Cybersecurity Incidents and Alerts March 7 2026 Global Threats from Spyware to Ransomware

Cybersecurity incidents have surged in March 2026, with high-profile attacks ranging from state-sponsored espionage to ransomware assaults.

Iran’s Crypto Exchange Ariomex Linked to Sanctions Evasion

A leaked database from Ariomex, an Iran-based cryptocurrency exchange, has revealed potential sanctions evasion and large-scale money laundering activities, as reported by The420. The dataset, spanning 2022–2025, includes 11,826 user records, chat logs, KYC data, and transaction details. While most users appeared to use the platform to hedge against Iran’s inflation and currency devaluation, a subset of accounts exhibited high-risk behavior, including unusually large transfers and incomplete KYC. The report by US cybersecurity firm Resecurity highlights Ariomex’s role as a shadow financial channel, offering services like P2P transfers and fiat on/off ramps—mechanisms previously exploited by Iran’s Islamic Revolutionary Guard Corps (IRGC).

This leak follows a series of similar incidents involving Iranian crypto exchanges. Resecurity linked 700 crypto wallets to identifiable individuals and found 27 potential matches with the US OFAC sanctions list.

The leaked data includes substantial evidence of large-scale money laundering. Some users sought to move $1M–$5M daily, far exceeding typical retail activity. Examples include requests to transfer $19M (Zahra Khazaei), $20M (Ebrahim Ghazvini), and $5M (Ramin Lak). High-value accounts often lacked proper identification, raising red flags for Anti-Money Laundering (AML) compliance. 70% of transactions involved USDT or TRON, aligning with Iran’s strategy to circumvent US sanctions.

This incident underscores the broader trend of cryptocurrency’s role in sanctions evasion. The Central Bank of Iran’s $507M USDT purchase in January 2026 is a notable example. These activities align with Iran’s strategy to circumvent US sanctions, as seen in the June 2025 cyberattack on Nobitex, where hackers linked to Israel’s Predatory Sparrow stole $90M. Resecurity’s findings suggest Ariomex may serve a similar purpose, with privileged accounts and layered transactions facilitating covert fund movement. The leaked data also highlights the need for stricter regulatory oversight and better AML/KYC enforcement to prevent such activities.
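The red flags the report describes (daily volume far above retail levels, incomplete KYC, and wallets that match a sanctions list) are exactly what an exchange's own AML screen should catch. The following is an added example, not the article's or Resecurity's tooling: it applies those three heuristics to a constructed set of exchange records. The account IDs, wallets, KYC profiles, watchlist entries, and the $1M daily threshold are all assumptions chosen for illustration; a real screen would load an official sanctions export rather than the inline placeholder set.

```python
"""AML screening over constructed exchange records (added example, not the
article's or Resecurity's own code). Flags the three red flags the leak report
describes: unusually large daily volume, incomplete KYC, and wallets matching a
sanctions-style watchlist. All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Constructed sample ledger: (account_id, day, asset, usd_value, counterparty_wallet).
# Account IDs and wallet strings are placeholders, not real identifiers.
TRANSACTIONS = [
    ("acct-001", date(2025, 3, 1), "USDT", 2_500_000, "TWalletAAAA"),
    ("acct-001", date(2025, 3, 1), "USDT", 1_700_000, "TWalletAAAA"),
    ("acct-002", date(2025, 3, 1), "TRX",     12_000, "TWalletBBBB"),
    ("acct-003", date(2025, 3, 2), "USDT",   900_000, "TWalletCCCC"),
    ("acct-003", date(2025, 3, 2), "BTC",    300_000, "bc1placeholder"),
    ("acct-004", date(2025, 3, 2), "USDT",     5_000, "TWalletDDDD"),
]

# Constructed KYC state per account (True = document on file and verified).
KYC = {
    "acct-001": {"id_document": False, "address_proof": False},
    "acct-002": {"id_document": True,  "address_proof": True},
    "acct-003": {"id_document": True,  "address_proof": False},
    "acct-004": {"id_document": True,  "address_proof": True},
}

# Constructed watchlist stand-in (lower-cased); a real screen would load an
# OFAC SDN export and normalise its digital-currency address entries the same way.
WATCHLIST_WALLETS = {"twalletcccc"}

# Assumption: a retail account rarely moves $1M in a day; the report cites $1M-$5M/day.
DAILY_VOLUME_THRESHOLD_USD = 1_000_000


@dataclass
class Finding:
    account_id: str
    reasons: list = field(default_factory=list)
    score: int = 0


def daily_volume(transactions):
    """Sum USD value per (account, day) so split transfers are seen together."""
    totals = defaultdict(float)
    for acct, day, _asset, usd, _wallet in transactions:
        totals[(acct, day)] += usd
    return totals


def kyc_incomplete(profile):
    """Missing profile or any unverified document counts as incomplete."""
    return not profile or not all(profile.values())


def screen(transactions, kyc, watchlist, threshold=DAILY_VOLUME_THRESHOLD_USD):
    """Return findings sorted highest-risk first; accounts with no hits are omitted."""
    findings = {}

    def get(acct):
        return findings.setdefault(acct, Finding(acct))

    for (acct, day), total in daily_volume(transactions).items():
        if total >= threshold:
            f = get(acct)
            f.reasons.append(f"daily volume ${total:,.0f} on {day} >= ${threshold:,}")
            f.score += 3
    for acct in {t[0] for t in transactions}:
        if kyc_incomplete(kyc.get(acct)):
            f = get(acct)
            f.reasons.append("incomplete KYC")
            f.score += 2
    for acct, _day, _asset, _usd, wallet in transactions:
        if wallet.lower() in watchlist:
            f = get(acct)
            reason = f"counterparty wallet {wallet} on watchlist"
            if reason not in f.reasons:  # count each listed wallet once per account
                f.reasons.append(reason)
                f.score += 5
    return sorted(findings.values(), key=lambda f: -f.score)


def stablecoin_share(transactions, assets=("USDT", "TRX")):
    """Fraction of transactions in USDT/TRON (the report's 70% figure, here TRX = TRON)."""
    if not transactions:
        return 0.0
    return sum(1 for t in transactions if t[2] in assets) / len(transactions)


if __name__ == "__main__":
    for finding in screen(TRANSACTIONS, KYC, WATCHLIST_WALLETS):
        print(finding.account_id, finding.score, "; ".join(finding.reasons))
    print(f"USDT/TRX share: {stablecoin_share(TRANSACTIONS):.0%}")
```

Aggregating per account and day is the part that matters: the two $2.5M and $1.7M transfers on the same day each look unremarkable on their own and only cross the threshold together, which is the layering pattern the report attributes to privileged accounts. The scoring weights are arbitrary; in practice they would be tuned against the exchange's own historical alerts.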

Ransomware Attack on Colombian Logistics Firm Gerleinco

On March 6, 2026, the TheGentlemen ransomware group claimed responsibility for breaching Gerleinco, a leading Colombian logistics company specializing in container control and multimodal transport. The threat actors threatened to leak sensitive data unless Gerleinco initiates negotiations. This attack underscores the growing targeting of critical infrastructure and supply chain entities by ransomware syndicates.

The attack on Gerleinco exemplifies a broader trend where ransomware groups are increasingly targeting Latin American firms, exploiting regional cybersecurity gaps. TheGentlemen, known for their double-extortion tactics, first encrypt the victim’s data and then threaten to leak it unless a ransom is paid. This method has been particularly effective in coercing organizations to comply, as the potential exposure of sensitive information can have severe consequences.

In response to these escalating threats, organizations must take proactive measures. Conducting a compromise assessment to identify infiltration vectors, exfiltrated data, and persistence mechanisms is crucial. Maintaining offline, encrypted backups can mitigate the impact of ransomware encryption. Integrating threat intelligence platforms like DeXpose can help monitor dark web chatter and leaked credentials. Regular phishing simulations are essential for employee training, and multi-factor authentication (MFA) should be enforced across the organization.

Engaging cybersecurity experts before communicating with ransomware groups is recommended. This approach ensures that organizations are prepared to handle negotiations and data recovery processes effectively.

The breach at Gerleinco highlights the need for vigilance and proactive defense strategies in the face of evolving cyber threats. As ransomware groups continue to innovate their tactics, organizations must stay ahead by implementing robust security measures and maintaining a state of readiness.

For more details on the attack, refer to DeXpose.

Cyber Fraud in India Using Fake I4C Notices

The Kerala Police issued a warning on March 7, 2026, about a cyber fraud scheme involving fake notices from the Indian Cyber Crime Coordination Centre (I4C). Fraudsters are sending threatening emails/WhatsApp messages accusing recipients of illegal activities and demanding money to avoid arrest or legal action. The modus operandi includes luring victims with claims of registered cases, demanding payments via UPI, bank transfers, or cryptocurrency, and spoofing law enforcement agencies.

The scheme exploits the trust people have in governmental notices. Victims receive messages claiming they have been implicated in serious crimes such as foreign currency transactions or accessing child exploitation content. The urgency created by a 24-hour deadline to respond increases the likelihood of victims complying.

Mitigations include verifying sources, as government agencies do not send threats or demand payments via WhatsApp/email. Reporting immediately through India’s National Cyber Crime Reporting Portal or calling 1930 (cyber helpline) is crucial. The Golden Hour Rule emphasizes reporting within 2 hours of the fraud to increase the chances of fund recovery.

This fraud highlights the growing trend of cyber scams exploiting public fear and trust. It underscores the need for vigilance and swift action to counter such threats.

Final words

The cybersecurity landscape in early March 2026 is marked by geopolitical tensions, financial crime, and opportunistic fraud. Organizations and individuals must prioritize proactive defenses, including threat intelligence integration, employee training, and rapid incident reporting. Regulators face the challenge of balancing innovation with compliance in an era of digital warfare.
