Global Phishing Campaign Steals Thousands of Credentials from Critical Sectors
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON — A sophisticated, years-long phishing campaign known as Operation HookedWing has compromised more than 2,000 user credentials from over 500 organizations worldwide, targeting critical infrastructure, government agencies, and major corporations across multiple sectors.
The operation, which has been active for several years, has successfully infiltrated entities in the aviation, travel, energy, financial, and technology industries. Security researchers identified the campaign on May 11, 2026, revealing the extent of the breach across public administration and logistics networks.
The threat actor behind Operation HookedWing employed targeted phishing emails designed to mimic legitimate communications from trusted partners and service providers. These messages contained malicious links that directed victims to counterfeit login pages, where users unknowingly entered their credentials. The stolen data includes administrative access keys and high-level executive accounts, providing attackers with significant leverage within compromised networks.
The campaign’s scope indicates a deliberate focus on organizations with high geopolitical relevance. Affected sectors include energy utilities, transportation hubs, and government bodies, suggesting the stolen credentials may be used to gather intelligence or prepare for future disruptive activities. The breadth of the operation spans continents, with victims reported in North America, Europe, and Asia.
Security experts note that the sophistication of the phishing materials suggests state-sponsored capabilities or a well-funded criminal enterprise. The attackers utilized advanced social engineering techniques, tailoring messages to specific industries and roles to increase success rates. Unlike opportunistic phishing, Operation HookedWing demonstrates persistent targeting of high-value assets.
The stolen credentials are believed to be sold on dark web marketplaces or retained for use by other adversaries. This secondary distribution poses ongoing risks, as compromised accounts may be used for unauthorized access, data exfiltration, or as entry points for ransomware attacks. Organizations are advised to audit access logs and enforce multi-factor authentication immediately.
No specific attribution has been made to a nation-state or criminal group, though the operational style aligns with known advanced persistent threat actors. The lack of public claims by the perpetrators leaves questions about their ultimate objectives. Whether the campaign aims to disrupt critical services, steal intellectual property, or establish long-term access remains unclear.
Cybersecurity firms are working with affected organizations to contain the breach and mitigate further damage. The incident underscores the evolving threat landscape, where phishing remains a primary vector for large-scale compromises. As investigations continue, the full impact of Operation HookedWing may take months to fully assess, particularly regarding potential downstream attacks enabled by the stolen credentials.