FACT
BEC phishing infrastructure grew 1,380% year-over-year in 2026 as AI integration enabled criminal operators to automate account takeovers at scale, according to CyberScoop reporting on EvilTokens tracking data (July 2026).
Scattered Spider is methodically burning through U.S. insurance companies, and this week Aflac Japan confirmed ten days of undetected access. This edition also covers AI-powered BEC growing 1,380%, half a billion weekly downloads poisoned by a supply chain actor, and MSG’s celebrity risk files changing hands via vishing. The entry point stays the same: someone answered the phone.
Data Breach / Insurance
Scattered Spider Is Burning Down the Insurance Sector. Aflac Japan Is the Latest.
Scattered Spider has a new favorite industry. Aflac Japan just confirmed the group was inside its systems for ten days before anyone noticed, the latest in an unbroken string of insurer breaches tied to the same threat actor.
What Happened
An unauthorized third party accessed Aflac Japan’s systems from June 15 through June 25, ten days of undetected intrusion before discovery. The breach exposed the data of 4.38 million customers: policy and coverage details, personal information, and bank account data. Aflac disclosed publicly on June 30 and says it is still investigating the full scope of what was taken.
Why It’s Important
Insurance companies store the trifecta most breach targets don’t: policy documents for impersonation, health records for extortion, and bank accounts for direct theft. Scattered Spider has figured this out. Erie Insurance and Philadelphia Insurance Companies (PHLY) were hit in the same wave. Aflac Japan won’t be the last.
The Other Side
Aflac has not confirmed Scattered Spider attribution. The article notes the breach had “all the signs” of their pattern, but no formal attribution has been made. U.S. operations were not affected, and Aflac says it moved quickly to contain the incident once discovered.
👉 Takeaway
If you have a policy with any major insurer, the question isn’t whether your data was exposed in this wave. It’s whether your insurer has told you yet.
TL;DR: Scattered Spider (probably) spent ten days inside Aflac Japan and left with 4.38 million customers’ bank account and policy data.
BEC / AI Crime
EvilTokens and ARToken have turned BEC into a tiered subscription service. Their infrastructure grew 1,380% in the past year. Subscribers pick a plan, point the kit at a target, and let automation handle token theft, session hijacking, and account takeover. The panel covers initial phishing through account access with no technical skill required.
→ BEC-as-a-service means the attack surface is now limited only by how many people will pay a subscription. That answer is: a lot of people.
Cybercrime / Takedown
The DOJ seized cloud infrastructure behind Huione Guarantee, a Telegram-based marketplace for fencing stolen cards, running human trafficking escrow, and laundering cryptocurrency from romance scams. Treasury simultaneously sanctioned nine individuals and 26 entities tied to Cambodia’s Prince Group. The October 2025 operation severed the group from the U.S. financial system; this week’s action removed the technical backbone.
→ Huione is the logistics layer under a lot of Southeast Asia’s scam operations. Dismantling infrastructure doesn’t stop the scams, but it makes them more expensive to run.
Data Breach
ShinyHunters confirmed Nissan employee data was compromised through the Oracle PeopleSoft zero-day the group has been using across enterprise targets. Nissan is the latest named company. ShinyHunters has been actively extorting victims and posting data as leverage.
→ If your organization runs Oracle PeopleSoft and hasn’t gone through full remediation, the question is not whether ShinyHunters will look your way. It’s when.
Supply Chain / AI
TeamPCP compromised over 1,000 open-source packages with 500 million combined weekly downloads. The new problem: AI coding agents automatically install dependencies without human review. “You have agents installing packages that haven’t been vetted,” Socket’s CEO told CyberScoop. Researchers at Wiz put the odds of any installed package triggering an active attack at roughly 1-in-10.
→ AI agents are collapsing the human review step that used to slow down supply chain infections. That is not a bug. It is a feature threat actors are deliberately exploiting.
AI / Developer Security
Backslash Security found more than 30 security-relevant patches in Claude Code’s update logs between April and early June 2026, none announced publicly. Fixes covered arbitrary code execution, OAuth credential leaks, and a backdoor bug triggered by a single backslash in a deletion command. Claude Code shipped 16 versions in the first half of June alone.
→ If your team uses AI coding agents, you have a new patching surface that doesn’t look like one. Check your AI tool update policies.
Takedown
US, Canadian, German, and Dutch authorities, working alongside Europol, took down 106 servers and remediated 15,000 websites infected with SocGholish, the initial-access malware Evil Corp has used since 2017 to drop LockBit, RansomHub, and DoppelPaymer. The infected sites were everyday businesses: restaurants, auto repair shops. The site owners had no idea their pages were redirecting visitors into a malware pipeline.
→ SocGholish being disrupted doesn’t mean Evil Corp is done. It means they need a new delivery mechanism. Watch for a replacement in the next few months.
Exploitation / Threat Intel
Attackers are actively exploiting two critical FortiSandbox vulnerabilities, both patched in April: CVE-2026-39808 (OS command injection) and CVE-2026-39813 (path traversal). Defused confirmed 49 exploitation events from 11 IPs across 9 countries in just six days. A third CVE (CVE-2026-25089) is also under attack. The spread of sources points to multiple independent operators, not a single campaign.
→ If you’re running FortiSandbox, the current activity is the warning shot. Patch all three CVEs and check for existing compromise before the heavier wave arrives.
Vulnerability
Citrix patched CVE-2026-8451 in NetScaler, a vulnerability in the same exploitation class as CitrixBleed. That earlier episode taught a specific lesson: attackers planted code that survived patching, so organizations that patched CitrixBleed without checking for existing compromise were still compromised afterward. watchTowr published indicators to check for pre-patch access.
→ Patch CVE-2026-8451 now. Then run watchTowr’s indicators. Patching is not enough if the attacker already has a foothold.
Strange but real
MSG Hackers Stole the Knicks’ Celebrity Risk Ratings
Madison Square Garden maintains internal risk classifications for every celebrity who shows up courtside to watch the Knicks. Someone vished a low-level employee and walked away with all of it.
What Happened
An attacker called an MSG employee, socially engineered their way past them, and exfiltrated 45 gigabytes of internal data. Hidden in that haul: the Knicks’ celebrity risk assessment spreadsheets, classifying arena-adjacent famous people as “Low Risk” or “High Risk” based on criteria MSG would very much prefer to keep private.
Why It’s Important
The celebrity risk management framework presumably exists to make sure the right people get courtside access and the wrong people don’t. Whoever made that call now knows exactly which Knicks-adjacent celebrities are flagged High Risk and why, and that is the kind of leverage that does not expire.
The Other Side
MSG hasn’t confirmed the full contents of the breach or independently verified which specific files were taken. The celebrity risk spreadsheets have been reported based on what the attackers published, but full authenticity hasn’t been confirmed by a third party.
👉 Takeaway
Social engineering remains the most reliable attack vector in cybersecurity. One phone call to one employee with access is still all it takes. The celebrity risk ratings are a bonus.
TL;DR: A vishing call to one MSG employee yielded 45GB of data including the Knicks’ internal celebrity risk classifications for courtside regulars.