
Cyber Security Report - January 2026


Research by OSINT Monitoring Team, NTT Security Japan K.K





Page Summary

This report selects and summarizes three topics considered particularly important among the information security incidents and events that occurred during January 2026, together with the changes in the environment surrounding them. Each topic is summarized as follows.


Chapter 1 "Dutch hacker found guilty of intrusion into port system ~ Is there a cocaine smuggling plan in the background?"
  • The Dutch defendant was sentenced to seven years in prison for hacking the Belgian port system.

  • In the early stages of the hack, the malware was deployed with the cooperation of a port employee. The defendant used an encrypted chat service to contact the criminals involved in the series of incidents, and the facts came to light when the messages exchanged there were deciphered.

  • This case is considered an example of a cyberattack playing an important role as part of an operation leading to physical crime. We are entering an era in which cyberattacks are carried out as part of organized crime, just as in movies and dramas.


Chapter 2 "Zestix Sells Information Stolen by Infostealer"
  • A threat actor known as Zestix (also known as Sentap) used credentials obtained by "infostealer" malware to infiltrate a number of corporate systems and sold the stolen data on the dark web.

  • An infostealer is malware that collects and steals credentials and various other data about the device's user stored on the device; a notable characteristic is that it can also steal session keys stored in browsers.

  • While VPN vulnerabilities and system intrusions via phishing emails are widely known, intrusions from devices infected with infostealers are also a significant threat that cannot be overlooked.


Chapter 3 "Cyberattacks from China targeting Taiwan's critical infrastructure increased by 1,000% year-on-year in 2025"
  • Cyberattacks on Taiwan's critical infrastructure reached about 960 million annually, and the energy sector showed a remarkable increase of about 11 times compared with the previous year. Attacks are also increasing in other fields such as medical care and telecommunications, and China is concentrating on specific infrastructure.

  • Attacks increased at the same time as political events, government officials' overseas trips, and PLA patrols in the waters around Taiwan, giving them the appearance of hybrid warfare in which politics and cyberattacks are linked.

  • These examples offer lessons for predicting Japan's risks, and it is important to prepare for emergencies, for example by strengthening security cooperation with Taiwan.



Dutch hacker found guilty of intrusion into port system - Cocaine smuggling plan in the background


1.1. Outline

The Dutch defendant was sentenced to seven years in prison for hacking the Belgian port system. In the early stages of the hack, the malware was deployed with the cooperation of a port employee. The defendant used an encrypted chat service to contact the criminals involved in the series of incidents, and the facts came to light when the messages exchanged there were deciphered.


Figure 1 Court ruling against Dutch hacker


1.2. Hackers involved in port-based crimes

About the defendant[3]

The sentence was handed down to a 44-year-old Dutch man (hereinafter referred to as the defendant). He lived with his family while receiving welfare benefits, but behind the scenes he hacked the systems of major European ports. He is believed to have regularly earned a high income by selling the information obtained this way to cocaine smugglers. According to some media, the defendant had asked for 500,000 euros (about 90 million yen) for one series of jobs he performed.


In September 2021, he was arrested on suspicion of involvement in four crimes, including the following case, and was sentenced to 10 years in prison the following year; the defendant appealed the conviction.


Intrusion into the system of the Belgian port organization

In mid-September 2020, the defendant began hacking into the port organization of the Belgian port of Antwerp (now the "Port of Antwerp-Bruges") together with accomplices, including people involved in the smuggling of drugs and weapons. The aim was to control computers, rewrite information, and open gates so that trucks (possibly loaded with smuggled drugs) could enter.


The plan also involved a woman working at the port organization's counter as an insider. According to the local police investigation, the employee was asked by a person (an accomplice of the defendant) to insert a USB flash drive into her computer at work, and she was given a "Sky phone" (a handset running "Sky ECC", described later) as the sole means of contacting that person. The instruction was: "Just start the program on the stick (note: USB memory), double-click and wait 15 seconds, and you can take it out again." The employee did so and received a reward of 10,000 euros (about 1.8 million yen).


A simple program ran automatically when the USB flash drive was inserted, installing malware on the port organization's system and creating a backdoor (a "back door" for external access to the target's system). Through it the defendant could remotely reach the software that manages container placement and other systems, and he made several unauthorized accesses until April 2021. Entering through the backdoor, he checked container information and footage from the port's surveillance cameras, and stole confidential information such as photos of employees and plans of the terminal. He also tried to duplicate the ID cards used to enter and leave various areas of the port, but he failed to obtain the account with administrator rights on the related server: the hashed administrator password was obtained, but the original password could not be recovered.


Circumstances of the discovery of the incident

The facts heard in this trial were discovered because the police successfully intercepted and deciphered the communications of the encrypted chat service "Sky ECC" used by the defendants. It was confirmed that the defendant had explained the hacking operations to his accomplices, and in another case, he had exchanged information about the transportation of cocaine, and these records were presented as evidence at trial.[4]


Sky ECC is a privacy-focused messaging app developed by the Canadian company Sky Global, but its strong encryption backfired and it came to be widely used by international criminal organizations; some reports say that more than 90% of its users were criminals.[5] Sky ECC's services were shut down in March 2021 following crackdowns by law enforcement agencies in several countries.[6], [7]



Figure 2 Sky ECC function introduction page (Sky ECC official website [closed])
Figure 2 Operational Taskforce LIMIT by EUROPOL

Conviction of the accused

On January 9, 2026, the Amsterdam Court of Appeal found the defendant guilty of the intrusion into the aforementioned systems and of two other counts: smuggling cocaine into the Netherlands and threatening others. He was acquitted, for lack of evidence, of involvement in another cocaine smuggling scheme of which he had been found guilty in the first instance. The sentence was reduced because the appeal proceedings exceeded the required period by 21 months, and the defendant was sentenced to seven years in prison. In March 2023, a Belgian court convicted the woman who had cooperated with the defendant by inserting the USB flash drive.[10]


1.3. Summary

On multiple occasions, the defendant teamed up with drug smugglers and dealers, hacking the port's systems and providing them with confidential information in exchange for money. In another case for which he was convicted in the same trial, it was revealed that he had monitored the arrival of a cargo ship loaded with cocaine and sent fake emails to those involved in order to get containers of cocaine transported out of the port.


It is easy to see that the hack at the port of Antwerp, the second largest in Europe, was likewise aimed at bringing smuggled cocaine into the EU. This case is considered an example of a cyberattack playing a significant role as part of an operation leading to such physical crime. We are entering an era in which cyberattacks are carried out as part of organized crime, just as in movies and dramas.


References

[1] Source: Landelijk Dienstencentrum voor de Rechtspraak (LDCR), "ECLI:NL:GHAMS:2026:22", https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:GHAMS:2026:22

[2] Source: Landelijk Dienstencentrum voor de Rechtspraak (LDCR), "ECLI:NL:GHAMS:2026:22", https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:GHAMS:2026:22

[3] Source: České centrum pro investigativní žurnalistiku, "NarcoFiles: Narkobaroni si najímají hackery, aby jim pomohli dostat kokain přes kontroly v přístavech", https://www.investigace.cz/narcofiles-kokain-evropa-pristavy/

[4] Source: CNN World, "Nearly 28 tons of cocaine seized after police access encrypted network", https://edition.cnn.com/2021/04/06/europe/antwerp-belgium-cocaine-seizures-scli-intl

[5] Source: The Brussels Times, "Cracking of encrypted messaging service dealt major blow to organised crime", https://www.brusselstimes.com/news/belgium-all-news/159039/cracking-of-encrypted-text-messaging-service-sky-ecc-app-dealt-major-blow-to-organised-crime

[7] Source: Computer Weekly, "Arrest warrants issued for Canadians behind Sky ECC cryptophone network used by organised crime", https://www.computerweekly.com/news/252497791/Arrest-warrants-for-Candians-behind-Sky-ECC-cryptophone-networks-used-by-organised-crime

[8] Source: Internet Archive Wayback Machine, "SKY GLOBAL Inc. - SKY ECC: Features", https://web.archive.org/web/20210310131238/https://www.skyecc.com/features/

[10] Source: OCCRP, "Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe's Biggest Ports", https://www.occrp.org/en/project/narcofiles-the-new-criminal-order/inside-job-how-a-hacker-helped-cocaine-traffickers-infiltrate-europes-biggest-ports


Zestix sells information stolen by infostealer



2.1. Outline

In January 2026, it was revealed that a threat actor known as Zestix (also known as Sentap) had used credentials obtained by infostealer malware to infiltrate numerous corporate systems and sell the stolen data on the dark web. About 50 organizations have been affected.[11], [12]



2.2. What is Infostealer?


An infostealer is malware used to collect and steal credentials stored on a device and various data about the device's user. Infection vectors have diversified over the years: attackers use phishing emails, compromised websites, malicious links, and fake security alerts to deliver the malware. If a user is tricked into downloading a malicious file through one of these, the infostealer runs and begins collecting information from the device.


The collected data includes IDs, passwords, browsing history, credit card information, automatic login information for cloud services, and application configuration data stored in the browser. If the device is used for business, information about the organization the user belongs to, and not only about the user, is transmitted to the attacker who deployed the malware. Attackers can then use this sensitive information to take over the organization's employee accounts, infiltrate related systems, elevate the account's privileges, and move laterally within the network to expand the scope of the breach.


Another factor that enables unauthorized access is that this malware can steal the session key (session cookie) stored in the browser. With it, an attacker can log in without entering an ID, password, or multi-factor authentication (MFA) code for as long as the session (the set of communications between the client and the server) remains valid.[13]
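Server-side session binding is one defensive answer to the cookie replay just described: a stolen cookie is only useful if the server accepts it from any client for its full lifetime. The following Python is an added example, not code from the report or from any product it names; its policy (an 8-hour absolute lifetime, binding to the login /24 and to a User-Agent hash) and the sample sessions are constructed assumptions.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values (not taken from the report): a session expires after
# this long regardless of activity, and is bound at login to the client's /24
# network and to a hash of its User-Agent string.
ABSOLUTE_LIFETIME = timedelta(hours=8)


@dataclass
class Session:
    user: str
    issued_at: datetime
    ua_fingerprint: str             # sha256 of the User-Agent seen at login
    network: ipaddress.IPv4Network  # /24 containing the login IP
    revoked: bool = False


def fingerprint_ua(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, ip: str, user_agent: str, now: datetime) -> str:
        """Create a session after a full login (password + MFA); return the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(
            user=user, issued_at=now,
            ua_fingerprint=fingerprint_ua(user_agent),
            network=ipaddress.ip_network(f"{ip}/24", strict=False))
        return token

    def evaluate(self, token: str, ip: str, user_agent: str, now: datetime) -> str:
        """Return 'allow', 'step_up' or 'deny' for a request presenting `token`.

        A cookie seen from a different browser fingerprint is treated as stolen and
        the session is revoked (logging out the real user too). The same browser on
        a different network only forces MFA again, since roaming users are common.
        A thief who exports the User-Agent with the cookie can mimic the fingerprint,
        so the lifetime and network checks still matter: this is a mitigation only.
        """
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return "deny"
        if now - s.issued_at > ABSOLUTE_LIFETIME:
            s.revoked = True
            return "deny"
        if fingerprint_ua(user_agent) != s.ua_fingerprint:
            s.revoked = True
            return "deny"
        if ipaddress.ip_address(ip) not in s.network:
            return "step_up"
        return "allow"


def demo() -> dict[str, str]:
    """Constructed scenario: one legitimate session, then a replay of its cookie."""
    store = SessionStore()
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    chrome = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"  # constructed UA string
    tok = store.issue("alice", "203.0.113.5", chrome, t0)
    out = {}
    # Same browser, same office /24: ordinary use.
    out["same_device"] = store.evaluate(tok, "203.0.113.9", chrome, t0 + timedelta(minutes=5))
    # Same browser from a home network: ask for MFA again rather than blocking.
    out["roaming"] = store.evaluate(tok, "198.51.100.7", chrome, t0 + timedelta(hours=1))
    # Cookie exported by an infostealer and replayed from the buyer's browser.
    out["replay"] = store.evaluate(tok, "192.0.2.44", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
                                   t0 + timedelta(hours=2))
    # The real user's next request now fails as well, which is the cue to investigate.
    out["after_revoke"] = store.evaluate(tok, "203.0.113.9", chrome, t0 + timedelta(hours=2, minutes=1))
    # A separate session that simply outlived the absolute lifetime.
    tok2 = store.issue("bob", "203.0.113.20", chrome, t0)
    out["expired"] = store.evaluate(tok2, "203.0.113.20", chrome, t0 + timedelta(hours=9))
    return out
```

The revocation of the legitimate user's session is deliberate: an unexpected logout followed by a support ticket is often the first detectable sign that a cookie was replayed from an infected device.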


2.3. Threats starting from Infostealer

In recent years, the threat from infostealers has skyrocketed because the malware is distributed as Malware-as-a-Service (MaaS). MaaS is a criminal business model in which malware developers provide malware to other attackers rather than attacking themselves, giving even people without specialized skills an environment in which they can easily run infostealers. In addition, there are services on the dark web that supply the latest stolen credentials, allowing attackers to instantly search for and obtain the corporate account information they want and significantly lowering the bar to attack.[14]


According to a survey by security firm KELA, the damage caused by infostealers is concentrated in specific occupations. In particular, roles such as project management, consulting, and software development, which access many systems daily, are at high risk of infection. If business account information is stored on a personal device, it sits outside the organization's control, further increasing the risk.


More serious still, credentials stolen by infostealers are frequently used as the initial means of entry for ransomware attacks. KELA has reported confirmed links between ransomware groups such as Play, Akira, and Rhysida and accounts infected with infostealers. In these cases, the victim's credentials were sold on the dark web ~5 days before the ransomware attack.[15]


This suggests that infostealers are not merely information-stealing malware but the starting point of a process leading to major ransomware attacks.


Figure 3 Ecosystem surrounding infostealer (from Nikkei Crosstech) [16]

2.4. Zestix activities

Zestix is one of the Initial Access Brokers (IABs), groups that sell and resell access to targeted systems. According to research by cybersecurity firm Hudson Rock, Zestix sells access rights obtained or leaked from other sources, and much of the access it has gained is believed to have been stolen by infostealers such as RedLine, Lumma, and Vidar.[17], [18]


Beyond its IAB activities, Zestix also uses the access rights it holds to infiltrate corporate cloud environments itself. Using credentials stolen from employees' personal and work devices, Zestix gained unauthorized access to enterprise cloud services such as ShareFile, OwnCloud, and Nextcloud, apparently profiting by stealing confidential information and selling it on the dark web. The targets were users at enterprises that relied solely on password authentication and had not implemented multi-factor authentication (MFA). As a result, breaches have been confirmed at about 50 companies, including major ones.


Breaches at about 50 companies

The damage spans aviation, defense, robotics, law, and public infrastructure; for example, 77GB of data stolen from the cloud environment of Spain's Iberia Airlines was sold for $150,000. Other affected companies include Pickett & Associates, an engineering firm serving energy-related companies; Intecro Robotics, an aerospace and defense equipment manufacturer; Maida Health, a Brazilian medical digital solutions company; and CRRC MA, a subsidiary of a vehicle manufacturer.[19], [20]


2.5. Summary

While VPN vulnerabilities and system intrusions via phishing emails are widely known, intrusions using credentials stolen from infostealer-infected devices are also a serious threat that cannot be overlooked. Once the malware is deployed on a business device, the attacker can log in remotely to the organization's systems without entering credentials (by reusing the session cookie, as mentioned above), which makes it difficult for the system to recognize the login as unauthorized. The first priority is to avoid infection in the first place, and employee education is considered an important measure toward that end.


In addition, we should abandon the premise that "all of an organization's terminals are secure" and promote the "Zero Trust" concept, in which security measures are applied without implicitly trusting any information asset, including the terminals, users, and networks connected to the organization. In this way we want to curb the spread of damage from infostealers.


References

[11] Source: SecurityWeek, "Dozens of Major Data Breaches Linked to Single Threat Actor", https://www.securityweek.com/dozens-of-major-data-breaches-linked-to-single-threat-actor/

[12] Source: InfoStealers by Hudson Rock, "Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk", https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/

[14] Source: Check Point, "Malware-as-a-Service (MaaS): Cybercrime's Subscription Model", https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/malware-as-a-service-maas/

[15] Source: KELA, "Inside the Infostealer Epidemic: Exposing the Risks to Corporate Security", https://info.ke-la.com/hubfs/Reports/KELA%20Report%20-%20The%20Infostealer%20Epidemic.pdf

[16] Source: Nikkei Crosstech, "'Infostealer' Growing Presence, Thorough Explanation from Infested Background to Related Technologies", https://xtech.nikkei.com/atcl/nxt/column/18/02805/081900020/

[17] Source: HACKREAD, "Analysis of Top Infostealers: Redline, Vidar and Formbook", https://hackread.com/top-infostealers-analysis-redline-vidar-formbook/

[18] Source: Microsoft Security, "Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer", https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/

[19] Source: SecurityWeek, "Dozens of Major Data Breaches Linked to Single Threat Actor", https://www.securityweek.com/dozens-of-major-data-breaches-linked-to-single-threat-actor/

[20] Source: InfoStealers by Hudson Rock, "Dozens of Global Companies Hacked via Cloud Credentials from Infostealer Infections & More at Risk", https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/


Cyberattacks from China targeting Taiwan's critical infrastructure increased by 1,000% year-on-year in 2025


3.1. Outline

On April 1, the National Security Bureau, the intelligence agency of the government of the Republic of China (Taiwan), released a document titled "Analysis of China's Cyber Threats to Taiwan's Critical Infrastructure in 2025." According to its analysis, the number of cyberattacks carried out by China against Taiwan's critical infrastructure in 2025 reached approximately 960 million for the year (an average of about 2.63 million per day), an increase of 6% over the previous year. Attacks on the energy sector stand out at about 11 times the previous year's level (an increase of 1,000%), indicating that, alongside the overall rise in attacks, China is selecting specific Taiwanese industries and targeting them intensively.[21], [22]


Figure 4 Percentage increase or decrease in the number of cyberattacks carried out against Taiwanese industries from China in 2025 [23]

The energy sector is followed by emergency and medical services (up 54%) and then telecommunications (up 6.7%).


3.2. Attack method


China uses four types of attack method against Taiwan's critical infrastructure. The most common, accounting for more than half of all attacks, is "exploitation of vulnerabilities in hardware and software". It is followed by "DDoS", in which a large amount of data is sent to the target website (server) from many computers at the same time so that it malfunctions; "social engineering", which exploits gaps in people's psychology (such as carelessness) and emotions such as trust and fear to steal confidential information; and "supply chain abuse", in which the target organization's group companies and business partners are compromised first to establish a foothold for intrusion into the primary target.


According to the document, China's cyber forces are intensively probing the network equipment and industrial control systems (ICS) of public and private companies related to oil, electricity, natural gas, and the like. It has also been observed that malware is covertly embedded in the target's systems when the target performs software upgrades, an approach suited to remaining hidden inside the system for a long time without the target noticing.


Figure 5 China's cyberattack methods on Taiwan's critical infrastructure[24]

3.3. Characteristics of attack timing

In terms of timing, attacks increased around political events and overseas visits by government officials, and correlated with the People's Liberation Army's joint combat readiness patrols (joint patrols) conducted with military aircraft and ships around Taiwan. There were 40 joint patrols in 2025, and in 23 of them cyberattacks were confirmed to have increased during the same period as the patrol, indicating that China chooses its timing so as to exert pressure on Taiwan from both the military and the cyber side.


About the timing of attacks and unrestricted warfare

The concept behind Chinese cyberattacks is known as "unrestricted warfare". It means eliminating the boundary between military and non-military and combining all available means to achieve the goal, and it was proposed by two PLA servicemen in 1999. It is a military theory similar to the "hybrid warfare" concept that emerged later, and cyberattacks are one component of it.


In unrestricted warfare and hybrid warfare, military and non-military means are combined. If cyberattacks degrade the functioning of critical infrastructure, society will be seriously disrupted. Furthermore, there are concerns that combining information operations with military activity will affect not only the targeted infrastructure but many areas of society.[25]


In the event of a Taiwan contingency, China is believed to be aiming for a short, decisive conflict by simultaneously disrupting multiple domains, including communications, broadcasting, and electricity, and cyberattacks are expected to play an important role as a precursor. The prevailing view is that the current cyberattacks on Taiwan are carried out as threats and checks against Taiwan's diplomatic activities and its orientation toward independence, or as espionage to gather Taiwan's military as well as diplomatic intelligence, but they are also thought to serve as "rehearsals" for the "real thing", an invasion of Taiwan.[26]


3.4. Summary

If a Taiwan contingency becomes reality, Japan may also become a party to it. Information on cyberattacks in Taiwan and the countermeasures taken against them is therefore useful as a lesson for anticipating future events in Japan. We would like to strengthen security cooperation with Taiwan, centered on government agencies and critical infrastructure companies, and gather information to prepare for any contingency.

References

[21] Source: National Security Bureau of the Republic of China, "Analysis on China's Cyber Threats to Taiwan's Critical Infrastructure in 2025", https://www.nsb.gov.tw/en/assets/documents/%E6%96%B0%E8%81%9E%E7%A8%BF/9976f2e1-3a8a-4fa2-9a73-b0c80fca1f04.pdf

[22] Source: Reuters, "Chinese cyberattacks on Taiwan's infrastructure, average of 2.63 million per day in 25 years", https://jp.reuters.com/world/taiwan/MKC6QWYCAJM5PIG74VW3X4OXUY-2026-01-05/

[23] Source: National Security Bureau of the Republic of China, "Analysis on China's Cyber Threats to Taiwan's Critical Infrastructure in 2025", https://www.nsb.gov.tw/en/assets/documents/%E6%96%B0%E8%81%9E%E7%A8%BF/9976f2e1-3a8a-4fa2-9a73-b0c80fca1f04.pdf

[24] Source: National Security Bureau of the Republic of China, "Analysis on China's Cyber Threats to Taiwan's Critical Infrastructure in 2025", https://www.nsb.gov.tw/en/assets/documents/%E6%96%B0%E8%81%9E%E7%A8%BF/9976f2e1-3a8a-4fa2-9a73-b0c80fca1f04.pdf

[25] Source: National Institute for Defense Studies, "NIDS Commentary No. 403", Takashi Kawashima, "Classification and Characteristics of Operational Methods in Hybrid Warfare: An Analysis Based on the Concept and Model of the European Hybrid Threat Countermeasure Center", https://www.nids.mod.go.jp/publication/commentary/commentary403.html

[26] Source: Maritime Self-Defense Force Executive School, "'Waves' Vol. 36 No. 3", Takahiro Ishihara, "'Hybrid Warfare and Super Warfare' - Re-reading 'Super Warfare' Now", https://www.mod.go.jp/msdf/navcol/assets/pdf/column226_01.pdf


Disclaimer

Please note that while we do our best to ensure that the content of this article is accurate, we do not guarantee it and do not compensate for any damage or loss incurred as a result of its use. If you have any inquiries, such as typographical errors, content errors, or other points about the article, please contact us at the following address.


Inquiries

NTT Security Japan Corporation

Professional Services OSINT Monitoring Team
