ZeroFox Daily Intelligence Brief - February 19, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Germany’s National Rail Operator Targeted in Disruptive Cyberattack
  • Fake Version of Popular AI Chatbot Used to Sell Sham Crypto Coin
  • First-of-its-Kind Payment Validation Fraud Uncovered

Germany’s National Rail Operator Targeted in Disruptive Cyberattack

Source: https://www.reuters.com/technology/german-railway-booking-systems-hit-by-ddos-attack-2026-02-18/

What we know: Deutsche Bahn, Germany’s national railway operator, suffered a Distributed Denial-of-Service (DDoS) attack that temporarily knocked key digital services offline.

Context: The attack disrupted the company’s website (bahn[.]de) and the DB Navigator travel app, preventing customers from accessing booking and timetable systems for several hours on February 17, 2026; services were restored by February 18.

Analyst note: DDoS attacks are largely associated with hacktivist activity and are usually claimed shortly afterward by threat actors supporting a geopolitical cause. At the time of reporting, this attack has not been claimed by its perpetrators. This likely signals a low-visibility actor prioritizing operational impact over propaganda, testing Deutsche Bahn’s resilience ahead of future attacks without drawing immediate public attribution.

Fake Version of Popular AI Chatbot Used to Sell Sham Crypto Coin

Source: https://www.darkreading.com/endpoint-security/scam-abuses-gemini-chatbots-convince-people-buy-fake-crypto

What we know: Threat actors are reportedly deploying fake versions of a popular and trusted AI chatbot to sell a sham cryptocurrency coin, also named after a well-known tech giant. Researchers discovered the fake chatbot on a “presale” website for the crypto coin, mimicking the brand’s visual style.

Context: The scam utilizes both a phishing site and a fake chatbot to urge victims to send the attackers their cryptocurrency. The fake chatbot allegedly never broke character and consistently sold the coin like a salesperson.

Analyst note: AI chatbots will almost certainly be deployed increasingly by threat actors for social engineering scams that previously required human-to-human interaction. Social engineering scams that use AI are also likely to enable attackers to target victims at scale and operate around the clock.

First-of-its-Kind Payment Validation Fraud Uncovered

Source: https://www.theregister.com/2026/02/18/fraudster_hotel_hack_one_cent_luxury_room/

What we know: A hacker reportedly manipulated the payment validation system of a hotel booking site to stay in luxury hotels, paying as little as one cent.

Context: Initially, the payments appeared legitimate to the hotel's management system. The fraud came to light after the booking site suspected foul play while attempting to transfer the actual amounts to the hotels. The booking site’s report led to a legal investigation, eventually resulting in the hacker's arrest at a five-star hotel in Madrid.

Analyst note: This technique for altering the payment validation process is relatively new and will likely serve as a blueprint for other threat actors. By combining this tactic with the existing “I paid twice” and other phishing campaigns, swindlers can refine their financial fraud schemes even further.

DEEP AND DARK WEB INTELLIGENCE

BreachForums user lucy: Threat actor “lucy” has been observed advertising access to a Kodex account on BreachForums, claiming it is linked to a law enforcement entity. Kodex is a U.S.-based cloud platform that facilitates the exchange of legal demands between law enforcement and private sector organizations. The threat actor claims buyers would receive KodexGlobal login credentials and access to the associated law enforcement email account, enabling submission of fraudulent emergency data requests (EDRs). If the seller's claims are true, buyers are likely to use the offered credentials to impersonate law enforcement and obtain sensitive user data from private-sector organizations through false requests.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-1670: This is a critical “missing authentication for critical function” flaw that affects Honeywell CCTV products. The flaw enables attackers to gain unauthorized access to camera feeds by changing the recovery email address linked to the device, leading to account takeover. The root cause is an exposed, unauthenticated API endpoint responsible for the “forgot password” functionality. Attackers are likely to sell real-time recording manipulation as a service or misuse it in their own interest. Moreover, espionage-focused threat actors, such as state-backed groups, are likely to use this as a stepping stone to monitor their targets' operations, including critical infrastructure setups.

Affected products: I-HIB2PI-UL 2MP IP 6.1.22.1216, SMB NDAA MVO-3 WDR_2MP_32M_PTZ_v2.0, PTZ WDR 2MP 32M WDR_2MP_32M_PTZ_v2.0 and 25M IPC WDR_2MP_32M_PTZ_v2.0.
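The flaw class described above, as an added illustration that is not Honeywell's code and not the CVE's actual endpoint: a hypothetical forgot-password handler that accepts a caller-supplied recovery address, beside a hardened version in which the unauthenticated reset path never mutates account state and a recovery-address change requires an authenticated session plus confirmation from the new address. All function names, the in-memory account store and the outbox are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    recovery_email: str
    sessions: set = field(default_factory=set)         # ids of authenticated sessions
    pending_email: dict = field(default_factory=dict)  # confirm token -> new address

ACCOUNTS = {"camera-admin": Account("camera-admin", "owner@example.com")}  # constructed
OUTBOX: list = []  # (recipient, purpose) records standing in for sent e-mail

def forgot_password_vulnerable(username, recovery_email=None):
    """Unauthenticated endpoint that trusts a caller-supplied recovery address:
    the reset link can be redirected to any mailbox the caller names."""
    acct = ACCOUNTS[username]
    if recovery_email:                 # the defect: no proof of account ownership
        acct.recovery_email = recovery_email
    OUTBOX.append((acct.recovery_email, "password-reset:" + secrets.token_urlsafe(16)))
    return acct.recovery_email

def forgot_password_hardened(username, **ignored):
    """Unauthenticated by necessity, so it must not mutate account state: it only
    mails a token to the address already on file and tells the caller nothing."""
    acct = ACCOUNTS.get(username)
    if acct is not None:               # unknown users get the identical response
        OUTBOX.append((acct.recovery_email, "password-reset:" + secrets.token_urlsafe(16)))
    return "If the account exists, a reset link has been sent."

def request_recovery_email_change(username, session_id, new_email):
    """Critical function: requires an authenticated session, and the change only
    takes effect once the new address proves it received the confirmation token."""
    acct = ACCOUNTS[username]
    if session_id not in acct.sessions:
        raise PermissionError("authentication required")
    token = secrets.token_urlsafe(16)
    acct.pending_email[token] = new_email
    OUTBOX.append((new_email, "confirm-recovery-email:" + token))
    return token

def confirm_recovery_email_change(username, token):
    """Second factor of the change: the token was only ever mailed to new_email."""
    acct = ACCOUNTS[username]
    new_email = acct.pending_email.pop(token, None)
    if new_email is None:
        return False
    acct.recovery_email = new_email
    return True
```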

Tags: DIB, tlp:green