Cybersecurity incidents continue to rise, with recent events highlighting AI-powered phishing, ransomware arrests, and financial fraud. This report covers key incidents from April 6 to April 8, 2026, spanning various sectors and global regions.
AI-Powered Device Code Phishing Campaign Targets Organizations
Microsoft Defender Security Research Team uncovered a sophisticated AI-enabled device code phishing campaign that leverages automation and dynamic code generation to bypass traditional security measures. The campaign, linked to the EvilTokens phishing-as-a-service (PhaaS) toolkit, marks a significant escalation in threat actor sophistication compared to earlier attacks like Storm-2372 (February 2025). Key innovations include:
- Backend automation: Threat actors used platforms like Railway.com to deploy short-lived polling nodes, bypassing signature-based detection. The infrastructure supported real-time device code generation and post-compromise activities.
- Hyper-personalized lures: Generative AI crafted targeted emails (e.g., RFPs, invoices) tailored to victims’ roles, increasing interaction rates. AI-driven personalization is a growing trend in cyber threats.
- Dynamic code generation: Codes were generated at the moment of user interaction, circumventing the 15-minute expiration window for Microsoft’s device authentication flow.
- Reconnaissance and persistence: Automated enrichment techniques identified high-value targets (e.g., executives), enabling data exfiltration via malicious inbox rules and Microsoft Graph API reconnaissance.
The attack chain exploited the OAuth 2.0 device authorization grant flow, originally designed for devices with limited interfaces (e.g., smart TVs). Threat actors inserted themselves into this process, tricking users into authorizing malicious sessions. Mitigation strategies include blocking device code flow where unnecessary, educating users, and implementing Conditional Access policies to revoke compromised tokens. For full technical details, refer to the Microsoft Security Blog.
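As an added defender-side illustration (not code from Microsoft's report), the detection logic the mitigations above imply: correlate sign-ins that completed through the device authorization grant with inbox rules the same account created shortly afterwards that forward or delete mail. The log field names (authenticationProtocol, New-InboxRule parameters) are assumed to match Entra ID sign-in logs and the Exchange Online audit log, and the sample records are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). Field names are an assumption
# modelled on Entra ID sign-in logs and Exchange Online unified audit; verify them
# against your own export before relying on this.
SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-07T09:12:00Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
 {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-07T09:30:00Z",
  "authenticationProtocol": "none", "ipAddress": "198.51.100.7"},
 {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-04-07T11:05:00Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11"}
]""")
AUDIT = json.loads("""[
 {"UserId": "alice@example.com", "CreationTime": "2026-04-07T11:40:00Z", "Operation": "New-InboxRule",
  "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"}, {"Name": "DeleteMessage", "Value": "True"}]},
 {"UserId": "bob@example.com", "CreationTime": "2026-04-07T10:00:00Z", "Operation": "New-InboxRule",
  "Parameters": [{"Name": "From", "Value": "news@example.com"}, {"Name": "MoveToFolder", "Value": "News"}]}
]""")

# Rule parameters that divert or hide mail: the post-compromise tradecraft described above.
DIVERTING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_code_signins(signins):
    """Sign-ins completed via the device authorization grant, the flow abused in this campaign."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def diverting_inbox_rules(audit):
    """New-InboxRule events whose parameters forward, redirect or delete messages."""
    hits = []
    for e in audit:
        if e.get("Operation") != "New-InboxRule":
            continue
        if {p["Name"] for p in e.get("Parameters", [])} & DIVERTING_PARAMS:
            hits.append(e)
    return hits

def correlate(signins, audit, window=timedelta(hours=24)):
    """Pair each device-code sign-in with a diverting rule the same user created within `window`."""
    alerts, rules = [], diverting_inbox_rules(audit)
    for s in device_code_signins(signins):
        t0 = _ts(s["createdDateTime"])
        for r in rules:
            if r["UserId"].lower() != s["userPrincipalName"].lower():
                continue
            if timedelta(0) <= _ts(r["CreationTime"]) - t0 <= window:
                alerts.append({"user": s["userPrincipalName"], "signin": s["createdDateTime"],
                               "rule": r["CreationTime"], "ip": s["ipAddress"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(SIGNINS, AUDIT):
        print(f"ALERT {a['user']}: device-code sign-in {a['signin']} from {a['ip']}, diverting rule at {a['rule']}")
```

Carol's device-code sign-in alone is not alerted on; it is only a hit for a lower-severity hunting query, which is the point of correlating the two signals.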
Ransomware and Cybercrime Arrests
Germany’s Federal Criminal Police Office (BKA) identified two key suspects linked to the REvil and GandCrab ransomware gangs:
- Daniil Shchukin (alias: UNKN), a 31-year-old Russian national alleged to have led both operations.
- Anatoly Kravchuk, a 43-year-old Ukraine-born Russian developer for the groups.
The suspects are believed to be in Russia and are wanted internationally for ~24 ransomware attacks generating $2.3 million in extorted payments and $40 million in economic damage. Both groups operated under a ransomware-as-a-service (RaaS) model, where developers leased malware to affiliates in exchange for a cut of profits. REvil, dismantled in 2021, targeted high-profile victims like Lady Gaga’s law firm, Kaseya, and former U.S. President Donald Trump. For context, see The Record’s coverage.
The FBI’s Internet Crime Complaint Center (IC3) released its 2025 annual report, revealing a 26% increase in cybercrime losses to $20.9 billion—up from $4.2 billion in 2020. Key findings include:
- Top threats: Investment fraud ($8.65B), business email compromise ($3.05B), and tech support scams ($2.1B).
- Primary payment methods: Cryptocurrency (investment/tech scams) and wire transfers (BEC).
- Demographics: Victims aged 60+ filed 201,000 complaints, accounting for 37% of total losses ($7.75B).
- Ransomware: 3,600 complaints reported, with Akira, Qilin, and BianLian as top variants. Targeted sectors included healthcare, manufacturing, and financial services.
The FBI urged vigilance against AI-driven threats and emphasized reporting crimes to IC3. Full report details are available via CyberScoop.
Educational Sector Disruptions
A cyberattack on the C2K network, which supports IT systems for Northern Ireland schools, forced pupils to return during the Easter break to reset passwords in person. The attack disrupted access to GCSE and A-Level study materials, prompting schools like Cross and Passion College (Ballycastle) and St Louis Grammar School (Ballymena) to reopen for password resets. The Education Authority confirmed no evidence of data breaches but engaged the Information Commissioner’s Office for further investigation. Parents expressed frustration over the timing, given upcoming exams. For updates, see The Irish News.
Financial Scams and Fraud
The Nebraska Judicial System alerted residents to a text/email scam claiming recipients had unpaid traffic fines. Messages threatened penalties unless victims clicked a link to pay. Authorities clarified that Nebraska courts never send automated texts for fines and advised verifying fines via the official online payment system. Scams like these aim to steal personal/financial data. Report suspicious messages to local law enforcement. Details: Nebraska.tv.
In Thailand, the Anti Cyber Scam Centre (ACSC) reported a 176-case increase in weekly online scams (March 29–April 4, 2026), though total losses dropped 94% to $1.24M due to faster fund freezes. Online job scams emerged as the top financial threat, with fraudsters using two tactics:
- Fake goods scams: Victims lured with “free/cheap” products were added to Line groups, assigned fake tasks, and coerced into advance payments before scammers vanished.
- High-paying job scams: Scammers built trust with small payments for simple tasks (e.g., liking posts), then persuaded victims to “invest” larger sums, which became unrecoverable.
The ACSC arrested 16 suspects (14 Thais, 2 foreigners) and seized $52,000 in cash. Authorities advised using escrow payment systems (e.g., TikTok Shop, Lazada) and avoiding Line group “side tasks”. More: VietnamPlus.
In South Korea, TV personality Jee Seok-jin shared a personal anecdote about voice phishing (vishing) on Netflix’s Late-Blooming Student Ji. His wife received a call claiming her bank account was tied to a crime, a common vishing tactic. Criminal profiler Professor Kwon Il-yong warned about AI-driven scams using DeepVoice and deepfake technologies, which mimic voices or create fake identities. The episode underscored the need for skepticism toward unsolicited calls.
The FBI IC3’s 2025 report (covered in Section 2) underscored the evolution of cyber threats, with AI, ransomware, and investment fraud driving losses. The report noted:
- 3,000 daily complaints received by IC3.
- Sextortion cases: 75,000 reports, with 5,700 referred to the National Center for Missing & Exploited Children.
- Critical infrastructure: All 16 sectors reported ransomware attacks, with healthcare and manufacturing most targeted.
The FBI called for public-private collaboration to disrupt cybercriminal networks. Read the full report via CyberScoop.
Latoya Nicole McCray (39) of Montgomery, AL, received a 10-year prison sentence for conspiring to steal mail (credit cards, checks, PII) and commit bank fraud. McCray and accomplices forged checks and made unauthorized purchases, causing $150,000 in losses. The case was investigated by the FBI and USPIS. DOJ Press Release.
Final words
The past 72 hours have seen a diverse array of cyber threats, from AI-powered phishing to ransomware arrests and educational disruptions. Key takeaways include:
- Phishing remains the top threat, with AI amplifying its scale and sophistication.
- Ransomware operators continue to evade justice, though international cooperation is making progress.
- Financial scams exploit trust and urgency, requiring public awareness campaigns.
- Critical infrastructure remains vulnerable, necessitating proactive cybersecurity measures.
Stay informed by monitoring updates from Microsoft Defender, FBI IC3, and local cybersecurity agencies.
