AUNZ Intelligence Insights Report, February 2026

Monthly actionable threat intelligence and sharp insights into ransomware, hacktivism, infostealers and financial fraud curated by Group-IB’s Threat Intelligence team for Australia and New Zealand (ANZ).

ANZ faces a rapidly evolving cyber threat environment with ransomware operators, hacktivist groups and financially motivated threat actors all active in the region. Group-IB’s February 2026 ANZ Newsletter provides a deep dive into ransomware, hacktivism, compromised accounts and financial fraud with local context, named victims and adversary profiles specific to the ANZ market.

Unlike aggregated open-source reports, this intelligence is drawn directly from Group-IB’s proprietary telemetry, dark web monitoring and infostealer tracking.

Key Findings & ANZ Cybersecurity Trends in February 2026

Ransomware Drops But Complacency Remains a Risk.

ANZ recorded a 57.14% decline in ransomware incidents in February 2026 (compared to January 2026). Australia sits at 13th place globally, down from 6th, while New Zealand sits at 43rd. Notable victims include Distinctive Systems Ltd (Qilin), the Aeromedical Society of Australasia (Lockbit), and Sika Technology Limited in New Zealand (Play). Industrial manufacturing, healthcare and retail were the most targeted sectors.

Australian Water and Irrigation Systems Under Sustained OT Attack.

The TAZ-Pentest Alliance claimed access to an Australian wastewater treatment plant and an irrigation management system, claiming the ability to manipulate pump readings and alarms without detection. This follows their December 2025 compromise of the Burnt Hut facility. NoName057(16) and the Infrastructure Destruction Squad separately claimed attacks on the Australian Olympic Committee and an additional wastewater treatment plant.

Three ANZ Data Breaches Tracked by Group-IB in February 2026

FulcrumSec continued activity following the youX breach, claiming to have breached the LexisNexis Legal and Professional database and stating they hold tens of terabytes of data still being sifted. Separately, threat actor Telephone Hooliganism listed Booktopia Pty Ltd customer data for sale on BreachForums, and newly emerged actor Kirby leaked Forex Australia data - creating four database sale topics within a four-day window containing between 30,000 and 500,000 records each.

Account Compromises Down, but Volume Remains High.

Compromised accounts in ANZ fell 60.23% from January 2026, reflecting a normalisation following a data source spike. Vidar and Stealc jointly drove nearly 70% of all infostealer activity, distributed primarily via ClickFix attacks through social media, phishing emails and malicious websites. Roblox, Google and Facebook login domains were the most affected platforms. AMOS surged from approximately 600 victims in January 2026 to nearly 11,000 in February 2026.

ANZ Bank Card Fraud Falls, but Telegram Remains the Primary Distribution Channel.

Compromised bank cards recorded a 61.29% decline in February 2026 (compared to January 2026). Australia moved to 18th place globally from 7th, and New Zealand to 71st from 43rd. Telegram accounted for 2,504 of all leaked cards, with TG bots contributing a further 1,785 - together representing the overwhelming majority of distribution. Visa cards made up 53% of compromised cards, followed by Mastercard at 42%.

Frequently asked questions

What are the top ransomware threats targeting Australia and New Zealand in February 2026?

Qilin, Play, Lockbit, Space Bears, INC Blog and Kairos were all active in the ANZ region during February 2026. Qilin targeted Distinctive Systems Ltd, Lockbit struck the Aeromedical Society of Australasia, and Play attacked Sika Technology Limited in New Zealand. Industrial manufacturing was the most targeted sector, followed by healthcare and retail. Despite the overall decline in incident volume, the breadth of active groups means ANZ organisations should not interpret lower numbers as reduced risk.

Why are Australian water and critical infrastructure systems being targeted?

Water, irrigation and energy infrastructure rely on operational technology (OT) that is increasingly internet-connected but often inadequately secured. Groups like NoName057(16), the Infrastructure Destruction Squad and the TAZ-Pentest Alliance specifically target OT environments including ICS, SCADA and HMI interfaces because access to these systems enables disruption of essential services, manipulation of physical processes, and persistent covert surveillance. Australia recorded six hacktivist incidents in February 2026, all involving OT access techniques.

What is the FulcrumSec threat and how serious is it for ANZ organisations?

FulcrumSec is a financially motivated threat actor active since October 2025, targeting victims through open-asset scanning and vulnerability identification. Following the youX breach – one of the most significant financial data compromises in Australian history involving 300GB of sensitive B2B FinTech data – the group has claimed access to the LexisNexis Legal and Professional database and states it holds tens of terabytes of additional data yet to be disclosed. ANZ financial services and legal organisations should treat FulcrumSec as an active and ongoing threat.

How are infostealers reaching ANZ devices?

Infostealers in ANZ are primarily delivered as Malware-as-a-Service (MaaS), distributed through ClickFix attacks via social media, phishing emails with malicious attachments, and fake websites. Affiliates rotate between malware families based on detection rates and infrastructure availability, which explains sharp month-on-month swings such as AMOS rising from approximately 600 to nearly 11,000 victims between January 2026 and February 2026. Vidar, Stealc and RedLine Stealer together accounted for 74.17% of all compromised accounts in ANZ during February 2026.

How can ANZ organisations track the Middle East conflict's cyber implications in real time?

Group-IB monitors the cyber dimension of the Iran–Israel–U.S. escalation continuously. ANZ organisations can track developments in real time by setting up a hunting rule in Group-IB’s Threat Intelligence platform, or by accessing the Group-IB Threat Intelligence Portal directly. Group-IB’s Global Investigation Team and CERT-GIB provide 24/7 monitoring and publish finished intelligence as new threats are identified.

Who Should Read This Newsletter

An essential 15-minute read for ANZ Security and Risk Professionals:

Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and Heads of Security.

Fraud, Risk and Compliance Leaders.

Government and Law Enforcement Professionals.

Security Operations Center (SOC), Incident Response (IR) and Threat Intelligence (TI) Teams.

Board Level and Executive Decision Makers.

If you are responsible for protecting digital assets, customers or national infrastructure in Australia or New Zealand, this newsletter is for you.