Iranian conflict and cyber warfare, attacks in Italy, LeakBase and Tycoon 2FA disrupted
Iran: cyber offensives linked to the conflict
The conflict between the United States, Israel, and Iran has unfolded alongside extensive cyber operations, with reports of widespread internet disruptions, hacking of Iranian websites and applications, data breaches and leaks, and interference with infrastructure.
The main cyber activities attributable to known and emerging adversaries include claims of DDoS attacks by pro-Iranian, pro-Russian, and pro-Palestinian hacktivists against organizations across multiple sectors in Israel, Bahrain, Iran, Jordan, Kuwait, Malaysia, Qatar, the United States, the United Arab Emirates, Saudi Arabia, and Greece. Among the known hacktivist groups observed to be active are Dark Storm Team, NoName057(16), DieNet and BD Anonymous. Ransomware offensives have also been reported, including one by INC RANSOM Team in Israel and another by DragonForce Team in the United Arab Emirates.
The pro-Iranian hacktivist group Handala has been active on several fronts, claiming breaches against the Saudi national oil company Saudi Aramco and Sharjah National Oil Corporation (SNOC), the state-owned oil and energy company of the Emirate of Sharjah in the United Arab Emirates. The group has also targeted an Iranian-American influencer and an Iranian-Canadian influencer with direct death threats sent via email. Furthermore, it claims to have infiltrated the Institute for National Security Studies (INSS), an Israeli think tank focused on national security, for months.
The National Cyber Security Centre (NCSC) has recommended that organizations prepare for potential collateral impacts in the United Kingdom, particularly from pro-Iranian hacktivists, drawing attention to previous advisories related to DDoS attacks, phishing campaigns, and the targeting of ICS systems. Amazon confirmed that two Amazon Web Services (AWS) facilities in the United Arab Emirates and one in Bahrain were damaged by drone attacks, causing service disruptions.
Finally, security researchers documented a campaign involving the systematic targeting of IP cameras attributed to Iranian adversaries, highlighting a temporal and geographic correlation between the exploitation of such devices and missile activity associated with Iran in the Middle East.
Italy: DDoS, ransomware, and phishing
On March 4, 2026, the pro-Russian hacktivist collective OverFlame claimed responsibility for DDoS attacks against the following Italian targets: Antonino Cannavacciuolo, Comune di Ravenna, and SanArti.
Looking at the ransomware landscape, a group called VECT claimed on its leak site the compromise of Keliweb S.r.l.; an operator named Payload claimed Easy Servizi S.r.l.; LockBit Team claimed Formula50 S.r.l., Paoli Dental Center, and Barbero Pietro S.p.A.; and Tengu claimed Eos Technology S.r.l.
Additionally, on February 27, 2026, a multi-stage phishing campaign was traced in Italy exploiting the name of a supposed National Financial Agency to deliver malware to targeted machines. Specifically, an email was identified with the subject “Informare servicii online ANBSC”, where the acronym appears to refer to the National Agency for the Administration and Allocation of Assets Seized and Confiscated from Organized Crime, headquartered in Via Ezio in Rome. However, the footer of the message lists the address of the Italian Revenue Agency. The message uses the pretext of an alleged irregularity in the 2025 tax declaration to prompt the recipient to click on an external link. The analysis made it possible to reconstruct communications with the command-and-control (C2) server and revealed that the C2 IP address and port are not hardcoded but dynamically retrieved from Pastebin, allowing attackers to update their infrastructure without redistributing the malware.
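For defenders, the Pastebin lookup described above leaves a recognizable sequence in proxy or flow logs: a non-browser process requests the paste site, then the same process connects straight to a bare IP address. The following detection sketch is an added example, not taken from the analysis; the log layout, host and process names, addresses, ports and the browser allowlist are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records: timestamp, host, process, destination, port.
# Layout, names and addresses (RFC 5737 ranges) are illustrative only.
SAMPLE_LOG = """\
2026-02-27T09:14:02 ws-017 chrome.exe pastebin.com 443
2026-02-27T09:14:40 ws-017 chrome.exe www.example.org 443
2026-02-27T09:20:11 ws-042 rundll32.exe pastebin.com 443
2026-02-27T09:20:13 ws-042 rundll32.exe 203.0.113.77 7707
2026-02-27T09:21:00 ws-042 outlook.exe mail.example.org 443
2026-02-27T10:05:30 ws-042 rundll32.exe pastebin.com 443
2026-02-27T10:05:31 ws-042 rundll32.exe 198.51.100.9 8443
2026-02-27T11:00:00 ws-101 svchost.exe 192.0.2.10 443
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist
PASTE_SITES = {"pastebin.com"}

def parse(log):
    for line in log.splitlines():
        ts, host, proc, dest, port = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), dest, int(port)

def is_literal_ip(dest):
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False

def find_dead_drop_lookups(log, window_s=60):
    """Flag a non-browser paste fetch followed by a direct-to-IP connection
    from the same host and process within window_s seconds."""
    last_fetch = {}  # (host, process) -> time of latest paste-site request
    hits = []
    for ts, host, proc, dest, port in sorted(parse(log)):
        key = (host, proc)
        if dest in PASTE_SITES and proc not in BROWSERS:
            last_fetch[key] = ts
        elif is_literal_ip(dest) and key in last_fetch:
            if ts - last_fetch[key] <= timedelta(seconds=window_s):
                hits.append((host, proc, dest, port))
    return hits

def rotated_hosts(hits):
    """Hosts whose post-fetch endpoint changed: the infrastructure-update case."""
    seen = {}
    for host, _, dest, port in hits:
        seen.setdefault(host, set()).add((dest, port))
    return sorted(h for h, eps in seen.items() if len(eps) > 1)
```

A host returned by `rotated_hosts` contacted different endpoints after successive paste fetches, which is why blocking a single C2 address does not contain this kind of implant; blocking or alerting on the paste lookup itself does.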
Cybercrime: international operations dismantle LeakBase and Tycoon 2FA
A joint operation by several international law enforcement agencies dismantled LeakBase, one of the largest online forums where cybercriminals bought and sold stolen data and tools for committing cybercrime. According to the U.S. Department of Justice (DOJ), the LeakBase forum had more than 142,000 members and over 215,000 messages exchanged among members as of December 2025. Anyone attempting to access the website is now greeted with a banner stating that the portal has been seized by the FBI as part of an international operation. The banner indicates that all forum content—including user accounts, posts, credit details, private messages, and IP logs—has been secured and preserved for evidentiary purposes.
A second international operation coordinated by Europol, involving the European Cybercrime Centre (EC3) and supported by private sector partners, led to the disruption of the Phishing-as-a-Service (PhaaS) platform Tycoon 2FA, which was used to bypass multi-factor authentication (MFA) and compromise online accounts. The service offered cybercriminals a subscription-based toolkit designed to intercept authentication sessions in real time and gain unauthorized access to accounts protected by additional security layers, including email and cloud services. During the operation, 330 domains forming the core infrastructure of the platform—including phishing pages and control panels—were taken offline.
Weekly Threats Report is Telsy’s weekly update featuring the main developments on cyber attacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is composed of analysts and security researchers with technical and investigative skills and internationally recognized experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with useful information to anticipate attacks and understand their scope, with the support of a trusted partner in the event of a cyber incident.
Learn more about our Cyber Threat Intelligence solution.
