Today — 27 June 2026 (General)

NAIC confirms data breach with ShinyHunters claiming 3.1TB of data stolen in Oracle zero-day attack

  • NAIC confirmed a cyberattack exploiting an Oracle PeopleSoft zero‑day, with ShinyHunters claiming theft of 3.1TB of data
  • Stolen cache allegedly includes insurer filings, credit rating files, AWS logs, configs, and PII; NAIC says only financial reports and technical data were taken
  • Incident spotted June 11, disclosed June 17; files leaked online suggest NAIC did not pay ransom, as ShinyHunters continues exploiting the zero‑day across 100+ organizations

The National Association of Insurance Commissioners (NAIC) confirmed suffering a cyberattack that resulted in stolen data being leaked on the dark web. While the organization did not name the group responsible or mention the size of the stolen cache, the infamous ShinyHunters claimed responsibility and stated they snatched around 3.1TB of information.

In a security notice published on the NAIC website, it was explained that the attackers managed to exploit a zero-day vulnerability in Oracle PeopleSoft. This is an enterprise resource planning (ERP) software suite, designed to help businesses manage employees, finances, supply chains, and more. Citing Google Mandiant, Cybernews says ShinyHunters first started exploiting the zero-day on May 27, and managed to compromise more than 100 organizations and 300 individuals, before Oracle finally pushed an emergency update on June 10.

Among the victims, as we now know, is NAIC, whose PeopleSoft environment was compromised and then used to obtain credentials and move laterally to internal data storage locations.

ShinyHunters step forward

Based on NAIC’s investigation, the stolen information includes publicly available statutory financial reports, insurer investment credit rating data, and some technical information such as outdated logs and configuration files. There is no evidence that personal information, banking information, or payment data was accessed, it said.

NAIC spotted the attack on June 11 and immediately launched its incident response protocol, which includes notifying law enforcement, blocking malicious actors, and bringing in third-party security experts. The Commission disclosed the incident on June 17, a day before ShinyHunters went public.

The notorious ransomware gang claims to have taken more than 264,000 insurer regulatory filing documents, 2,000 customer and bulk orders containing personally identifiable information, some 45,000 files from major credit rating agencies, statutory annual and quarterly financial statements submitted by insurers, production AWS infrastructure logs, cloud configuration files, workload automation data, and SQL scripts.

Since the files were seemingly leaked online, it’s safe to assume that NAIC did not (want to) pay the ransom demand.

Via Cybernews

Prediction market giant Polymarket hit by cyberattack, with company confirming user funds stolen — here is what we know

  • Polymarket prediction platform was hacked via a compromised third‑party vendor dependency, injecting malicious scripts into its frontend
  • Around $3M in crypto stolen from ~11 users, according to PeckShield; Polymarket is refunding victims in full while removing the affected dependency
  • Community reactions on X were critical, with some blaming prior “taunting hackers”; one victim speculated the breach may have involved Xorek Cloud’s VPS

Polymarket, a prediction platform where people trade on the likelihood of different real-world events, got hacked and allegedly lost around $3 million in user funds. The company is now refunding the victims in full.

In a short post published on X earlier this week, Polymarket confirmed the news, saying it discovered that a third-party vendor had been compromised. Through that compromise, the attackers injected a malicious script “into our frontend for some users.”

Since then, Polymarket said it contained the incident and removed the affected dependency but did not say which dependency it was. It did not say which third-party vendor was compromised. Furthermore, it said it is currently contacting impacted users and refunding them in full, but did not state how many people were affected, or how much money is involved.

Context-dependent vulnerabilities

This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.

June 25, 2026

In its write-up, TechCrunch cited blockchain monitoring firm PeckShield, which claims that around $3 million in cryptocurrency was stolen in the attack. The publication also reported that around 11 people were affected. Polymarket allows its users to be paid in crypto.

X users who left comments on Polymarket’s announcement seem utterly unsurprised by the breach. “I spent weeks telling you this and you ignored it,” one person said. “The next time I find a vulnerability, I will sell it to criminal gangs.” Three users suggested Polymarket deserved what had happened for “taunting hackers” in the past. One made a sly joke saying, “how did you not predict this?”

Polymarket did not say which third-party vendor was compromised, but one of the users who lost funds in this attack speculates it happened through Xorek Cloud’s VPS:

“I recently bought a VPS from Xorek Cloud and stored my private key on it,” they said on X. “I'm not sure how the compromise happened, but that's the only possible security risk I can think of.”

Via TechCrunch

Yesterday — 26 June 2026 (General)

Almost half of ransomware victims have data stolen before they can even detect an intrusion

  • ExtraHop’s Global Threat Landscape Report shows 49% of ransomware victims only detected attacks after data theft, up from 31% last year
  • Average dwell time before detection is 2.5 weeks; attackers exploit encrypted channels, valid accounts, and alert fatigue to evade defenses
  • Ransom payments fell from $3.6M to $2.8M, but payment frequency rose sharply, with 83% of surveyed victims paying in 2026 vs. 70% in 2025

Criminals are getting better at hiding within their victims’ infrastructure, lurking and stealing files without triggering any alarms whatsoever.

Earlier today, network detection and response experts ExtraHop released the “Global Threat Landscape Report”, based on a survey of more than 1,800 IT and security leaders worldwide. It states that roughly half (49%) of organizations struck by ransomware did not detect the threat until after the data had been stolen.

This is up from 31% a year ago, ExtraHop stressed, showing the improvement criminals made within just 12 months.

Several factors

On average, cybercriminals have 2.5 weeks of quiet time before being spotted in ransomware incidents, the report stated. Furthermore, 14% of victims were unaware of an attack until receiving a ransom demand, which is also up from 6% a year ago.

“Prolonged dwell times often parallel a highly complex threat environment where critical alerts are obscured,” ExtraHop said in a press release shared with TechRadar Pro. The researchers uncovered several factors that led to delays in investigating critical alerts, including attackers using encrypted channels (41%), attacker activity mirroring legitimate workflows and processes (38%), using valid, high-privilege account permissions (34%), and alert fatigue (30%). Undermined baseline behavior also enabled anomalous actions to fly under the radar (27%).

The good news is that the average ransom payment dropped year-on-year, from $3.6 million down to $2.8 million. However, the bad news is that the payment frequency spiked. While in 2025 70% of respondents paid a ransom, this year 83% have done the same, at least among ExtraHop’s respondents.

When Chainalysis ran a similar survey recently, it said that in 2025 the number of successful ransomware attacks grew while the number of payments remained relatively flat, meaning that, in absolute numbers, fewer companies were paying ransomware attackers.

Before yesterday (General)

‘Travelers are getting better at spotting obvious scams’ — but experts warn Airbnb scams are on the rise as summer arrives

  • Airbnb scams have surged 30x since 2023, including a sharp rise this year
  • Criminals hijack legitimate host accounts to trick holidaymakers
  • Staying safe isn't so straightforward as threats evolve

Airbnb-related scam activity has increased 30x since the first half of 2023, according to new research from Saily and NordStellar, confirming that cybercriminals continue to go after holidaymakers seeking the best deals amid rising prices.

The report ultimately concludes that attackers are now targeting the trust built by larger platforms, saving them from having to build new identities from scratch.

And to top it all off, the nature of scams is also changing, as instead of using suspicious websites to obtain victim payments or information, criminals are now targeting legitimate Airbnb host accounts which have spent years amassing positive reviews and high ratings.

Exploiting legitimate accounts and hijacking trust

While the end goal remains high volumes of vulnerable consumers, scammers have added an extra layer of victims to their pipeline. Verified Airbnb hosts are now valuable assets for criminals because they already have identity verifications, positive reviews, booking histories, years of activity and established credibility.

Once the verified account is compromised, attackers can then go on to scam higher volumes of unsuspecting victims by posting – and charging for – fake property listings.

“Travelers are getting better at spotting obvious scams,” Saily Head of Product Matas Cenys said. “Criminals know this, so they are increasingly trying to steal trust instead of building fake trust from scratch.”

Where this type of attack differs from others, though, is that the victims never leave the platform. Rather than falling for a phishing attack and being redirected to a malicious external site, they interact entirely with supposedly legitimate hosts on the Airbnb platform itself.

While Airbnb attacks have seen a 30x increase in around three years and a sharp rise in the last year alone, they reflect a much broader trend of attackers compromising existing trusted accounts.

The recent ramp-up in attacks could also be tied to the summer season, with holidaymakers looking to book last-minute deals as the holidays approach. Urgency and pressure to keep costs low also add to criminals’ success.

“Everything looks normal until they arrive at their destination and discover the accommodation never existed,” Cenys added.

How to protect yourself from booking scams

Saily is recommending that all communication stays within the booking platform and that customers avoid payment methods suggested outside of official channels. Unusually attractive listings in high-demand destinations could also be taken with a pinch of salt, and savvy shoppers may choose to reverse image search a property to double check its authenticity.

“As travel booking becomes increasingly digital, trust becomes one of the most valuable currencies in the travel ecosystem,” Cenys warned.

As for abusing victim trust, researchers also argue that AI has aided attacks by allowing criminals to produce better fake listings more quickly.

More generally, Airbnb revealed that two in five Americans have fallen victim to an online scam, with the average loss totalling nearly $2,000. The company has introduced measures to remind its users how to avoid scams, including identity verification and reminders not to leave the platform, but account takeovers can still slip under the radar.

Airbnb also holds guest payments until 24 hours after check-in to ensure that everything is as described. Anti-fraud tech also prevented around 265,000 suspicious listings from appearing on the platform in 2025, the company boasted.

The company posted a comprehensive eight-step list of how to avoid scams on its platform online, calling out pressure tactics and unusual deals.


New lightweight, self-propagating crypto stealing malware delivered by USB spotted by Microsoft researchers – Crypto Clipper script-based stealer hunts for vulnerable wallets

  • Microsoft warns of “Crypto Clipper,” a worm spreading via malicious .LNK files on USB drives
  • Malware maintains persistence, connects to Tor C2, enables remote code execution, and steals clipboard crypto data
  • It swaps wallet addresses, exfiltrates seed phrases/private keys, and uploads screenshots to assess target value

Microsoft is warning of an ongoing campaign targeting cryptocurrency owners with a clipboard-jacking worm.

In a new in-depth report published late last week, Microsoft’s security researchers explained that they recently analyzed a thumb drive that appeared to contain normal documents (Word files, Excel spreadsheets). However, the documents had been replaced with Windows shortcut (.LNK) files that actually launched a piece of malware called Crypto Clipper.

This malware does a couple of things. First, it spreads by creating malicious .LNK files on USB drives and other removable media. It also sets up scheduled tasks to maintain persistence and automatically infect newly connected USB devices. Second, it behaves like a backdoor by regularly contacting a C2 server over the Tor network and receiving commands from the attacker. The server can also instruct the malware to download and execute attacker-supplied code on the infected system.

Stealing wallet data

Finally, Crypto Clipper acts as a clipboard clipper by monitoring the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. If it spots a wallet address, it can replace it with a different one, owned by the attackers, so that any tokens sent by the victim go to the attacker, instead. It can also steal and exfiltrate copied seed phrases and private keys, which can be used to load a victim's crypto wallet on a separate device.

To help attackers assess the value of a target, the malware periodically captures screenshots of the victim's screen and uploads them through the Tor network.
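The USB-borne stage described above (documents swapped for .LNK shortcuts that launch a script) is something a responder can triage with a simple scan of a mounted drive. The script below is an added example written for this page; it is not Microsoft's code and does not come from its report. It flags shortcuts whose names carry a hidden document extension (for example `Report.docx.lnk`), shortcuts that lack the standard shell-link header, and shortcuts whose raw bytes reference a script host such as PowerShell or WScript. The mock USB layout it builds in a temporary directory is constructed for the demo; the detection thresholds and the list of script hosts are the author's assumptions, not values from the report.

```python
"""Triage a removable drive for shortcut-based droppers (added example, not Microsoft's code)."""
import os
import re
import tempfile
from pathlib import Path

# A Windows shell link starts with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 stored little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Document extensions a shortcut might hide behind (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

# Script hosts a shortcut on a USB stick has no business launching (assumed list).
SCRIPT_HOST_TOKENS = [b"powershell", b"wscript", b"cscript", b"mshta", b"cmd.exe", b"rundll32"]


def _build_patterns():
    """Compile each token as ASCII and as UTF-16LE; LNK string fields are usually UTF-16."""
    pats = []
    for tok in SCRIPT_HOST_TOKENS:
        name = tok.decode()
        pats.append((name, re.compile(re.escape(tok), re.IGNORECASE)))
        pats.append((name, re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE)))
    return pats


PATTERNS = _build_patterns()


def masquerades_as_document(path) -> bool:
    """True for names like 'Q2 Budget.xlsx.lnk' where a document extension hides the .lnk."""
    p = Path(path)
    if p.suffix.lower() != ".lnk":
        return False
    inner = Path(p.stem).suffix.lower()  # the extension sitting just before '.lnk'
    return inner in DOCUMENT_EXTS


def script_host_hits(data: bytes) -> list:
    """Names of script hosts referenced anywhere in the shortcut's bytes, in token order."""
    hits = []
    for name, pat in PATTERNS:
        if name not in hits and pat.search(data):
            hits.append(name)
    return hits


def scan_removable_media(root) -> list:
    """Walk a mounted drive and return findings for every suspicious .lnk, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.suffix.lower() != ".lnk":
                continue
            data = p.read_bytes()
            reasons = []
            if not data.startswith(LNK_MAGIC):
                reasons.append("not a valid shell link header")
            if masquerades_as_document(p):
                reasons.append("document-style double extension")
            hosts = script_host_hits(data)
            if hosts:
                reasons.append("references script host: " + ", ".join(hosts))
            if reasons:
                findings.append({"path": str(p.relative_to(root)), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_drive() -> str:
    """Create a constructed mock USB layout in a temp directory (demo input only)."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    filler = b"\x00" * 32  # stands in for the rest of the fixed header in this mock
    # Benign: a real-looking document and an ordinary shortcut pointing at a folder.
    (root / "Minutes.docx").write_bytes(b"PK\x03\x04 placeholder, not a real docx")
    (root / "Photos.lnk").write_bytes(LNK_MAGIC + filler + "D:\\Photos".encode("utf-16-le"))
    # Suspicious: shortcuts named like documents whose target is a script host.
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File update.ps1"
    (root / "Q2 Budget.xlsx.lnk").write_bytes(LNK_MAGIC + filler + ps.encode("utf-16-le"))
    (root / "Report.docx.lnk").write_bytes(LNK_MAGIC + filler + b"cmd.exe /c wscript.exe run.vbs")
    return str(root)


if __name__ == "__main__":
    for finding in scan_removable_media(build_sample_drive()):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Run it against a real mounted drive by passing the mount point to `scan_removable_media` instead of the sample. A hit on the double-extension check alone is a strong signal on removable media, because legitimate shortcuts rarely need to look like spreadsheets; the script-host check catches shortcuts with innocuous names whose target is still a command interpreter.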

“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking,” Microsoft said. “The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.”

Microsoft did not say if the malware targeted any specific countries or regions, nor did it discuss the number of victims.

Via Ars Technica
