
Get 24/7 incident response assistance from our global team
- APAC: +65 3159 4398
- EU & NA: +31 20 890 55 59
- MEA: +971 4 540 6400
- LATAM: +56 2 275 473 79

ANZ faces a rapidly evolving cyber threat environment with ransomware operators, hacktivist groups and financially motivated threat actors all active in the region. Group-IB’s January 2026 ANZ Newsletter provides a deep dive into ransomware, hacktivism, compromised accounts and financial fraud with local context, named victims and adversary profiles specific to the ANZ market.
Unlike aggregated open-source reports, this intelligence is drawn directly from Group-IB’s proprietary telemetry, dark web monitoring and infostealer tracking.
Cl0p is the dominant threat, executing 11 confirmed attacks in Australia in January 2026 alone – a 1,100% increase from zero in December 2025. Lynx was the second most active group with 5 incidents, followed by Qilin (2) and INC Blog (1). Professional services, manufacturing and financial services were the most targeted sectors. Australia sits 6th globally for ransomware exposure, and New Zealand, while currently lower in the rankings, should not be treated as immune given the breadth of active groups operating across the region.
Cl0p is one of the largest ransomware operations in history, active since February 2019. The group deploys Clop ransomware to encrypt victim files and demands Bitcoin ransom, using dedicated data leak sites to pressure organisations into payment. Most recently, the group has used the Get2 downloader to deliver the SDBbot backdoor for reconnaissance and lateral movement before deploying ransomware. In January 2026, Cl0p executed 11 successful attacks across Australia, targeting organisations including Etto Australia, Podiatry WA and NextPhaze.
Very serious, and worsening. In January 2026, the Z-Pentest Alliance – a pro-Russian hacktivist group – claimed access to Aquacorp’s operational technology control systems, including the ability to manipulate sanitization schedules and alarm settings. This is the same group that gained full control of pump and liquid delivery systems at the Burnt Hut facility in December 2025. These are OT Access attacks targeting ICS, SCADA, and HMI interfaces, enabling covert tampering without triggering alarms. ANZ organisations operating water, irrigation, or industrial infrastructure should treat this as an active and ongoing threat.
January 2026 saw several significant ANZ-specific dark web incidents. Cl0p published evidence of Whole IT’s breach on January 27th, threatening sensitive data disclosure. Threat actor Big-Bro listed domain access to an unspecified Australian grocery retailer for sale on January 17th. On January 15th, user tree_lover listed scraped Linktree profile data on BreachForums. Group-IB also confirmed that a widely circulated “Database Australia” national data leak was a re-branding of the 2021 Oxfam breach – not a new incident. The alleged AUKUS and US DoD data listing by Kraxs on January 12th remains under active monitoring.
Australia’s jump from 10th to 7th globally in compromised bank card rankings reflects renewed targeting by financially motivated criminal groups. Telegram and cybercrime forums are the two primary distribution channels, jointly accounting for the vast majority of leaked card data in the region. Mastercard and Visa are the most compromised card types. The sharp increase follows a period of relatively lower activity in Q4 2025 and may reflect seasonal targeting patterns as well as broader shifts in carding market activity across ANZ and the broader APAC region.
An essential 15-minute read for ANZ Security and Risk Professionals:
If you are responsible for protecting digital assets, customers or national infrastructure in Australia or New Zealand, this newsletter is for you.