
High-impact cyberattacks and breaches: a concise timeline

A fast overview of major ransomware, espionage, and supply-chain attacks and how they evolved


This timeline collects the most significant cyber incidents affecting governments, defense contractors, high-tech firms, and large economic crimes since 2006. It highlights episodes where attacks caused major disruption, exposed huge volumes of data, or produced losses above one million dollars.

The selection emphasizes nation‑state activity, organized cybercrime, and supply‑chain compromises. If you believe an important case is missing, please send details to [email protected] so we can review and update the record.

Across the years recorded here you will notice repeated patterns: use of ransomware and extortion, supply‑chain manipulation, credential theft, and politically motivated DDoS or disruption campaigns.

The timeline documents both technical intrusions—like software compromise and stolen OAuth 2.0 tokens—and socially engineered operations such as spear‑phishing and fake recruitment offers. These incidents illustrate the blurred line between financially motivated cybercrime and state-directed espionage or sabotage.

Late 2026: concentrated intrusions and high‑value thefts

December 2026 saw several high‑profile events: a supply‑chain compromise of a Chrome extension for Trust Wallet led to roughly $7 million in stolen cryptocurrency after a malicious update on December 24th; France’s postal service La Poste and La Banque Postale were hit by a consumer‑impacting DDoS shortly before Christmas; and Venezuela’s PDVSA reported a disruptive ransomware incident on December 15th that affected cargo deliveries. France’s Interior Ministry disclosed on December 12th that its e‑mail servers were accessed, triggering tightened access controls. South Korea’s Coupang announced a major data breach exposing 33.7 million customer accounts; authorities have named a former employee as a suspect and opened investigations.

November and October 2026 continued the trend of mixed motives: North Korea’s Lazarus group reportedly stole $30.4 million from Upbit (reported November 28), while ShinyHunters exploited Gainsight OAuth integrations to access records across more than 200 companies (disclosed November 21). The INC gang disrupted emergency alerts by compromising OnSolve’s CodeRED platform in early November. Other incidents include a U.S. Congressional Budget Office breach (November) and large data exfiltrations affecting airlines and luxury brands during October and September, demonstrating how attackers target both critical infrastructure and customer databases.

Recurring tactics and strategic campaigns

Several cross‑cutting themes run through the timeline. Nation‑state groups repeatedly use espionage to acquire defense, telecom, and research secrets—examples include Chinese targeting of telecommunications and government networks (attributed in mid‑2026), North Korean focus on cryptocurrency and defense supply chains, and Russian operations aimed at political and defense targets. Law enforcement actions also appear: Interpol’s August 2026 “Operation Serengeti 2.0” dismantled many criminal networks, while coalition attributions in 2026 named firms and groups tied to intelligence services.

Supply chain and identity weaknesses

Supply‑chain attacks and identity compromises recur as force multipliers. Notable cases include the 3CX desktop app compromise (April 2026), widespread exploitation of Microsoft SharePoint and Outlook vulnerabilities (various 2026–2026 incidents), and theft of OAuth refresh tokens from Salesloft and Drift integrations (September 2026). These methods show how attackers gain broad access by compromising a single vendor or a single stolen credential. In this sense, a supply‑chain attack means tampering with software or services that many organizations trust in order to pivot to multiple victims at once.

Risks to critical infrastructure

Attacks against industrial and public services appear frequently and sometimes aim for physical consequences. Examples include DDoS and intrusion campaigns against energy firms, water utilities, and transport networks (from 2026 through 2026), the reported seizure of control elements at a Norwegian dam (attributed in August 2026), and attacks on airport operations that forced manual processing at major European hubs. These incidents demonstrate the growing use of cyber operations to pressure states and disrupt essential services.

Practical lessons for organizations

Defenders can reduce exposure by applying layered protections: enforce multi‑factor authentication, segment networks to limit lateral movement, and adopt robust patch management to close known vulnerabilities promptly. Prioritize supply‑chain risk assessments and vet third‑party access. Prepare an incident response plan that includes communications, backups, and legal coordination. Emphasize employee training to counter spear‑phishing and social engineering, and maintain offline backups to mitigate ransom demands. The least privilege model—granting users only the access they need—remains a high‑value control across sectors.

This timeline is a living document intended to show trends and major episodes, not every event since 2006. If you can provide verifiable additions or corrections, please e‑mail details to [email protected] so we can keep the record current and useful to practitioners, policymakers, and the public.


Contacts:
Sarah Palmer

Home & tech editor, 9 years. Interior design diploma (KLC). Smart home and design trends.