Portfolio, 1 July 2026

48,000 Attacks in Thirty Days

By Critical Ventures


The raw data

June wasn't a quiet month. Hackurity, a Rotterdam-based autonomous security company we backed in late 2025, publishes monthly threat intelligence reports drawn from their global sensor network. The June edition covers 30 days of live attack data from enterprise infrastructure worldwide. The numbers are specific enough to be useful.

48,957 threat events. 2,207 unique attacker IPs. 142 confirmed exploit attempts. 1,806 credential stuffing attacks. 86 countries. 15 critical CVEs actively targeted — all in a single calendar month.

The targeted platforms aren't surprising: Fortinet FortiGate, Ivanti Connect Secure, Citrix NetScaler, and React/Next.js applications all appear in Hackurity's detected attack chains. FortiBleed fits squarely in that pattern. It wasn't a zero-day — it was systematic exploitation of credential exposure in widely deployed infrastructure. Security researchers at Arctic Wolf, Bitsight, and the Cloud Security Alliance independently confirmed that the campaign extracted configuration files and cracked credential hashes at scale, covering authentication bypass vulnerabilities across multiple FortiGate CVEs (including CVE-2026-24858 flagged by CISA in January).

This is the recurring theme in the data: attackers aren't doing anything particularly novel. They're using known CVEs on infrastructure that hasn't been patched, through credentials that have already leaked somewhere else. The gap is operational, not technical.

Credential stuffing at industrial scale

1,806 credential stuffing attacks in 30 days sounds like an abstract number. Each one is an automated attempt to match stolen usernames and passwords against live enterprise systems — running continuously, at scale, in the background.

The supply side of the problem is well documented. Verizon's Data Breach Investigations Report consistently names stolen credentials among the top initial access vectors, appearing in approximately 22% of analyzed breaches. The reason it keeps working is simple: password reuse across services remains pervasive, and the credential pools available to attackers are large. A June 2026 discovery of an exposed Elasticsearch cluster reportedly containing billions of stolen credentials — enriched with live CVE data to help prioritize targets — illustrated the kind of infrastructure attackers have to work with (note: the figure circulating from this incident is approximate and comes from a single news report).

Geography matters here too. Germany accounts for 37% of the attack traffic in Hackurity's June dataset, with Contabo GmbH identified as the top threat source. That's not necessarily a statement about German threat actors — it's a statement about how cloud and hosting infrastructure is being abused as launch infrastructure. Three Tor exit nodes were also observed conducting reconnaissance and exploitation attempts.
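The section above describes what credential stuffing looks like from the target's side: one source working through many stolen username/password pairs, most of them failing, with the occasional hit. The following is an added example written for this post, not Hackurity's code or anything derived from their sensor network. It runs a simple detector over a constructed authentication log (the four-field line format, the IP addresses from documentation ranges, the usernames and the thresholds are all assumptions) and separates credential stuffing (many distinct usernames, each tried once or twice) from single-account password guessing (one username, many attempts). A successful login inside a flagged burst is reported separately, because that is the account a responder needs to look at first.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example, not Hackurity's code. Assumes a constructed log format:
    "<ISO timestamp> <src_ip> <username> <SUCCESS|FAIL>"
Credential stuffing: one source, many *distinct* usernames, each tried only
once or twice, high failure rate. Brute force: one source, one or two
usernames, many attempts. Both are flagged, with different verdicts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, invented usernames).
SAMPLE_LOG = """\
2026-06-03T10:00:01 203.0.113.7 alice FAIL
2026-06-03T10:00:02 203.0.113.7 bob FAIL
2026-06-03T10:00:02 203.0.113.7 carol FAIL
2026-06-03T10:00:03 203.0.113.7 dave FAIL
2026-06-03T10:00:03 203.0.113.7 erin FAIL
2026-06-03T10:00:04 203.0.113.7 frank SUCCESS
2026-06-03T10:00:04 203.0.113.7 grace FAIL
2026-06-03T10:00:05 203.0.113.7 heidi FAIL
2026-06-03T10:00:05 203.0.113.7 ivan FAIL
2026-06-03T10:00:06 203.0.113.7 judy FAIL
2026-06-03T10:00:10 198.51.100.9 admin FAIL
2026-06-03T10:00:11 198.51.100.9 admin FAIL
2026-06-03T10:00:12 198.51.100.9 admin FAIL
2026-06-03T10:00:13 198.51.100.9 admin FAIL
2026-06-03T10:00:14 198.51.100.9 admin FAIL
2026-06-03T10:00:15 198.51.100.9 admin FAIL
2026-06-03T10:00:16 198.51.100.9 admin FAIL
2026-06-03T10:00:17 198.51.100.9 admin FAIL
2026-06-03T10:00:18 198.51.100.9 admin FAIL
2026-06-03T10:00:19 198.51.100.9 admin FAIL
2026-06-03T10:05:00 192.0.2.44 alice FAIL
2026-06-03T10:05:20 192.0.2.44 alice SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def _busiest_window(evts: list[AuthEvent], window_s: int) -> list[AuthEvent]:
    """Sliding window: return the densest run of events within window_s seconds."""
    evts = sorted(evts, key=lambda e: e.ts)
    best, start = [], 0
    for end in range(len(evts)):
        while evts[end].ts - evts[start].ts > timedelta(seconds=window_s):
            start += 1
        if end - start + 1 > len(best):
            best = evts[start:end + 1]
    return best


def classify_sources(events, window_s=60, min_attempts=10, min_fail_ratio=0.8,
                     stuffing_min_users=8, stuffing_max_per_user=2.0, brute_max_users=2):
    """Return {src_ip: finding} for sources whose busiest window looks hostile.
    Thresholds are assumptions for the example, not tuned production values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = {}
    for ip, evts in by_ip.items():
        win = _busiest_window(evts, window_s)
        attempts = len(win)
        failures = sum(not e.success for e in win)
        distinct = len({e.user for e in win})
        if attempts < min_attempts or failures / attempts < min_fail_ratio:
            continue  # low volume or mostly successful: normal traffic
        if distinct >= stuffing_min_users and attempts / distinct <= stuffing_max_per_user:
            verdict = "credential_stuffing"   # many users, ~1 try each
        elif distinct <= brute_max_users:
            verdict = "brute_force"           # few users, many tries
        else:
            verdict = "suspicious_auth_burst"
        findings[ip] = {
            "verdict": verdict, "attempts": attempts, "distinct_users": distinct,
            "failures": failures,
            # accounts that authenticated inside a hostile burst: likely compromised
            "successful_logins": sorted(e.user for e in win if e.success),
        }
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The distinguishing ratio is attempts per distinct username: stuffing stays near one because each leaked pair is tried once, whereas guessing piles attempts onto a single account. In practice the source key would often be an ASN or hosting provider rather than a single IP, which is exactly why the report's per-provider attribution (Contabo in June) is more actionable than the raw IP list.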

State actors and ransomware groups

The June report identifies two Iranian state-sponsored botnets — suspected APT35/Charming Kitten — running login brute force and credential stuffing operations across enterprise targets.

This is consistent with the broader 2026 picture. Research from Trellix and others has documented that APT35 had systematically pre-compromised digital infrastructure in Gulf states, Jordan, and Israel well ahead of Iran's February 2026 Operation Epic Fury — indicating that cyber operations in geopolitically sensitive contexts run significantly ahead of any kinetic activity. For organizations in critical infrastructure, financial services, or defense supply chains, that's relevant context for how to interpret persistent low-level intrusion attempts. They're rarely random.

On ransomware: 100 confirmed victims across 31 active groups in June alone. Qilin leads the dataset with 14 victims, which tracks with its position as the most active ransomware-as-a-service operation globally through 2026. Analysis from Barracuda Networks and Computer Weekly puts Qilin's 2026 victim count above 500, with manufacturing, business services, and healthcare as its most targeted sectors. The group offers affiliates up to 85% of ransom revenue — a revenue share that has concentrated experienced operators under one umbrella. Qilin's recent deployment by North Korea-linked Moonstone Sleet (documented by Microsoft in 2025) is a reminder that the lines between criminal and state-adjacent operations continue to blur.

The report also flags TLS fingerprint monitoring covering 97 known malware signatures — including 45 variants of the Tofsee botnet — and a detected worm propagating through React/Next.js honeypots with active command-and-control infrastructure. Not hypothetical risks.

About Hackurity's threat intelligence program

Hackurity publishes two series of reports, both freely accessible:

  • Monthly Threat Intelligence Reports — released on the 1st of each month, covering the prior 30 days. The archive dates back to October 2025 and includes full CVE analysis, attacker IP data, TTP breakdowns, and botnet activity.
  • Quarterly Ransomware Landscape Reports — deeper analysis of the ransomware ecosystem: victim counts, active groups, sector targeting, and operational trends. The Q1 2026 edition tracked 2,318 confirmed victims across 270 active groups.

All reports are available at hackurity.io/threatintel.

The data comes from Hackurity's global sensor network — honeypots and monitoring infrastructure deployed across enterprise environments. It's attacker-observed rather than modeled, which makes it a more direct read on what's actually being attempted at any given time.

Hackurity's core product stack — which they call Autonomous Red Teaming (ART) — runs four services continuously: Managed Autonomous Reconnaissance (MAR) for external attack surface mapping; Managed Autonomous Pentesting (MAP) for chaining discovered vulnerabilities into real attack paths without disrupting production systems; Autonomous Threat Intelligence (ATI) for dark web monitoring, breach correlation, and impersonation infrastructure detection; and Autonomous Brand Defence (ABD) for identifying and taking down fake domains and phishing infrastructure. The platform is ISO 27001 certified and operates out of Rotterdam, Netherlands.

What this data is actually for

Threat intelligence like this is most useful when it shifts the conversation from "are we compliant?" to "how would an attacker move through our environment right now?" Those questions have different answers, and they point to different priorities.

At Critical Ventures, we back companies working on the operational gap in security — the space between knowing about an exposure and actually being able to act on it. Continuous, automated insight is one part of that. Hackurity's monthly reports give security teams a standing view of what's being actively exploited across enterprise infrastructure, which is different from a point-in-time assessment.

If you're building in autonomous security, continuous testing, or threat intelligence infrastructure and want to compare notes, we'd like to hear from you.

Download the June 2026 Threat Intelligence Report