This week’s cybersecurity and dark web news stories cover the INTERPOL-led Operation Ramz, which produced 201 arrests; a data breach at The Gentlemen ransomware group; and the open-sourcing of the Shai-Hulud framework.
INTERPOL’s Operation Ramz Sends a Message Across the Middle East
For a region often overlooked in cybercrime headlines, the Middle East and North Africa just became the site of one of the most significant coordinated law enforcement actions against cybercrime to date.
Operation Ramz, coordinated by INTERPOL across 13 countries between October 2025 and February 2026, resulted in 201 arrests, the identification of 382 additional suspects, the seizure of 53 servers, and the discovery of 3,867 victims. Critically, nearly 8,000 intelligence records were shared between the participating nations, making it the largest cybercrime operation INTERPOL has ever led in the MENA region.
The operation swept up cybercriminals running phishing campaigns, malware networks, and financial scams, and the country-by-country picture is telling. In Qatar, compromised devices were found spreading malware, their owners unaware that their machines were being used as launchpads for attacks. In Jordan, authorities uncovered a fake investment fraud ring and found something grimmer underneath: workers who had been trafficked into running scam operations, their passports confiscated and their movement controlled. In Algeria, a phishing-as-a-service operation, complete with servers, tools, and a suspect in custody, was dismantled entirely. In Morocco, equipment linked to banking data theft was seized. In Oman, a malware-infected server sitting on critical infrastructure was taken offline before further damage could be done.
INTERPOL worked alongside private sector partners including Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, and Trend Micro to trace the malicious infrastructure behind these operations.
What stands out here isn’t just the scale of the arrests; it’s the intelligence sharing. Cybercrime has always thrived on jurisdictional gaps. Operations like Ramz are a direct challenge to that model: a demonstration that cross-border cooperation, when it actually happens, can hit criminal networks where it hurts.
Ransomware group ‘The Gentlemen’ suffers internal breach, exposing operations
As reported by HackRead, the ransomware group known as The Gentlemen experienced a significant breach of its internal systems in May 2026, offering researchers an unprecedented look into the operational mechanics of a cybercriminal organization that had previously operated with a high degree of perceived anonymity.
The breach is believed to have stemmed from a compromise of 4VPS, a hosting provider the group used for its infrastructure. On May 4, the administrator acknowledged on underground forums that their internal backend database had been leaked. The following day, a forum account posted a listing on Cracked offering “The Gentlemen – Hacked Data for Sale” for $10,000 in Bitcoin.
Researchers obtained a portion of the data before it was removed: six months of internal Rocket.Chat logs, affiliate rosters, ransom negotiation transcripts, exploit path discussions covering Fortinet and Cisco edge appliances, and Bitcoin wallet addresses used for internal transactions. One detail stood out above the rest – evidence of chain-victimisation. In April 2026, the group breached a UK software consultancy, then used stolen credentials and client documentation from that attack to compromise one of the consultancy’s own clients in Turkey. The victim’s data became the key to the next victim’s door.
The leak also confirmed the group’s use of AI coding assistants, including the Chinese models DeepSeek and Qwen, to accelerate ransomware development, with the administrator reportedly building the entire RaaS admin panel this way.
An inside view of a ransomware operation’s working mechanics is rare, and defenders now have a detailed map of how The Gentlemen operates: entry points, tooling, tactics, and organisational structure. The group, meanwhile, has reportedly already partnered with a new version of BreachForums and shows no sign of slowing down.
Shai-Hulud goes Open Source
When a sophisticated offensive hacking framework gets leaked onto a cybercrime forum, the entire threat landscape shifts overnight. That’s exactly what happened in May 2026, when researchers monitoring underground forums including CrackedTo discovered that TeamPCP, the group responsible for a string of high-profile software supply chain attacks, had published the full source code for their Shai-Hulud framework to GitHub under the message: “Open Sourcing The Carnage.”
The repositories, posted under several GitHub accounts that were probably themselves compromised, with commit timestamps deliberately falsified to the year 2099, were pulled by GitHub relatively quickly. Not quickly enough, though: multiple forks had already spread across the platform, the code had been captured and analysed, and, as copycat attacks began emerging within days, it was weaponised by independent threat actors.
So what exactly is Shai-Hulud? It’s a production-grade, modular offensive framework written in TypeScript/Bun, purpose-built to harvest credentials from developer environments and propagate itself through software supply chains. It targets CI/CD pipelines, developer workstations, npm package ecosystems, cloud infrastructure, and Kubernetes environments. It includes a Russian-locale check and the CIS geographic kill-switch conventionally read as a marker of Eastern European origin, and it uses hybrid RSA/AES encryption for exfiltration, so the stolen credentials are unreadable to anyone capturing the traffic in transit: only the holder of the operator’s private key can open them.
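To make concrete what “hybrid RSA/AES” means for a defender looking at the wire, here is an added example in TypeScript on Node’s built-in crypto module. It is not code from Shai-Hulud or TeamPCP, and nothing about the framework’s real wire format, key sizes or cipher modes is taken from the page; the AES-256-GCM plus RSA-OAEP choice, the Envelope layout and the sample token are assumptions made for the illustration. It shows the generic envelope pattern: a fresh random AES key encrypts the payload, and only that key is encrypted to the receiver’s RSA public key. The demo function then checks what a packet capture actually contains.

```typescript
import type { KeyObject } from "node:crypto";
import {
  constants,
  createCipheriv,
  createDecipheriv,
  generateKeyPairSync,
  privateDecrypt,
  publicEncrypt,
  randomBytes,
} from "node:crypto";

// What crosses the wire: everything a receiver needs except the operator's RSA private key.
// (Layout is an assumption for this example, not Shai-Hulud's format.)
export interface Envelope {
  wrappedKey: Buffer; // per-message AES key, RSA-OAEP(SHA-256) encrypted to the recipient's public key
  iv: Buffer;         // 12-byte AES-GCM nonce
  tag: Buffer;        // 16-byte GCM authentication tag
  ciphertext: Buffer; // AES-256-GCM ciphertext of the payload
}

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" } as const;

// Sender side: a fresh random AES key encrypts the payload; only that 32-byte key goes through RSA,
// so the RSA operation stays cheap and size-bounded however large the harvested payload is.
export function sealEnvelope(plaintext: Buffer, recipientPublic: KeyObject): Envelope {
  const aesKey = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: recipientPublic, ...OAEP }, aesKey),
    iv,
    tag: cipher.getAuthTag(),
    ciphertext,
  };
}

// Receiver side: unwrap the AES key with the private key, then decrypt and authenticate the payload.
// GCM rejects modified ciphertext, so a tampered envelope throws instead of decrypting to garbage.
export function openEnvelope(env: Envelope, recipientPrivate: KeyObject): Buffer {
  const aesKey = privateDecrypt({ key: recipientPrivate, ...OAEP }, env.wrappedKey);
  const decipher = createDecipheriv("aes-256-gcm", aesKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Demonstration: what a network sensor sees versus what the key holder sees.
export function demo(): { secretVisibleOnWire: boolean; recovered: boolean; tamperDetected: boolean } {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  // Constructed sample of a "harvested credential" for the demo; not a real token.
  const secret = Buffer.from("NPM_TOKEN=npm_EXAMPLEEXAMPLEEXAMPLEEXAMPLE", "utf8");
  const env = sealEnvelope(secret, publicKey);

  // Everything an interceptor captures, concatenated: the token string never appears in it.
  const onWire = Buffer.concat([env.wrappedKey, env.iv, env.tag, env.ciphertext]);
  const secretVisibleOnWire = onWire.includes("EXAMPLE");

  // The private-key holder recovers the payload exactly.
  const recovered = openEnvelope(env, privateKey).equals(secret);

  // Flip one ciphertext bit: GCM authentication fails and openEnvelope throws.
  let tamperDetected = false;
  try {
    const forged: Envelope = { ...env, ciphertext: Buffer.from(env.ciphertext) };
    forged.ciphertext[0] ^= 0x01;
    openEnvelope(forged, privateKey);
  } catch {
    tamperDetected = true;
  }
  return { secretVisibleOnWire, recovered, tamperDetected };
}
```

The defensive consequence is the point: full packet capture of the exfiltration channel yields nothing readable, because the only key that opens an envelope never leaves the operator. Detection therefore has to happen before encryption, at the hook, process and credential-file access level on the host, or by blocking the destination outright.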
One of the more alarming capabilities is persistence via AI coding tool hooks. The framework edits Claude Code’s settings.json to register a hook that runs a malicious loader every time a Claude Code session starts in the repository, so the payload re-executes without any further action by the developer. A developer who clones a compromised repository and opens it in VS Code is caught the same way: the repository is configured so that the payload triggers on folder open, with no interaction needed beyond the open itself. VS Code honours run-on-open configuration only in a workspace the developer has marked as trusted, which is one more reason not to trust unfamiliar clones reflexively.
The open-sourcing of Shai-Hulud has practical consequences for any organisation running developer tooling. If you use Claude Code, GitHub Actions, or npm: check the project-level .claude/settings.json and .claude/settings.local.json, and your user-level ~/.claude/settings.json, for SessionStart hooks you did not add; rotate any developer credentials (npm tokens, GitHub tokens, cloud keys) that may have been exposed in recent months; and audit your repositories for “chore: update dependencies” commits you didn’t make.
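As an added example, not code from the page, from TeamPCP, or from any vendor tooling, here is a small TypeScript scanner for the two persistence points described above: SessionStart hooks in Claude Code project settings, and VS Code tasks configured to run on folder open. It assumes the Claude Code hook layout (settings.hooks.SessionStart as a list of matcher groups, each with command hooks) and the VS Code tasks.json mechanism (runOptions.runOn set to "folderOpen") as understood at the time of writing; verify both against the current docs. The loader-command heuristics are my own assumptions, not indicators from any Shai-Hulud analysis, and the scanner reports every SessionStart and folder-open command so that nothing unexpected slips through on a pattern miss.

```typescript
import { existsSync, readFileSync } from "node:fs";
import { join } from "node:path";

export interface Finding {
  file: string;
  kind: "claude-session-start" | "vscode-folder-open";
  command: string;
  severity: "review" | "high";
  reason: string;
}

// Heuristics for loader-shaped commands. These are assumptions for this example, not indicators
// taken from any published Shai-Hulud analysis; tune them to what is normal in your repositories.
const LOADER_PATTERNS: Array<[RegExp, string]> = [
  [/\b(curl|wget|Invoke-WebRequest|iwr)\b/i, "fetches a remote resource"],
  [/\|\s*(ba|z)?sh\b|\|\s*(node|bun)\b/i, "pipes content into a shell or JS runtime"],
  [/base64\s+(-d|--decode)|atob\(|['"]base64['"]/i, "decodes an embedded payload"],
  [/\b(node|bun)\s+-e\b|\beval\b/i, "runs inline code"],
  [/\/tmp\/|\$\{?HOME\}?\/\.[\w-]+|~\/\.[\w-]+/, "touches temp or dotfile paths"],
];

function grade(command: string): Pick<Finding, "severity" | "reason"> {
  for (const [re, why] of LOADER_PATTERNS) {
    if (re.test(command)) return { severity: "high", reason: why };
  }
  // Anything that runs with no user action deserves a look even when it looks harmless.
  return { severity: "review", reason: "runs without user interaction; confirm it is yours" };
}

// Claude Code hook layout as assumed for this example (verify against the docs):
// settings.hooks.SessionStart = [ { matcher?: string, hooks: [ { type: "command", command: string } ] } ]
export function scanClaudeSettings(file: string, settings: unknown): Finding[] {
  const out: Finding[] = [];
  const groups = (settings as any)?.hooks?.SessionStart;
  if (!Array.isArray(groups)) return out;
  for (const group of groups) {
    for (const hook of group?.hooks ?? []) {
      if (hook?.type === "command" && typeof hook.command === "string") {
        out.push({ file, kind: "claude-session-start", command: hook.command, ...grade(hook.command) });
      }
    }
  }
  return out;
}

// VS Code tasks.json: a task whose runOptions.runOn is "folderOpen" starts when the folder is opened,
// provided the workspace is trusted and automatic tasks are allowed.
export function scanVsCodeTasks(file: string, tasksJson: unknown): Finding[] {
  const out: Finding[] = [];
  const tasks = (tasksJson as any)?.tasks;
  if (!Array.isArray(tasks)) return out;
  for (const task of tasks) {
    if (task?.runOptions?.runOn !== "folderOpen") continue;
    const parts = [task.command, ...(Array.isArray(task.args) ? task.args : [])];
    const command = parts.filter((p) => typeof p === "string").join(" ") || `(task "${task.label ?? "?"}")`;
    out.push({ file, kind: "vscode-folder-open", command, ...grade(command) });
  }
  return out;
}

// VS Code writes JSON with comments and trailing commas; strip both before JSON.parse.
// Good enough for config files, not a general JSONC parser (a line starting with "//" inside a string is lost).
function parseJsonc(text: string): unknown {
  const noComments = text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
  return JSON.parse(noComments.replace(/,(\s*[}\]])/g, "$1"));
}

// Scan one checked-out repository. The user-level ~/.claude/settings.json deserves the same check;
// scanClaudeSettings works on its parsed contents unchanged.
export function scanRepo(root: string): Finding[] {
  const targets: Array<[string, (file: string, json: unknown) => Finding[]]> = [
    [join(root, ".claude", "settings.json"), scanClaudeSettings],
    [join(root, ".claude", "settings.local.json"), scanClaudeSettings],
    [join(root, ".vscode", "tasks.json"), scanVsCodeTasks],
  ];
  const findings: Finding[] = [];
  for (const [file, scan] of targets) {
    if (!existsSync(file)) continue;
    try {
      findings.push(...scan(file, parseJsonc(readFileSync(file, "utf8"))));
    } catch (err) {
      console.warn(`${file}: could not parse (${(err as Error).message}); inspect it by hand`);
    }
  }
  return findings;
}

// Usage: npx tsx scan-hooks.ts /path/to/repo
const repoArg = process.argv[2];
if (repoArg) {
  for (const f of scanRepo(repoArg)) {
    console.log(`[${f.severity}] ${f.file} (${f.kind}): ${f.command} -- ${f.reason}`);
  }
}
```

Run it across every clone on a developer machine and in CI before a repository is opened in an editor; a "review" finding that nobody on the team recognises is as actionable as a "high" one, since the whole point of this persistence is that it fires without anyone clicking anything.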