Closed · Low impact · AI Generated

Iranian Hackers Breach Los Angeles Transit System, Data Stolen

Occurred 16 Mar 2026 · Detected 26 May 2026 · Ended 28 May 2026
🇺🇸 Los Angeles, California, USA; secondary incidents in South Florida and Turkey · 3 reports
Cyber · Political Violence & War · Property · Terrorism & Political Violence

Israeli cybersecurity firm Jambit Security has linked Iranian state-sponsored hackers (via group 'Ababeel Minab') to a March 2026 breach of the Los Angeles Metropolitan Transportation Authority, resulting in theft of at least 700GB of data and partial network shutdown. The same group has claimed attacks on South Florida's Tri-Rail commuter system and vehicle-tracking firm Vynx, with additional targets including an insurance brokerage in Turkey. No credible insured loss estimate is provided and no confirmed physical damage or claims action is referenced in the source.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Low impact. While the breach of LA Metro and other named entities by Iranian state-sponsored hackers is operationally significant, the source provides no insured loss estimate, no confirmed cyber insurance claims, no evidence of physical damage to commercial infrastructure, and no named insurer or reinsurer response. The mention of a Turkish insurance brokerage as a target is noted but no loss pathway for that entity is described. This remains a watch-list item for cyber underwriters pending claims or loss quantification.

How we grade what we know: Known · Reported · Uncertain.

Intelligence ledger

Known (6 lines)

  • Iranian-linked group 'Ababeel Minab' breached LA Metro in March 2026, confirmed by Israeli firm Jambit Security
  • At least 700GB of emails, backups, and files were stolen from LA Metro
  • The breach forced shutdown of parts of LA Metro's network
  • Tri-Rail (South Florida) and Vynx vehicle-tracking firm also confirmed breaches
  • FBI is engaged and coordinating on the incidents
  • An insurance brokerage in Turkey was among named additional targets

Reported (4 lines)

  • Jambit Security's forensic evidence links the server holding stolen data to a previously known Iranian hacking operation
  • Iranian hackers have been conducting a sustained series of cyber operations since the US-Israel war on Iran began in late February 2026
  • Ababeel group also reportedly targeted a media outlet and educational institution in Israel
  • Iranian hackers reportedly tampered remotely with fuel gauges at gas stations (per CNN)

Uncertain (5 lines)

  • Attribution to Iranian state has not been officially confirmed by US government
  • Full scope of data compromised at Tri-Rail and Vynx is unknown
  • Identity of the Turkish insurance brokerage targeted is not disclosed
  • No insured loss quantum or claims action has been reported
  • Whether any cyber insurance policies have been triggered is unknown

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas
    Rule-based · Confidence 100%
  • Caribbean Hurricane Zone
    Rule-based · Confidence 100%
  • Pacific Ring of Fire
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇦🇺 Australia · 🇧🇷 Brazil · 🇮🇱 Israel · 🇮🇷 Iran · 🇸🇦 Saudi Arabia · 🇹🇷 Turkey · 🇺🇸 United States

Timeline

Closure · 2 Jun 2026, 13:05

Event Closed

auto_closed_monitoring_timeout

Status Change · 2 Jun 2026, 13:05

Lifecycle changed

monitoring → closed

Status Change · 28 May 2026, 03:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active → monitoring

Status Change · 27 May 2026, 20:54

Status changed to active

Auto-promoted: 3+ sources

developing → active

Corroboration · 27 May 2026, 20:54

Iranian state-linked hackers attributed to the Ababil of Minab group breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, stealing 700GB of emails, backups and files. The attack disrupted arrival screens and transit card top-up systems but did not halt train or bus operations. The same group has claimed attacks on Tri-Rail, a vehicle tracking company, and a Saudi infrastructure firm, with an insurance brokerage in Turkey also reportedly among victims.

Source: r/LAMetro (Social / Community)

Status Change · 27 May 2026, 13:38

Status changed to developing

Auto-promoted: multiple sources

signal → developing

Corroboration · 27 May 2026, 13:38

Researchers at Gambit Security have attributed a hack of the Los Angeles transit system to a group with ties to Iran's Ministry of Intelligence (MOIS), despite the group presenting itself as an independent hacktivist collective. The incident represents a state-sponsored cyber operation against US critical infrastructure. While the attack is confirmed, no loss estimates, operational disruption details, or insured asset damage have been reported in the source.

Source: The Record (Cyber) (Trade Media)

Initial Detection · 26 May 2026, 14:24

Initial Detection

Israeli cybersecurity firm Jambit Security has linked Iranian state-sponsored hackers (via group 'Ababeel Minab') to a March 2026 breach of the Los Angeles Metropolitan Transportation Authority, resulting in theft of at least 700GB of data and partial network shutdown. The same group has claimed attacks on South Florida's Tri-Rail commuter system and vehicle-tracking firm Vynx, with additional targets including an insurance brokerage in Turkey. No credible insured loss estimate is provided and no confirmed physical damage or claims action is referenced in the source.

Sela explained that the attacks included the targeting of a media organization and an educational institution in Israel, and an insurance brokerage in Turkey.

Source: Asharq Al-Awsat (Arabic) (Mainstream Media)
