Nigerian Government, Israeli Data Leaks Dominate June 13 Threat Landscape

Events tracked: 116
Critical exposure: 47

Summary

Today's threat landscape is defined by a concentrated, multi-vector assault on Nigerian government and educational institutions, led by the prolific actor 404 CREW CYBER TEAM. Simultaneously, a wave of claims targeting Israeli political figures and media outlets signals a persistent hacktivist focus on the region. Defenders should also note a critical vulnerability in Splunk Enterprise (CVE-2026-20253) that allows unauthenticated remote code execution, demanding immediate patching.

Today's developments

The most prominent pattern today is a sustained campaign against Nigerian entities, with the actor 404 CREW CYBER TEAM claiming breaches of the National Institute for Legislative and Democratic Studies, the Muslim Community College of Health Science and Technology (MCCHST) Funtua, the financial services platform Mustard.ng, and the Federal Government Girls College Owerri. This cluster of claims -- spanning government administration, education, and finance -- suggests a broad, opportunistic targeting of Nigerian digital infrastructure.

Separately, a distinct set of actors is targeting Israeli victims. Z-BL4CX-H4T claims to have leaked data on Israeli politicians and ministers, as well as user data from the news outlet Globes. The YEMEN CYBER GROUP also claims to have leaked Israeli phone numbers. These incidents align with ongoing hacktivist activity tied to regional geopolitical tensions.

Several other high-profile claims demand attention. An actor known as BabayoErorSystem claims to have a database from the U.S. Social Security Administration (SSA) for sale. ROOT SYSTEM is allegedly selling Walmart accounts and PayPal accounts tied to Germany and Europe. A claim against Nintendo Co., Ltd. by actor SHADOWBYT3$ is notable given the company's size and the potential for brand damage.

On the vulnerability front, industry researchers at SecurityWeek and The Hacker News are reporting a critical flaw in Splunk Enterprise, tracked as CVE-2026-20253 with a CVSS score of 9.8. This vulnerability allows an unauthenticated attacker to achieve remote code execution. Splunk has released patches in versions 10.2.4 and 10.0.7. Separately, the U.S. government has ordered Anthropic to disable its latest AI models, Fable 5 and Mythos 5, citing national security concerns over access by foreign nationals -- a development that underscores the expanding intersection of AI capability and export controls.

Threat landscape signals

The data reveals a clear geographic and sectoral clustering. Nigeria accounts for 19 of today's 116 events, with 404 CREW CYBER TEAM responsible for 18 total events across multiple victims. This actor is not a lone wolf but a dominant force in today's reporting. Indonesia is also heavily targeted (8 events), with breaches claimed against government agencies including the Army Information and Data Processing Service and the Jakarta Civil Registry, as well as the IT firm Kasir Pintar.

The mix of DDoS (34 events) and data breach/leak (47 events) indicates a dual-pronged threat: disruption via DDoS and long-term risk via data exposure. The presence of multiple actors selling databases (SSA, Walmart, PayPal, Italy, Chile) suggests a mature cybercrime supply chain where initial access and exfiltration are quickly monetized. Defenders should prioritize patching Splunk Enterprise and monitor for follow-on activity from the Nigerian-focused campaigns.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
