Dark Web Threat Actor Trend Report, April 2026
Notes
The April 2026 Dark Web Threat Actor Trend Report summarizes trends among hacktivists and threat actors operating on the deep web and dark web. Due to the nature of the sources, some of the information is difficult to fully verify as factual.
Major Issues
- NoName05716 claimed repeated DDoS attacks against dozens of organizations in South Korea, including government agencies, public institutions, and businesses. In a single claim, up to 22 organizations were listed as targets simultaneously.
- 313 Team claimed attacks on eBay’s Japanese and US websites, as well as an attack linked to the Bluesky service outage.
- Handala claimed attacks against infrastructure in the United Arab Emirates and the website of St. Joseph County, Indiana, US.
- RuskiNet Group claimed DDoS attacks against 10 Israeli companies.
- In Japan, unauthorized access to Alps Alpine’s external VPN system was confirmed, and Municipal Nara Hospital experienced an EMR (electronic medical record) failure. A phishing campaign impersonating PayPay was also confirmed.
- An AppDomainManager hijacking-based APT attack utilizing a document impersonating the Saudi Arabian Ministry of Finance was observed.
- The FBI issued a warning about the targeting of network devices with AVrecon malware (malware that infects SOHO network devices such as routers to form botnets).
- TeamPCP and Vect claimed supply chain attacks against global sports data companies.
- Peter Stokes, a 19-year-old hacker with ties to Scattered Spider, was indicted, and HasanBroker declared all-out war on the Scattered LAPSUS$ Hunters.
- Paris prosecutors seized HexDex user accounts on DarkForums and arrested a suspect.
- The identity of alleged BreachForums operator “NA” Angel Tsvetkov was exposed, and Germany’s BKA revealed the identity of REvil and GandCrab operator “UNKN.”
- Law enforcement agencies seized Maxstresser[.]com, the VerifTools marketplace infrastructure, and the W3LL phishing kit distribution infrastructure, while in Russia there was a crackdown on Cryptex and the uncovering of a cryptocurrency money laundering network.
- A negotiator associated with the ALPHV/BlackCat ransomware group pleaded guilty.
Conclusion
In April 2026, we observed a combination of geopolitically motivated hacktivist claims of repeated DDoS attacks, actual breaches in Japan, and various threats such as phishing, APT, and supply chain attacks. At the same time, law enforcement agencies have made successive gains against DDoS proxy services, cybercrime marketplaces, phishing infrastructure, ransomware operators, and money laundering networks. Organizations need to combine public infrastructure defense, supply chain security, phishing countermeasures, and stronger remote access infrastructure security.