databreaches.net 4/30/2026, 11:12:39 PM · via preferred

“to recover your files, kindly send 0.1 BTC to…” ransom note appears on websites

Developing story vulnerability 8 articles tracked
Critical cPanel authentication bypass (CVE-2026-41940) exploited worldwide
CyberSIXT Evidence Panel
CISA KEV Listed in KEV
Patch Patch Available

A ransom note demanding 0.1 BTC appeared on Naturalsciences[.]org, with the site briefly down for construction and later returning online. The attack is described as linked to the CPanel/WHM vulnerability identified as CVE-2026-41940, though not all victims managed their own CPanel, and a Reddit thread is cited as illustrating this. Some X[.]com posters warned victims not to pay, and there is no evidence that anyone who paid recovered their data; the article notes it is unclear how many people paid in total.

The ransom note includes a Bitcoin wallet address bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2 and a tweet handle ty15b6TOTuBuzUhfypJeagHl4e2sAs26, while a wallet balance of $81.92 was observed at the time of checking. BleepingComputer is cited as having reported that cPanel published a security bulletin with updates and that administrators should run the command /scripts/upcp –force to install safe versions. According to BleepingComputer, the bulletin lists several product versions and the update guidance.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline