Greetings, Cybersecurity Enthusiasts!

May saw breach activity rebound after April’s slowdown, driven by a sharp increase in defacement activity and continued ransomware pressure across industries. Higher education emerged as the most impacted sector, while North America strengthened its position as the most targeted region. Although overall ransomware victim volume declined slightly, several leading gangs remained highly active and new threat groups continued to emerge.

📊 Cyber Incidents Breakdown

Across all monitored sources, we recorded 2,143 breaches in May, up from 1,966 in April. The increase was driven primarily by a surge in defacement activity, while ransomware remained one of the largest contributors to high-impact incidents.

Source Mix

• Ransomware Posts: 679 (↓ from 732)
• Defacements: 908 (↑ from 766)
• Hacker Forums: 300 (↑ from 190)
• News Coverage: 145 (↓ from 199)
• Official Reports: 106 (↑ from 73)
• SEC Filings: 5 (no change)
• Leak Reports: 0 (↓ from 1)

💥 Most Active Ransomware Gangs

The most prolific ransomware groups in May were:

1. Qilin — 103 victims (↓ from 109)
2. Gentleman — 75 victims (↑ from 67)
3. DragonForce — 57 victims (↓ from 64)
4. Akira — 41 victims (↓ from 51)
5. INC — 32 victims (↓ from 39)

Qilin remained the most active ransomware operation despite a slight decline in victim volume. Gentleman continued its upward trajectory and widened its presence across industries, while DragonForce and Akira remained persistent threats despite lower activity levels.

🆕 Enhanced Ransomware Gang Tracking

HackNotice expanded intelligence coverage for the following groups due to increased activity and infrastructure visibility:

• SpyCorporate
• Triplex
• Titan
• MedusaLocker
• Icarus
• CMDOrganization
• Payloads

📰 Breaches That Made the News

Several high-profile breaches captured attention in May:

• OnlyFans: https://app.hacknotice.com/#/hack/6a143cbd578c0daf2d9aece3
• Mercedes: https://app.hacknotice.com/#/hack/6a146d80578c0daf2d26f626
• GitHub: https://app.hacknotice.com/#/hack/6a0d7181578c0daf2d03cfb8
• Trump Mobile: https://app.hacknotice.com/#/hack/6a0ed8f5578c0daf2de1bff4
• CISA: https://app.hacknotice.com/#/hack/6a0c0ae9578c0daf2d2cf321
• British Airways: https://app.hacknotice.com/#/hack/6a06b20c578c0daf2d0aa22e
• White House: https://app.hacknotice.com/#/hack/6a06fb8e578c0daf2de35cff

🏭 Industry and Geography Insights

Industries Most Impacted

• Higher Education: 21.6%
• Professional, Scientific, and Technical Services: 8.8% (↓ from 12.3%)
• Educational Services: 7.9% (↑ from 4.6%)
• Manufacturing: 7.7% (↓ from 11.4%)
• Health Care and Social Assistance: 6.3% (↓ from 7.7%)

Industry Trends

Higher education became the most impacted sector in May, accounting for more than one-fifth of all categorized breach activity. Educational organizations broadly saw elevated targeting, with both higher education and educational services appearing among the most affected sectors.

Professional services remained a major target for threat actors despite a decline in overall share. Manufacturing continued to experience significant ransomware pressure, while healthcare remained among the most consistently targeted industries.

🌍 Regions Most Affected

• North America: 52.1% (↑ from 50.6%)
• Europe: 23.6% (↓ from 24.9%)
• Asia: 10.3% (no change from 10.3%)
• South America: 5.9% (↑ from 5.5%)
• Middle East: 3.4% (↓ from 3.7%)
• Africa: 2.5% (↓ from 3.2%)
• Oceania: 2.2% (↑ from 1.8%)

Regional Trends

• North America strengthened its position as the primary target of ransomware and breach activity, accounting for more than half of all geographically attributed incidents.
• Europe remained the second-largest region despite a modest decline in share.
• Attack activity continued to diversify globally, with South America and Oceania both recording gains while Asia maintained a stable share of overall activity.

✅ Closing Thoughts

May reversed April’s decline and pushed breach activity back above 2,100 reported incidents. Defacements reached their highest level of the year, ransomware remained a dominant threat vector, and Qilin continued to lead the ransomware ecosystem. Educational institutions saw a significant increase in targeting, while North America expanded its share of global breach activity.

🔍 If you are not tracking ransomware’s role in third-party exposure, you are missing a critical blind spot.

Stay ahead of shifting threats with HackNotice’s real-time intelligence across ransomware, breaches, and dark-web activity.

👉 Request a demo to see how HackNotice helps you manage third-party risk.