10 July 2026

7 min read

UK Government credentials surface on the dark web | Cyber Intelligence Briefing – 10 July 2026

July 2026
UK Government credentials surface on the dark web | Cyber Intelligence Briefing – 10 July 2026 placeholder thumbnail

Top news stories this week

  1. Fresh FortiBlood. UK Government credentials surface on the dark web.  
  2. Disrupted.  Authorities close in on criminal cyber networks.
  3. Consultants, compromised. Accenture confirms cyber incident after stolen data listed for sale. 
  4. Vibe probing. Threat actors observed using AI tools.
  5. Vault breach. Deutsche Bank investigates supplier after stolen data surfaces on the dark web.
  6. Road to Data Breach. AssuranceAmerica confirms data breach that includes sensitive data. 

1. UK Government credentials surface on the dark web

Russian-linked threat actors reportedly compromised email accounts belonging to UK government officials and Foreign Office personnel as part of the Fortibleed campaign, which exploited vulnerable Fortinet infrastructure to obtain valid credentials. The stolen credentials allegedly provide access to systems supporting government operations, critical national infrastructure, healthcare services, and national supply chains, with access being advertised for sale on dark web forums for up to GBP 44,000.

So what?

The sale of legitimate credentials significantly increases the risk of follow-on attacks. Organisations should ensure monitoring and detection capabilities are in place to identify misuse of compromised credentials and sensitive data exposure at the earliest opportunity.

[Researcher: Tlhalefo Dikolomela]  


2. Authorities close in on criminal cyber networks

Canada’s Communications Security Establishment (CSE) conducted state-authorised cyber operations against multiple criminal groups, including a ransomware gang. The operations disrupted their infrastructure and deleted stolen ransomware data advertised on the dark web.

Separately, Spain's National Police have arrested a man suspected of being an active member of several pro-Russian hacktivist groups, including at least one that has been linked to a Russian state-backed threat actor. The groups are believed to be responsible for multiple cyberattacks targeting critical infrastructure across the United States and Europe.

So what?

Because arresting and prosecuting cyber criminals remains difficult, authorities target the infrastructure, recruitment, communications and revenue streams that enable these networks to operate at scale.

[Researcher: Milda Petraityte]  


3. Accenture confirms cyber incident after stolen data listed for sale

IT Consulting giant Accenture has confirmed a cybersecurity incident after a threat actor offered allegedly stolen company data for sale on a cybercrime forum. While Accenture described the breach as an “isolated matter” with limited impact, the threat actor claims the data includes internal documents, credentials, and project information. The scope of the alleged breach remains unconfirmed.

So what?

Cybersecurity practitioners are encouraged to use short-lived credentials, rotate frequently, and securely store these secrets. Even security-focused technology providers can become targets and are not immune to these threat vectors. 

[Researcher: Steve Ross]


Zywave Cyber Incident Response Team of the Year Vote - 2026

 

4. Threat actors observed using AI tools

A 15-year old was arrested in Japan for allegedly using a ChatGPT-assisted program to carry out a sustained cyberattack against a media streaming service, gaining unauthorised access to member accounts and forcing account deletions at scale. Separately, a new phishing-as-a-service (PHaaS) operation was revealed to have combined adversary-in-the-middle (AiTM) attacks with AI-assisted lure generation.

SO WHAT? 

AI-assisted tooling is lowering the skill threshold for attacks and continues to improve the apparent authenticity of phishing lures.

[Researcher: Lester Lim]


5. Deutsche Bank investigates supplier after dark web leak claim

The Unsafe ransomware group listed Deutsche Bank on its dark web leak site and published samples of allegedly stolen data. The exposed information reportedly included employee email addresses, password hashes, physical addresses and internal records. Deutsche Bank stated there was no indication its internal systems had been compromised and attributed the incident to a third-party provider operating a marketing platform for sales partners.

So What?

Organisations should validate such claims, assess potential exposure, and maintain strong oversight of suppliers that hold sensitive data

[Researcher: Gabriella Nolan]


6. Data breach at AssuranceAmerica exposes personal information such as driving licences

AssuranceAmerica disclosed a data breach that exposed the personal information of approximately 6.9 million individuals, including driver’s license numbers and other sensitive data. The incident occurred in mid-March, when unauthorized access to internal systems was discovered after attackers gained access through employee’s credentials likely through phishing or infostealer malware.

SO WHAT? 

Credential theft is a commonly used initial access vector; the incident reinforces the need for strong identity security controls such as MFA, credential monitoring, and user awareness training. 

[Researcher: Lena Krummeich]

SUBSCRIBE TO RECEIVE OUR WEEKLY CYBER THREAT INTELLIGENCE BRIEFING VIA EMAIL

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Editors

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.