Archive for Flashpoint

Flashpoint Discusses Tax Refund Fraud in 2026

Posted in Commentary with tags on April 10, 2026 by itnerd

There’s a new blog post from Flashpoint that covers tax refund fraud in 2026 and how threat actors are weaponizing identity data, verification systems, and cash-out channels at scale. The piece breaks down how fraudsters move from sourcing “fullz” and clients to bypassing government identity verification, inflating refunds, and rapidly converting payouts into cash or cryptocurrency while using highly structured, repeatable workflows.

In the piece, the Flashpoint Intel Team explains how tax refund fraud has evolved into a mature, community-driven fraud ecosystem, where identity theft, social engineering, and verification bypass techniques are continuously refined and shared across Telegram channels, dark web forums, and illicit marketplaces. They walk through the end-to-end fraud lifecycle from identity acquisition and return verification bypass to cash-out via banking apps, prepaid cards, and crypto exchanges, and highlight what these patterns mean for security and fraud teams trying to move from reactive detection to proactive disruption.

Additional key insights from the 2026 tax refund fraud landscape include:

  • Why high-quality identity data (“fullz”) and recruited “clients” are now foundational to refund fraud success, and how that raises risk across identity, account takeover, and broader financial crime.
  • How threat actors systematically bypass identity and tax return verification to leverage verified identity accounts, prior-year AGI, IP PINs, and scripted interactions with the IRS and government offices to make fraudulent filings look legitimate.
  • How fraud tutorials, Telegram communities, and dark web forums accelerate the spread of new methods, including false wage submissions that pre-populate tax records before filing, and increasingly streamlined cash-out workflows that move funds quickly into crypto and digital banking platforms.

The full post can be found at: https://flashpoint.io/blog/tax-refund-fraud-in-2026-how-threat-actors-exploit-identity-verification-and-cash-out-channels/.

Flashpoint Releases 2026 Global Threat Intelligence Report

Posted in Commentary with tags on March 11, 2026 by itnerd

Flashpoint today announced the release of its 2026 Global Threat Intelligence Report (GTIR), providing security leaders, from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office, with a proprietary, data-driven, ground-truth view of the converging threats defining today’s hybrid risk environment.

Powered by Flashpoint’s Primary Source Collection (PSC), the 2026 GTIR reveals a sharp rise in AI-related discussions, signaling a rapid shift from criminal curiosity to the active development of malicious agentic frameworks. At the same time, the mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to operate as legitimate users. As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust and identity compromise. Meanwhile, the patching window continues to collapse, with mass exploitation of zero-day vulnerabilities occurring in as little as 24 hours after discovery.

Cybercrime Has Entered the Era of Total Convergence

Between late 2025 and early 2026, adversaries rapidly accelerated adoption of agentic AI frameworks capable of orchestrating autonomous attack chains — automating reconnaissance, phishing generation, credential testing, and infrastructure rotation all without direct human control. This dramatically lowers the cost of experimentation and increases the speed of exploitation.

The 2026 GTIR identifies four converging forces reshaping the global threat landscape:

  • Agentic AI Operationalization — Autonomous systems capable of executing end-to-end attack chains at machine speed, increasing both the volume and intensity of cybercrime
  • Identity as the Primary Exploit Vector — Billions of compromised credentials fueling credential-based intrusions beyond the boundaries of organizational oversight and control
  • Compression of the Exploitation Window — Vulnerabilities weaponized within hours of disclosure before organizations can understand their exposures or begin to respond
  • The Evolution of Extortion — Ransomware shifting toward identity-driven and insider-enabled models, enhancing its effectiveness

Together, these dynamics form a single, high-velocity threat ecosystem where automation, identity compromise, and vulnerability exploitation reinforce one another.

AI-Related Illicit Activity Surged 1,500% in a Single Month

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025 from 362,000 mentions to more than 6 million, signaling a rapid transition from experimentation to operationalized malicious AI frameworks.

Threat actors are actively developing autonomous systems capable of scraping data, rotating infrastructure, adjusting messaging, and learning from failed attempts without continuous human oversight. These agentic systems dramatically increase iteration speed and reduce operational friction for attackers.

Identity Has Become the Primary Exploit Vector

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, generating an inventory of 3.3 billion compromised credentials and cloud tokens.

As a result, the mechanics of cybercrime have shifted from “breaking in” to “logging in.” Attackers now leverage stolen session cookies, tokens, and legitimate credentials to bypass traditional security perimeters entirely, turning digital identity into the connective tissue of modern exploitation. The sheer volume of exposed identity data, and the potential to automate its abuse, require organizations to rethink what their attack surface includes. Infostealers have shown that it is no longer limited to corporate infrastructure; it now spans employee browsers, personal devices, SaaS platforms, and third-party access.

The Window Between Vulnerability Disclosure and Exploitation Is Vanishing

Vulnerability disclosures increased by 12% year-over-year, with one-third (33%) of disclosed vulnerabilities having publicly available exploit code.

Several high-impact vulnerabilities were mass exploited within hours of disclosure, compressing remediation timelines and raising the stakes for exposure management. In this environment, organizations cannot rely solely on reactive patching cycles; they must incorporate early-warning intelligence to anticipate weaponization trends.

Ransomware Is Pivoting Toward Pure-Play Identity Extortion

Ransomware incidents rose by 53% in 2025, with RaaS groups responsible for more than 87% of attacks.

Rather than relying exclusively on encryption payloads, threat actors are increasingly targeting identity and human trust by recruiting malicious insiders, abusing authorized access, and leveraging credential theft to extort organizations without deploying traditional ransomware binaries.

Who should read the 2026 GTIR?

The report is designed for CISOs, threat intelligence teams, vulnerability management leaders, fraud and risk teams, and executive decision-makers seeking a strategic view of converged cyber and hybrid threats.

Read the full report here: https://flashpoint.io/resources/report/flashpoint-global-threat-intelligence-report-2026

Flashpoint update on Middle East conflict

Posted in Commentary with tags on March 2, 2026 by itnerd

Flashpoint analysts continue to monitor the conflict, which transitioned between March 1 and 2 from a phase of initial mass exchange to a more complex, globally attuned escalation involving a significant widening of kinetic and non-kinetic attack domains. New strikes directly targeted economic and logistical critical infrastructure in Gulf States, notably a major Saudi oil facility and an AWS data center in the UAE. A major escalation occurred on the Israel-Lebanon border as Hezbollah launched missile strikes, leading to an immediate and widespread Israeli response across Lebanon. The cyber domain witnessed new, alarming claims of intrusion into industrial control systems (ICS) and national grain supply logistics. The international community, specifically the UK, France, and Germany, signaled a willingness to join military action to destroy Iran’s missile capabilities, indicating a high probability of further conflict expansion.

Key Takeaways 

  1. Critical Economic Infrastructure is Now a Primary Target: Iran’s retaliatory strikes escalated to include direct hits on Saudi Arabia’s Aramco facility at Ras Tanura and a significant AWS data center in the UAE, signaling a shift to severe economic warfare and a higher risk for global energy supply.
  2. Conflict Has Expanded to a New Front: Hezbollah’s launch of missiles from Lebanon has resulted in Israeli strikes across all of Lebanon, including Beirut’s southern suburbs, effectively opening a second major kinetic front that increases the potential for a regional ground war.
  3. Cyberattacks Target Essential Civilian Logistics: Pro-Iranian hacktivist groups claimed successful, highly disruptive intrusions into a major Jordanian grain silo company’s control systems, including alleged manipulation of temperature controls and weighing systems, moving beyond simple defacements and signaling a direct threat to food security.
  4. NATO-Aligned Assets Now at Risk: An unmanned Iranian drone reportedly struck the runway of the RAF Akrotiri base in Cyprus, and Iran has allegedly targeted military assets in 15 countries on March 1. This new level of aggression brings NATO-aligned entities in the Eastern Mediterranean into the immediate crossfire.
  5. International Coalition Formation: The UK, France, and Germany are now actively considering military action to destroy Iran’s missile and drone capabilities, creating a defined coalition ready to intervene militarily and further isolating the Iranian regime.

Key Events

  • Saudi Oil Strike: Iranian Shahed-136 drones reportedly strike the Saudi Aramco facility at Ras Tanura, one of the world’s largest oil refining and export facilities.
  • UAE Infrastructure Strike: Amazon Web Services (AWS) confirmed its data center in the UAE (mec1-az2) was temporarily impacted by physical objects striking the facility, creating sparks and fire, forcing a service disruption.
  • UK Base Strike: An unmanned drone strikes the runway of the UK’s RAF Akrotiri base in Cyprus (later confirmed by the UK Foreign Secretary).
  • Lebanese Front Opens: The Israel Defense Force (IDF) confirmed that Hezbollah fired missiles from Lebanon, prompting immediate and extensive Israeli retaliatory strikes across all of Lebanon.
  • US Readiness for Suicide Attacks: US officials prepare for potential suicide attacks and further retaliatory missile strikes targeting American facilities and personnel, with primary concerns centered around Tel Aviv, Jerusalem, and Qatar.
  • US Strike Volume: US Central Command (CENTCOM) reports that over 1,000 targets were struck across Iran in the first 24 hours of Operation Epic Fury.
  • Interim Leader Targeted (Unconfirmed): Israeli media report the possible killing of Iran’s newly appointed interim supreme leader, Ayatollah Alireza Arafi, in fresh strikes on Tehran.
  • European Response: The UK, France, and Germany issue a statement indicating they are prepared to carry out military action to destroy Iran’s missile and drone launch capabilities.
  • Advanced Weaponry Deployment: Israel reportedly deploys the high-powered “Iron Beam” laser system for the first time in combat to intercept incoming rockets.
  • Cyber Resurgence: Mr Soul, a persona linked to the sanctioned Iran state-linked group CyberAv3ngers, announces their return to operations, although some reports suggest a lull in broader Iranian cyber activity.

Cyber Threats & Attacks

The focus shifted from mass-propaganda operations to high-impact, disruptive attacks on critical infrastructure and defense systems:

  • Industrial Control System (ICS) Targeting: The “Cyber Islamic Resistance Axis” claimed penetration of over 130 remote control systems belonging to Control Applications LTD in Israel and other countries.
  • Logistics Sabotage: Pro-Iranian actors detailed a successful intrusion into the Jordan Silos and Supply General Company, claiming they gained access via phishing.
  • Government/Commercial Disruption: Attacks continued against government and commercial entities in Gulf states, including DDoS and data breach claims against the Bahrain Communications Regulatory Authority, Dubai Medical City, and the Zayed Charitable & Humanitarian Foundation.
  • Threat Actor Status: Mr Soul (CyberAv3ngers-linked) announced a return to operations, while general cyber operations from Iranian groups saw a temporary, noticeable lull.

Physical Threats to Western Entities

The risk profile for Western assets in the region has significantly escalated beyond military installations:

  • Oil Infrastructure: The strike on the Saudi Aramco facility at Ras Tanura demonstrates that key Western-partnered economic infrastructure is now a legitimate, high-value kinetic target.
  • Cloud Infrastructure: The physical strike on the AWS data center in the UAE signifies that commercial technology and data assets are no longer safe from kinetic damage.
  • Contagion Risk: The escalation on the Israel-Lebanon front and the confirmed strike on the RAF Akrotiri base in Cyprus indicates a broadening geographical threat, placing personnel at bases like Souda Naval Base (Crete) and other NATO assets on high alert.
  • Personnel Security: US officials are preparing for the threat of suicide attacks targeting American facilities and personnel abroad, particularly in Tel Aviv, Jerusalem, and Qatar, necessitating a maximum threat posture.

Security Recommendations

  • Elevate Security Posture for Critical Infrastructure (Gulf): Businesses operating energy, logistics, or technology infrastructure in the Persian Gulf (especially Saudi Arabia, UAE, Qatar, and Bahrain) must immediately activate maximum security and contingency protocols and review physical security for assets like oil facilities, data centers, and major ports.
  • Review ICS Security: Organizations with Industrial Control Systems (ICS) and SCADA systems in the region must conduct a priority-one audit of remote access and phishing vulnerabilities, given the demonstrated capability of adversaries to target and claim control over such systems (e.g., Jordanian silos).
  • Implement Anti-Drone/C-UAS Measures: Deploy experienced counter-UAS operators (or partner with the UK to access the promised Ukrainian assistance) to address the persistent and expanding threat from Iranian drones (e.g., Ras Tanura strike, RAF Akrotiri strike).
  • Personnel Threat Assessment: All personnel in the Gulf region, especially in major transit/security hubs (Riyadh, Qatar, UAE), should be advised of the heightened risk of asymmetric attacks (e.g., suicide attacks) and instructed to strictly follow all government security alerts, avoiding public uniform display and high-profile locations.
  • Supply Chain Contingency: Implement Tier 1 contingency planning for global supply chains, assuming an extended closure of the Strait of Hormuz and continuous disruption of major Gulf air and sea hubs.

Strategic Outlook

The strategic outlook is one of maximum instability, marked by a critical escalation where the conflict is spiraling outward both geographically and functionally. Iran’s shift in strategy from purely military retaliation to economic decapitation is evident in the strikes on Saudi Arabia’s Ras Tanura oil facility and an AWS data center in the UAE, signaling a profound threat to global energy and technology supply chains. Furthermore, the conflict has opened a second kinetic front in Lebanon due to Hezbollah’s missile strikes, and is becoming dangerously internationalized as key European powers (UK, France, Germany) signal a readiness for military action to destroy Iran’s missile capabilities. This complex and widening hybrid war now includes high-impact, asymmetric threats like the potential for terror attacks and cyber intrusions against essential civilian logistics, making the de-escalation path extremely challenging.

Though this is slightly late, there is a Flashpoint Community Call Planned for Monday, March 2, 2026 at 11 AM EST: U.S.–Israel Military Strikes on Iran and Tehran’s Regional Retaliation | Flashpoin

Flashpoint Analysis: Six‑Month Supply‑Chain Attack Targeting Notepad++ Users

Posted in Commentary with tags on February 27, 2026 by itnerd

Flashpoint’s threat intelligence team has published new analysis on a significant supply‑chain attack involving Notepad++, one of the world’s most widely used open‑source text editors. The compromise—quietly active for roughly six months—allowed threat actors to hijack the application’s update mechanism and deliver malicious executables to targeted users.

Flashpoint’s research breaks down how attackers gained unauthorized access to the hosting infrastructure supporting Notepad++ updates and selectively redirected update requests to attacker‑controlled servers. Instead of receiving legitimate installers, victims were served malicious payloads disguised as trusted updates. The attack did not exploit a vulnerability in Notepad++ code itself; it was an infrastructure‑level compromise that evaded detection for months.

Flashpoint’s analysis highlights several critical findings:

  • The compromise persisted from June through December 2025, affecting users who attempted to update during that window.
  • Attackers hijacked the update delivery pipeline, redirecting traffic from the legitimate Notepad++ server to malicious infrastructure.
  • The attack targeted select victims, suggesting a focused espionage or intelligence‑gathering operation rather than broad malware distribution.
  • The WinGUp updater lacked sufficient verification controls, enabling the delivery of malicious executables without triggering integrity checks.
  • No CVE was assigned, underscoring that the weakness was not in the application code but in the surrounding ecosystem.
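The verification gap named in the findings above, an updater that accepts whatever the download host serves, is what a signed-manifest check closes. The Go program below is an added illustration written for this page, not WinGUp's or Notepad++'s code; the manifest format, the version strings and the key handling are assumptions, and Go is used because its standard library ships Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateManifest is hypothetical signed metadata fetched alongside an installer.
// Only the manifest carries a signature; the installer is bound to it by digest.
type UpdateManifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

var (
	ErrBadSignature   = errors.New("manifest not signed by the pinned publisher key")
	ErrDigestMismatch = errors.New("installer bytes do not match the signed manifest")
	ErrDowngrade      = errors.New("offered version is not newer than the installed one")
)

// newer reports whether major.minor.patch version a is strictly greater than b.
func newer(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] > y[i]
		}
	}
	return false
}

// SignManifest is the publisher side: the manifest's JSON, signed with the release key.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) (manifestJSON, sig []byte, err error) {
	if manifestJSON, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client side. It accepts an installer only if (1) the manifest
// is signed by the key pinned in the client, (2) the installer hashes to the digest
// in that manifest, and (3) the version is not a downgrade. A hijacked download
// path can change the served bytes but cannot satisfy (1).
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifestJSON, sig, installer []byte, installed string) (*UpdateManifest, error) {
	if !ed25519.Verify(pinnedPub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m UpdateManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigestMismatch
	}
	if !newer(m.Version, installed) {
		return nil, ErrDowngrade
	}
	return &m, nil
}

// RunScenario replays three client outcomes with a constructed release: the
// genuine installer, a swapped installer from a hijacked download path, and a
// manifest re-signed with a key the client has not pinned.
func RunScenario() (genuine, swapped, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)          // constructed publisher key
	installer := []byte("constructed installer bytes v8.8.2") // stands in for the real .exe
	sum := sha256.Sum256(installer)
	m := UpdateManifest{Version: "8.8.2", SHA256: hex.EncodeToString(sum[:])}
	manifestJSON, sig, _ := SignManifest(priv, m)

	_, genuine = VerifyUpdate(pub, manifestJSON, sig, installer, "8.8.1")
	_, swapped = VerifyUpdate(pub, manifestJSON, sig, []byte("attacker payload"), "8.8.1")
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // attacker's own signing key
	forgedJSON, forgedSig, _ := SignManifest(rogue, m)
	_, forged = VerifyUpdate(pub, forgedJSON, forgedSig, installer, "8.8.1")
	return genuine, swapped, forged
}

func main() {
	g, s, f := RunScenario()
	fmt.Printf("genuine: %v\nswapped: %v\nforged: %v\n", g, s, f)
}
```

Because the client trusts only the key pinned in its own binary, neither a taken-over update host nor a redirected download path can produce a manifest the client accepts, which is the control the findings say was missing.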


This incident is a stark reminder that supply‑chain attacks increasingly target the infrastructure around trusted tools – not just their source code. With Notepad++ used globally by developers, IT teams, and enterprises, the attack demonstrates how a single compromised update path can create widespread risk. Flashpoint’s analysis provides rare visibility into the mechanics of the attack and offers actionable guidance for organizations to assess exposure and strengthen their software update pipelines.

You can get more details here: What to Know About the Notepad++ Supply-Chain Attack | Flashpoint

$30 Infostealer “DarkCloud” Is Fueling a Surge in Enterprise Breaches

Posted in Commentary with tags on February 26, 2026 by itnerd

Flashpoint’s threat intelligence team has uncovered new details about DarkCloud, a rapidly spreading, commercially available infostealer that is reshaping the initial‑access landscape for cybercriminals.

DarkCloud is part of a growing wave of low‑cost, highly scalable infostealers that are lowering the barrier to enterprise compromise. First observed in 2022 and openly sold on Telegram and a clearnet storefront for as little as $30, DarkCloud gives even low‑skill threat actors the ability to harvest credentials at scale and gain enterprise‑wide access.

Flashpoint’s latest analysis reveals several concerning trends:

  • DarkCloud is written in Visual Basic 6.0, a legacy language that helps it evade modern detection tools and signature‑based defenses.
  • Its encryption and string‑obfuscation techniques make it harder for defenders to analyze and block.
  • It is fully commercialized, with subscription tiers, active development, and a growing user base on Telegram—mirroring the professionalization of the cybercrime economy.
  • Credential theft at scale enables attackers to pivot into ransomware, business email compromise, and long‑term espionage operations.

Flashpoint’s researchers warn that DarkCloud represents a broader shift: infostealers are now the dominant initial‑access vector in 2026, giving attackers a cheap, fast, and reliable way to infiltrate organizations.

Why this matters:
Infostealers like DarkCloud are no longer niche tools – they are becoming the backbone of modern cybercrime. With DarkCloud’s low cost, ease of access, and ability to bypass traditional defenses, organizations across every sector face heightened risk. Flashpoint’s analysis provides rare visibility into how these tools are built, sold, and deployed – and what security teams must do to defend against them.

Flashpoint can offer:

  • Expert interviews with the analysts who dissected DarkCloud
  • Insights into the commercialization of infostealers and the threat‑actor economy
  • Guidance for CISOs on mitigating credential‑theft‑driven breaches
  • Data from Flashpoint’s 2026 threat intelligence research

You can learn more here: Understanding the DarkCloud Infostealer | Flashpoint

80% of Exploited Vulnerabilities Are “N-Days” – Not Zero-Days: Flashpoint

Posted in Commentary with tags on February 11, 2026 by itnerd

Today, the threat intelligence team at Flashpoint published new research examining how the race between defenders and adversaries is accelerating — and why known vulnerabilities, not zero-days, are now driving the majority of real-world attacks.

Key finding: Flashpoint data shows that N-day vulnerabilities account for more than 80% of Known Exploited Vulnerabilities (KEVs) tracked over the past four years, underscoring a major shift in attacker behavior. Even more concerning, the average Time to Exploit (TTE) — the gap between public disclosure and observed exploitation — has collapsed from 745 days in 2020 to just 44 days by 2025, dramatically reducing the patching grace period many enterprises rely on. 

Flashpoint researchers attribute this trend to the rapid weaponization of publicly released proof-of-concept code, effectively creating “turn-key” exploits that allow even less sophisticated actors to launch mass attacks within hours. 

Additional insights include:

  • Security and perimeter technologies — such as firewalls, VPN gateways, and edge devices — are among the most targeted because they must remain internet-facing. 
  • Nation-state activity remains prominent, with China identified as the most active actor in vulnerability exploitation campaigns. 
  • Most organizations lack full asset visibility, with many maintaining accurate inventories for only about 25% of assets, slowing detection and response. 

Why this matters:
As weaponization timelines compress — sometimes to under 24 hours — organizations must shift from reactive patching toward intelligence-led exposure management that prioritizes exploitability and threat-actor activity.

Protecting the Big Game: A Threat Assessment for Super Bowl LX 

Posted in Commentary with tags on February 5, 2026 by itnerd

Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.

Cybersecurity Considerations

At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.

High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.

Potential Physical Threats

Protests and Boycotts: Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.

The blog post can be found here:

https://flashpoint.io/blog/protecting-the-big-game-a-threat-assessment-for-super-bowl-lx/

Insider Threats: Flashpoint observes 91,321 instances in 2025

Posted in Commentary with tags on January 15, 2026 by itnerd

Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground.

In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside. 

Last year, Flashpoint collected and researched:

  • 91,321 posts of insider solicitation and service advertising
  • 10,475 channels containing insider-related illicit activity
  • 17,612 total authors

On average, 1,162 insider-related posts were published per month, with Telegram continuing to be one of the most prominent mediums for insiders and threat actors to identify and collaborate with each other. Analysts also identified instances of extortionist groups targeting employees at organizations to financially motivate them to become insiders.

Insider Threat Landscape by Industry

The telecommunications industry observed the most insider-related activity in 2025. This is due to the industry’s central role in identity verification and its status as the primary target for SIM swapping—a fraudulent technique in which threat actors convince employees of a mobile carrier to link a victim’s phone number to a SIM card controlled by the attacker. The attacker then receives all of the victim’s calls and texts, which lets them bypass SMS-based two-factor authentication.

Insider Threat data from January 1, 2025 to November 24, 2025

Flashpoint analysts identified 12,783 notable posts where the level of detail or the specific target was particularly concerning.

Top Industries for Insiders Advertising Services (Supply):

  • Telecom
  • Financial
  • Retail
  • Technology

Top Industries for Threat Actors Soliciting Access (Demand):

  • Technology
  • Financial
  • Telecom
  • Retail

Flashpoint shares more details in a blog post, published today. It’s honestly worth your time to read.

Surfacing Threats Before They Scale: Why Primary Source Collection Changes Intelligenc

Posted in Commentary with tags on December 22, 2025 by itnerd

Flashpoint has published a new blog post on how Primary Source Collection (PSC) enables intelligence teams to surface emerging fraud and threat activity before it reaches scale. The article explores:

  • How Threats Actually Evolve
  • Why Static Collection Falls Short
  • A Different Model: Primary Source Collection
  • Making Intelligence Taskable
  • How Taskable Collection Works in Practice

Why does this matter? Threat and fraud operations are moving faster than ever. Barriers to entry are lower. Tooling is more accessible. Collaboration rivals legitimate software development cycles. Defenders cannot afford to move slower than the adversaries they are trying to stop.

Primary Source Collection is how intelligence teams keep pace. It aligns collection with mission needs, enables real-time tasking, and delivers insight early enough to change outcomes instead of just documenting them. The signals have always been there – what has changed is the ability to surface them while they still matter.

Flashpoint Analysis: Critical React RCE Vulnerability Puts Digital Supply Chains at Risk 

Posted in Commentary with tags on December 4, 2025 by itnerd

Here is a new Flashpoint post that breaks down a rapidly developing security story: a critical Remote Code Execution vulnerability in React that is already drawing significant attention across the threat landscape. The post offers Flashpoint’s expert perspective on the scope of exposure and the implications for digital supply-chain security.

What Flashpoint is Seeing

  • The flaw (CVE-2025-55182) is a critical RCE vulnerability in React Server Components that allows unauthenticated remote code execution.
  • All React versions since 19.0.0 are affected, putting a massive portion of today’s web applications at risk.
  • Given React’s ubiquity, the supply-chain impact is extensive — Flashpoint notes that this vulnerability creates broad downstream exposure across organizations and vendors relying on React-based infrastructure.
  • Early signs of attacker interest are already emerging, heightening the urgency for defenders.

Impact
Flashpoint’s perspective highlights how this isn’t just a typical open-source bug — it has the potential to become a wide-scale supply-chain event, affecting enterprises, SaaS providers, and cloud-native applications. If exploited, it could lead to server compromise, data exfiltration, and large-scale operational disruption.

Here’s the analysis:
https://flashpoint.io/blog/digital-supply-chain-risk-vulnerability-react-unauthorized-remote-code-execution/