bucket. …
2017-12-06
On December 6, 2017, NiceHash — a platform where users sell their computing power for cryptocurrency mining — halted operations after discovering that its internal payment system had been compromised …
2017-06-01
TRITON (TRISIS, HatMan)
TRITON (also known as TRISIS and HatMan) is the world's first known malware specifically designed to attack industrial Safety Instrumented Systems (SIS) — the last line of automated defense designed …
2017-01-01
In the final hours before France's legally mandated media blackout ahead of the May 7, 2017 presidential election runoff, approximately 9GB of documents and emails allegedly stolen from Emmanuel …
2016-12-17
Industroyer (CrashOverride); KillDisk
On December 17, 2016, almost exactly one year after the first Ukraine power grid attack (BlackEnergy, December 2015), Russian military intelligence (GRU Sandworm team) deployed Industroyer against Ukraine's Pivnichna …
2016-09-22
On 22 September 2016, Cloudflare deployed a change to its HTML parsing pipeline that introduced a buffer overread bug (named 'Cloudbleed' by researcher Tavis Ormandy, in reference to Heartbleed). The …
2016-08-13
EternalBlue; EternalRomance; FUZZBUNCH; DoublePulsar; DanderSpritz
CVE-2017-0144, CVE-2017-0145
Between August 2016 and April 2017, a group known as 'The Shadow Brokers' released staged leaks of what they claimed were NSA cyberweapon repositories stolen from the NSA's elite Tailored Access …
2016-08-02
On August 2, 2016, Bitfinex — at the time the world's largest USD-denominated Bitcoin exchange — announced that 119,756 BTC had been stolen from customer accounts, worth approximately $72 million at …
2016-03-19
X-Agent (Sofacy) keylogger/credential harvester; X-Tunnel network tunneling tool; Mimikatz credential dumper
In 2016, two separate Russian intelligence services conducted cyber intrusions against the Democratic Party and Clinton presidential campaign. APT29 (Cozy Bear, attributed to the SVR) first breached the DNC …
2016-02-04
EVTDIAG; MSOUTC (SWIFT-specific malware suite)
On the night of February 4–5, 2016, Lazarus Group (North Korean state-sponsored hackers) submitted 35 fraudulent SWIFT transfer instructions from Bangladesh Bank's account at the US Federal Reserve …
2016-02-04
EVTDIAG, MSOUTC (Lazarus custom malware)
In February 2016, North Korea's Lazarus Group executed the most audacious central bank heist in history by compromising Bangladesh Bank's SWIFT messaging system and fraudulently transferring $951 …
2016-01-01
FASTCash implant (AIX trojan)
FASTCash was a multi-year North Korean state-sponsored campaign (2016–ongoing) targeting bank payment switch servers — the AIX-based systems that approve or decline ATM transactions. The Lazarus Group …
2015-12-23
BlackEnergy3; KillDisk
On December 23, 2015, coordinated cyberattacks against three Ukrainian electricity distribution companies — Prykarpattyaoblenergo, Chernivtsioblenergo, and Kyivoblenergo — caused the first confirmed …
2015-04-01
Between approximately April and May 2015, Russian military intelligence (GRU) APT28 (Fancy Bear) conducted a sophisticated intrusion into the German Federal Parliament (Bundestag) network, …
2015-01-12
On January 12, 2015, individuals calling themselves 'CyberCaliphate' and claiming affiliation with the Islamic State (ISIS) hijacked the official Twitter and YouTube accounts of the U.S. Central …
2015-01-01
On April 9, 2015, TV5Monde — France's international television network broadcasting to 200 million people in 160 countries — had all 11 of its TV channels knocked off the air simultaneously for …
2014-11-24
Destover (wiper/backdoor)
On November 24, 2014, attackers identifying themselves as 'Guardians of Peace' (GOP) deployed the Destover destructive wiper malware across Sony Pictures' corporate network, wiping approximately 70% …
2014-06-17
Code Spaces was a code hosting and project management platform (similar to GitHub) that operated entirely on AWS. On June 17, 2014, an attacker gained access to Code Spaces' AWS control panel (the EC2 …
2014-04-07
CVE-2014-0160
CVE-2014-0160 (Heartbleed) was a critical vulnerability in OpenSSL's TLS/DTLS heartbeat extension, introduced in OpenSSL 1.0.1 (released March 2012) and present in all versions through 1.0.1f. The …
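Heartbleed, and Cloudbleed above it, are the same bug class: a parser that reads past the data it actually received. The following added example (not OpenSSL code) models the heartbeat handler with a constructed memory image so the over-read can be observed and the 1.0.1g length check can be seen to stop it. Only the TLS heartbeat layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) is taken from the protocol; the secret placed next to the record and the buffer itself are constructed.

```python
"""Length-field-driven buffer over-read, modelled on CVE-2014-0160
(added example; 'memory' is a constructed byte string standing in for the
process heap, and no network I/O is involved)."""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16
HEADER_LEN = 3  # 1-byte type + 2-byte payload_length


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets a peer lie about the length."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, n) + payload + b"\x00" * PADDING_LEN


def vulnerable_heartbeat(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g logic: honour payload_length without checking it against
    the record actually received (record_len is ignored, which is the bug)."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def fixed_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g logic: discard the record unless 1 + 2 + payload_len + 16 fits
    inside the bytes that were actually received."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None  # cannot even hold a header plus minimum padding
    _hb_type, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None  # silently drop, as the patch does
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Send a 2-byte payload that claims to be 30 bytes, with a secret placed
    right after the record in the constructed memory image."""
    secret = b"session_cookie=deadbeef; "  # constructed neighbouring data
    record = build_heartbeat(b"hi", claimed_len=30)
    memory = record + secret
    return (
        vulnerable_heartbeat(memory, len(record)),  # echoes part of the secret
        fixed_heartbeat(memory, len(record)),       # None: record rejected
    )
```

The rule generalises beyond TLS: any length field inside a message is attacker data, and the bound to check against is the number of bytes the transport actually delivered, never the number the message claims.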
2013-11-15
BlackPOS / Kaptoxa
Attackers phished Fazio Mechanical (HVAC vendor) to steal Target network credentials in Nov 2013. Moved laterally from vendor-accessible HVAC network segment to POS environment due to lack of network …
2011-09-01
Mt. Gox was once the world's largest Bitcoin exchange, handling over 70% of global BTC transactions at its peak. On February 7, 2014, Mt. Gox suspended all Bitcoin withdrawals without explanation. On …
2011-03-01
CVE-2011-0609
In March 2011, RSA Security (division of EMC) suffered a breach when a spear-phishing email titled '2011 Recruitment Plan' was opened by an employee. The Excel attachment exploited CVE-2011-0609, an …
2009-06-01
Hydraq (Aurora backdoor)
CVE-2010-0249
Operation Aurora was a sophisticated, coordinated nation-state cyber espionage campaign originating in China and targeting at least 30 major corporations, with Google being the most prominent. The …
2009-06-01
Stuxnet
CVE-2010-2568, CVE-2010-2772, CVE-2010-2729
Stuxnet is the first publicly known cyberweapon designed to cause physical destruction of industrial equipment. Jointly developed by the United States (NSA, CIA — under 'Operation Olympic Games' …
2005-10-04
Samy worm (JavaScript XSS worm)
On October 4, 2005, security researcher Samy Kamkar launched the Samy worm — the first self-replicating cross-site scripting (XSS) worm in history. The worm exploited an XSS vulnerability in MySpace …
2005-10-04
Samy worm (JS/Samy)
On October 4, 2005, Samy Kamkar released a self-propagating JavaScript worm on MySpace, the then-dominant social network. The worm exploited a stored XSS vulnerability in MySpace profile pages. When …
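Both Samy entries above describe the same defect: profile content that the site treated as trusted HTML. The following added example (not MySpace's code or the worm itself) contrasts the kind of blocklist filter the worm evaded with output encoding. Two details come from Samy's own published write-up: the site stripped the literal string "javascript", and the worm used "java" followed by a newline and "script", which the browser of the day still executed. The filter rules, the payload and the crude "still executes" heuristic are constructed for the example.

```python
"""Stored-XSS handling for user-controlled profile HTML (added example).

Contrasts a substring blocklist with HTML output encoding. The newline
inside 'java\\nscript' defeats the blocklist; encoding the content as text
for the HTML body context removes every tag, so no vector survives.
"""
import html
import re

BLOCKED = ("<script", "javascript")  # constructed blocklist


def naive_filter(profile_html: str) -> str:
    """Blocklist: remove a few dangerous substrings and trust the rest."""
    out = profile_html
    for bad in BLOCKED:
        out = re.sub(re.escape(bad), "", out, flags=re.IGNORECASE)
    return out


def encode_output(profile_text: str) -> str:
    """Treat profile content as text: encode it for the HTML body context."""
    return html.escape(profile_text, quote=True)


# Constructed payload: a CSS url() with the newline trick plus an event handler.
WORM_PAYLOAD = (
    '<div style="background:url(\'java\nscript:alert(1)\')">hi</div>'
    '<img src=x onerror="alert(1)">'
)


def still_executes(rendered: str) -> bool:
    """Heuristic stand-in for a browser: a live vector needs a real tag
    (an unencoded '<' followed by a letter) and a script sink. Whitespace is
    collapsed the way the old parser tolerated it inside the scheme."""
    collapsed = re.sub(r"\s+", "", rendered).lower()
    has_tag = re.search(r"<[a-z]", collapsed) is not None
    has_sink = "javascript:" in collapsed or "onerror=" in collapsed or "<script" in collapsed
    return has_tag and has_sink


def demo() -> dict:
    return {
        "blocklist_survives": still_executes(naive_filter(WORM_PAYLOAD)),  # True
        "encoded_survives": still_executes(encode_output(WORM_PAYLOAD)),   # False
    }
```

If a site must allow some markup in profiles, the replacement for the blocklist is an allowlisting HTML sanitiser that parses the input and rebuilds it from permitted elements and attributes, not a longer list of forbidden strings.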
2005-08-13
Zotob (IRCBot variant)
CVE-2005-1983
The Zotob worm emerged on August 13, 2005 — just four days after Microsoft released the MS05-039 security patch for a critical Plug and Play buffer overflow vulnerability in Windows 2000. The worm …
2005-08-13
Zotob (W32/Zotob, also Tpbot, Esbot, Rbot variants)
CVE-2005-1983
The Zotob worm emerged on August 13, 2005 — just four days after Microsoft released the MS05-039 patch for a critical Plug and Play buffer overflow vulnerability in Windows 2000. The worm spread …
2004-01-26
MyDoom (W32/Mydoom, Novarg, Mimail.R)
MyDoom, discovered on January 26, 2004, remains the fastest-spreading email worm in recorded history — a record unbroken as of 2026. Within the first 36 hours, MyDoom was responsible for approximately …
2003-01-25
SQL Slammer (W32/SQLSlam, Sapphire)
CVE-2002-0649
SQL Slammer, also known as Sapphire, is the fastest-spreading computer worm in recorded history. Launched at 05:30 UTC on January 25, 2003, the 376-byte worm doubled the number of infected hosts every …
2001-09-18
Nimda (W32/Nimda, 'admin' reversed)
CVE-2001-0333, CVE-2001-0507
Nimda (released exactly one week after the September 11 attacks) became the most widespread internet virus in history within 22 minutes of release, surpassing Code Red. Its five simultaneous …
2001-07-13
Code Red (W32/CodeRed)
CVE-2001-0500
Code Red exploited a buffer overflow in the IDQ.DLL component of Microsoft IIS web server software (documented in MS01-033). The worm required no user interaction — it scanned random IP addresses and …
2000-05-04
ILOVEYOU (VBS/LoveLetter)
On May 4-5, 2000, the ILOVEYOU worm began spreading from the Philippines, where computer science student Onel de Guzman had released it via a stolen internet access account. The email exploited human …
1999-03-26
Melissa (W97M/Melissa)
On March 26, 1999, David Lee Smith of Aberdeen, New Jersey posted the Melissa macro virus to the alt.sex Usenet newsgroup using a stolen AOL account. The virus was embedded in a Word document claiming …