AdverseMonitor Research · Dataset v1.0

H1 2026 collected threat record study

AdverseMonitor recorded 29,858 unique posts_summary rows from January through June 2026. DDoS Attack was the largest category at 6,796 records (22.8%). Each row is a collected source observation, not proof of a confirmed incident.

Period: January 1 to June 30, 2026 · Snapshot: 2026-07-11T11:38:46.178Z · Published: 2026-07-11

29,858posts_summary records
29,854posts_details records
29,853UUIDs present in both tables

What the data says

The dataset contains 13 category labels and 4 network labels. telegram contributed 14,931 records (50%). These counts measure collected records. One event may produce more than one record when separate sources publish it.

Use this study for dataset composition and observed source activity. Do not use it as a breach count, victim count, or estimate of total criminal activity.

Monthly record volume

Monthly collected threat records in H1 20262026-01: 5,147 records; 2026-02: 4,789 records; 2026-03: 6,148 records; 2026-04: 4,031 records; 2026-05: 4,799 records; 2026-06: 4,944 records.5,147014,789026,148034,031044,799054,94406
Figure 1. Monthly record volume. 2026-03 had the largest count in the six-month period.
MonthRecordsShare of H1
2026-015,14717.2%
2026-024,78916%
2026-036,14820.6%
2026-044,03113.5%
2026-054,79916.1%
2026-064,94416.6%

Top categories

Six largest threat record categories in H1 2026The six largest categories were DDoS Attack, Data Breach, Ransomware, Defacement, Initial Access, Data Leak.DDoS Attack6,796 (22.8%)Data Breach5,882 (19.7%)Ransomware4,502 (15.1%)Defacement4,329 (14.5%)Initial Access3,526 (11.8%)Data Leak3,420 (11.5%)
Figure 2. The six largest category labels account for most records in the period.
RankCategoryRecordsShare
1DDoS Attack6,79622.8%
2Data Breach5,88219.7%
3Ransomware4,50215.1%
4Defacement4,32914.5%
5Initial Access3,52611.8%
6Data Leak3,42011.5%
7Alert6722.3%
8Malware3571.2%
9Cyber Attack1850.6%
10Vulnerability1430.5%

Source networks

RankNetworkRecordsShare
1telegram14,93150%
2openweb9,83032.9%
3tor5,09617.1%
4discord10%

Countries and industries in record metadata

A record can contain more than one country or industry. Percentages in these tables use all 29,858 summary records as the denominator, so a column can sum to more than 100%.

Countries

RankCountry labelRecordsShare
1USA3,06610.3%
2Israel1,7836%
3Indonesia1,2244.1%
4India9753.3%
5France8152.7%
6Thailand7332.5%
7UK5711.9%
8Ukraine4431.5%
9Spain3821.3%
10Germany3731.2%

Industries

RankIndustry labelRecordsShare
1Government Administration2,9419.8%
2Education1,2004%
3Information Technology (IT) Services8462.8%
4Financial Services7322.5%
5E-commerce & Online Stores5341.8%
6Government & Public Sector5331.8%
7Transportation & Logistics4661.6%
8Network & Telecommunications4591.5%
9Building and construction4031.3%
10Hospital & Health Care3681.2%

Threat actor labels

Actor names reproduce the metadata stored with each source record. AdverseMonitor did not merge aliases for this release.

RankActor labelRecordsShare
1NoName057(16)1,3764.6%
2BABAYO EROR SYSTEM6552.2%
3Qilin4401.5%
4The Gentlemen3681.2%
5Keymous Plus3451.2%
6Hax.or3301.1%
7DieNet2650.9%
8RipperSec2210.7%
9akira2140.7%
10Dark Storm Team2120.7%

Three real record examples

These examples come from posts_details. Organization names and source URLs are omitted here. The fields describe the collected record and do not confirm the underlying claim.

Record ID
POST-0015974D9BBFA468
Published
2026-06-06
Category
DDoS Attack
Network
telegram
Actor label
NXBB.SEC
Country metadata
Thailand
Industry metadata
Mental Health Care
Record ID
POST-000D25C2C7CFFB10
Published
2026-02-18
Category
Data Breach
Network
openweb
Actor label
killaTheGoat
Country metadata
USA
Industry metadata
Automotive
Record ID
POST-000B35663DEBB375
Published
2026-04-28
Category
Ransomware
Network
tor
Actor label
CL0P
Country metadata
Canada
Industry metadata
Building and construction

Data quality and table overlap

Field completeness in posts_summary

FieldPopulated rowsCompleteness
category29,858 / 29,858100%
network29,858 / 29,858100%
threat_actors20,628 / 29,85869.1%
victims_countries19,042 / 29,85863.8%
victims_industries17,230 / 29,85857.7%
victims_organizations16,850 / 29,85856.4%

Shared-field consistency

FieldCompared UUIDsMismatchesMatch rate
published_at29,853199.997%
category29,853199.997%
network29,8539,14669.363%
threat_actors29,85314599.514%
victims_countries29,85313899.538%
victims_industries29,85312499.585%
victims_organizations29,85311599.615%
is_reported_by_victim29,8530100%
is_threat_actor_claimed29,8530100%

The network field produced the largest difference. telegram → (blank): 4,346 UUIDs; openweb → (blank): 3,325 UUIDs; tor → (blank): 1,473 UUIDs; tor → openweb: 1 UUIDs. Different nonblank network labels affected 1 UUIDs.

posts_summary contained 5 UUIDs not present in the period-matched posts_details set. posts_details contained 1 UUIDs not present in the summary set. The victim-reported flag was true on 401 records (1.3%); the threat-actor-claimed flag was true on 38 records (0.1%).

Methodology

  1. Queried posts_summary and posts_details for published_at values from 2026-01-01T00:00:00Z up to, but not including, 2026-07-01T00:00:00Z.
  2. Rejected rows whose published_at value could not be parsed into the same UTC period.
  3. Counted posts_summary UUIDs as the analysis denominator. Compared UUIDs with posts_details to measure table overlap.
  4. Compared nine shared fields for every UUID present in both tables after trimming leading and trailing whitespace in text fields.
  5. Split actor, country, and industry text fields on commas, matching the project report pipeline. One record can contribute to more than one value in those tables.
  6. Did not deduplicate separate records that may describe the same real-world event across different sources.
  7. Did not treat category, actor, country, industry, or claim flags as independent verification of compromise.

Limits

  • Collection coverage changes when sources appear, disappear, restrict access, or change format.
  • Labels can be incomplete, duplicated, misspelled, or supplied by the original source.
  • This release does not independently verify every source claim or deduplicate events across channels.
  • Counts describe the AdverseMonitor dataset for the stated period. They do not measure the whole threat landscape.

Read the product monitoring methodology and editorial policy.

Download the aggregate data

The files contain aggregate counts and record examples, not the raw post bodies or organization list.

CSV SHA-256: 39bc3edf967bb0493f7a974ed8099f6f4d2a6c4a4a77965757196759d017b035
JSON SHA-256: 231074e5962f1a49bbe31ddd4958dfce7719995de6a38c4acd6d463301955680