FreeCity Data Dump Spree Targets Malaysia, Vietnam, UK; Linux Zero-Day Exploited

Events tracked: 180 | Critical exposure: 85

Summary

Today's threat landscape is defined by a coordinated, high-volume data dump campaign from the actor FreeCity, which has claimed responsibility for over a dozen breaches targeting government, financial, and commercial databases across Southeast Asia and Europe. Simultaneously, defenders must prioritize patching a Linux kernel privilege escalation vulnerability (CVE-2026-31431) that has just been added to CISA's Known Exploited Vulnerabilities catalog and is confirmed as actively exploited in the wild. The convergence of a prolific data broker and a critical, weaponized OS-level bug signals a day where both data exposure and system compromise risks are elevated.

Today's developments

The most significant development today is the widespread data dumping campaign attributed to the actor FreeCity. The actor claims to have breached and leaked records from multiple entities across Vietnam, Malaysia, Spain, and the United Kingdom. The alleged scope is substantial, with claims including 4.8 million tourism records and 1.9 million property owner records from Vietnamese sources, over 7 million entries related to an overseas Chinese database from Malaysia, and 500,000 records from a UK-based bank (Schwab Bank) alongside 679,000 UK citizen records. These incidents, if verified, represent a significant aggregation of personal and financial data from multiple sovereign states. The targeting of high-net-worth citizen databases and insurance user data suggests the actor is prioritizing commercially valuable information.

Beyond the FreeCity campaign, several other notable incidents emerged:

  • ShinyHunters has claimed breaches of Instructure, Inc. (US, E-Learning) and Cushman & Wakefield (US, Real Estate), as well as Accord Healthcare (UK, Healthcare & Pharmaceuticals). This actor's continued focus on high-value US and UK enterprises warrants close monitoring.
  • Indonesia remains a heavily targeted geography. Alleged breaches were reported against Bank Negara Indonesia (Banking), Perusahaan Listrik Negara (PLN) (Energy), the Directorate General of Taxes, and the Ministry of Education and Culture. The concentration on critical national infrastructure and government agencies is a persistent concern.
  • Government and military targets were also hit. Actors claimed breaches of the Mexican Navy (SEMAR), the Republic of Korea Army (attributed to Lazarus), the Ministry of Interior of Peru, and the Albanian Government (including its embassy in the US).
  • Critical vulnerability alert: Security researchers have flagged that CISA has added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalog. This is a Linux kernel local privilege escalation flaw (CVSS 7.8) with confirmed active exploitation. Organizations running affected Linux distributions must prioritize patching immediately to prevent attackers from gaining root access.

Threat landscape signals

The data from today reveals a pronounced shift toward mass data aggregation and sale rather than targeted ransomware or disruptive attacks. The FreeCity campaign alone accounts for a significant portion of the day's critical data exposure events, indicating that the underground market for bulk personal data remains robust and that actors are willing to target multiple countries simultaneously. The victimology is also noteworthy: while the US and UK remain primary targets, there is a clear spike in activity against Indonesia and Vietnam, suggesting threat actors are expanding their focus to rapidly digitizing economies in Southeast Asia.

From an actor perspective, FreeCity has emerged as the most prolific single entity today, followed by the persistent ShinyHunters. The presence of Lazarus in a military breach (Republic of Korea Army) reinforces the ongoing state-sponsored interest in defense sector intelligence. The addition of CVE-2026-31431 to the KEV catalog is a critical signal for defenders: this is not a theoretical risk but a flaw with a working exploit in active use. Teams should verify patch status for all Linux endpoints, especially those exposed to less-trusted networks. The combination of a high-volume data broker and a confirmed OS-level exploit makes this a day for heightened vigilance across both data security and endpoint hygiene.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
