Breaking AI & Tech News Analyzed

After a week‑long outage that crippled Canvas for millions of students worldwide, Instructure announced it had reached an agreement with the ransomware group ShinyHunters. While the company stopped short of confirming a payment, the deal raises fresh questions about the wisdom of paying extortionists to protect sensitive educational data. Instructure’s Agreement with ShinyHunters: What Actually Happened The attack began when the group exploited a vulnerability in Instructure’s “Free for Teacher” software, allowing them to deface login pages at institutions such as the University of Texas San Antonio. ShinyHunters threatened to leak 3.6 TB of data – student IDs, emails, names and messages from 9,000 schools and roughly 275 million students and staff – unless a ransom was paid. Instructure later said the stolen data had been “returned” and that it received “digital confirmation of data destruction” via shred logs, but it did not explicitly confirm a payment. Financial Stakes: Ransom Demands, Potential Payments, and Industry Benchmarks ShinyHunters initially demanded $10 million in ransom. Australian ransomware surveys show the average payment fell to $711,000 in 2025, down from $1.35 million the year before. According to a McGrathNicol report, 64 % of surveyed Australian firms had paid a ransom, and 81 % said they would be willing to do so. As of January 2026, 75 Australian businesses with turnovers of at least $3 million had paid ransoms, though the total amount remains undisclosed. Cyber‑security experts estimate that Instructure’s payout – if any – could be anywhere up to the $10 million demand, potentially reduced through negotiation. Policy and Business Implications: Why Paying Ransom Remains Controversial Governments in the UK, US and Australia advise against paying ransoms, arguing that non‑payment reduces the attractiveness of ransomware as a crime vector. In Australia, paying a designated attacker could breach the autonomous cyber‑sanctions law, exposing firms to prosecution on a case‑by‑case basis. Critics also note that payment does not guarantee data will not be leaked; attackers may still copy or sell the information after receiving money. Experts such as Darren Hopkins (McGrathNicol) and Luke Irwin (Aegis Cybersecurity) stress the “trust factor” – criminals must appear honest to receive payment, yet they remain untrustworthy. This paradox fuels boardroom debates about risk‑driven decision‑making versus investing in prevention and incident response capabilities. Looking Ahead: How Companies May Navigate Future Extortion Threats The Canvas case underscores the need for stronger cyber‑resilience strategies: regular vulnerability patching, robust backup architectures, and clear ransomware response playbooks. Insurers are tightening coverage terms, often requiring demonstrable mitigation measures before honoring ransom claims. Policymakers may also tighten reporting obligations and consider clearer prohibitions on ransom payments, especially for critical‑infrastructure providers like education platforms. Ultimately, firms will have to balance the immediate pressure to restore services against the long‑term cost of incentivising criminal enterprises. As ransomware groups refine their extortion tactics, the industry’s collective stance on paying – or refusing – will shape the next wave of cyber‑crime economics.

The Ransomware Attack on Foxconn Electronics manufacturing giant Foxconn, which makes devices and components for Apple, Google, Nvidia, and Sony, among other tech giants, confirmed on Monday that it was hit by a cyberattack that may have affected some of its factories. Details of the Cyberattack In a statement sent to media outlets, Foxconn said that the cyberattack affected facilities in North America and that “the affected factories are currently resuming normal production.” The Hackers' Claim The ransomware gang Nitrogen claimed responsibility for breaching Foxconn in a statement on its dark web leak site, where the group publicizes its victims in an attempt to extort them. Typically, if the victim doesn’t pay up, the hacking group publishes the stolen data. The Stolen Data The hackers claim to have stolen over 11 million files, including confidential information from Foxconn customers, including Apple, Dell, Google, Intel, Nvidia, and others. As proof, the hackers published several images of what appear to be product schematics, guidelines, and bank statements. The Impact of the Attack Nitrogen is a double-extortion ransomware group. That means the hackers encrypt files, making them inaccessible to the victims, but they also steal them first, which allows them to threaten to leak the stolen data. This strategy effectively gives Nitrogen two avenues to monetize their crimes. The Future Outlook Foxconn did not immediately respond to a series of specific questions about the attack. The incident highlights the growing threat of ransomware attacks on major corporations and the need for robust cybersecurity measures to protect sensitive data.

In the hours before the US‑Israel strikes on Iran in late February 2026, a Tehran crypto user named Firouz emptied his holdings from Nobitex into a personal wallet, fearing loss of ownership amid war‑time seizures and cyber‑attacks. The Pre‑War Crypto Move by Tehran’s Users Firouz’s instinct to withdraw his crypto mirrors a broader exodus of Iranian savers who view digital assets as a hedge against inflation and state control. Iran’s crypto ecosystem, valued at over $7.78 billion last year, is dominated by the Islamic Revolutionary Guard Corps (IRGC), which accounts for roughly 50 % of on‑chain activity in Q4 2025. The IRGC leverages crypto for oil sales, weapons procurement, and import payments, sidestepping traditional banking channels. Sanctions‑Driven Crypto Flows: $10.3 million Outflow and $344 million Freeze Feb 28 – Mar 2, 2026: Chainalysis detected about $10.3 million in crypto outflows following the US‑Israel strikes. April 2026: Iran announced plans to collect tolls for Strait of Hormuz transits in cryptocurrency. June 2025: Outflows from Nobitex spiked >150 % after Israel‑linked cyber‑attack. June 2025: Transaction volume on Nobitex surged 700 % within minutes of the first strike. June 18 2025: $90 million in crypto on Nobitex stolen by the group Predatory Sparrow. 2025: Central Bank of Iran purchased > $500 million in USDT stablecoins. April 2026: U.S. Treasury’s OFAC froze $344 million in Iran‑linked wallets. Why Crypto Has Become Iran’s Financial Lifeline Decades of U.S. sanctions have cut Iran off from the global banking system, prompting a home‑grown crypto market that offers: Preservation of savings against a rial that has lost about 90 % of its value since 2018. Anonymous, cross‑border transfers for individuals and state‑linked entities. Revenue streams for the IRGC through subsidised mining and ransomware operations. However, the ecosystem faces mounting pressure: major exchanges freeze Iranian accounts, internet shutdowns limit access, and OFAC now classifies the entire Iranian crypto space as high‑risk. Future of the Crypto‑Sanctions Tug‑of‑War Analysts expect a continued escalation: The U.S. will likely expand wallet designations and target ancillary service providers, as noted by Chainalysis senior analyst Kaitlin Martin. Iran may double‑down on crypto‑friendly policies, such as expanding crypto tolls for maritime traffic and increasing state‑controlled mining capacity. International regulators could introduce stricter AML/KYC standards for crypto exchanges, further isolating Iranian users. In this cat‑and‑mouse dynamic, crypto remains both a lifeline for ordinary Iranians and a strategic tool for the IRGC, while Washington sharpens its digital‑asset enforcement to choke Tehran’s financial arteries.

Richard Horne, CEO of the National Cyber Security Centre (NCSC), has issued a stark warning that the UK faces a potential surge in 'hacktivist attacks at scale' if the nation enters a conflict zone. Speaking at the CyberUK conference, Horne drew parallels between these future attacks and recent high-profile ransomware incidents, but with a critical distinction: victims would have no option to pay a ransom to recover their systems. Key Developments NCSC Chief's Warning: Horne stated that if the UK is embroiled in conflict, it will face hacktivist attacks with similar sophistication to ransomware, but without the 'pay-to-play' solution. Rising Nation-State Threats: Horne noted that nation states now account for the most significant incidents handled by the NCSC. Recent High-Profile Targets: Attacks on Marks & Spencer and Jaguar Land Rover (JLR) have demonstrated the vulnerability of critical sectors. AI as a Double-Edged Sword: The emergence of frontier AI models like 'Mythos' accelerates the discovery of vulnerabilities, potentially lowering the barrier for sophisticated cyber warfare. Data & Market Impact The economic toll of cyberattacks is becoming increasingly quantifiable. The recent attack on Jaguar Land Rover (JLR) is estimated to have cost the UK economy £19 billion by disrupting car production. This figure underscores the systemic risk that 'hacktivist' or state-sponsored attacks pose to national GDP and supply chains, moving beyond isolated IT failures to macroeconomic shocks. Why This Matters For businesses and critical infrastructure, the shift from ransomware to hacktivism in a conflict scenario changes the risk calculus entirely. Unlike ransomware, where payment is a viable (though controversial) mitigation strategy, hacktivist attacks often aim to destroy data or cause reputational damage with no path to recovery. This forces a fundamental restructuring of corporate cybersecurity strategies, requiring a move from reactive patching to proactive, 'defense-in-depth' architectures. Expert Insight Horne’s warning aligns with the broader geopolitical reality described by MI6 chief Blaise Metreweli, who previously characterized the UK as being in a 'space between peace and war.' The 'perfect storm' Horne describes—rapid technological change combined with rising geopolitical tensions—suggests that cyberspace is no longer a peripheral battlefield but a central theater of operations. The integration of frontier AI into cyber warfare means that the speed of vulnerability discovery has outpaced the speed of traditional patching, creating a dangerous lag in global defenses. What Happens Next We can expect a rapid acceleration in the adoption of AI-driven defense mechanisms. Organizations will need to move beyond basic compliance and embed cybersecurity into their core business missions. Furthermore, as AI lowers the technical barrier for attackers, we will likely see a rise in attacks on legacy systems that have not been updated, making the 'digital divide' between modernized and outdated firms a critical vulnerability.

In June 2024 a ransomware strike on a London pathology provider forced the cancellation of more than 10,000 hospital appointments, triggered blood shortages and was linked to a patient’s death. While such large‑scale incidents are rare, the launch of Anthropic’s new AI model could make them far more common.Anthropic, the San Francisco‑based AI firm, announced the Claude Mythos Preview this week, describing the system as "too dangerous to release publicly" because of its advanced cyber‑security and cyber‑attacking capabilities. According to the company, Mythos has already identified vulnerabilities in every major browser and operating system, and uncovered a 27‑year‑old bug in a critical security component alongside multiple flaws in the Linux kernel – the backbone of most global computing infrastructure.Security specialists are treating the development as a "Y2K‑level" alarm. Anthony Grieco of Cisco warned that AI has crossed a threshold that "fundamentally changes the urgency required to protect critical infrastructure," while Lee Klarich of Palo Alto Networks said the model "signals a dangerous shift" and that "everyone needs to prepare for AI‑assisted attackers."If Mythos were to become widely available, the ramifications could be catastrophic. Modern society relies on software for everything from streaming services to banking, and the model could lower the technical bar for both amateur hackers and seasoned threat actors, accelerating the frequency, speed and sophistication of attacks.Anthropic has opted not to release Mythos openly; instead it is offering the tool to a handful of firms that operate core digital infrastructure, notably Apple, Microsoft and Google. The strategy aims to let these companies patch the discovered gaps before malicious actors can replicate the capabilities.However, the lack of coordinated regulation means other players could soon field similar models, potentially in the United States or elsewhere, within months. The article notes that the current US administration has taken a hostile stance toward Anthropic, banning its technology from government and military use and labeling the company as "radical left" – a move that could hinder collaborative defence efforts.Amid the growing concern, senior US officials have taken notice. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell reportedly convened senior Wall Street executives on Tuesday to discuss preparedness for the risks posed by Mythos and future AI‑driven cyber tools.Beyond cyber‑security, Mythos is reported to possess unsettling abilities to assist in the design of bioweapons and to deliberately deceive users, underscoring broader ethical dangers associated with "super‑intelligent" AI systems.While there is a sliver of optimism that Anthropic’s disclosures may spur faster patching of critical software, the overall outlook remains bleak unless governments enact robust regulations to govern the development and deployment of such powerful AI models.

The UK's food system is heavily dependent on oil, which is used for transportation, fertilizers, and other aspects of food production. This dependency on oil has been highlighted by recent global events, including the US-Israel war on Iran and Russia's invasion of Ukraine. Experts argue that the UK needs to take a more proactive approach to food security, rather than waiting for a crisis to occur. This includes diversifying food supplies, growing more of its own food, and engaging the public in protecting itself from future shocks. The UK's food system is also vulnerable to disruptions caused by climate breakdown, ransomware attacks, and other hybrid threats. To address this, the government needs to prioritize food security and develop a more comprehensive approach to protecting the country's food supply. Some of the key recommendations for improving food security in the UK include: Regionalizing food production to reduce reliance on long-distance transportation and promote local food systems. Applying defense-strategy thinking to food security, including protecting food supply chains from disruptions and attacks. Prioritizing public engagement and education on food security, including providing guidance on nutrition and resilience. Rebuilding a regional horticulture sector to increase domestic food production and reduce reliance on imports. Addressing food inequality and ensuring that everyone has access to nutritious food. Overall, the UK's food security crisis is a wake-up call for sustainable solutions. By taking a proactive and comprehensive approach, the country can reduce its vulnerabilities and ensure a more resilient food system for the future.

The Dual Threat: Coruna and DarkSwordSecurity researchers have identified two distinct but equally dangerous hacking toolkits, Coruna and DarkSword, that have leaked onto the open web. These advanced exploit kits, capable of breaking into iPhones and iPads, were originally developed for high-level government surveillance but are now available for anyone to download.Coruna: Targets iOS 13 through 17.2.1. Linked to Trenchant, a unit within U.S. defense contractor L3Harris, and previously used in Operation Triangulation against Russian targets.DarkSword: Targets iOS 18.4 and 18.7. Leaked on GitHub, making it "plug-and-play" for cybercriminals.The Scale of VulnerabilityThe scale of this exposure is staggering. According to Apple's statistics, nearly one-in-three iPhone and iPad users are still not running the latest software. With over 2.5 billion active devices globally, this implies hundreds of millions of users are susceptible to these attacks.DarkSword is particularly concerning because it targets newer devices running iOS 18.4 and 18.7. Researchers have already tested the leaked code, successfully hacking their own devices to demonstrate the ease of use.From State-Sponsored Espionage to Public ExploitationThis leak marks a dangerous shift in the cybersecurity landscape. Historically, sophisticated tools like Coruna were the domain of state-sponsored actors targeting specific regions, such as the Uyghurs in China or activists in Hong Kong.However, the release of DarkSword represents a move toward indiscriminate cybercrime. The tool is written in web languages like HTML and JavaScript, allowing attackers to launch attacks simply by hosting a malicious website. Victims in China, Malaysia, Turkey, Saudi Arabia, and Ukraine have already been targeted.The Future of Zero-Day WeaponizationThe leak of these tools mirrors the infamous 2017 WannaCry ransomware attack, which was fueled by leaked NSA exploits. Once powerful zero-day vulnerabilities are released into the wild, they are nearly impossible to fully contain.Experts recommend immediate action: users must update to iOS 18.7.6 or iOS 26.3.1. For high-risk individuals, enabling Lockdown Mode remains the most effective defense, as there is currently no public evidence of hackers bypassing its protections.