@BushidoToken Threat Intel

  What Happened On 5 May 2026, new data revealed that British romance scam victims were defrauded of a staggering £102 million last year, representing a 29% surge in reported cases. The figures come from information  gathered  by Report Fraud (f.k.a ActionFraud), which is a City of London Police-run service that logged 10,784 romance scam reports in 2025. According to the data, cybercriminals are reportedly pocketing roughly £280,000 everyday by exploiting online relationships, with individual losses averaging £9,500 and in extreme cases, reaching up to £1 million per victim.  This wave of scam victims is part of the growing trend where scammers blend emotional manipulation with fake cryptocurrency investment schemes, heavily weaponising AI-generated profiles, and focusing on lonely victims aged 55 to 74. Analyst Comment  When analysing fraud statistics, it is important to remember that underreporting is very common, with many victims staying silent out of shame...

  What Happened: On 11 May 2026, the UK Information Commissioner’s Office (ICO) fined South Staffordshire Water £963,900 after the Cl0p ransomware group lurked completely undetected in its network for nearly two years. Initial access reportedly occurred via a malicious phishing email in September 2020, which downloaded Cl0p’s Get2Loader malware and their SDBBOT backdoor to establish persistence. The breach itself, however, was only discovered two years later in July 2022 when staff began investigating IT performance slowdowns and  ultimately found out that 4.1 terabytes of data was exfiltrated and the personal data of 633,887 customers and employees being published in August 2022 on Cl0p’s Tor data leak site. The ICO’s investigation also revealed a staggering list of systemic failures, such as  South Staff’s outsourced Security Operations Center (SOC) was blind to 95% of the network and that they conducted zero internal or external vulnerability scans over an 18-month win...

Introduction When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach.  The aim of this blog is to extract actionable cybersecurity lessons from the ICO’s findings as well as open source reports surrounding the breach from a cyber threat intelligence (CTI) analyst’s perspective to help SOC and CERT teams, and CISOs understand what happened and how to avoid the mistakes made by others. BLUF Incident Impact Summary: Capita was attacked by BlackBasta ransomware in March 2023 Over six million individual’s records were exfiltrated from Capita’s systems A £14 million fine was issued to Capita by the ICO Capita said in May 2023, the incident cost up to £20 million to recover Important context about Capita The Capita Group is a business process outsourcing (BPO) and professional servic...

  Introduction The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such as a formal blog post on a company website). Therefore, I came up with a plan to make a reporting template to help with this. What are Community Reports? Individuals can now share what tools they have seen various ransomware groups, affiliates, or initial access brokers (IABs) use via the new Community Report Template. The level of detail provided is the contributor's choice. The more verifiable information shared, the increased level of reliability and credibility. You can view the current list of Community Reports on GitHub  here . Why the need for Community Reports? Most of the sources of CTI about ransomware TTPs comes from open source reports by organisation...

Introduction This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM) .  Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they have found these to be.  It makes me happy to hear how doing something in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society’s systems. And it is for that reason, I shall continue to maintain these projects as long as ransomware is still around.  For anyone new to these projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London . Background on the current ransomware ecosystem as of May 2025 Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual.  The e...