
Executive Summary

Over the 30-day period from 2026-06-01 to 2026-07-01, a total of 3,515 cyber incidents were recorded globally across monitored sources. This represents a −5.7% week-on-week decline from the prior window's 3,727 incidents, suggesting a modest reduction in overall volume, though the absolute level of activity remains operationally significant and consistent with 2026's elevated baseline. 

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

The United States remained the single most targeted nation, with 649 incidents, followed by France (242) and Thailand (169), with the top ten countries collectively accounting for the substantial majority of observed global activity.

The threat landscape this period was shaped by three dominant attack modalities: Data Leak / Exfiltration (1,441 incidents), Ransomware (1,286 incidents), and DDoS (724 incidents), together accounting for over 98% of all categorised activity. 

The finance sector recorded 170 dedicated incidents during the period, with hacktivist-aligned DDoS groups and financially motivated ransomware operators both contributing meaningfully to its threat load. The most active threat actor globally was NoName057(16), a prolific pro-Russian hacktivist group, with 228 incidents; ransomware operators The Gentlemen (103) and Qilin/qilin (157 combined) rounded out the top tier.

From a sector perspective, Public Administration and Defence (industry code P) dominated with 682 incidents, followed by Manufacturing (C) with 309, Mining/Industry (B) with 295, Real Estate/Professional Services (L) with 260, and Wholesale/Retail Trade (G) with 239. The finance sector (code K), with 212 incidents, placed sixth overall, a consistent pattern underscoring the sustained interest threat actors have in financial infrastructure, both for data exfiltration and disruptive DDoS campaigns.

Strategic Context

The June 2026 threat picture reflects a geopolitical environment in which hacktivism and state-aligned disruption campaigns continue to intersect with financially motivated cybercrime. The heavy DDoS burden on Israel (148 of 168 total incidents) is consistent with the persistent operational tempo of pro-Palestinian and Iran-aligned hacktivist collectives, a dynamic that mirrors the broader pattern noted by researchers linking kinetic Middle East tensions to increased cyber operations. 

Meanwhile, the dominance of NoName057(16) across France, the United Kingdom, and Israel reinforces the well-established correlation between pro-Russian hacktivist tasking and European political events, including NATO-adjacent government activities and diplomatic signalling. 

In the financial sector specifically, after a brief reprieve driven by law enforcement pressure on dominant groups, direct ransomware attacks on financial institutions rebounded sharply, with incidents climbing from 156 in 2024 to 202 in 2025. Early 2026 data show 65 finance-sector incidents in Q1 alone, a 76% increase over Q1 2025.

The supply chain vector remains particularly acute: by gaining access to a single managed service provider, Qilin used standing privileged credentials to move laterally into 32 South Korean financial institutions without breaching each independently, extracting over one million files and more than 2 terabytes of data. This structural vulnerability (well-defended primary institutions undermined by lower-maturity vendors) is now the defining attack path in the sector.

For banks, the most material cyber threat in 2026 is the combination of identity compromise, ransomware-driven data extortion, and third-party technology exposure.

Figure 1: Top 8 most-targeted countries by cyberattack incidents, June 2026.

 


June 2026 Cyberattack Statistics by Country and Sector

| Metric | Value |
| --- | --- |
| Total Incidents (Period) | 3,515 |
| Prior Period Incidents | 3,727 |
| Week-on-Week Change | −5.7% |
| Top Threat Actor | NoName057(16), 228 incidents |
| Top Targeted Country | United States, 649 incidents |
| Top Targeted Sector | Public Administration and Defence (P), 682 incidents |
| Top Attack Category | Data Leak / Exfiltration, 1,441 incidents |
| Finance Sector Incidents | 170 incidents |
| Reporting Period (Days) | 30 |

Cyber Attacks by Country

United States

Total Incidents: 649

| Category | Count |
| --- | --- |
| Ransomware | 407 |
| Data Leak / Exfiltration | 210 |
| DDoS | 20 |
| Cyber Incident | 4 |
| Malware | 1 |

Top Industries: Arts/Entertainment/Recreation (R), 70; Mining/Industry (B), 69; Administrative and Support Services (N), 64; Real Estate/Professional (L), 54; Finance and Insurance (K), 53

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| Qilin | 40 |
| akira | 32 |
| The Gentlemen | 31 |
| qilin | 30 |
| ShinyHunters | 24 |

Notable Targeted Organisations: NASA, Prince George County, AT&T, NASCO, DISCORD, SYSCO, APOLLO.IO, Federal Bureau of Investigation (FBI)

The United States remains by far the most targeted country in the dataset, accounting for 18.5% of all global incidents. Ransomware dominates the US threat profile (407 of 649 incidents), with Qilin (combined 70 incidents across both case variations) and Akira driving the majority of enterprise-level intrusions. The targeting of high-profile entities such as NASA, AT&T, and the FBI highlights the breadth of attacker interest, spanning critical infrastructure, telecommunications, and federal agencies.

France

Total Incidents: 242

| Category | Count |
| --- | --- |
| Data Leak / Exfiltration | 138 |
| DDoS | 64 |
| Ransomware | 34 |
| Phishing | 1 |
| Unauthorised Access | 1 |

Top Industries: Public Administration (P), 53; Government/Defence (G), 38; Mining/Industry (B), 21; Manufacturing (C), 15; Health and Social Work (Q), 13

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| NoName057(16) | 48 |
| ChimeraZ | 23 |
| misere | 20 |
| 0xSec | 12 |
| Dark Storm Team | 11 |

Notable Targeted Organisations: Bouygues Telecom, Propriétés Privées, HOP!, City of Dunkirk, French Mutual Insurance Company, Prefect of Haute-Savoie, EVAD, State Services in French Polynesia

France is the second most targeted country globally, with a threat profile skewed toward data exfiltration and hacktivist DDoS. NoName057(16)'s 48 incidents underline continued pro-Russian targeting of French public administration and government institutions, a pattern consistent with France's prominent role in European NATO coordination and its outspoken political stance on the Ukraine conflict.

Thailand

Total Incidents: 169

| Category | Count |
| --- | --- |
| DDoS | 93 |
| Data Leak / Exfiltration | 48 |
| Ransomware | 28 |

Top Industries: Public Administration (P), 61; Health and Social Work (Q), 26; Manufacturing (C), 23; Government/Defence (G), 10; Arts/Recreation (R), 6

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| NXBB.SEC | 49 |
| ZxS3C | 44 |
| EagleGodSEC | 12 |
| NIKK BOSS | 9 |
| ZAHER INFINITY | 6 |

Notable Targeted Organisations: Ministry of Tourism and Sports, Ministry of Public Health, Department of Alternative Energy Development and Efficiency, National Health Security Office, VISTA, Songkhla Rajabhat University

Thailand's position as the third most targeted country, driven predominantly by DDoS (93 incidents), is a notable finding this period. Activity is concentrated against public administration and health sector entities. The leading threat actors, NXBB.SEC and ZxS3C, appear to be regional hacktivist collectives targeting government digital infrastructure, reflecting Thailand's growing exposure as a developing digital economy.

Israel

Total Incidents: 168

| Category | Count |
| --- | --- |
| DDoS | 148 |
| Data Leak / Exfiltration | 19 |
| Ransomware | 1 |

Top Industries: Public Administration (P), 30; Mining/Industry (B), 18; Real Estate/Professional (L), 17; Finance and Insurance (K), 16; Government/Defence (G), 15

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| RipperSec | 33 |
| BD Anonymous | 25 |
| Elite Squad | 24 |
| YEMEN CYBER GROUP | 20 |
| Dark Storm Team | 19 |

Notable Targeted Organisations: Yad Tabenkin, Internet Binat, Elco Ltd, Nefesh B'Nefesh, First International Bank of Israel, Israel Discount Bank Ltd, Jet Fiber, NetFree

Israel's threat profile is almost entirely defined by DDoS (148 of 168 incidents), and the actor composition (RipperSec, BD Anonymous, YEMEN CYBER GROUP, Dark Storm Team) reflects the well-documented hacktivist coalition that operates in alignment with pro-Palestinian and Iran-adjacent objectives. Notably, two Israeli banks (First International Bank of Israel and Israel Discount Bank Ltd) appear in the targeted organisations list, underscoring the financial sector's exposure to politically motivated disruption campaigns.

Indonesia

Total Incidents: 130

| Category | Count |
| --- | --- |
| Data Leak / Exfiltration | 112 |
| DDoS | 11 |
| Ransomware | 7 |

Top Industries: Public Administration (P), 76; Health and Social Work (Q), 19; Real Estate/Professional (L), 9; Mining/Industry (B), 5; Manufacturing (C), 4

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| MatxCysec | 16 |
| KNOK666X | 15 |
| JAX7 | 9 |
| DigitalStormSec | 8 |
| B4d0kAhay | 7 |

Notable Targeted Organisations: Tanjungpinang City Government, National Nutrition Agency, Desa Dangin Puri Kelod, Sustainable Pulp and Paper Company, Indonesia Re

Indonesia's incident profile is dominated by data exfiltration (86% of all incidents), concentrated heavily against public administration entities. The threat actors observed are lower-profile hacktivist or data-broker collectives operating regionally, with the targeting of the National Nutrition Agency and multiple city governments indicating a broad opportunistic sweep across less-hardened public sector systems.

United Kingdom

Total Incidents: 128

| Category | Count |
| --- | --- |
| DDoS | 74 |
| Ransomware | 32 |
| Data Leak / Exfiltration | 20 |
| Malware | 1 |

Top Industries: Public Administration (P), 43; Mining/Industry (B), 15; Manufacturing (C), 10; Transport and Storage (H), 10; Wholesale/Retail (G), 7

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| NoName057(16) | 48 |
| Dark Storm Team | 17 |
| BD Anonymous | 4 |
| ANUBIS | 2 |
| qilin | 2 |

Notable Targeted Organisations: Conwy County Borough Council, Salford City Council, East Cambridgeshire District Council, BT Group, Sky-Drones, Bradford Council, YU Energy, Belfast Harbour

The UK's profile mirrors France's, with hacktivist DDoS (NoName057(16), 48 incidents; Dark Storm Team, 17) dominating a landscape that also sees a meaningful ransomware tail. The repeated targeting of local councils (Conwy, Salford, East Cambridgeshire, Bradford) suggests systematic exploitation of known weaknesses in UK municipal digital infrastructure. BT Group's appearance reinforces the continued targeting of telecommunications assets.

Mexico

Total Incidents: 118

| Category | Count |
| --- | --- |
| Data Leak / Exfiltration | 98 |
| Ransomware | 20 |

Top Industries: Public Administration (P), 44; Health and Social Work (Q), 26; Arts/Recreation (R), 11; Real Estate/Professional (L), 5; Agriculture (A), 4

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| EXILIADOS #555 | 9 |
| cenfecracked | 8 |
| MagoSpeak | 8 |
| Black0ut_Exi | 6 |
| Chronus leaks | 6 |

Notable Targeted Organisations: YOREMIA, Centro Nacional de Trasplantes, Instituto de Educación Digital del Estado de Puebla, Sistema de Atención Ciudadana, Hospital Angeles, SIDEPAT Cuauhtémoc, Santander México, Judiciary of the State of Colima

Mexico's profile is almost exclusively data-exfiltration driven, with no DDoS incidents recorded. The actor landscape is fragmented among numerous lower-profile groups. The targeting of Santander México within the financial sector and the Centro Nacional de Trasplantes and Hospital Angeles within healthcare reflects a pattern of data brokering against high-value PII repositories in Latin American public and semi-public entities.

Germany

Total Incidents: 105

| Category | Count |
| --- | --- |
| Ransomware | 78 |
| Data Leak / Exfiltration | 20 |
| Cyber Incident | 3 |
| Unauthorised Access | 1 |
| Data Breach / Exfiltration | 1 |

Top Industries: Manufacturing (C), 23; Administrative and Support Services (N), 17; Mining/Industry (B), 14; Wholesale/Retail (G), 7; Public Administration (P), 5

Top Threat Actors:

| Threat Actor | Incidents |
| --- | --- |
| The Gentlemen | 9 |
| qilin | 6 |
| SAFEPAY | 6 |
| safepay | 6 |
| thegentlemen | 6 |

Notable Targeted Organisations: Zalando, MAIKI, District of Schleswig-Flensburg, Gies Dienstleistungen GmbH, Hemmersbach, Immling Festival, Primed Halberstadt Medizintechnik GmbH, FIL Fondsbank GmbH

Germany stands apart from other top-ten countries in that ransomware is overwhelmingly the primary attack category (74% of incidents). Manufacturing (C) is the top targeted sector, consistent with Germany's industrial export economy and the known appetite of groups such as The Gentlemen and SafePay for enterprise-grade victims with production dependencies. The presence of FIL Fondsbank GmbH in the victim list highlights ongoing financial sector exposure.

Threat Actor Activity

Global Threat Actor Rankings, Top 10

| Rank | Threat Actor | Incidents | Primary Modality |
| --- | --- | --- | --- |
| 1 | NoName057(16) | 228 | DDoS (Hacktivist) |
| 2 | The Gentlemen / thegentlemen | 168 (combined) | Ransomware |
| 3 | Qilin / qilin | 157 (combined) | Ransomware |
| 4 | Dark Storm Team | 97 | DDoS (Hacktivist) |
| 5 | Aquahack | 66 | DDoS / Data Leak |
| 6 | akira | 63 | Ransomware |
| 7 | NXBB.SEC | 50 | DDoS (Regional Hacktivist) |
| 8 | LOCKBIT 5.0 | 48 | Ransomware |

Finance Sector, Top Threat Actors

| Threat Actor | Finance Incidents |
| --- | --- |
| elazo2 | 20 |
| Exchange Markets | 17 |
| NoName057(16) | 11 |
| Dark Storm Team | 5 |
| GORZ ROSTAM | 5 |

Total Finance Sector Incidents: 170

Top Threat Actor Profile, NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that emerged in March 2022 and has since established itself as the most persistently active DDoS campaign group in the global threat landscape. With 228 incidents recorded this period, the group's activity is concentrated against Western European and NATO-aligned nations, with France (48 incidents) and the United Kingdom (48 incidents) bearing the heaviest targeting load. The group employs dual-extortion tactics combining data theft with file encryption, advanced evasion and persistence techniques, and conducts targeted attacks across multiple industries and geographic regions. NoName057(16) is known to coordinate campaigns through Telegram and to task affiliate volunteers via its DDoSia tool, enabling crowd-sourced disruption of government portals, financial institutions, and transport infrastructure across target nations. In the financial sector this period, NoName057(16) contributed 11 of 170 total finance incidents, targeting banks and financial services primarily in France and Israel.

Analyst Notes

  • DDoS remains the dominant hacktivist instrument against Western Europe and Israel. NoName057(16) and Dark Storm Team together accounted for the majority of DDoS incidents in France, the UK, and Israel. Organisations in these countries, particularly public administration, telecoms, and financial services, should maintain DDoS mitigation postures commensurate with sustained, politically-motivated campaign activity rather than isolated incidents.
  • Qilin and The Gentlemen are the ransomware operators to watch. Combined, Qilin/qilin recorded 157 incidents and The Gentlemen/thegentlemen 168, placing them ahead of legacy brands in raw volume. The Gentlemen ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. Both groups should be prioritised in threat modelling exercises for enterprise environments.
  • Financial sector supply-chain risk is at a structural inflection point. The finance sector recorded 170 incidents this period. Early 2026 data shows 65 finance-sector ransomware incidents in Q1 alone, a 76% increase over Q1 2025. The attack path of choice is vendor compromise: the gap between heavily regulated financial institutions and the vendors that serve them, who face no comparable compliance pressure, has become the most exploitable seam in the threat landscape. Third-party risk programmes must be treated as a first-order control.
  • Indonesia and Thailand signal expanding attacker interest in Southeast Asian public infrastructure. Both countries entered the top-five most targeted nations primarily on the back of data exfiltration and DDoS campaigns against government ministries and health agencies. This is consistent with a broader trend of threat actors broadening their footprint into developing digital economies with lower defensive maturity.
  • LOCKBIT 5.0 warrants close monitoring. The re-emergence of the LockBit brand under the "5.0" designation, recording 48 incidents in this period, suggests operational reconstitution following prior law enforcement disruption. If this trajectory continues into Q3 2026, it may indicate a sustained rebuild of the RaaS affiliate model that previously made LockBit the most prolific ransomware operator globally.