☀️ Good morning. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.

Two cybersecurity professionals got 4 years in prison for secretly acting as the ransomware gang they were hired to fight, a Scattered Spider member was arrested in Finland trying to board a flight to Tokyo, CrowdStrike documented two new Com-affiliated groups running the Scattered Spider playbook against enterprise SaaS with swatting as their escalation tactic, CISA gave federal agencies 48 hours to patch a critical cPanel flaw already exploited in the wild, and Europol's annual crime report confirmed that cybercriminals are now innovating faster than law enforcement can respond.

🔥 Top Stories

01 — Ransomware Negotiators Sentenced: Sygnia and DigitalMint Employees Get 4 Years for Acting as BlackCat Affiliates

Ransomware

Ryan Goldberg, a former incident response manager at Sygnia, and Kevin Martin, a ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison for conspiracy to obstruct commerce by extortion. Between May and November 2023, both men operated as BlackCat affiliates — breaching victim networks, deploying ransomware, and in some cases being hired by those same victims to negotiate with the attackers they had themselves deployed. A third accomplice, Angelo Martino, pleaded guilty in April and awaits sentencing.

The case is the most significant confirmed instance of incident response professionals acting as ransomware affiliates against their own clients. The IR industry's trust model — where responding firms receive full network access, internal documentation, and sensitive operational data — is now a documented attack surface in federal court.

02 — Scattered Spider Member "Bouquet" Arrested in Finland — Peter Stokes, 19, Charged with Four Intrusions Starting at Age 16

Cyber Crime

Peter Stokes, 19, a dual US-Estonian citizen operating as "Bouquet," was arrested at Helsinki Airport on April 10 while attempting to board a flight to Tokyo. US prosecutors have charged Stokes with wire fraud, conspiracy, and computer intrusion across at least four Scattered Spider attacks since March 2023 — the first conducted when he was 16. In May 2025 he allegedly helped breach a luxury retailer via IT helpdesk vishing, claimed 100GB of data, and demanded $8 million in ransom. Two 2TB hard drives were seized at the time of arrest.

The arrest adds to an accelerating prosecution wave: Tyler "Tylerb" Buchanan pleaded guilty earlier in April and faces sentencing in August. Finnish authorities detained Stokes before he boarded — indicating active law enforcement surveillance of The Com ecosystem, not reactive investigation.

03 — Cordial Spider and Snarky Spider: Two New Com-Affiliated Groups Running the Scattered Spider Playbook at Scale

Threat Intelligence

CrowdStrike documented two new financially motivated threat clusters — Cordial Spider and Snarky Spider — running high-speed vishing and SSO phishing campaigns against enterprise SaaS since at least October 2025. The attack chain deploys no malware: a phone call directs targets to fake SSO login pages, credentials and session tokens are harvested via AiTM interception, an attacker-owned device is registered in Microsoft Entra ID, and the authenticated session is used to traverse the victim's entire SaaS ecosystem — SharePoint, Salesforce, Google Workspace, HubSpot — searching for files tagged "confidential," "SSN," and "contracts." Seven-figure ransom demands follow.

Snarky Spider adds swatting as a formal escalation step — making false emergency calls to trigger armed police responses at executives' homes when victims refuse to pay. CrowdStrike's Adam Meyers called them "the new generation of Scattered Spider." The same helpdesk vishing technique. No new tools required.
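Because the chain above involves no malware, the detectable moment is in identity telemetry: a sign-in from an unfamiliar source followed minutes later by a device registration for the same account. The script below is an added example written for this newsletter, not code from CrowdStrike or Microsoft. It correlates a small set of constructed sign-in and device-registration events, using a simplified invented schema (the field names are not the real Entra ID sign-in or audit log schema) and an assumed per-user baseline of known source IPs, and flags registrations that follow an out-of-baseline sign-in within a configurable window.

```python
"""Flag device registrations that closely follow a sign-in from an
unfamiliar IP: the 'phished session, then attacker-owned device enrolled'
pattern described in the Cordial/Snarky Spider reporting.

Constructed, simplified event schema (NOT the real Microsoft Entra ID
sign-in/audit log schema). Each event is a dict with:
  ts    - ISO-8601 UTC timestamp
  user  - user principal name
  kind  - "sign_in" or "device_registered"
  ip    - source IP of the request
"""
from datetime import datetime, timedelta

# Assumed baseline: the source IPs each user normally signs in from.
# In practice this would come from weeks of sign-in history, not a literal.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.10", "198.51.100.7"},
}

# Constructed sample events; every value here is invented for the example.
EVENTS = [
    {"ts": "2026-05-01T09:00:00Z", "user": "alice@example.com", "kind": "sign_in", "ip": "203.0.113.10"},
    {"ts": "2026-05-01T09:42:00Z", "user": "alice@example.com", "kind": "sign_in", "ip": "192.0.2.55"},
    {"ts": "2026-05-01T09:47:00Z", "user": "alice@example.com", "kind": "device_registered", "ip": "192.0.2.55"},
    {"ts": "2026-05-01T10:05:00Z", "user": "bob@example.com", "kind": "sign_in", "ip": "198.51.100.7"},
    {"ts": "2026-05-01T10:20:00Z", "user": "bob@example.com", "kind": "device_registered", "ip": "198.51.100.7"},
]

# How long after an unfamiliar sign-in a device registration is still suspicious.
WINDOW = timedelta(minutes=30)


def _parse(ts):
    """Parse the constructed ISO-8601 'Z' timestamp into a naive UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_registrations(events, known_ips, window=WINDOW):
    """Return one alert per device registration that is preceded, within
    `window`, by a sign-in for the same user from an IP outside that user's
    baseline. Events may arrive unordered; they are sorted by timestamp."""
    alerts = []
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    for i, ev in enumerate(ordered):
        if ev["kind"] != "device_registered":
            continue
        reg_time = _parse(ev["ts"])
        baseline = known_ips.get(ev["user"], set())
        # Walk backwards through earlier events until we leave the window.
        for prior in reversed(ordered[:i]):
            t = _parse(prior["ts"])
            if reg_time - t > window:
                break
            if (prior["user"] == ev["user"]
                    and prior["kind"] == "sign_in"
                    and prior["ip"] not in baseline):
                alerts.append({
                    "user": ev["user"],
                    "sign_in_ip": prior["ip"],
                    "registration_ip": ev["ip"],
                    "minutes_between": int((reg_time - t).total_seconds() // 60),
                    "reason": "device registered shortly after sign-in from unfamiliar IP",
                })
                break  # one alert per registration is enough
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_registrations(EVENTS, KNOWN_IPS):
        print(a)
```

Run as written, the script flags only alice's registration (five minutes after a sign-in from an address outside her baseline) and stays quiet for bob, whose registration follows a sign-in from a known address. The IP baseline is the weakest part of this heuristic, since AiTM proxies can sit in residential or cloud ranges; in a real deployment the same correlation is better keyed on device, location and MFA-method signals from the sign-in record, and the device-registration event is the pivot worth alerting on regardless.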

04 — CISA Orders Federal Agencies to Patch Critical cPanel Authentication Bypass CVE-2026-41940 by Sunday

Vulnerabilities

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1 and issued a binding operational directive requiring all federal civilian agencies to patch by May 3 — a 48-hour window. The critical authentication bypass in cPanel and WHM grants full host takeover upon exploitation. Rapid7 confirmed successful exploitation in the wild. A 48-hour federal mandate is one of the shortest timelines CISA issues and signals that exploitation is already active and widespread.

In shared hosting environments — where a single cPanel instance manages hundreds or thousands of customer domains — a single compromise exposes every site, email account, and database on that server. Private sector organizations are not bound by the mandate but should treat the 48-hour window as their own deadline.

05 — Europol IOCTA 2026: AI, Encryption, and Cybercrime-as-a-Service Are Widening the Velocity Gap

Threat Intelligence

Europol's annual Internet Organised Crime Threat Assessment warns that cybercrime has industrialized. AI tools, encrypted infrastructure, and the cybercrime-as-a-service model now allow low-skilled actors to execute sophisticated attacks at scale — while the gap between criminal innovation speed and law enforcement response capability continues to widen. Key figures: 120+ active ransomware variants in 2025, global cybercrime costs projected to exceed $10.5 trillion in 2026. The report documents a structural shift in the ransomware model — away from encryption toward pure data theft extortion — and confirms that nation-state actors are increasingly using criminal proxy networks for disruptive operations.

The velocity gap is not a law enforcement problem alone. AI-accelerated attacks that complete in hours compress the detection and response window to the point where human-speed incident response is structurally inadequate.

📊 By The Numbers

  • 4 years — Federal prison sentence handed to both Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint) for acting as BlackCat affiliates

  • 4 — Scattered Spider intrusions Peter Stokes allegedly committed starting at age 16, including an $8M ransom demand

  • $8 million — Ransom demanded by Stokes after a luxury retailer helpdesk vishing attack in May 2025

  • 120+ — Active ransomware variants documented by Europol in 2025

  • 48 hours — Time CISA gave federal agencies to patch the critical cPanel CVE-2026-41940 authentication bypass

⚡ The Signal

The Goldberg-Martin sentencing and the Cordial/Snarky Spider report share a detail that is worth holding together: neither attack required breaking anything.

Goldberg and Martin walked into victim networks using their professional credentials — IR managers and ransomware negotiators have legitimate access to everything an attacker needs. Cordial and Snarky Spider walk into enterprise SaaS environments using session tokens harvested by phone. No exploit, no payload, no malicious file. Just trust, abused.

Europol's velocity gap framing is the right lens for all of it. Criminals are innovating faster than defenders are adapting — not because the techniques are new, but because the structural vulnerabilities they exploit are old and persistent. Helpdesk verification gaps. Trusted vendor access. Session token exposure. These have been documented as attack surfaces for years. The groups operating against them in 2026 are simply doing so faster, at higher volume, and with better tooling than their predecessors.

The question for security leaders this week: which of your trusted relationships — vendors, IR firms, negotiators, helpdesk staff — could be turned against you with no technical barrier at all?

🔍 What You May Have Missed

📅 What to Watch

  • Shadow-Earth-053 full Trend Micro report — Trend Micro's full technical attribution confirmed journalists and activists as targets alongside governments. Watch for Mandiant, CrowdStrike, and Microsoft to publish overlapping cluster attribution within 2-3 weeks.

  • Europol Operation PowerOFF — 75,000 warning letters sent to identified DDoS-for-hire customers. Watch for follow-up enforcement action as law enforcement works through the 3 million criminal accounts seized from booter infrastructure.

  • Huge Networks / Brazilian ISP botnet — CEO Erick Nascimento claims a competitor planted the attack code using his stolen SSH keys. Watch for a formal law enforcement response from Brazilian authorities following the Krebs disclosure.

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team

Our Sponsors

⭐️ The AI Report

Your competitors already read this every morning.

The AI Report keeps 400,000+ executives ahead of every major AI move — in 5 minutes a day. Trusted by leaders at the world's top companies. The question isn't whether AI is changing your industry. It's whether you'll see it coming.

⭐️ Norton NEO

Fast browsing. Faster thinking.

Your browser gets you to a page. Norton Neo gets you to the answer. The first safe AI-native browser built by Norton moves with you from idea to action without slowing you down. Magic Box understands your intent before you finish typing. AI that works inside your flow, not beside it. No prompting. No copy-pasting. No switching apps.

Built-in AI, instantly and for free. Privacy handled by Norton. Built-in VPN and ad blocking protect you by default. No configuration. No extra apps. Nothing to think about.

Fast. Safe. Intelligent. That's Neo.
