THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-30D-010
CYBER · cves zero days · 2026-06-01SCOOP 60

May 2026 Ransomware: 646 Leak-Site Victims Across 61 Groups; Qilin Leads for Fifth Straight Month

Breachsense tracked 646 organizations listed on ransomware leak sites in May 2026, posted by 61 distinct groups across 73 countries and 59 industries.

·FILED ISSUE 2026-06-01·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

VERDICT — CONFIRMED

QA-reviewed confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Cyber desk illustration
Generated desk illustration · The Dossier Wire · not a photograph

Breachsense tracked 646 organizations listed on ransomware leak sites in May 2026, posted by 61 distinct groups across 73 countries and 59 industries. Qilin topped the rankings with 101 claimed victims, holding the number-one spot for the fifth consecutive month, followed by TheGentlemen (70), Akira (52), DragonForce (41) and INC_RANSOM (30). The United States was by far the most-targeted country with 254 listed victims (39.3%), ahead of the United Kingdom (36), Canada (31), Germany (29) and Spain (21).

By sector, manufacturing led with 58 victims, followed by healthcare (54), construction (42), consumer goods (38), and finance and technology (31 each). Breachsense characterized May as the lowest month of 2026, a 16% decline from April's 772 victims and a reversal of a four-month uptrend, though 2026 year-to-date still tracked roughly 18% above 2025's pace. Vendor counts vary by methodology—different trackers attributed slightly different monthly totals to Qilin (for example ~97 by one count)—but all major sources agreed Qilin remained the most active operation and that activity rose only modestly or dipped versus April.

The data reflect the continued dominance of data-theft-and-extortion models and sustained pressure on North American and Western European targets, with healthcare again among the most-hit sectors.

Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-30d-010 · filed 2026-06-01 · https://thedwire.com/wire/cyb-30d-010-may-2026-ransomware-646-leak-site-victims-across-61-groups.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Pro-Iranian hackers tricked Meta's AI support bot into handing over high-pr
Krebs on Security
CYBER · SCOOP 80

Pro-Iranian hackers tricked Meta's AI support bot into handing over high-profile Instagram accounts

Pro-Iranian hackers spent the last weekend of May seizing high-profile Instagram accounts by tricking Meta's AI support assistant into resetting their passwords, Brian Krebs reported. On May 31, word spread across several Telegram channels that Meta's AI bot would happily add a new email address to an existing account as part of its stand

✓ verifiednewSOURCE ↗
READ THE FILE ›
PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026
The Hacker News
CYBER · SCOOP 63

PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026-0257 to KEV

Exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks' PAN-OS GlobalProtect VPN, moved to the top of defenders' weekend queue on May 30 after CISA added the flaw to its Known Exploited Vulnerabilities catalog late Friday and Rapid7 detailed in-the-wild attacks. The bug, first disclosed by Palo Alto Networks on May

✓ verifiednewSOURCE ↗
READ THE FILE ›
Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers
CYBER · SCOOP 80

Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers employee account

Carnival Corporation disclosed a data breach affecting 5,995,277 people, per a notification filed in Maine, with breach-notice letters sent on or about May 27, 2026. According to Carnival, an attacker used social engineering on April 14, 2026 to trick an employee into granting access to part of the company's IT environment; by April 22, 2

✓ verifiedSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.