Advisories

ZeroFox Daily Intelligence Brief - February 9, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Campaign to Recruit Cryptocurrency Insiders
  • Ransomware Hits Major Financial Service, Causes Large-Scale Service Outage
  • France Flags Alleged Russia-Linked Disinformation Linking Macron and Epstein

ZeroFox Intelligence Flash Report - Campaign to Recruit Cryptocurrency Insiders

Source: https://www.zerofox.com/advisories/38280/

What we know: A newly registered and untested threat actor, “LocalVulture,” has posted on popular dark web forum Exploit, seeking potential partners to recruit insiders within large cryptocurrency exchanges, preferably those from “third-world” countries.

Context: LocalVulture specifies that, once suitable insiders have been identified, partners are expected to rely on social engineering techniques to establish and maintain effective communication with them. LocalVulture also shared three categories of insider individuals along with a guidance manual for approaching and profiling prospective insiders.

Analyst note: The post likely indicates that the actor intends to use recruited insiders for operations beyond financial fraud, such as ransomware deployment, data extortion, and cyber espionage, to infiltrate and target major cryptocurrency exchanges.

Ransomware Hits Major Financial Service, Causes Large-Scale Service Outage

Source: https://www.bleepingcomputer.com/news/security/payments-platform-bridgepay-confirms-ransomware-attack-behind-outage/

What we know: U.S.-based payment gateway provider BridgePay has suffered a ransomware attack that forced key payment processing systems offline, reportedly triggering a nationwide outage. At the time of writing, the company states that no payment card data was accessed.

Context: The attack on BridgePay also rendered the City of Frisco, Texas's Utility Billing payment portal unavailable. Multiple core services and connected entities remain impacted, including the BridgePay Gateway API, PayGuardian, MyBridgePay, hosted payment pages, and boarding portals.

Analyst note: Given the company's statement that no payment card data was affected, the service disruptions likely indicate that the actor is pursuing extortion through operational pressure rather than data theft. The threat actor's objective is likely large-scale disruption and leverage: disrupting payment pipelines creates immediate real-world pressure on BridgePay and its connected entities to restore services quickly.

France Flags Alleged Russia-Linked Disinformation Linking Macron and Epstein

Source: https://www.reuters.com/world/europe/pro-russia-disinformation-falsely-links-macron-epstein-french-government-source-2026-02-06/

What we know: France has reportedly uncovered a pro-Russia disinformation campaign linking President Emmanuel Macron with Jeffrey Epstein, originating from a fake news website and amplified through X video posts.

Context: The counterfeit domain impersonating the online news daily France-Soir was taken down, but the disinformation videos are still circulating on X. The French government source added that the tactics observed were similar to those of the pro-Russia group Storm-1516, which U.S. authorities flagged for interfering in the 2024 U.S. presidential election.

Analyst note: The incident suggests that Russia-linked disinformation campaigns are likely to persist even outside electoral periods, exploiting political instability and anti-incumbency sentiment while leveraging opportunistic high-profile events.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Golden Falcon: Threat actor "Golden Falcon" claimed on Telegram to have identified coordinates of alleged Israeli defense facilities linked to the Soreq Nuclear Center, including Arrow missile system infrastructure. If the claims are accurate, the disclosure likely poses an operational security risk by aiding hostile surveillance, targeting, or intimidation efforts against sensitive military assets.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-24423: This is a missing-authentication vulnerability, now patched, in SmarterTools SmarterMail that leads to remote code execution (RCE) via the ConnectToHub API. CISA has flagged this flaw as being actively exploited by ransomware actors. Threat actors are likely to use this bug to steal sensitive email content, logs, and contacts, and then attempt to encrypt the data to demand a ransom.

Affected products: SmarterTools SmarterMail versions prior to build 9511

Tags: DIB, tlp:green