Executive Summary

During the past 30 days, a total of 2,896 cyberattacks were recorded globally across all tracked categories. This represents a notable decline of 17.7% compared to the previous month, when 3,520 incidents were logged. Despite the volumetric reduction, the threat landscape remained highly varied and operationally significant, with activity spanning ransomware, large-scale data exfiltration campaigns, and coordinated DDoS operations targeting sovereign and commercial infrastructure simultaneously.

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

The dominant attack categories for this period were Data Leak/Exfiltration (1,193 incidents), DDoS (1,017 incidents), and Ransomware (678 incidents), collectively accounting for nearly the entirety of recorded events. The most targeted sector globally was Government (710 attacks), followed by Financial Services (294), Energy (274), and Manufacturing (247). 

The most prolific threat actor of the period was NoName057(16), responsible for 284 recorded attacks, predominantly DDoS operations against NATO-aligned and European government targets, followed by the ransomware group Qilin, with 150 attributed incidents.

Geographically, the United States ranked first with 520 total attacks, driven primarily by ransomware and data exfiltration. Israel ranked second (208 attacks), subjected almost entirely to DDoS campaigns. Indonesia (190) and Thailand (152) featured prominently in the Asia-Pacific cluster, with government sectors bearing the heaviest burden in both nations. 

The concentration of politically motivated DDoS activity across European and Middle Eastern targets, combined with sustained ransomware pressure on the US and France, underscores an environment where hacktivist and financially motivated actors are operating in parallel with comparable intensity.

Strategic Context

Geopolitical conflicts continue to fuel cyber disruptions targeting critical infrastructure, particularly in Europe, with Russia persisting in leveraging cyber capabilities to pressure NATO-aligned nations. This dynamic is directly reflected in the data: NoName057(16)'s concentrated DDoS campaigns against Austria, the UK, Ukraine, and France are consistent with the group's well-established pattern of politically motivated operations tied to European support for Ukraine. Cybercrime is also further internationalising, as AI-assisted translation tools and improved defences in traditional targets push threat actors to expand into newer regions and populations less experienced in countering cybercrime. This may explain the growing volume of attacks in Southeast Asia, particularly Indonesia and Thailand, where government and financial sectors face escalating data exfiltration campaigns from actors such as Mr. Hanz Xploit and ZxS3C.

The costs associated with the global epidemic of cybercrime rise into the trillions of dollars, and the growing scale and sophistication of these challenges mean that narrow, technical solutions to cybersecurity are no longer sufficient. The financial sector's exposure this period, 294 attacks globally (349 when finance-adjacent subsectors are included), reflects the sector's enduring status as a high-value target for both ransomware groups and hacktivists.

April 2026 was dominated by supply-chain compromises and OAuth abuse, with two major US banks hit through a shared third-party vendor, and a French government identity agency having records on millions of citizens offered for sale. This pattern of third-party and supply-chain exploitation is directly consistent with the multi-organisation victim clusters observed in the US and French country breakdowns within the dataset. AI-assisted attacks are rising sharply, and zero-day vulnerabilities are being exploited faster than security teams can respond. Defenders and intelligence analysts must treat this reporting period's decline in volumetric attack count not as de-escalation, but as a potential redistribution of effort toward higher-impact, lower-noise intrusion campaigns.

Attack Statistics

| Metric | Value |
| --- | --- |
| Total Attacks (Period) | 2,896 |
| Prior Period Total | 3,520 |
| Week-over-Week Change | -17.7% |
| Top Threat Actor | NoName057(16) (284 attacks) |
| Top Targeted Country | United States (520 attacks) |
| Top Targeted Sector | Government (710 attacks) |
| Dominant Attack Category | Data Leak / Exfiltration (1,193 incidents) |
| Second Attack Category | DDoS (1,017 incidents) |
| Third Attack Category | Ransomware (678 incidents) |

Country by Country Breakdown

United States

| Metric | Detail |
| --- | --- |
| Total Attacks | 520 |
| Top Category | Ransomware (276) |
| Second Category | Data Leak / Exfiltration (199) |
| Third Category | DDoS (43) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| Qilin | 71 |
| akira | 29 |
| INC RANSOM | 27 |
| DragonForce | 17 |
| The Gentlemen | 15 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Energy | 66 |
| Financial Services | 64 |
| Manufacturing | 53 |
| Retail | 52 |
| Critical Infrastructure | 50 |

Notable Organisations Targeted: GITHUB, COINBASE, U.S. CHAMBER OF COMMERCE, CUSHMAN & WAKEFIELD, OPENAI, MICROSOFT, INSTAGRAM

Commentary

The United States remains the single most attacked country in this reporting period, with ransomware accounting for over 53% of domestic incidents, the highest ransomware concentration of any tracked nation. The Financial Services and Energy sectors together absorbed 130 of 520 total attacks, underscoring persistent adversarial interest in high-value economic infrastructure. The appearance of Coinbase and OpenAI among notable targeted organisations reflects the dual focus of threat actors on both the financial technology and artificial intelligence sectors.

Israel

| Metric | Detail |
| --- | --- |
| Total Attacks | 208 |
| Top Category | DDoS (179) |
| Second Category | Data Leak / Exfiltration (28) |
| Third Category | Ransomware (1) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| RuskiNet Group | 42 |
| DieNet | 33 |
| RipperSec | 31 |
| BD Anonymous | 16 |
| ZxS3C | 16 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Government | 41 |
| Energy | 21 |
| Financial Services | 21 |
| Retail | 17 |
| Education | 14 |

Notable Organisations Targeted: ISRAEL POST, MOSSAD, TZEVA ADOM, PORT OF HAIFA, WEIZMANN INSTITUTE OF SCIENCE, ALLCARGO LOGISTIC SERVICES LTD., GALEI ISRAEL RADIO

Commentary

Israel's attack profile is overwhelmingly DDoS-driven (86% of incidents), reflecting the activity of hacktivist collectives, RuskiNet Group, DieNet, and RipperSec, conducting politically motivated disruption campaigns against Israeli civilian, government, and logistical targets. The targeting of critical port infrastructure (Port of Haifa) and intelligence institutions (Mossad) suggests an intent to maximise symbolic impact alongside operational disruption.

Indonesia

| Metric | Detail |
| --- | --- |
| Total Attacks | 190 |
| Top Category | Data Leak / Exfiltration (160) |
| Second Category | DDoS (25) |
| Third Category | Ransomware (5) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| Mr. Hanz Xploit | 36 |
| JAX7 | 17 |
| Space Stresser | 15 |
| Xyph0rix | 13 |
| Kyyzo | 11 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Government | 87 |
| Education | 30 |
| Financial Services | 11 |
| Energy | 10 |
| Technology | 10 |

Notable Organisations Targeted: KORBRIMOB POLRI, INDONESIAN NATIONAL POLICE (POLRI), BANK NEGARA INDONESIA, INSTITUT TEKNOLOGI BANDUNG, TOKOPEDIA, EAST KALIMANTAN SOCIAL SERVICES

Commentary

Indonesia stands out as the most data-exfiltration-focused country in this dataset, with 84% of its 190 incidents classified as Data Leak / Exfiltration. Government entities absorb nearly half of all Indonesian attacks (87 of 190), with repeated targeting of law enforcement bodies such as Korbrimob Polri and the Indonesian National Police, suggesting a deliberate focus on undermining state security institutions. The scale of Mr. Hanz Xploit's activity (36 attacks) warrants dedicated monitoring.

Thailand

| Metric | Detail |
| --- | --- |
| Total Attacks | 152 |
| Top Category | DDoS (113) |
| Second Category | Data Leak / Exfiltration (27) |
| Third Category | Ransomware (12) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| ZxS3C | 60 |
| Blue Shadow | 26 |
| NOTCTBER | 14 |
| taomarita | 12 |
| ZAHER INFINITY | 11 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Government | 68 |
| Education | 18 |
| Financial Services | 15 |
| Manufacturing | 7 |
| Critical Infrastructure | 6 |

Notable Organisations Targeted: OFFICE OF THE COUNCIL OF STATE, ROYAL FOREST DEPARTMENT, BANGKOK BANK (BBL), UNITED OVERSEAS BANK (UOB), SIAM COMMERCIAL BANK (SCB), KASIKORN BANK (KBANK), CIMB THAI BANK (CIMB), KRUNG THAI BANK (KTB)

Commentary

Thailand's threat environment is characterised by a dual-pronged assault: ZxS3C-led DDoS campaigns against government entities account for the majority of incidents, while the financial sector faces a concentrated wave of attacks against multiple major retail banks simultaneously, with five distinct banking institutions appearing in the top-targeted organisations list. This pattern of parallel, multi-target banking sector disruption is an indicator of coordinated hacktivist campaign execution rather than opportunistic targeting.

Austria

| Metric | Detail |
| --- | --- |
| Total Attacks | 132 |
| Top Category | DDoS (126) |
| Second Category | Ransomware (5) |
| Third Category | Data Leak / Exfiltration (1) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| NoName057(16) | 105 |
| Dark Storm Team | 21 |
| payload | 2 |
| DragonForce | 1 |
| Qilin | 1 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Government | 64 |
| Education | 13 |
| Energy | 12 |
| Manufacturing | 10 |
| Financial Services | 7 |

Notable Organisations Targeted: POINT OF CONTACT UKRAINE WIEDERAUFBAU, FEDERAL MINISTRY OF WOMEN, SCIENCE AND RESEARCH, LAND VORARLBERG, MARKTGEMEINDE KIRCHSCHLAG, AUSSCHREIBUNGSSUCHE, CITY OF HORN

Commentary

Austria's attack profile is almost entirely (95%) DDoS-driven, with NoName057(16) alone responsible for 105 of 132 incidents, the highest single-actor concentration in any tracked country this period. The targeting of Point of Contact Ukraine Wiederaufbau (a Ukraine reconstruction liaison body) alongside multiple federal and regional government ministries is directly indicative of the group's geopolitical targeting logic, penalising nations perceived as materially supporting Ukraine.

France

| Metric | Detail |
| --- | --- |
| Total Attacks | 123 |
| Top Category | Data Leak / Exfiltration (85) |
| Second Category | Ransomware (20) |
| Third Category | DDoS (18) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| ChimeraZ | 21 |
| NoName057(16) | 12 |
| NormalLeVrai | 8 |
| Qilin | 5 |
| Dark Storm Team | 4 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Government | 20 |
| Retail | 15 |
| Financial Services | 14 |
| Energy | 14 |
| Education | 12 |

Notable Organisations Targeted: BOUYGUES TELECOM, NEMEA GROUP, STERIMED, LEDIL IMMOBILIER, THE NATIONAL COMMISSION FOR THE CONTROL OF INTELLIGENCE TECHNIQUES, CARTES BANCAIRES, CIFFCO

Commentary

France presents the most diversified attack-category profile of any European nation in this dataset, with a near-balance across exfiltration, ransomware, and DDoS. Notably, The National Commission for the Control of Intelligence Techniques and Cartes Bancaires (France's national bank card scheme) both appear as targeted organisations, highlighting adversarial interest in both surveillance oversight bodies and national payment infrastructure. The emergence of ChimeraZ as France's top threat actor by volume warrants further attribution analysis.

United Kingdom

| Metric | Detail |
| --- | --- |
| Total Attacks | 116 |
| Top Category | DDoS (56) |
| Second Category | Data Leak / Exfiltration (30) |
| Third Category | Ransomware (30) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| NoName057(16) | 45 |
| Qilin | 7 |
| Dark Storm Team | 4 |
| Akira | 3 |
| SAFEPAY | 3 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Government | 26 |
| Energy | 14 |
| Transportation | 14 |
| Critical Infrastructure | 11 |
| Financial Services | 11 |

Notable Organisations Targeted: TRAFFORD COUNCIL, RAIL.CO.UK, QUALIFICATIONS WALES, PORT OF FELIXSTOWE, EVOLVE DYNAMICS, UBUNTU, FXPRO

Commentary

The United Kingdom faces a notably balanced threat environment, with DDoS, Data Leak / Exfiltration, and Ransomware each contributing meaningfully to the total incident count. The Transportation sector (14 attacks, on par with Energy) and the targeting of Rail.co.uk and Port of Felixstowe point to deliberate pressure on national logistics and supply chain infrastructure. NoName057(16)'s dominance (45 attacks) confirms the UK as a primary target of pro-Russian hacktivist operations in this period.

Ukraine

| Metric | Detail |
| --- | --- |
| Total Attacks | 99 |
| Top Category | DDoS (86) |
| Second Category | Data Leak / Exfiltration (11) |
| Third Category | Ransomware (2) |

Top Threat Actors

| Threat Actor | Attacks |
| --- | --- |
| NoName057(16) | 75 |
| Dark Storm Team | 8 |
| IT ARMY OF RUSSIA | 4 |
| 404 crew cyber team | 3 |
| Qilin | 2 |

Top Industries

| Industry | Attacks |
| --- | --- |
| Manufacturing | 24 |
| Government | 20 |
| Energy | 12 |
| Critical Infrastructure | 6 |
| Financial Services | 5 |

Notable Organisations Targeted: AUTOKRAZ, DNIPROAZOT, DNEPROSPETSSTAL, AMSTOR RETAIL GROUP, SPARING-VIST CENTRE, OCTAVA CAPITAL, BEZPEKA LTD

Commentary

Ukraine's incident profile is overwhelmingly DDoS-centric (87%), with NoName057(16) and IT ARMY OF RUSSIA collectively responsible for 79 of 99 incidents, a clear continuation of wartime cyber operations targeting Ukrainian industrial, governmental, and energy infrastructure. The Manufacturing sector leads with 24 attacks, reflecting strategic targeting of Ukrainian production capacity; organisations such as Autokraz (vehicle manufacturer), Dniproazot (chemical/fertiliser), and Dneprospetsstal (steel) represent dual-use industrial targets of military and economic significance.

Threat Actor Activity

| Rank | Threat Actor | Total Attacks | Primary Method | Primary Target Region |
| --- | --- | --- | --- | --- |
| 1 | NoName057(16) | 284 | DDoS | Europe / Ukraine |
| 2 | Qilin | 150 | Ransomware | United States / Global |
| 3 | ZxS3C | 88 | DDoS | Thailand / Israel |
| 4 | The Gentlemen | 75 | Ransomware / Data Leak | United States |
| 5 | Keymous Plus | 67 | DDoS / Data Leak | Global |
| 6 | Dark Storm Team | 59 | DDoS | Europe / Israel |
| 7 | DieNet | 55 | DDoS | Israel |
| 8 | Hider_Nex | 47 | Data Leak | Global |
| 9 | RuskiNet Group | 47 | DDoS | Israel |
| 10 | Mr. Hanz Xploit | 43 | Data Leak | Indonesia / India |

Top Threat Actor Profile: NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that has been conducting politically motivated DDoS campaigns against NATO-aligned and EU member states since 2022. 

In this reporting period, the group recorded 284 attacks, the highest of any tracked actor, concentrating its operations on Austria (105 attacks), the United Kingdom (45), Ukraine (75), and France (12), consistent with its established pattern of targeting governments and institutions perceived as opposing Russian strategic interests. The group's Austrian campaign, which included strikes on Ukraine reconstruction liaison bodies and multiple regional government entities, demonstrates an increasingly granular and symbolically deliberate target selection methodology. NoName057(16) should be considered the most operationally active hacktivist threat actor in the European theatre for this reporting period.

Analyst Notes

  • DDoS resurgence is the defining structural trend of this period. With 1,017 DDoS incidents recorded, accounting for 35% of all events, and concentrated execution by NoName057(16), ZxS3C, RuskiNet Group, and DieNet, coordinated volumetric disruption campaigns are operating at a scale that demands dedicated DDoS mitigation infrastructure, particularly for government and financial sector organisations in Europe and Southeast Asia.
  • The 17.7% volumetric decline should not be interpreted as de-escalation. The reduction from 3,520 to 2,896 incidents may reflect operational pauses, retooling, or a shift toward lower-volume but higher-impact intrusion activity. Ransomware (678 incidents) and data exfiltration (1,193 incidents) remain at elevated levels, and the presence of Lazarus Group in the incidents sample targeting GITHUB suggests continued state-sponsored interest in supply-chain attack vectors.
  • Financial Services faces a multi-vector threat environment. With 349 finance-sector incidents recorded, spanning multiple attack types, it remains a focus for many threat actors across the landscape. 