- Record ID
- POST-0015974D9BBFA468
- Published
- 2026-06-06
- Category
- DDoS Attack
- Network
- telegram
- Actor label
- NXBB.SEC
- Country metadata
- Thailand
- Industry metadata
- Mental Health Care
H1 2026 collected threat record study
AdverseMonitor recorded 29,858 unique posts_summary rows from January through June 2026. DDoS Attack was the largest category at 6,796 records (22.8%). Each row is a collected source observation, not proof of a confirmed incident.
What the data says
The dataset contains 13 category labels and 4 network labels. telegram contributed 14,931 records (50%). These counts measure collected records. One event may produce more than one record when separate sources publish it.
Monthly record volume
| Month | Records | Share of H1 |
|---|---|---|
| 2026-01 | 5,147 | 17.2% |
| 2026-02 | 4,789 | 16% |
| 2026-03 | 6,148 | 20.6% |
| 2026-04 | 4,031 | 13.5% |
| 2026-05 | 4,799 | 16.1% |
| 2026-06 | 4,944 | 16.6% |
Top categories
| Rank | Category | Records | Share |
|---|---|---|---|
| 1 | DDoS Attack | 6,796 | 22.8% |
| 2 | Data Breach | 5,882 | 19.7% |
| 3 | Ransomware | 4,502 | 15.1% |
| 4 | Defacement | 4,329 | 14.5% |
| 5 | Initial Access | 3,526 | 11.8% |
| 6 | Data Leak | 3,420 | 11.5% |
| 7 | Alert | 672 | 2.3% |
| 8 | Malware | 357 | 1.2% |
| 9 | Cyber Attack | 185 | 0.6% |
| 10 | Vulnerability | 143 | 0.5% |
Source networks
| Rank | Network | Records | Share |
|---|---|---|---|
| 1 | telegram | 14,931 | 50% |
| 2 | openweb | 9,830 | 32.9% |
| 3 | tor | 5,096 | 17.1% |
| 4 | discord | 1 | 0% |
Countries and industries in record metadata
A record can contain more than one country or industry. Percentages in these tables use all 29,858 summary records as the denominator, so a column can sum to more than 100%.
Countries
| Rank | Country label | Records | Share |
|---|---|---|---|
| 1 | USA | 3,066 | 10.3% |
| 2 | Israel | 1,783 | 6% |
| 3 | Indonesia | 1,224 | 4.1% |
| 4 | India | 975 | 3.3% |
| 5 | France | 815 | 2.7% |
| 6 | Thailand | 733 | 2.5% |
| 7 | UK | 571 | 1.9% |
| 8 | Ukraine | 443 | 1.5% |
| 9 | Spain | 382 | 1.3% |
| 10 | Germany | 373 | 1.2% |
Industries
| Rank | Industry label | Records | Share |
|---|---|---|---|
| 1 | Government Administration | 2,941 | 9.8% |
| 2 | Education | 1,200 | 4% |
| 3 | Information Technology (IT) Services | 846 | 2.8% |
| 4 | Financial Services | 732 | 2.5% |
| 5 | E-commerce & Online Stores | 534 | 1.8% |
| 6 | Government & Public Sector | 533 | 1.8% |
| 7 | Transportation & Logistics | 466 | 1.6% |
| 8 | Network & Telecommunications | 459 | 1.5% |
| 9 | Building and construction | 403 | 1.3% |
| 10 | Hospital & Health Care | 368 | 1.2% |
Threat actor labels
Actor names reproduce the metadata stored with each source record. AdverseMonitor did not merge aliases for this release.
| Rank | Actor label | Records | Share |
|---|---|---|---|
| 1 | NoName057(16) | 1,376 | 4.6% |
| 2 | BABAYO EROR SYSTEM | 655 | 2.2% |
| 3 | Qilin | 440 | 1.5% |
| 4 | The Gentlemen | 368 | 1.2% |
| 5 | Keymous Plus | 345 | 1.2% |
| 6 | Hax.or | 330 | 1.1% |
| 7 | DieNet | 265 | 0.9% |
| 8 | RipperSec | 221 | 0.7% |
| 9 | akira | 214 | 0.7% |
| 10 | Dark Storm Team | 212 | 0.7% |
Three real record examples
These examples come from posts_details. Organization names and source URLs are omitted here. The fields describe the collected record and do not confirm the underlying claim.
- Record ID
- POST-000D25C2C7CFFB10
- Published
- 2026-02-18
- Category
- Data Breach
- Network
- openweb
- Actor label
- killaTheGoat
- Country metadata
- USA
- Industry metadata
- Automotive
- Record ID
- POST-000B35663DEBB375
- Published
- 2026-04-28
- Category
- Ransomware
- Network
- tor
- Actor label
- CL0P
- Country metadata
- Canada
- Industry metadata
- Building and construction
Data quality and table overlap
Field completeness in posts_summary
| Field | Populated rows | Completeness |
|---|---|---|
| category | 29,858 / 29,858 | 100% |
| network | 29,858 / 29,858 | 100% |
| threat_actors | 20,628 / 29,858 | 69.1% |
| victims_countries | 19,042 / 29,858 | 63.8% |
| victims_industries | 17,230 / 29,858 | 57.7% |
| victims_organizations | 16,850 / 29,858 | 56.4% |
Shared-field consistency
| Field | Compared UUIDs | Mismatches | Match rate |
|---|---|---|---|
| published_at | 29,853 | 1 | 99.997% |
| category | 29,853 | 1 | 99.997% |
| network | 29,853 | 9,146 | 69.363% |
| threat_actors | 29,853 | 145 | 99.514% |
| victims_countries | 29,853 | 138 | 99.538% |
| victims_industries | 29,853 | 124 | 99.585% |
| victims_organizations | 29,853 | 115 | 99.615% |
| is_reported_by_victim | 29,853 | 0 | 100% |
| is_threat_actor_claimed | 29,853 | 0 | 100% |
The network field produced the largest difference. telegram → (blank): 4,346 UUIDs; openweb → (blank): 3,325 UUIDs; tor → (blank): 1,473 UUIDs; tor → openweb: 1 UUIDs. Different nonblank network labels affected 1 UUIDs.
posts_summary contained 5 UUIDs not present in the period-matched posts_details set. posts_details contained 1 UUIDs not present in the summary set. The victim-reported flag was true on 401 records (1.3%); the threat-actor-claimed flag was true on 38 records (0.1%).
Methodology
- Queried posts_summary and posts_details for published_at values from 2026-01-01T00:00:00Z up to, but not including, 2026-07-01T00:00:00Z.
- Rejected rows whose published_at value could not be parsed into the same UTC period.
- Counted posts_summary UUIDs as the analysis denominator. Compared UUIDs with posts_details to measure table overlap.
- Compared nine shared fields for every UUID present in both tables after trimming leading and trailing whitespace in text fields.
- Split actor, country, and industry text fields on commas, matching the project report pipeline. One record can contribute to more than one value in those tables.
- Did not deduplicate separate records that may describe the same real-world event across different sources.
- Did not treat category, actor, country, industry, or claim flags as independent verification of compromise.
Limits
- Collection coverage changes when sources appear, disappear, restrict access, or change format.
- Labels can be incomplete, duplicated, misspelled, or supplied by the original source.
- This release does not independently verify every source claim or deduplicate events across channels.
- Counts describe the AdverseMonitor dataset for the stated period. They do not measure the whole threat landscape.
Read the product monitoring methodology and editorial policy.
Download the aggregate data
The files contain aggregate counts and record examples, not the raw post bodies or organization list.