Aquahack 63-Victim Blitz; Russian Banks, Belgium Gov Hit
Summary
The dominant signal on June 4 is Aquahack's volume: 63 claimed breaches across more than 20 countries in a single day marks one of the widest-spread single-actor campaigns in recent weeks. The breadth -- government identity registries, universities, retailers, health platforms, and financial services firms across four continents -- points to automated enumeration and bulk posting rather than targeted intrusion. Alongside Aquahack, elazo2's sweep of four Russian banks and The Gentlemen's five-country ransomware run confirm that financial and healthcare targets remain the day's highest-impact sectors.
Today's developments
Actor Aquahack posted an exceptional volume of alleged breach claims. The most sensitive concerns Belgium's Directorate-General for Identity and Citizens -- a government body overseeing civil identity documents -- and Giropay, the German bank-transfer platform. The broader Aquahack list spans Czech Republic (Evropska databanka, Libimseti.cz, CALS.cz), Finland (Motonet Oy), Australia (onegolf.com.au), Bangladesh (Amber IT Ltd), Egypt (Egyptian Knowledge Bank), Brazil (Petz, Lojas Marisa), South Korea (Hyundai H Mall), Hungary (eMag Hungary, Tarr Kft, Jogazvilag), Greece (Kariera), Spain (Privalia, Euskaltel), Indonesia (Jember Regency government), Italy (Tiscali, IBS), Japan (OBIC Co., Asahi Culture Center, Bic Camera), Taiwan (Weikeng Industrial), Latvia (Doktori healthcare), and Mexico (Universidad del Valle de Mexico). All claims are alleged and unverified.
Actor elazo2 claimed breaches at four Russian financial institutions: Expobank, Fora-bank, Promsvyazbank, and MTS Bank. The sweep covers both mid-tier private banks and large state-linked lenders and continues a pattern of Russian financial-sector targeting that has intensified since 2025.
The Gentlemen ransomware group posted five new victims: Downriver Medical Associates (United States, medical practice), Liztex (Guatemala, textiles), Soja de Portugal (food and beverages), TE-LOH Germany GmbH (electrical/electronic manufacturing), and 3E Accounting (Singapore, accounting). Nitrogen ransomware claimed Pyramid Management Group (United States, real estate). Akira ransomware added National Standard Parts Associates and Northern Ohio Regional MLS, both in the United States.
On the DDoS front, NoName057(16) directed nine attacks against Israeli organisations including Wieder (retail) and San Interactive (IT services). ZxS3C ran 11 DDoS operations against Thai organisations -- VGI Public Company, Plan B Media, Thai Beverage PLC, Bangkok Dusit Medical Services, and Bangkok Life Assurance among them -- continuing a sustained campaign against Thailand's commercial infrastructure.
External security reporting from June 4:
- The US Department of Justice disrupted infrastructure tied to Southeast Asia crypto-fraud networks and froze $3.8 million in assets across multiple jurisdictions.
- Cisco warned that a proof-of-concept is now publicly available for a critical vulnerability in Unified Communications Manager; the flaw allows unauthenticated remote server-side request forgery.
- A researcher published a full disclosure and PoC for a VS Code vulnerability enabling one-click GitHub token theft via a malicious extension interaction.
- Unknown attackers maintained access to a stock exchange executive's Outlook mailbox for at least five months before detection; exfiltration of executive communications went undetected until lateral movement attempts began.
- Researchers documented Operation FlutterShell, a macOS malvertising campaign distributing a backdoor via Google and YouTube ads impersonating popular tools.
- A state-nexus threat group previously focused on Asia-Pacific targets has expanded credential-phishing and malware distribution to the United Kingdom, Germany, Italy, and South Korea.
- Law enforcement and technology partners disrupted infrastructure supporting scammers across Southeast Asia, affecting more than 1.4 million accounts.
Threat landscape signals
Aquahack accounts for 34 percent of all June 4 events (63 of 184) and 58 percent of the Data Breach/Leak category. That concentration -- one actor posting at a rate faster than the entire rest of the day combined -- is consistent with automated database enumeration tooling or a coordinated bulk release of pre-collected data. The geographic scatter across 20-plus countries and 15-plus sectors supports the opportunistic mass-exposure hypothesis; defenders should prioritise exposed credential rotation across affected sectors rather than treat this as evidence of targeted intrusion.
The Cisco Unified CM proof-of-concept now in the wild is the day's most actionable defensive item. Organisations running on-premises Unified CM deployments face no-authentication remote exploitation and should treat the patch cycle as urgent. The VS Code extension-chain disclosure is a secondary supply-chain risk for development environments drawing from external extension repositories. The five-month mailbox intrusion at the unnamed stock exchange is a reminder that executive-level access remains a persistent and under-monitored attack surface.