Monday, May 11 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 09-05-2026 to 11-05-2026 (UTC)

Snapshot Summary

Sector / Section               | Headline Highlights                        | Count
-------------------------------|--------------------------------------------|------
Digital Investigations         | Canvas evidence, AI vulnerability handling | 2
Cyber Investigations           | Scam networks, crypto fraud                | 2
Major Cyber Incidents          | Education breach, source code theft        | 2
Exploits & Threat Intelligence | Linux flaws, phishing infrastructure       | 2
Law Enforcement                | DPRK facilitation, online seizures         | 2
Policy & Standards             | AI review, patch governance                | 2

Digital Investigations

Schools contacted the Canvas hackers after the ShinyHunters breach disrupted classrooms and exposed student data across the United States and in other affected education systems [AMER]. The investigation centres on Free-for-Teacher account abuse, institutional outreach to the attackers, data-leak pressure tactics and the forensic challenge of correlating student records, portal-defacement evidence and the notifications sent to affected schools (Source: Reuters, 09-05-2026).

The UK NCSC published guidance on using AI models to find vulnerabilities, warning organisations to control data exposure, permissions and validation processes [EMEA]. For investigators, the guidance is important because AI-generated findings must remain traceable, legally defensible and independently verified before they are used to support vulnerability disclosure, prioritisation or wider evidential conclusions (Source: NCSC, 11-05-2026).

Cyber Investigations

Sri Lankan authorities warned that the country is becoming a base for transnational cybercrime after more than 600 foreign nationals were arrested in 2026 raids [APAC]. Investigators are examining luxury-apartment operations, tourist-visa abuse, crypto-linked fraud infrastructure and landlord reporting gaps, showing how physical premises, device seizures and financial tracing remain central to online scam investigations (Source: The Morning, 10-05-2026).

The Eastern Region Special Operations Unit arrested and charged ten suspects in the UK after coordinated warrants linked to an alleged cryptocurrency scam [EMEA]. The case demonstrates the continuing evidential value of synchronised searches, rapid charging decisions and crypto-asset tracing where investigators need to connect victim reports, wallet activity, communications evidence and suspect devices across multiple police-force areas (Source: ERSOU, 07-05-2026).

Major Cyber Incidents

The Canvas learning-platform breach continued to affect schools and universities after ShinyHunters claimed access to large volumes of student and institutional data [AMER]. The incident combines consumer-app-style data exposure with education-sector disruption, requiring investigators to assess the account routes used for compromise, ransom communications, institutional notification records and downstream phishing risk to students, teachers and administrators (Source: Washington Post, 09-05-2026).

RansomHouse claimed responsibility for the Trellix source-code repository breach after the cybersecurity company confirmed unauthorised access to a portion of its code [AMER]. The investigative priority is whether repository access exposed credentials, development secrets or exploitable product logic, because a source-code intrusion creates latent supply-chain risk even when the victim reports no evidence that build or distribution systems were touched (Source: BleepingComputer, 08-05-2026).
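
The first question after any repository breach is whether the exposed tree held live credentials. The Python triage pass below is an added example for this item, not code from Trellix, RansomHouse reporting or BleepingComputer. It combines publicly documented token shapes (AWS access key IDs, GitHub classic tokens, PEM private-key headers) with a Shannon-entropy check for free-form `password =`-style assignments, so that template placeholders are not reported as findings. The file tree, pattern names, placeholder list and the 3.5 bits/character threshold are constructed assumptions for illustration.

```python
"""Credential triage over a source-code snapshot after a repository breach.
Added example; the sample tree and thresholds are constructed, not vendor data."""
import math
import re
from collections import Counter

# Documented public token shapes; the last pattern catches ad-hoc assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
# Values that are obviously documentation or templates rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)change|example|placeholder|your[-_ ]|xxx|\$\{|<[^>]+>")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, applied to generic matches only


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score well above prose or placeholders."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of a match to locate it without copying the secret into the report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_line(path: str, lineno: int, line: str) -> list[dict]:
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            value = m.group(1) if m.groups() else m.group(0)
            entropy = shannon_entropy(value)
            if kind == "generic_assignment":
                # Structured tokens are reported on shape alone; free-form values
                # must also look random and must not be a known placeholder.
                if PLACEHOLDER.search(value) or entropy < ENTROPY_THRESHOLD:
                    continue
            findings.append({"file": path, "line": lineno, "kind": kind,
                             "preview": redact(value), "entropy": round(entropy, 2)})
    return findings


def scan_tree(files: dict[str, str]) -> list[dict]:
    """files maps repository path -> file content, i.e. one checked-out snapshot."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            findings.extend(scan_line(path, lineno, line))
    return findings


def summarise(findings: list[dict]) -> dict[str, int]:
    return dict(Counter(f["kind"] for f in findings))


SAMPLE_TREE = {  # constructed snapshot; AKIAIOSFODNN7EXAMPLE is AWS's own documentation key
    "src/config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'changeme'\n"
        "API_KEY = 'q7Zx2Lp9Kd4mTv8Rw1Ys6Hn3Bf5Jc0E'\n"
    ),
    "deploy/ci.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "tools/fetch.sh": "curl -H 'Authorization: token ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8'\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "README.md": "Set API_KEY to your key, e.g. API_KEY = 'your-api-key-here'.\n",
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for f in results:
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']} (H={f['entropy']})")
    print(summarise(results))
```

Run this over a checkout of every commit the attacker could have read, not just the current head: a secret deleted in a later commit still sits in the git object store and is still exposed. Any hit is treated as compromised and rotated on that basis, because a repository breach rarely leaves enough evidence to prove a specific file was not read.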

Exploits & Threat Intelligence

Researchers warned that the Dirty Frag Linux privilege-escalation chain may already be exploited against major distributions after disclosure of CVE-2026-43284 and CVE-2026-43500 [Global]. The chain matters operationally because local root escalation can turn limited footholds into full host compromise, making artefact preservation, kernel-version validation and post-exploitation timeline analysis essential for affected Linux estates (Source: SecurityWeek, 11-05-2026).

SOCRadar reported that Operation HookedWing has affected more than 500 organisations through a phishing campaign that has evolved over four years across multiple sectors [Global]. The campaign’s persistence gives investigators repeatable infrastructure, lure, domain and credential-theft patterns to correlate across historic incidents, helping distinguish isolated phishing events from a broader adversary-controlled collection architecture (Source: SecurityWeek, 11-05-2026).

Law Enforcement

The US Justice Department announced prison sentences for two US nationals who facilitated fraudulent DPRK remote IT worker schemes [AMER]. Prosecutors said the defendants hosted laptops and supported access arrangements for overseas workers, giving investigators a case study in device custody, employment-platform abuse, identity evidence and infrastructure used to disguise sanctioned foreign labour (Source: US Department of Justice, 06-05-2026).

INTERPOL reported that Operation Pangea XVIII produced 269 arrests and USD 15.5 million in seizures across 90 countries and territories [Global]. Although focused on illicit pharmaceuticals, the operation relied on online-marketplace monitoring, payment tracing, domain and logistics evidence, demonstrating how cyber-enabled commerce investigations depend on coordinated data sharing between customs, police, regulators and platform operators (Source: INTERPOL, 07-05-2026).

Policy & Standards

Americans for Responsible Innovation urged mandatory safety reviews for advanced AI models before public release and before suppliers qualify for US government contracts [AMER]. The proposal would expand pre-deployment scrutiny through the Center for AI Standards and Innovation, with cyberattack facilitation risk treated as a national-security factor in procurement, model assessment and future enforcement design (Source: Reuters, 11-05-2026).

Australia’s ASD ACSC warned of active exploitation of CVE-2026-41940 in cPanel and WHM products affecting Australian networks [APAC]. The advisory reinforces standards-led vulnerability governance because authentication-bypass exploitation against hosting control panels requires asset ownership clarity, patch verification, exposed-service review and retained logs sufficient to determine whether attackers reached hosted accounts or administrative functions (Source: ASD ACSC, 07-05-2026).

Editorial Perspective

This cycle shows how digital investigations are increasingly shaped by evidence that spans cloud platforms, education systems, crypto infrastructure, hosted control panels and AI-assisted vulnerability work. The key operational challenge is not simply identifying compromise, but preserving enough context to explain how access was obtained, which records were exposed, and whether attacker claims can be corroborated. Investigators need reliable timelines, retained logs, validated artefacts and clear ownership of third-party platforms before findings can support decisions by schools, courts, regulators or boards.

The stronger theme is investigative readiness across sectors that do not traditionally think of themselves as evidence-rich digital environments. Online scam compounds, counterfeit-commerce networks, source-code repositories and AI-enabled security testing all create records that may be technically useful but legally fragile if collection and validation are weak. Organisations should therefore treat telemetry, access records, source-control events, marketplace data and vulnerability outputs as potential evidence from the outset, rather than as material assembled after disruption has already occurred.

Tags

Digital investigations, Canvas breach, ShinyHunters, AI vulnerability testing, cPanel WHM, Dirty Frag, cryptocurrency fraud, DPRK IT workers, phishing infrastructure, source code breach
