ZeroFox Daily Intelligence Brief - February 5, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Italy Stops Russia-Attributed Cyberattacks on High-Profile Targets
  • Drugs Marketplace Incognito Market Operator Sentenced to 30 Years in Prison
  • Coinbase Confirms Insider Data Breach After Scattered Lapsus$ Hunters’ Brief Disclosure

Italy Stops Russia-Attributed Cyberattacks on High-Profile Targets

Source: https://www.reuters.com/world/italy-foiled-russia-linked-cyberattacks-embassies-olympic-sites-minister-says-2026-02-04/

What we know: Italy said it has thwarted cyberattacks targeting Foreign Ministry facilities, including its Washington embassy, and Olympics-related websites and hotels. Foreign Minister Antonio Tajani has reportedly attributed the activity to actors of Russian origin.

Context: The cyberattacks come as the Winter Games in Italy are scheduled to begin on February 6, 2026. ZeroFox has released an advisory warning of possible cyber threats to the Winter Games.

Analyst note: Although no other details of the attacks have been confirmed at the time of writing, it is likely that the Russia-attributed cyberattacks are retaliation for the International Olympic Committee (IOC) restrictions that prevent Russian athletes from competing under the Russian flag and only allow participation as Individual Neutral Athletes (AINs).

Drugs Marketplace Incognito Market Operator Sentenced to 30 Years in Prison

Source: http://securityaffairs.com/187623/deep-web/taiwanese-operator-of-incognito-market-sentenced-to-30-years-over-105m-darknet-drug-ring.html

What we know: The operator of the dark web drug marketplace “Incognito Market” has been sentenced to 30 years in prison in the United States. Incognito Market sold over one ton of narcotics worth more than USD 105 million worldwide between 2020 and 2024.

Context: The admin operating under the alias “Pharaoh” managed Incognito Market from places like St. Lucia, a country in the Caribbean. Vendors paid a 5 percent fee on each sale of drugs like cocaine, meth, and fentanyl-laced pills, among other narcotics. The transactions were carried out using a built-in cryptocurrency bank to ensure anonymity.

Analyst note: Law enforcement action targeting transnational operators of cybercrime forums is very likely to create a perception of increasing risk and uncertainty within cybercrime circles. Law enforcement very likely already has access to the data held on Incognito Market, which can provide leads on other cybercriminals and drug trafficking networks.

Coinbase Confirms Insider Data Breach After Scattered Lapsus$ Hunters’ Brief Disclosure

Source: https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/

What we know: U.S.-based cryptocurrency company Coinbase has confirmed a new insider breach that affected approximately 30 customers. Coinbase said a contractor had gained unauthorized access to the data. This incident is unrelated to a January 2025 insider breach.

Context: The confirmation comes after the threat collective Scattered Lapsus$ Hunters posted on Telegram, and later deleted, screenshots exposing an internal Coinbase support interface that revealed email addresses, names, dates of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions. Coinbase has yet to confirm whether the leaked screenshots were directly sourced from the contractor involved.

Analyst note: This incident highlights a recurring "insider-for-hire" strategy used by threat groups to leverage employees with privileged access. Additionally, threat actors are likely to target employees of business process outsourcing (BPO) firms, who often have high-level access to multiple sensitive corporate environments simultaneously.

DEEP AND DARK WEB INTELLIGENCE

University of Pennsylvania data breach: The ShinyHunters extortion group has claimed to have leaked over 1.2 million records belonging to the University of Pennsylvania, containing personally identifiable information (PII) and donation data. ShinyHunters also warned targeted entities that refusing to pay ransom will only aggravate the group further. The data breach is likely legitimate given the extortion group’s reputation. If the data is publicly leaked or sold to other threat actors, it is likely to be used for phishing, social engineering, and identity theft attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-25049: This is a remote code execution (RCE) flaw in the n8n workflow automation platform that stems from weak sanitization of server-side JavaScript expressions and bypasses existing sandbox protections. An authenticated user who is authorized to create or edit workflows can exploit it to escape the n8n environment and execute arbitrary system commands on the host. Threat actors are likely to leverage this flaw to craft malicious workflows that can lead to full server compromise and post-exploitation data theft.

Affected products: n8n versions prior to 1.123.17 and 2.5.2

Tags: DIB, tlp:green