Notes

the May 2026 Dark Web Threat Actor Trend Report summarizes the trends of threat actors and hacktivists operating on the deep web and dark web. some statements are not factually verifiable.

Major Issues

• hacktivist activity targeting the South Korean Region was concentrated. some hacktivist groups claimed DDoS attacks against the website of the South Korean Army’s Special Warfare Command, while others claimed DDoS attacks against a number of South Korean government agencies. a Telegram channel with an unclear source also claimed a DDoS attack on the website of the Busan Regional Customs Society.
• in the Japan Region, Money Forward’s unauthorized access to GitHub and copying of repositories was officially confirmed. in the US Region, CB Financial Services disclosed a customer information exposure incident involving the use of unauthorized AI software.
• on the global supply chain side, OpenAI replaced macOS app certificates in response to a TanStack npm supply chain attack.
• We also observed a number of trends related to ShinyHunters. a cautionary alert was raised about accounts impersonating official channels, suspected seizures of clearnet domains, and claims of releasing a free decryption tool for the VECT ransomware. additionally, a claim of $38 million in enterprise extortion revenue this year was presented as an unverified, one-sided claim.
• Scattered LAPSUS$ Hunters denied any association with ShinyHunters and DLS.
• a new cloud threat actor, PCPJACK, has emerged, and confrontations with TeamPCP have been observed.
• LAPSUS$ Group was found to be running a campaign-type contest for website defacement.
• law enforcement had several successes. The suspected operators of the KimWolf DDoS botnet were arrested and charged. fIOD in the Netherlands seized the Stark Industries bulletproof hosting infrastructure and arrested its operators. First VPN was seized and shut down through Operation Saffron. german law enforcement arrested the operators of the Crimenetwork relaunch marketplace. Karakurt negotiator Deniss Zolotarjovs was sentenced to eight and a half years in prison in the US.

Conclusion

the month of May 2026 was marked by claims of multiple hacktivist DDoS attacks against the Region of Korea, the emergence of a new cloud threat actor PCPJACK, the exposure of customer information due to unauthorized AI software, the response to supply chain attacks, and law enforcement achievements against several cybercrime infrastructures and operators. the report concluded with repeated targeting of public institutions and military organizations in the Region and the need for vigilance in the use of supply chain, cloud, and AI tools.