NCC Group Warns Ransomware, State Hackers, and AI Fraud Tools Are Colliding

Ransomware activity in May 2026 remained stuck at historically high levels, even as attacks dipped slightly month over month, according to a new cyber threat intelligence report from NCC Group and Fox-IT.

The report recorded 749 ransomware victim listings in May, a 4 percent decline from the previous month but still part of an elevated 2026 baseline. Industrial organizations were hit hardest, accounting for 29 percent of ransomware attacks. Qilin remained the most active ransomware operation, responsible for 15 percent of attacks, while The Gentlemen ranked second for the second consecutive month.

But the bigger warning from NCC Group is not just attack volume. It is the increasingly blurred line between cybercrime, state-backed hacking, and AI-assisted fraud.

The report highlights a campaign attributed with moderate confidence to MuddyWater, an Iranian cyber espionage group linked to Iran’s Ministry of Intelligence and Security. In that operation, MuddyWater allegedly posed as Chaos ransomware, using extortion notes, negotiation channels, and a leak site listing to make targeted espionage look like financially motivated cybercrime.

That tactic complicates incident response. A ransomware note may no longer mean a victim is dealing only with a criminal extortion crew. It could also signal espionage, disruption, or a state-backed operation designed to hide inside the noise of ransomware.

NCC Group also warned that geopolitics is feeding cyber risk. The report points to rising tensions involving China, the United States, Russia, Ukraine, and Quad nations as drivers of espionage, influence operations, and long-term network compromise. Organizations tied to critical minerals, maritime infrastructure, defense, energy, logistics, and national communications infrastructure may face elevated exposure.

The most striking technical finding is Kitana, an AI-built Adversary-in-the-Middle fraud platform identified by NCC Group in April 2026. Unlike traditional web skimming campaigns that compromise legitimate merchant websites, Kitana routes victims through attacker-controlled domains that mirror real e-commerce and hospitality sites.

The platform combines a reverse proxy, real-time operator control, Telegram-based command and control, and payment data theft capabilities. It can filter traffic to avoid researchers, fingerprint victims, replace payment SDKs, trigger fake authentication prompts, and capture payment details, credentials, and one-time codes during a live session.

NCC Group said Kitana’s code shows signs consistent with AI-assisted development, including structured logic patterns and machine-oriented documentation. At the same time, the platform reportedly contains basic security mistakes such as hardcoded credentials and exposed API keys.

The result is a warning for defenders: AI is helping attackers build more capable fraud infrastructure faster, even when the operators behind it lack mature engineering discipline.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, is listed in the report as leading the company’s monthly threat intelligence highlights webinar, which covers “a clear breakdown of the latest report findings,” “key trends across regions and sectors,” “emerging threat actors to watch,” and “the most impactful active cyber threats right now.”

For security teams, the takeaway is stark. Ransomware can no longer be treated as purely criminal. Fraud platforms are becoming more interactive and scalable. Geopolitical conflict is shaping target selection. And AI is lowering the barrier to building cybercrime tools that look increasingly like professional software.