Posts

UK Cybercrime Journal: University of Nottingham Breached by ShinyHunters

Image
What Happened On 9 June 2026, the University of Nottingham was listed as a victim on the ShinyHunters Tor data leak site. The attackers leaked over 40GB of billing and payment records, student finance data, and campus portal exports from the University of Nottingham and its Malaysia and China campuses. The data stolen includes contact information, transaction amounts, IP addresses, full names, home addresses, postcodes, email addresses, phone numbers, dates of birth, and other internal campus data. Further analysis of the leaked data by Have I Been Pwned revealed it also contained over 455,000 unique email addresses along with extensive personal information including ethnicities, disabilities, and passport numbers. On 10 June 2026, security researcher @nahamike01 uncovered an exposed server belonging to ShinyHunters and found them targeting Oracle PeopleSoft servers using MeshCentral agents. Plus, analysis the bash_history logs on the server uncovered SSH connections to the IP addre...

UK Cybercrime Journal: SMS Blaster Gang Convicted

Image
  What Happened Officers from the Dedicated Card and Payment Crime Unit (DCPCU), jointly run by the London Met Police and City of London Police, secured the conviction of a man who used an SMS Blaster device to send fraudulent text messages as part of an organised criminal operation in London. The conviction relates to an investigation that previously led to the sentencing of Ruichen Xiong in July 2025, who was apprehended while driving a vehicle in North London as the device was in operation. During that incident, officers in the vicinity received fraudulent text messages purporting to be from HMRC. Ruichen Xiong was a student from China who drove around London using the SMS Blaster between 22 and 27 March 2025, sending messages to tens of thousands of potential victims. Following Xiong’s arrest and subsequent conviction, enquiries identified another individual called Di Li who was a key organiser. Li facilitated Xiong’s involvement by arranging access to the device, assisting wit...

UK Cybercrime Journal: Argos Account Takeover Fraud

Image
What Happened On 3 June 2026, the City of London Police issued a warning stating Report Fraud has seen a significant increase in cases mentioning the retailer, reflecting how criminals are targeting well-known brands. Report Fraud, which is run by the City of London Police, warned that cybercriminals are using leaked credentials from historical data breaches to hijack Argos user accounts. Once on the account, the fraudsters order and then collect the goods in-person at a physical store. In some instances, the goods are paid for using payment details not connected to the victim of the compromised account. Notably, the goods from fraudulent orders are often claimed via Click & Collect option that Argos allows, enabling the threat actors to retrieve goods in store. In May, Report Fraud received 652 reports which mention Argos, a 323% increase compared to April, when 154 reports mentioning the retailer were made. Since the start of 2026, there have been 1,175 reports mentioning th...

UK Cybercrime Journal: Hargreaves Landsdown Extortion Attempt by Bashe

Image
What Happened Over the course of September 2025 to May 2026, Hargreaves Lansdown the UK-based investment platform has been the subject of IT glitches, hacker claims, and technical outages that have triggered rumours and customer concerns. On 11 September 2025, Hargreaves Lansdown customers reported discrepancies in the balances for their pension and ISA accounts, appearing as if huge sums had been mysteriously withdrawn. Customer began to fear they had been “hacked” after they logged onto their account and saw their life savings reduced. In less than 24 hours, Hargreaves Lansdown, however, swiftly responded that it was a temporary technical issue that only lasted 45 minutes and all client balances were restored. On 20 March 2026, Hargreaves Lansdown customers began experiencing technical issues that were affecting some parts of its website and app. The company apologised to customers over IT issues which left them unable to access their accounts during a period of heightened volatility...

UK Cybercrime Journal: Sustained DragonForce Campaign

Image
  What Happened Throughout May 2026, affiliates of the DragonForce ransomware-as-a-service (RaaS) platform claimed seven UK-based companies as its victims by posting them on their Tor data leak site. On 27 May 2026 alone, DragonForce ended the month by posting 22 victims from around the world, four of which were UK-based firms. DragonForce’s UK-based victims from May spanned a diverse range of industries: Professional Services & Talent:  Practicus (interim management/executive search) Financial & Tax Services:  WSM (UK tax advisory) Infrastructure & Logistics:  ERH (traffic management solutions) and Refreshment Systems (vending/logistics) Heavy Industry/Construction:  Arsenal Scaffold Technology & IT:  Helix International (managed enterprise software) Luxury Retail/Finance:  Cult Wines. Analyst Comment Active since late 2023, DragonForce remains a persistent cybercriminal threat particularly towards the UK. The recent flurry of disclosu...