@BushidoToken Threat Intel

  What Happened Throughout May 2026, affiliates of the DragonForce ransomware-as-a-service (RaaS) platform claimed seven UK-based companies as its victims by posting them on their Tor data leak site. On 27 May 2026 alone, DragonForce ended the month by posting 22 victims from around the world, four of which were UK-based firms. DragonForce’s UK-based victims from May spanned a diverse range of industries: Professional Services & Talent:  Practicus (interim management/executive search) Financial & Tax Services:  WSM (UK tax advisory) Infrastructure & Logistics:  ERH (traffic management solutions) and Refreshment Systems (vending/logistics) Heavy Industry/Construction:  Arsenal Scaffold Technology & IT:  Helix International (managed enterprise software) Luxury Retail/Finance:  Cult Wines. Analyst Comment Active since late 2023, DragonForce remains a persistent cybercriminal threat particularly towards the UK. The recent flurry of disclosu...

  Introduction This blog is a focused update on the latest updates to the  Ransomware Tool Matrix (RTM)  and the  Ransomware Vulnerability Matrix (RVM)  covering three groups that I have published profiles for to help defenders home in on the threats most relevant to them: TheGentlemen, DragonForce, and WarLock. Rather than write another broad ecosystem summary, the goal of this post is to introduce these profiles, briefly explain why each group matters right now, and give readers direct links to them so defenders can pivot straight into hunting, detection engineering, and patch prioritisation. For anyone new to the projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at  BSides London . Why these three groups? Each of the three groups added in this update represents a different slice of the current ransomware ecosystem: TheGentlemen TheGentlemen is a newer operation that has matured quickly, with a large and...

  What Happened: On 10 May 2026, the UK-based firm Arup Group was listed as a victim on the Tor data leak site of FulcrumSec.   On their Tor data leak site, FulcrumSec stated that they have exposed 700GB of GitHub repos and 2TB of Azure and AWS S3 cloud, plus database backups. Other types of data the adversary claims to have stolen includes Neuron BMS client databases, Odoo ERP data, A66 landowner files, Apple code-signing certificates with plaintext passwords, a Google Cloud Platform (GCP) project with production payment gateway credentials, and the source code of ArupCompute and Oasys.   The FulcrumSec operators also claimed to have spent over half a year analysing the data and went through “email correspondence” with the company before publishing the stolen data. On the victim post, FulcrumSec wrote a detailed incident breakdown. In it, they stated they gained initial access in September 2025 via a GitHub personal access token found hardcoded in a JavaScript file on a ...

  What Happened: On 3 May 2026, ShinyHunters, the English-speaking adolescent cybercrime collective, claimed they breached Instructure by listing them on their Tor data leak site. Instructure is a US-based software provider behind the widely adopted Canvas Learning Management System (LMS).   ShinyHunters reportedly exfiltrated 3.65 terabytes of data, spanning 275 million global records from up to 9,000 institutions, before posting extortion messages across university login portals demanding Bitcoin. The outage forced prominent UK higher education institutions, including the University of Liverpool, Queen’s University Belfast, and the University of Manchester, to take systems offline and hastily rewrite their end-of-year exam submission schedules. Instructure confirmed the affected data includes names, student ID numbers, email addresses, and private student-instructor messages. Instructure also confirmed no passwords, financial data, or government IDs were pilfered. When the i...

  What Happened On 5 May 2026, new data revealed that British romance scam victims were defrauded of a staggering £102 million last year, representing a 29% surge in reported cases. The figures come from information  gathered  by Report Fraud (f.k.a ActionFraud), which is a City of London Police-run service that logged 10,784 romance scam reports in 2025. According to the data, cybercriminals are reportedly pocketing roughly £280,000 everyday by exploiting online relationships, with individual losses averaging £9,500 and in extreme cases, reaching up to £1 million per victim.  This wave of scam victims is part of the growing trend where scammers blend emotional manipulation with fake cryptocurrency investment schemes, heavily weaponising AI-generated profiles, and focusing on lonely victims aged 55 to 74. Analyst Comment  When analysing fraud statistics, it is important to remember that underreporting is very common, with many victims staying silent out of shame...