
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Fraud domains and breach arrests | 2 |
| Cyber Investigations | Legal breach and access sales | 2 |
| Major Cyber Incidents | Telecom and travel data exposure | 2 |
| Exploits & Threat Intelligence | FortiClient and ransomware tradecraft | 2 |
| Law Enforcement | Scammer sentencing and Ajax arrest | 2 |
| Policy & Standards | AI agent and NIS2 risk | 2 |
Digital Investigations
A Chinese-speaking fraud operation dubbed GHOST STADIUM has reportedly registered more than 4,300 FIFA-impersonation domains to target 2026 World Cup fans across global ticketing channels [APAC]. Investigators should prioritise domain registration timelines, payment redirection artefacts, cloned-brand infrastructure, and victim-device telemetry to connect phishing pages, credential harvesting, and financial mule activity (Source: The Record, 28-05-2026)
JPCERT/CC published a Japanese vulnerability notice for Jupyter Server open-redirect exposure, highlighting risk where notebook infrastructure is reachable by research and enterprise users [APAC]. The issue matters for evidence handling because redirect chains can preserve referrers, session traces, authentication artefacts, and phishing pivots that help reconstruct how trusted developer portals were abused (Source: JPCERT/CC, 28-05-2026)
Cyber Investigations
A proposed class action says Wiley Rein suffered a Microsoft 365 email compromise tied to China-linked hackers, exposing sensitive personal, financial, medical, and identity data in Washington, DC [AMER]. The case highlights evidential questions around mailbox access logs, MFA posture, delayed notification timelines, and downstream fraud indicators such as estate-account misuse (Source: Reuters, 26-05-2026)
The U.S. Justice Department said a Romanian national was sentenced for selling access to Oregon state government systems and other U.S. victim networks [AMER]. For investigators, the case reinforces the value of tracing brokered credentials, intrusion-sale communications, victim access validation, and infrastructure reuse between marketplace activity and confirmed unauthorised logins (Source: U.S. Department of Justice, 27-05-2026)
Major Cyber Incidents
Charter Communications confirmed a data breach affecting 4.9 million accounts after ShinyHunters claimed access through social engineering and cloud identity compromise in the United States [AMER]. Investigators should compare confirmed exposure against extortion claims, preserve Entra and Salesforce audit logs, and test whether voice-phishing artefacts align with account-token abuse (Source: BleepingComputer, 28-05-2026)
Carnival disclosed a data breach affecting nearly six million people, leaving customers exposed to identity-theft risk across travel and loyalty-related records [AMER]. Digital investigators should map exposed identifiers to booking, payment, and identity-verification workflows, then correlate any credential stuffing, travel-account takeover, or fraud reports against the breach notification population (Source: SecurityWeek, 28-05-2026)
Exploits & Threat Intelligence
Researchers reported active exploitation of CVE-2026-35616, an authentication bypass in FortiClient Enterprise Management Server, to deploy infostealer malware against exposed management environments [GLOBAL]. The exploitation path gives investigators clear artefact targets: anomalous EMS authentication events, pushed package histories, command execution traces, stolen-browser-data indicators, and outbound connections from management hosts (Source: BleepingComputer, 29-05-2026)
Microsoft published analysis of The Gentlemen ransomware, tracking the RaaS operators as Storm-2697 and describing a self-propagating Go encryptor used by affiliates [GLOBAL]. The report gives investigators high-value leads for timeline reconstruction, including lateral movement bursts, per-file encryption behaviour, affiliate deployment patterns, and host-to-host propagation artefacts (Source: Microsoft Threat Intelligence, 28-05-2026)
Law Enforcement
The U.S. Justice Department said a North Carolina man received 121 months in prison for selling personal information of more than seven million elderly Americans to Jamaican lottery scammers [AMER]. The prosecution shows how subscriber records, payment trails, list-broker evidence, and cross-border scam communications can prove data trafficking at population scale (Source: U.S. Department of Justice, 28-05-2026)
Dutch police arrested a 35-year-old man suspected of repeatedly hacking AFC Ajax systems after a breach exposed around 300,000 fan records in the Netherlands [EMEA]. The case underlines the importance of preserving club CRM logs, access-control records, suspect-device images, and any attempted resale or extortion messages linked to supporter data (Source: Help Net Security, 28-05-2026)
Policy & Standards
Singapore’s Cyber Security Agency issued guidance on OpenClaw autonomous AI agent risks, warning about unpatched vulnerabilities, weak access controls, data exposure, malicious skills, and memory poisoning [APAC]. Investigators should treat agent activity as evidentially complex because tool calls, prompt state, API tokens, plugin provenance, and memory stores may all affect attribution (Source: Cyber Security Agency of Singapore, 28-05-2026)
ENISA published its 2026 NIS360 assessment, reporting improved cybersecurity maturity across EU critical sectors while criticality levels remained comparatively stable [EMEA]. For investigation teams, the report sharpens sector-priority decisions by linking NIS2 criticality, maturity gaps, evidence expectations, and cross-border dependency mapping for incidents involving essential services (Source: ENISA, 28-05-2026)
Editorial Perspective
This roundup shows investigations becoming increasingly cross-platform, with evidence scattered across cloud identity systems, SaaS audit trails, phishing infrastructure, mobile devices, payment rails, and AI agent memory stores. Teams need acquisition plans that preserve volatile logs quickly while maintaining clear provenance for every exported artefact. The strongest cases will come from correlating technical telemetry with financial records, account histories, device images, and external infrastructure metadata.
Evidential integrity is also under pressure from automation, delegated agent actions, and fast-moving ransomware tooling that can alter systems at machine speed. Investigation readiness now depends on pre-approved log retention, tested legal hold processes, and repeatable methods for capturing cloud-native evidence without losing context. Attribution capability will increasingly rely on joining small signals across identity, infrastructure, malware behaviour, fraud monetisation, and human operational mistakes.
Tags
Digital Investigations, Cloud Evidence, ShinyHunters, Storm-2697, The Gentlemen, FortiClient EMS, OpenClaw, AI Agents, NIS2, Phishing Infrastructure, Data Trafficking, Identity Theft