Executive Summary
Over the 30-day period from 2026-06-01 to 2026-07-01, a total of 3,515 cyber incidents were recorded globally across monitored sources. This represents a −5.7% week-on-week decline from the prior window's 3,727 incidents, suggesting a modest reduction in overall volume, though the absolute level of activity remains operationally significant and consistent with 2026's elevated baseline.

The United States remained the single most targeted nation, with 649 incidents, followed by France (242) and Thailand (169), with the top ten countries collectively accounting for the substantial majority of observed global activity.
The threat landscape this period was shaped by three dominant attack modalities: Data Leak / Exfiltration (1,441 incidents), Ransomware (1,286 incidents), and DDoS (724 incidents), together accounting for over 98% of all categorised activity.
The finance sector recorded 170 dedicated incidents during the period, with hacktivist-aligned DDoS groups and financially motivated ransomware operators both contributing meaningfully to its threat load. The most active threat actor globally was NoName057(16), a prolific pro-Russion hacktivist group, with 228 incidents, with ransomware operators The Gentlemen (103) and Qilin/qilin (157 combined) rounding out the top tier.
From a sector perspective, Public Administration and Defence (industry code P) dominated with 682 incidents, followed by Manufacturing (C) 309, Mining/Industry (B) 295, Real Estate/Professional Services (L) 260, and Wholesale/Retail Trade (G) 239. The finance sector (code K), 212 incidents placed sixth overall, a consistent pattern underscoring the sustained interest threat actors have in financial infrastructure, both for data exfiltration and disruptive DDoS campaigns.
Strategic Context
The June 2026 threat picture reflects a geopolitical environment in which hacktivism and state-aligned disruption campaigns continue to intersect with financially motivated cybercrime. The heavy DDoS burden on Israel (148 of 168 total incidents) is consistent with the persistent operational tempo of pro-Palestinian and Iran-aligned hacktivist collectives, a dynamic that mirrors the broader pattern noted by researchers linking kinetic Middle East tensions to increased cyber operations.
Meanwhile, the dominance of NoName057(16) across France, the United Kingdom, and Israel reinforces the well-established correlation between pro-Russian hacktivist tasking and European political events, including NATO-adjacent government activities and diplomatic signalling.
In the financial sector specifically, after a brief reprieve driven by law enforcement pressure on dominant groups, direct ransomware attacks on financial institutions rebounded sharply, with incidents climbing from 156 in 2024 to 202 in 2025. Early 2026 data recordings show 65 finance-sector incidents in Q1 alone, a 76% increase over Q1 2025.
The supply chain vector remains particularly acute: by gaining access to a single managed service provider, Qilin used standing privileged credentials to move laterally into 32 South Korean financial institutions without breaching each independently, extracting over one million files and more than 2 terabytes of data. This structural vulnerability, well-defended primary institutions undermined by lower-maturity vendors, is now the defining attack path in the sector.
For banks, the most material cyber threat in 2026 is the combination of identity compromise, ransomware-driven data extortion, and third-party technology exposure.
Figure 1: Top 8 most-targeted countries by cyberattack incidents, June 2026.
Recent Headlines
- Tata Electronics Confirms June 2026 Ransomware Incident Involving 200,000+ Files: Tata Electronics confirmed a June 2026 cybersecurity incident after the World Leaks ransomware group published over 200,000 alleged company files, totalling 630.4 GB, on its dark web leak site on 12 June 2026.
- Klue OAuth Supply Chain Breach Exposes Salesforce CRM Data Across Multiple Enterprises: Klue confirmed a June 2026 supply chain breach after attackers used compromised legacy credentials to access its integration environment and obtain OAuth tokens connected to customer platforms, with the attack unfolding between 11–12 June 2026 and enabling unauthorised access to Salesforce CRM data across multiple customer environments.
- France's Government Messaging Platform Tchap Breached in June 2026: France's interministerial digital directorate DINUM disclosed a breach of Tchap, the French government's sovereign messaging platform, on 8 June 2026.
- ShinyHunters Claims 5.2 Million Record Theft from American Tower Corporation: American Tower Corporation became a target of a ransomware attack carried out by the ShinyHunters group, which claimed to have stolen over 5.2 million records, including customer and landowner PII, asset records, GPS data, and access codes.
- Black Kite Report: Finance-Sector Ransomware at Multi-Year High as Vendor Risk Surges: 109 of 140 core finance vendors have critical-level patch management failures, and one compromised MSP cascaded into 32 financial institutions and over 2 TB of stolen data, with the Marquis Software breach exposing up to 1.35 million customers across 74+ US institutions.
June 2026 Cyberattack Statistics by Country and Sector
| Metric | Value |
|---|---|
| Total Incidents (Period) | 3,515 |
| Prior Period Incidents | 3,727 |
| Week-on-Week Change | −5.7% |
| Top Threat Actor | NoName057(16), 228 incidents |
| Top Targeted Country | United States, 649 incidents |
| Top Targeted Sector | Public Administration and Defence (P), 682 incidents |
| Top Attack Category | Data Leak / Exfiltration, 1,441 incidents |
| Finance Sector Incidents | 170 incidents |
| Reporting Period (Days) | 30 |
Cyber Attacks by Country
United States
Total Incidents: 649
| Category | Count |
|---|---|
| Ransomware | 407 |
| Data Leak / Exfiltration | 210 |
| DDoS | 20 |
| Cyber Incident | 4 |
| Malware | 1 |
Top Industries: Arts/Entertainment/Recreation (R), 70; Mining/Industry (B), 69; Administrative and Support Services (N), 64; Real Estate/Professional (L), 54; Finance and Insurance (K), 53
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| Qilin | 40 |
| akira | 32 |
| The Gentlemen | 31 |
| qilin | 30 |
| ShinyHunters | 24 |
Notable Targeted Organisations: NASA, Prince George County, AT&T, NASCO, DISCORD, SYSCO, APOLLO.IO, Federal Bureau of Investigation (FBI)
The United States remains by far the most targeted country in the dataset, accounting for 18.5% of all global incidents. Ransomware dominates the US threat profile, 407 of 649 incidents, with Qilin (combined 70 incidents across both case variations) and Akira driving the majority of enterprise-level intrusions. The targeting of high-profile entities such as NASA, AT&T, and the FBI highlights the breadth of attacker interest, spanning critical infrastructure, telecommunications, and federal agencies.
France
Total Incidents: 242
| Category | Count |
|---|---|
| Data Leak / Exfiltration | 138 |
| DDoS | 64 |
| Ransomware | 34 |
| Phishing | 1 |
| Unauthorised Access | 1 |
Top Industries: Public Administration (P), 53; Government/Defence (G), 38; Mining/Industry (B), 21; Manufacturing (C), 15; Health and Social Work (Q), 13
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| NoName057(16) | 48 |
| ChimeraZ | 23 |
| misere | 20 |
| 0xSec | 12 |
| Dark Storm Team | 11 |
Notable Targeted Organisations: Bouygues Telecom, Propriétés Privées, HOP!, City of Dunkirk, French Mutual Insurance Company, Prefect of Haute-Savoie, EVAD, State Services in French Polynesia
France is the second most targeted country globally, with a threat profile skewed toward data exfiltration and hacktivist DDoS. NoName057(16)'s 48 incidents underline continued pro-Russian targeting of French public administration and government institutions, a pattern consistent with France's prominent role in European NATO coordination and its outspoken political stance on the Ukraine conflict.
Thailand
Total Incidents: 169
| Category | Count |
|---|---|
| DDoS | 93 |
| Data Leak / Exfiltration | 48 |
| Ransomware | 28 |
Top Industries: Public Administration (P), 61; Health and Social Work (Q), 26; Manufacturing (C), 23; Government/Defence (G), 10; Arts/Recreation (R), 6
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| NXBB.SEC | 49 |
| ZxS3C | 44 |
| EagleGodSEC | 12 |
| NIKK BOSS | 9 |
| ZAHER INFINITY | 6 |
Notable Targeted Organisations: Ministry of Tourism and Sports, Ministry of Public Health, Department of Alternative Energy Development and Efficiency, National Health Security Office, VISTA, Songkhla Rajabhat University
Thailand's position as the third most targeted country, driven predominantly by DDoS (93 incidents), is a notable finding this period. Activity is concentrated against public administration and health sector entities. The leading threat actors, NXBB.SEC and ZxS3C, appear to be regional hacktivist collectives targeting government digital infrastructure, reflecting Thailand's growing exposure as a developing digital economy.
Israel
Total Incidents: 168
| Category | Count |
|---|---|
| DDoS | 148 |
| Data Leak / Exfiltration | 19 |
| Ransomware | 1 |
Top Industries: Public Administration (P), 30; Mining/Industry (B), 18; Real Estate/Professional (L), 17; Finance and Insurance (K), 16; Government/Defence (G), 15
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| RipperSec | 33 |
| BD Anonymous | 25 |
| Elite Squad | 24 |
| YEMEN CYBER GROUP | 20 |
| Dark Storm Team | 19 |
Notable Targeted Organisations: Yad Tabenkin, Internet Binat, Elco Ltd, Nefesh B'Nefesh, First International Bank of Israel, Israel Discount Bank Ltd, Jet Fiber, NetFree
Israel's threat profile is almost entirely defined by DDoS (148 of 168 incidents), and the actor composition, RipperSec, BD Anonymous, YEMEN CYBER GROUP, Dark Storm Team, reflects the well-documented hacktivist coalition that operates in alignment with pro-Palestinian and Iran-adjacent objectives. Notably, two Israeli banks (First International Bank of Israel and Israel Discount Bank Ltd) appear in the targeted organisations list, underscoring the financial sector's exposure to politically motivated disruption campaigns.
Indonesia
Total Incidents: 130
| Category | Count |
|---|---|
| Data Leak / Exfiltration | 112 |
| DDoS | 11 |
| Ransomware | 7 |
Top Industries: Public Administration (P), 76; Health and Social Work (Q), 19; Real Estate/Professional (L), 9; Mining/Industry (B), 5; Manufacturing (C), 4 |
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| MatxCysec | 16 |
| KNOK666X | 15 |
| JAX7 | 9 |
| DigitalStormSec | 8 |
| B4d0kAhay | 7 |
Notable Targeted Organisations: Tanjungpinang City Government, National Nutrition Agency, Desa Dangin Puri Kelod, Sustainable Pulp and Paper Company, Indonesia Re
Indonesia's incident profile is dominated by data exfiltration (86% of all incidents), concentrated heavily against public administration entities. The threat actors observed are lower-profile hacktivist or data-broker collectives operating regionally, with the targeting of the National Nutrition Agency and multiple city governments indicating a broad opportunistic sweep across less-hardened public sector systems.
United Kingdom
Total Incidents: 128
| Category | Count |
|---|---|
| DDoS | 74 |
| Ransomware | 32 |
| Data Leak / Exfiltration | 20 |
| Malware | 1 |
Top Industries: Public Administration (P), 43; Mining/Industry (B), 15; Manufacturing (C), 10; Transport and Storage (H), 10; Wholesale/Retail (G), 7
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| NoName057(16) | 48 |
| Dark Storm Team | 17 |
| BD Anonymous | 4 |
| ANUBIS | 2 |
| qilin | 2 |
Notable Targeted Organisations: Conwy County Borough Council, Salford City Council, East Cambridgeshire District Council, BT Group, Sky-Drones, Bradford Council, YU Energy, Belfast Harbour
The UK's profile mirrors France's, with hacktivist DDoS (NoName057(16), 48 incidents; Dark Storm Team, 17) dominating a landscape that also sees a meaningful ransomware tail. The repeated targeting of local councils, Conwy, Salford, East Cambridgeshire, Bradford, suggests systematic exploitation of known weaknesses in UK municipal digital infrastructure. BT Group's appearance reinforces the continued targeting of telecommunications assets.
Mexico
Total Incidents: 118
| Category | Count |
|---|---|
| Data Leak / Exfiltration | 98 |
| Ransomware | 20 |
Top Industries: Public Administration (P), 44; Health and Social Work (Q), 26; Arts/Recreation (R), 11; Real Estate/Professional (L), 5; Agriculture (A), 4
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| EXILIADOS #555 | 9 |
| cenfecracked | 8 |
| MagoSpeak | 8 |
| Black0ut_Exi | 6 |
| Chronus leaks | 6 |
Notable Targeted Organisations: YOREMIA, Centro Nacional de Trasplantes, Instituto de Educación Digital del Estado de Puebla, Sistema de Atención Ciudadana, Hospital Angeles, SIDEPAT Cuauhtémoc, Santander México, Judiciary of the State of Colima
Mexico's profile is almost exclusively data-exfiltration driven, with no DDoS incidents recorded. The actor landscape is fragmented among numerous lower-profile groups. The targeting of Santander México within the financial sector and the Centro Nacional de Trasplantes and Hospital Angeles within healthcare reflects a pattern of data brokering against high-value PII repositories in Latin American public and semi-public entities.
Germany
Total Incidents: 105
| Category | Count |
|---|---|
| Ransomware | 78 |
| Data Leak / Exfiltration | 20 |
| Cyber Incident | 3 |
| Unauthorised Access | 1 |
| Data Breach / Exfiltration | 1 |
Top Industries: Manufacturing (C), 23; Administrative and Support Services (N), 17; Mining/Industry (B), 14; Wholesale/Retail (G), 7; Public Administration (P), 5
Top Threat Actors:
| Threat Actor | Incidents |
|---|---|
| The Gentlemen | 9 |
| qilin | 6 |
| SAFEPAY | 6 |
| safepay | 6 |
| thegentlemen | 6 |
Notable Targeted Organisations: Zalando, MAIKI, District of Schleswig-Flensburg, Gies Dienstleistungen GmbH, Hemmersbach, Immling Festival, Primed Halberstadt Medizintechnik GmbH, FIL Fondsbank GmbH
Germany stands apart from other top-ten countries in that ransomware is overwhelmingly the primary attack category (74% of incidents). Manufacturing (C) is the top targeted sector, consistent with Germany's industrial export economy and the known appetite of groups such as The Gentlemen and SafePay for enterprise-grade victims with production dependencies. The presence of FIL Fondsbank GmbH in the victim list highlights ongoing financial sector exposure.
Threat Actor Activity
Global Threat Actor Rankings, Top 10
| Rank | Threat Actor | Incidents | Primary Modality |
|---|---|---|---|
| 1 | NoName057(16) | 228 | DDoS (Hacktivist) |
| 2 | The Gentlemen / thegentlemen | 168 (combined) | Ransomware |
| 3 | Qilin / qilin | 157 (combined) | Ransomware |
| 4 | Dark Storm Team | 97 | DDoS (Hacktivist) |
| 5 | Aquahack | 66 | DDoS / Data Leak |
| 6 | akira | 63 | Ransomware |
| 7 | NXBB.SEC | 50 | DDoS (Regional Hacktivist) |
| 8 | LOCKBIT 5.0 | 48 | Ransomware |
Finance Sector, Top Threat Actors
| Threat Actor | Finance Incidents |
|---|---|
| elazo2 | 20 |
| Exchange Markets | 17 |
| NoName057(16) | 11 |
| Dark Storm Team | 5 |
| GORZ ROSTAM | 5 |
Total Finance Sector Incidents: 170
Top Threat Actor Profile, NoName057(16)
NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 and has since established itself as the most persistently active DDoS campaign group in the global threat landscape. With 228 incidents recorded this period, the group's activity is concentrated against Western European and NATO-aligned nations, with France (48 incidents) and the United Kingdom (48 incidents) bearing the heaviest targeting load. The group employs dual-extortion tactics combining data theft with file encryption, advanced evasion and persistence techniques, and conducts targeted attacks across multiple industries and geographic regions. NoName057(16) is known to coordinate campaigns through Telegram and to task affiliate volunteers via its DDoSia tool, enabling crowd-sourced disruption of government portals, financial institutions, and transport infrastructure across target nations. In the financial sector this period, NoName057(16) contributed 11 of 170 total finance incidents, targeting banks and financial services primarily in France and Israel.
Analyst Notes
- DDoS remains the dominant hacktivist instrument against Western Europe and Israel. NoName057(16) and Dark Storm Team together accounted for the majority of DDoS incidents in France, the UK, and Israel. Organisations in these countries, particularly public administration, telecoms, and financial services, should maintain DDoS mitigation postures commensurate with sustained, politically-motivated campaign activity rather than isolated incidents.
- Qilin and The Gentlemen are the ransomware operators to watch. Combined, Qilin/qilin recorded 157 incidents and The Gentlemen/thegentlemen 168, placing them ahead of legacy brands in raw volume. The Gentlemen ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. Both groups should be prioritised in threat modelling exercises for enterprise environments.
- Financial sector supply-chain risk is at a structural inflection point. The finance sector recorded 170 incidents this period. Early 2026 data shows 65 finance-sector ransomware incidents in Q1 alone, a 76% increase over Q1 2025. The attack path of choice is vendor compromise: the gap between heavily regulated financial institutions and the vendors that serve them, who face no comparable compliance pressure, has become the most exploitable seam in the threat landscape. Third-party risk programmes must be treated as a first-order control.
- Indonesia and Thailand signal expanding attacker interest in Southeast Asian public infrastructure. Both countries entered the top-five most targeted nations primarily on the back of data exfiltration and DDoS campaigns against government ministries and health agencies. This is consistent with a broader trend of threat actors broadening their footprint into developing digital economies with lower defensive maturity.
- LOCKBIT 5.0 warrants close monitoring. The re-emergence of the LockBit brand under the "5.0" designation, recording 48 incidents in this period, suggests operational reconstitution following prior law enforcement disruption. If this trajectory continues into Q3 2026, it may indicate a sustained rebuild of the RaaS affiliate model that previously made LockBit the most prolific ransomware operator globally.

Threat Intelligence Reports
Our custom cyber threat intelligence reporting delivers strategic, operational, and tactical insights tailored to your organisation's unique needs. We help organisations understand and address specific threat landscapes across industries and geographies through detailed, actionable reports, enabling informed decisions to safeguard operations at all levels.
Insights

Global Cyber Threat Briefing: June 2026 Attack Statistics and Trends
Stay ahead of the curve with Cyber Series, your essential update on the evolving threat landscape.

The DENIC Disruption and NIS2: Critical Infrastructure Under New Rules
Stay ahead of the curve with Cyber Series, your essential update on the evolving threat landscape.

US is Most Attacked Nation, Driven by Ransomware and Data Exfiltration
Stay ahead of the curve with Cyber Series, your essential update on the evolving threat landscape.

Quiet, Scalable and Persistent Attacks Target Everyday Systems
Stay ahead of the curve with this month’s Cyber Risk Newsletter, your essential briefing on the evolving threat landscape.
