Dark Web Digest – February 2026 Edition

February 2026 was messy. Between fake ransomware gangs scamming other criminals, a hacker group tearing through Ivy League schools like a buzzsaw, and a payment processor getting knocked offline so hard that restaurants had to dig out their “CASH ONLY” signs — it was a month that reminded everyone the underground doesn’t slow down just because the calendar is short.
Here’s what went down.

ShinyHunters Went on an Absolute Tear

ShinyHunters — the same crew behind the Ticketmaster breach — had what can only be described as a career month. They hit over 15 companies in February alone, racking up north of 50 million stolen records. The big ones? Harvard University and the University of Pennsylvania. Both got popped through vishing attacks (that’s voice phishing — calling up admin staff and tricking them into handing over Okta SSO credentials). Both schools refused to pay ransom. So on February 4, ShinyHunters dumped 2.2 million records from both institutions on their leak site.
The Harvard leak was especially ugly. We’re talking donor records, wealth ratings, home addresses, donation histories, and internal strategy notes about cultivating high-profile donors. There were detailed briefing notes on figures like Bill Gates and signed financial agreements from the Pershing Square Foundation. Basically the entire social graph of Harvard’s wealthiest alumni — laid bare for anyone with a Tor browser.
But Harvard and UPenn were just the appetizer. ShinyHunters also claimed Panera Bread (5.1 million accounts dumped after the company refused to pay), SoundCloud (29.8 million accounts), CarGurus (1.7 million records plus 12.6 million accounts), Wynn Resorts (800,000 records), Betterment (1.4 million customers), Canada Goose (nearly a million records), and Crunchbase. They even went after Match Group — meaning data from Hinge, Bumble, and OkCupid users is potentially floating around out there. The common thread? Vishing employees, stealing SSO credentials, then pillaging Salesforce environments. Google’s Mandiant team confirmed the campaign is still active and ongoing.
Late in the month, they turned their sights on Ameriprise Financial, threatening to leak Salesforce records with PII and over 200GB of compressed SharePoint data if the company doesn’t engage by late March. That one’s still developing.

BridgePay Ransomware Knocked Out Payment Processing Nationwide

On February 6, a ransomware attack hit BridgePay Network Solutions and took down its entire payment processing platform. APIs, virtual terminals, hosted payment pages — all of it went dark. Merchants across the country were forced into cash-only mode overnight. Restaurants, city governments, utility billing portals — anyone running payments through BridgePay was stuck.
The City of Palm Bay, Florida posted a public notice telling residents their online billing was down. The City of Frisco, Texas was affected. Marietta, Georgia. Hundreds of municipalities. The outage stretched past four days with no firm ETA for full recovery.
BridgePay brought in the FBI and Secret Service forensic teams. Their initial assessment said no payment card data was compromised and that accessed files were encrypted — but the disruption itself was the real damage. Nobody has claimed responsibility publicly, and the specific ransomware family hasn’t been identified as of month-end. The whole incident was a textbook example of what happens when a single payment middleware provider goes down and takes thousands of downstream businesses with it.

0APT: The Fake Ransomware Group That Fooled Everyone (Briefly)

This one was kind of hilarious, in a dark way. A group calling itself 0APT showed up at the end of January, immediately claiming over 200 victims on a slick-looking leak site. That kind of volume out of the gate normally signals a rebrand of an established operation, so researchers took notice.
Then things got weird. The victim list was full of made-up company names. The “leaked data” downloads were literally infinite streams of random noise — just /dev/random piped into the browser. Because Tor is slow, an analyst could spend a week downloading what turns out to be binary static. The file sizes were faked to look like hundreds of gigabytes. Multiple threat intelligence firms — GuidePoint, Kela, Red Piranha — all independently concluded it was a scam.
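The practical lesson from the 0APT "leaks" is that an analyst should never commit to a multi-day Tor download on the strength of an advertised file size. The following is an added example (not code from the original post or from any of the research teams named above) of a triage routine that samples only the first 64 KiB of a download, checks for the magic bytes of common archive formats, and measures Shannon entropy: a blob with no recognisable container header and entropy at the 8 bits-per-byte ceiling is almost certainly random noise. The sample streams, the seeded PRNG standing in for /dev/random, and the short magic-byte table are all constructed for the example.

```python
import math
import random
from collections import Counter
from typing import Iterable, Iterator, Optional

# Container signatures a genuine leak archive would normally start with.
# Constructed for this example; deliberately short, not an exhaustive list.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 is indistinguishable from uniform random noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_magic(head: bytes) -> Optional[str]:
    """Return the container format whose signature `head` starts with, or None."""
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def triage_stream(chunks: Iterable[bytes], sample_size: int = 65536,
                  entropy_threshold: float = 7.9) -> dict:
    """Read only the first `sample_size` bytes of a download and decide whether it
    looks like a real archive or like random static, before spending days on the rest.

    Compressed and encrypted archives also have near-8.0 entropy, which is why the
    verdict only says "likely_noise" when there is *also* no recognisable header."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) >= sample_size:
            break  # stop pulling bytes over the slow link as soon as we have enough
    sample = bytes(buf[:sample_size])
    ent = shannon_entropy(sample)
    fmt = identify_magic(sample[:8])
    verdict = "likely_noise" if (fmt is None and ent >= entropy_threshold) else "worth_a_look"
    return {"bytes_sampled": len(sample), "entropy": round(ent, 3),
            "format": fmt, "verdict": verdict}


def constructed_noise_stream(total: int = 200_000, chunk: int = 8192) -> Iterator[bytes]:
    """Constructed stand-in for a /dev/random style download (seeded PRNG, not real data)."""
    rng = random.Random(2026)
    sent = 0
    while sent < total:
        n = min(chunk, total - sent)
        yield rng.randbytes(n)
        sent += n


def constructed_archive_stream() -> Iterator[bytes]:
    """Constructed stand-in for a real archive: zip signature followed by compressed-looking bytes."""
    rng = random.Random(7)
    yield b"PK\x03\x04" + rng.randbytes(4092)
    yield rng.randbytes(8192)


if __name__ == "__main__":
    print("noise   :", triage_stream(constructed_noise_stream()))
    print("archive :", triage_stream(constructed_archive_stream()))
    print("text    :", triage_stream(iter([b"Invoice 2026-02 balance due\n" * 500])))
```

The check is cheap because it decides on the first 64 KiB rather than the advertised hundreds of gigabytes; a server that lies about Content-Length cannot lie about what its first bytes look like. A real archive with an encrypted header still carries its signature, so it passes as "worth_a_look" even though its body entropy is just as high as the noise.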
The apparent play? Recruit “affiliates” who had to pay 1 Bitcoin as a “security bond” to join the RaaS program. Classic con: scamming criminals. After getting called out, the site went offline on February 8, came back February 9 with a trimmed list of about 15 big multinational names (Mayo Clinic, Keysight Technologies, etc.) — presumably to look more credible. But the damage to their reputation was done. Ransomware.live removed them entirely with the note that most victims “cannot be verified and appear to be randomly selected.”
The real kicker is that some researchers at Halcyon said the actual ransomware binary is technically sound — functional encryptor, proper AES-256 implementation, cross-platform support. So the tools are real even if the victims aren’t. Whether 0APT evolves into something legitimate or flames out like 2024’s Mogilevich (which pulled the same stunt and netted $85K before admitting it was all fake) remains to be seen.

Qilin Held the #1 Spot for the Second Straight Month

Qilin claimed 104 victims in February, holding the top ransomware position for the second month running. That kind of consistency isn’t luck — it signals stable infrastructure and a well-oiled operation.
Some of their bigger hits this month: Romania’s national oil pipeline operator CONPET got hit, with Qilin claiming nearly 1TB of stolen documents including financial records and passport scans. The company confirmed the attack disrupted its corporate IT systems and took its website offline, though pipeline operations kept running. They also listed Mount Barker Co-operative out of West Australia, claiming 40GB across 55,000+ files.
Right behind Qilin was a newer crew called TheGentlemen, who nearly doubled their victim count from 41 in January to 78 in February. They’re a technically sophisticated double-extortion group writing ransomware in Go with variants for Windows, Linux, and ESXi. They use living-off-the-land techniques and are clearly not amateurs. One of their notable claims was an attack on Chile’s Instituto Nacional de Derechos Humanos. Worth keeping an eye on this group going forward.

The UMMC Ransomware Attack Shut Down 35 Clinics

The University of Mississippi Medical Center got hit on February 19 and it was bad. The attack knocked their Epic electronic health record system offline across 35 clinics and more than 200 telehealth sites. Chemotherapy appointments were cancelled. Non-emergency surgeries postponed. Staff had to go back to paper workflows. Clinics didn’t reopen until March 2.
No group has claimed the attack yet. But it fits a grim trend: healthcare ransomware attacks jumped 30% from January to February, going from 37 to 48 confirmed incidents. A Japanese hospital, Nippon Medical School Musashi Kosugi Hospital, confirmed over 130,000 people were impacted in a breach, with the attackers demanding 15 billion yen (roughly $10 million). The hospital refused to pay.
Healthcare is now the second-most targeted sector behind manufacturing. With 93 victims across the month (more than double January’s 40), it’s clear that ransomware gangs view hospitals and clinics as soft targets that can’t afford downtime.

Someone Tried to Sell Russia’s Energy Grid Access for Used Car Money

One of the more surreal listings spotted in February: a dark web actor posted domain admin access to what they claimed was Russia’s energy grid. The asking price? Less than a used car. The listing caught the attention of Trellix researchers who featured it in their monthly underground roundup.
Whether the access was legitimate or another case of underground exaggeration is hard to verify. But it’s part of a broader pattern where initial access brokers are listing corporate and critical infrastructure access for shockingly low prices. The same month also saw a data broker openly advertising age-segmented stolen data on Telegram — complete with a grandma emoji for the “Old Age Data” category. The listing appeared in a financial Telegram channel called “STOCK AND MARKET TALK,” which means someone’s retirement investment group was getting ads for elderly fraud leads. The underground has zero shame.

The Cisco RCE Exploit That Got Burned on a Forum

An actor going by cortana9000 apparently did legitimate deep analysis of Cisco’s Unified Communications Manager source code and found a pre-auth remote code execution chain (CVE-2026-20045). APT groups were already exploiting it in the wild.
So what did cortana9000 do? Posted on a forum to ask how much it was worth. Then listed it on a second forum for $70,000. A fellow forum member, KlopInko, immediately pointed out that since the vulnerability was now publicly known, it was a 1-day exploit — meaning its value was already dropping fast.
It’s the cybercriminal version of finding a Picasso in your attic and posting it on Reddit before calling an auction house.

Google’s Dark Web Report Officially Died

Google pulled the plug on its Dark Web Report tool on February 16. The feature, which scanned for users’ leaked personal info on the dark web, had been around since March 2023. Google said it didn’t provide “helpful next steps” and was redirecting users to other tools like Results About You, Security Checkup, and passkeys.
All monitoring data was deleted on the shutdown date. The feature only ever worked with consumer Google accounts — Workspace and supervised accounts never had access. It’s now part of the Google product graveyard, joining a long list of projects that launched with fanfare and died quietly.

The Epstein Files Leak Was Worse Than Reported

A batch of files related to Jeffrey Epstein that were released in February had inadequate redactions. Names and email addresses of around 100 potential victims were exposed. Some had nude photos leaked. Even worse, raw code was accessible in certain released emails, which allowed people to reconstruct and view information that was supposed to be redacted.
This wasn’t a dark web hack — it was a data handling failure by whoever managed the file release. But the fallout landed squarely in dark web territory, with the exposed data circulating on forums within hours.
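The failure mode here is redaction that changes how a document looks without changing what it contains. The following is an added example, not code from the original post or from whoever handled the release, and it assumes the common case where names were blacked out visually while the text stayed in the underlying HTML source. It shows the weak form beside the hardened form and a pre-release check that searches the raw source (after entity decoding and case folding) for every value that was supposed to be removed. The sample e-mail, the names and the addresses in it are constructed.

```python
import html
from typing import List

# Constructed sample: a fictitious e-mail that must go out with two values removed.
SAMPLE_EMAIL = """<html><body>
<p>From: case-team@example.org</p>
<p>Re: interview scheduling</p>
<p>Please confirm the meeting with Jane Doe (jane.doe@example.org) on Tuesday.</p>
</body></html>"""

SECRETS = ["jane.doe@example.org", "Jane Doe"]


def weak_redact(document: str, secrets: List[str]) -> str:
    """Visual-only redaction: paints a black bar over the text with inline CSS.
    The string is still present in the source, so 'view source' or a text
    extractor gets it back unchanged. This is the pattern to avoid."""
    for s in secrets:
        document = document.replace(
            s, f'<span style="background:#000;color:#000">{s}</span>')
    return document


def hard_redact(document: str, secrets: List[str]) -> str:
    """Real redaction: the sensitive string is replaced in the source itself,
    so there is nothing left to recover regardless of how the page renders."""
    for s in secrets:
        document = document.replace(s, "[REDACTED]")
    return document


def residual_secrets(document: str, secrets: List[str]) -> List[str]:
    """Pre-release check: return every secret that still appears anywhere in the
    raw source. Entities such as &#64; are decoded and case is folded first, so a
    lightly disguised copy in an attribute, comment or style block is still found.
    Rendered appearance is irrelevant: whatever is in the bytes ships to the reader."""
    haystack = html.unescape(document).casefold()
    return [s for s in secrets if s.casefold() in haystack]


if __name__ == "__main__":
    weak = weak_redact(SAMPLE_EMAIL, SECRETS)
    hard = hard_redact(SAMPLE_EMAIL, SECRETS)
    print("weak redaction leaks :", residual_secrets(weak, SECRETS))
    print("hard redaction leaks :", residual_secrets(hard, SECRETS))
```

Run the check against the exact bytes that will be published, not against a rendered preview; the whole point is that the two can disagree. For PDFs the same idea applies to the extracted text layer and embedded metadata rather than to HTML source.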

ANSI’s Entire Database Got Dumped

The American National Standards Institute had its full database leaked on a breach forum on February 22. The dump was massive — approximately 2.3 terabytes of data, including ANSI standards documents, internal communications, draft and rejected standards, historical files, metadata, access logs, and technical committee records. For an organization that develops national standards for the United States, that’s about as complete a compromise as you can get.

Substack, Flickr, Japan Airlines, and Wendy’s All Popped

February was a bad month for platforms that hold user data:
Substack disclosed on February 3 that unauthorized access compromised users’ phone numbers, email addresses, and other data. A threat actor using the handle “w1kkid” posted the dataset on BreachForums, claiming they scraped it. The breach actually happened in October 2025 but went undetected for four months.
Flickr notified users in February that a third-party provider breach exposed usernames, IP addresses, location data, account types, and activity logs.
Japan Airlines found unauthorized access to its systems on February 9. Customer data from anyone who used the service since July 2024 was compromised — names, phone numbers, email addresses, travel details including flight numbers, airports, and hotel names.
Wendy’s discovered that a database belonging to its international franchise was leaked on a breach forum on February 22.

Iron Mountain Claimed by Everest — Then Walked It Back

On February 2, the Everest ransomware gang claimed they’d breached Iron Mountain and stolen 1.4TB of internal documents and client data. They posted folder screenshots as “proof” and set a negotiation deadline of February 11.
Iron Mountain investigated and responded that the whole thing was overblown. According to the company, the incident was limited to a single folder on a public-facing file-sharing server. The folder mostly contained marketing materials, and access was gained through one compromised credential. They deactivated the credential and moved on.
Whether Everest actually had more than they let on is debatable. But Iron Mountain’s response was one of the more measured corporate reactions we’ve seen this month — acknowledge it, scope it, downplay it, move on.

By the Numbers

February 2026 in totals: 680 companies listed on ransomware leak sites. 54 distinct ransomware groups active. 72 countries affected. The United States accounted for the majority of victims, followed by the UK, Canada, and France. Brazil and Japan entered the top ten for the first time. Manufacturing led targeted sectors with 94 victims. Healthcare was right behind at 93. If the current pace holds, 2026 is on track for roughly 8,100 ransomware victims — an 11% jump over last year.
Weekly cyber attacks globally averaged 2,086 per organization, up nearly 10% year over year. North America saw a 9% increase. Europe was up 11%. The new normal is just… this. All the time. Every month.
March is going to be interesting.
I'm Chester Li, a cybersecurity and cryptography specialist based in Beijing, China with over a decade of experience. I focus on securing digital infrastructures and protecting sensitive information worldwide.
