How a Data Theft Extortion Campaign is Gaining Access to Law Firm Data
Plus, law firm Weil Gotshal reportedly paid up to $20 million after hackers stole client data.

Good morning! Here’s what’s up.

People
Jake Bernstein has joined global law firm K&L Gates to serve as global AI and innovation partner. In this newly created role, Bernstein leads the firm’s global AI strategy, governance, and innovation operations.
George Chaisty has joined the international Incident Response practice of law firm Mullen Coughlin as senior partner in London.

Clips ✂️
UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign
Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026.
The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).
"UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments," researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said.
"Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities."
Upon gaining access, the threat actors have been found to either carry out direct searches to locate and exfiltrate files of interest or deceive the victim into carrying out the actions on their behalf. Stolen information includes proprietary legal agreements, personally identifiable information (PII), and financial records.
👉UNC3753 is the same threat actor that targeted law firms Weil Gotshal and Jones Day, mentioned below.
Weil reportedly pays up to $20 million after hackers steal client data
US firm Weil Gotshal is the latest law firm to fall victim to a cyber attack after it was reportedly forced to pay a ransom in the double-digit millions to prevent the publication of confidential client data.
According to The Insurer (£), Weil paid between $18 and $20 million (£13 and £15 million) to cyber extortion group Luna Moth, who threatened to publish stolen confidential client data to an external cloud storage site.
Whilst Weil has not commented on whether it coughed up the cash, the report claims it paid the amount within three days of the demand.
In a statement, a firm spokesperson said, “Weil, Gotshal & Manges LLP recently responded to a cyber incident involving a threat actor and the unauthorized uploading of a limited number of client documents to an external cloud storage site. Upon discovering the incident, we immediately activated our response protocols, took preventative containment measures, and launched an investigation with the support of third-party cybersecurity professionals. We also notified law enforcement.”
👉Law firms have become increasingly targeted by cyberattacks. In April, law firm Jones Day fell victim to a cyber phishing attack by the Silent Ransom Group, which successfully accessed the data of 10 clients and posted that data online, Reuters reported.
The Wiley Rein Data Breach Lawsuit: Yet Another Cybersecurity Wake-Up Call
Wiley Rein, one of Washington’s most prominent Am Law 200 firms, has now been sued for damages from a data breach. And it illustrates exactly what I and others have been warning about.
We have frequently written about the dangers of data breach and the lack of cybersecurity concerns among many law firms. Law firm management often doesn’t understand cybersecurity threats, thinks it won’t happen to them, leaves it entirely in the hands of IT and believes the cybersecurity insurance policy the firm has will protect them. They fail to see or don’t want to see the risks that can be significant to the very lifeblood of the firm.
But now add to already existing risks the fact that a breach might just get the law firm sued, compounding existing harms exponentially.
…
The suit was filed in federal District Court for the District of Columbia. It alleges the sensitive material was obtained by hackers and then sold on the dark web.
Trump's top AI advisor leaving the White House
A tech investor who shaped the Trump administration’s pro-industry artificial intelligence policies will depart the White House at the end of the month.
Sriram Krishnan has informed administration officials that he plans to leave his post as the White House senior policy adviser for AI to start an outside institution that will influence technology policy, according to a person familiar with his plans, who spoke on the condition of anonymity to describe the private discussions. Planning for the new initiative is in nascent stages, but it is intended to allow the tech leader to continue to play an active role in the Trump administration’s response to the development of AI.
Krishnan was an architect of the administration’s “AI Action Plan,” which provided a blueprint to roll back regulation of the emerging technology and promote the build-out of data centers across the country. He also was among Trump’s tech advisers who crafted an executive order limiting states’ ability to regulate AI.
Research says Phishing overtakes Dark Web as primary source of stolen Personal Information
For years, the Dark Web has been regarded as the primary marketplace for stolen personal and corporate information. Cybercriminals frequently relied on underground forums and marketplaces to buy and sell sensitive data obtained from previous breaches. However, recent findings suggest that the cybercrime landscape is undergoing a significant shift.
According to the 2026 Enterprise Social Engineering Report compiled by Optery, phishing and other social engineering techniques have now emerged as the leading methods used by hackers to obtain valuable information, pushing the Dark Web into a secondary role.
The report, which gathered insights from more than 420 cybersecurity leaders across various industries, highlights growing concerns about the security of employee information. Surprisingly, only 4 percent of respondents expressed confidence that their employees’ personal data—including phone numbers, residential addresses, and details about family members—was adequately protected from cybercriminals.
On 20 January 2026, the European Commission published a proposal on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (the “Cybersecurity Act 2.0.” or “CSA 2.0.”).
The proposal goes beyond the remit of cybersecurity as traditionally conceived under EU law. It would have important consequences for 18 critical sectors and their ICT suppliers, with broad implications for international trade and the EU’s relationships with key trading partners. This is the first time the EU is using a mandatory instrument to impose trade restrictions, grounded in geopolitical and national security concerns, affecting critical sectors’ ICT supply chains.
…
This article explores the “non-technical” aspects of the proposal and how these measures may affect companies operating in the 18 critical sectors and their suppliers.
