It’s only April, and 2026 has already delivered a full season’s worth of digital chaos. Between nation-state spies, prolific criminal gangs, and a fileless iPhone exploit left sitting openly on a Ukrainian court website, this year’s cyber threatscape is as busy as it is alarming.

Here’s what’s happened so far.

The FBI got hacked by the adversary it’s supposed to be tracking

The most politically explosive incident of the year landed in March, when the FBI formally classified a China-linked intrusion into one of its internal surveillance networks as a “major incident” under federal law.

The compromised system wasn’t peripheral. It held pen register and trap-and-trace surveillance data — records of call patterns, phone numbers, and websites visited by people the FBI was actively monitoring. For a foreign intelligence service, that’s a gold mine: it’s essentially a map of American counterintelligence operations.

Investigators found that the attackers gained access by exploiting a commercial ISP vendor’s infrastructure. The White House convened an emergency meeting involving officials from the FBI, NSA, and CISA. The bureau’s public statement was terse, saying only that it “identified and addressed suspicious activities on FBI networks.”

DarkSword: an iPhone zero-day being sold to anyone who’ll pay

Perhaps the most technically striking discovery of 2026 so far is DarkSword, an iPhone exploit framework jointly uncovered by iVerify, Lookout, and Google’s Threat Intelligence Group.

What made it remarkable was that it was found sitting in plain sight on two compromised Ukrainian websites: a news outlet and the official website of Ukraine’s Seventh Administrative Court of Appeals. A researcher described it as so cleanly organized that repurposing it would take little more than a copy and paste.

DarkSword works as a “watering hole” attack: it compromises a website and then waits for victims to visit. On an unpatched iPhone, it silently siphons off iCloud Keychain passwords, iMessages, photos, health data, browser history, and the contents of cryptocurrency wallet apps, then erases its own tracks.

The exploit has been observed in attacks across Ukraine, Saudi Arabia, Turkey, and Malaysia, linked to multiple hacking groups. Researchers believe it’s being sold on an underground market. Estimates suggest between 221 million and 270 million iPhones are still running vulnerable iOS versions.

149 million logins, no password, no encryption

In January, security researcher Jeremiah Fowler found a 96GB database open on the internet with no password or encryption, containing 149,404,754 unique login credentials. It covered Gmail, Facebook, Instagram, Netflix, Outlook, iCloud, TikTok, Binance, and more. Government email domains from multiple countries were also present.

The setup was classic infostealer infrastructure: an automated pipeline designed to collect and organize a constant stream of stolen keystrokes. Fowler noted that the number of records kept growing during the nearly month-long effort to get the server taken down, meaning fresh victim data was arriving in real time.

Getting it taken down required tracking through multiple layers of hosting providers. But the real damage was already done; 149 million sets of credentials are almost certainly already in criminal hands, available for credential stuffing, phishing, and identity theft.

Stryker: Iran wiped the computers and walked out

On a day in March that Stryker employees won’t forget, they watched their computers get wiped in real time. The Iran-aligned hacktivist group Handala didn’t encrypt files for ransom or steal data for sale; they gained access to Stryker’s Active Directory through Microsoft Intune and simply destroyed what they found.

This was a disruption attack. Manufacturing sites went dark. The company had restored most operations by April 1. Security analysts noted that the attack underscored a growing category of cyber warfare in which the goal isn’t profit but operational pain.

Adobe zero-day exploit used for months

A critical zero-day in Adobe Acrobat Reader has been actively exploited since at least December 2025. Opening a malicious PDF is all it takes; no additional interaction is required.

The exploit uses legitimate Acrobat APIs to extract files and system data, and can potentially enable remote code execution and sandbox escape. Security researcher Haifei Li warned that it “allows the threat actor to not only collect or steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”

Initial campaigns used Russian-language lures tied to the oil and gas sector.

Google dropped its biggest Android patch since 2018

In March, Google released 129 security fixes in a single Android update, the largest patch drop since April 2018. One vulnerability stood out: CVE-2026-21385, a Qualcomm graphics chip integer overflow already being exploited in the wild. It affects 234 different chipsets and requires no user interaction to exploit.

“There are indications that CVE-2026-21385 may be under limited, targeted exploitation,” Google stated in its security bulletin. The most likely attackers, according to security experts, are commercial spyware vendors targeting journalists, activists, and executives. The fix is available in the 2026-03-05 patch level, if your device supports it.

The Apple scam wave hitting bank accounts across the US, Europe

This one doesn’t require a sophisticated exploit, just panic. A surge of social engineering scams is targeting iPhone users with official-looking texts claiming Apple Pay fraud, then routing victims to fake “investigators” who pressure them into withdrawing cash or disabling security features.

ConsumerAffairs noted the scam’s effectiveness lies in how “it creates panic in its victims.” One documented case saw a woman nearly persuaded to withdraw $15,000 before a bank teller intervened.

Apple Support has been explicit: “Apple will never ask you to log in to any website, or to tap Accept in the two-factor authentication dialogue, or to provide your password, device passcode, or two-factor authentication code.” Suspicious texts can be reported to [email protected].

Match Group: 10 million records, one analytics vendor

In January, ShinyHunters claimed to have breached Match Group, parent company of Tinder, Hinge, and OkCupid. The reported entry point wasn’t Match Group itself but AppsFlyer, a third-party marketing analytics partner.

According to reports, the compromised data included user records, internal documentation, transaction data, and IP addresses. Match Group called it a “security incident” under investigation. The case is a clean example of third-party vendor risk.

Nike: 1.4 terabytes of trade secrets gone

Threat group WorldLeaks claimed in January to have exfiltrated 1.4 terabytes of Nike’s internal data, including product development IP and supply chain logistics records.

Nike launched an investigation. No personal customer data was reportedly in the leak; this was a corporate espionage operation targeting competitive intelligence. Threat intelligence analysts suggested the attack may have involved supply chain infrastructure.

Brightspeed ransomware hits over 1 million users

Telecom provider Brightspeed was hit by a ransomware attack that affected more than 1 million users. The incident exposed personal data and disrupted services, underscoring ransomware’s continued prominence as a primary threat.

The initial access vector has not been disclosed. As in most ransomware cases, the likeliest candidates are phishing, stolen credentials, or unpatched internet-facing systems.

Over 1 billion Android phones are flying without a security net

This one isn’t a breach; it’s a structural crisis. Google confirmed that more than 40% of Android devices globally, representing over a billion phones, no longer receive critical security updates. Any device running Android 12 or older is outside the patch ecosystem.

Samsung worsened the picture by dropping the Galaxy S21 from updates entirely and cutting the S22 series from monthly to quarterly patching. A Google spokesperson told Forbes: “Google Play Protect, Android’s built-in malware and unwanted software protection, continues to support devices as far back as Android 7 to help keep users safe.” Still, experts say this protection is limited compared to full system updates.
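The two thresholds in the Android sections above (the 2026-03-05 patch level that carries the CVE-2026-21385 fix, and Android 12 as the last release outside the update ecosystem) can be checked against a phone with two `getprop` values. The script below is an added example, not code from the article or from Google; it assumes adb is installed and USB debugging is enabled, and the checking functions also accept values directly so they run offline.

```shell
#!/bin/sh
# Added example (not from the article or from Google): compare an Android
# device's reported OS release and security patch level against the thresholds
# the article names. Assumes adb is installed and USB debugging is on; the
# check functions also take values as arguments so they can run offline.

REQUIRED_PATCH="2026-03-05"    # patch level carrying the CVE-2026-21385 fix
MIN_SUPPORTED_MAJOR=13         # Android 12 and older no longer get security updates

# to_int 2026-03-05 -> 20260305, so patch levels compare as plain integers
to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# patch_is_current PATCH_LEVEL: 0 if at or after REQUIRED_PATCH, 1 if older,
# 2 if the value is not a YYYY-MM-DD date (empty or spoofed property).
patch_is_current() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognised patch level: '$1'" >&2; return 2 ;;
    esac
    [ "$(to_int "$1")" -ge "$(to_int "$REQUIRED_PATCH")" ]
}

# release_supported RELEASE: 0 if the major version is 13 or newer.
# ro.build.version.release looks like "14", "12", or "4.4.2" on old devices.
release_supported() {
    major="${1%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo "unrecognised release: '$1'" >&2; return 2 ;;
    esac
    [ "$major" -ge "$MIN_SUPPORTED_MAJOR" ]
}

# check_values RELEASE PATCH_LEVEL: prints a verdict per check; returns 0 only
# if the device is both still supported and carries the March 2026 fixes.
check_values() {
    rel="$1"; lvl="$2"; status=0
    if release_supported "$rel"; then
        echo "Android $rel: still inside the security-update window"
    else
        echo "Android $rel: Android 12 or older, no further security updates"
        status=1
    fi
    if patch_is_current "$lvl"; then
        echo "patch level $lvl: includes the 2026-03-05 fixes (CVE-2026-21385)"
    else
        echo "patch level $lvl: predates 2026-03-05, CVE-2026-21385 fix absent"
        status=1
    fi
    return "$status"
}

# check_device: read both properties from the attached phone and evaluate them.
check_device() {
    rel="$(adb shell getprop ro.build.version.release | tr -d '\r')"
    lvl="$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
    check_values "$rel" "$lvl"
}

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    check_device
else
    echo "no device reachable via adb; offline usage: check_values 14 2026-03-05" >&2
fi
```

Patch levels are ISO dates, so stripping the dashes gives integers that order correctly; the major version is enough for the support check because Google's cutoff is per release, not per point version. A device whose vendor has moved to quarterly patching (as the article notes for the Galaxy S22) will simply report an older patch level and fail the second check until the next quarterly drop.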

Additional breaches highlight systemic weaknesses

Other notable incidents include:

  • Navia: 2.7 million records exposed via an API vulnerability.
  • CarGurus: Over 12 million users affected in a social engineering attack.
  • University of Hawaiʻi: 1.2 million impacted in a ransomware attack.
  • Pathstone Family Office: 641,000 records stolen in an extortion attempt.
  • ManageMyHealth: 120,000 medical records compromised.
  • Under Armour: 72 million emails resurfaced from a prior breach.

Across these cases, common failures included misconfigured systems, poor monitoring, and a lack of encryption.

2026 by the numbers

According to SentinelOne, the stats for 2026 paint a grim picture of the contest between attackers and security teams:

Statistic                                2026 projection/fact
Total cost of cybercrime                 Surpassing $10.5 trillion
Global average cost of a data breach     $4.88 million
Global security spending                 Expected to hit $240 billion
Ransomware frequency                     One attack every 2 seconds
Cloud breach root cause                  95% due to human error or misconfiguration
Phishing prevalence                      Involved in 42% of all global breaches

Final takeaway

If there’s a pattern across 2026’s biggest cyber incidents, it’s this: many were preventable.

From phishing scams to misconfigured databases and unpatched systems, the root causes often stem from human error and gaps in security practices. Cybersecurity experts warn that the threatscape is evolving fast, but the basics still matter: updates, awareness, and strong access controls.
