More than six years ago, Bulgaria informed the U.S. authorities that it wanted to shut down the country’s largest torrent trackers, including ArenaBG, Zamunda, and Zelka.

Specifically, the country asked the U.S. authorities for help. That help eventually arrived in January this year, when the domain names of these torrent trackers were effectively seized.

The multinational effort involved Bulgarian authorities and law enforcement, as well as their American counterparts. This included the U.S. Department of Justice, Homeland Security Investigations, and National IPR Coordination Center, which were all featured on the seizure banner that’s still online today.

Multi-Decade Crackdown

The crackdown did not come as a surprise. Rightsholders have complained about the Bulgarian torrent trackers for many years, and the local authorities have also tried to address these issues for nearly two decades.

As far back as 2010, Yavor Kolev, the head of Bulgaria’s Computer Crimes Department, said that his organization was intent on shutting down Zamunda and ArenaBG. At the time, police investigations into these trackers had already been ongoing for years.

While the authorities managed to shut down some pirate sites over the years, these major targets survived. In fact, Zamunda had grown to become the 11th most visited site at the start of 2026, until its main domain was seized in January.

U.S. Piracy Watch List

Bulgaria’s challenge to address the local piracy problems motivated the USTR to add the country to the Special 301 Report. This annual overview is meant to urge foreign governments to improve policy and legislation in favor of U.S. copyright holders.

In 2025, for example, Bulgaria was put on the “Watch List” with USTR stating that the country “continues to be a safe haven for online piracy.”

There was change afoot, however, as the country enacted new legislation in 2023 that would make it easier to investigate and prosecute piracy cases. While that had not been used until recently, it provided the basis for the crackdown that took place in January.

Bulgaria Removed from Watch List

The implementation of the new legislation and the subsequent torrent tracker crackdown worked. The latest version of the USTR Special 301 Report specifically states that Bulgaria was removed because of the progress it has made. This relates to the shutdowns and associated prosecutions, which remain ongoing.

“Bulgaria is removed from the Watch List this year due to significant enforcement actions and progress in criminal prosecutions during the past year,” USTR writes.

USTR specifically references Article 172a of the updated criminal code, which allows for the criminal prosecution of people who “create conditions” for online piracy through the “development and maintenance” of torrent trackers and other platforms. This law was used as the basis for the January crackdown, which led to the arrest of several individuals.

“In January 2026, Bulgarian law enforcement seized the five most popular Bulgarian piracy domains, executed search and seizure warrants at 30 locations, and arrested several individuals, some of whom have been charged under Article 172a discussed above,” the report reads.

According to local reports, the operation targeted 44 websites, not just the three mentioned trackers. By February, three of the four detained individuals had been formally charged.

While Bulgaria must be happy with this development, the country was previously removed from the watchlist in 2007 and 2018, just to be readded over new concerns within a few years. Time will tell whether this year’s removal will last.

More Removals and Additions

Bulgaria isn’t the only country to see its status change in this year’s Special 301 Report. Argentina and Mexico are both moved from the Priority Watch List to the lower-tier Watch List.

Argentina is credited for its February 2026 agreement with U.S. authorities, where the country promised to address site-blocking, ISP liability, and online enforcement. Mexico’s lowered risk is tied to draft amendments to the Federal Copyright Law and Federal Criminal Code, which would clarify ISP secondary liability and remove the “direct economic benefit” requirement, which was a roadblock for criminal piracy prosecutions.

The European Union, meanwhile, was added to the Watch List for the first time as a bloc since 2006. USTR cites a wide variety of concerns, including parts of the Digital Services Act, which rightsholders believe may impact their rights. The newly applicable AI Act is also flagged for monitoring.

The most notable change related to Vietnam, however, which was the first country in thirteen years to be designated as a Priority Foreign Country. According to the USTR, the country’s failure to take action against copyright infringers has turned it into a safe haven for pirate site operators.

—

A copy of the U.S. Trade Representative’s 2026 Special 301 Report is available here (pdf).

From: TF, for the latest news on copyright battles, piracy and more.

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.

Canvas parent firm Instructure [NYSE:INST] responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students.

Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwords, dates of birth, government identifiers or financial information.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform. “At this stage, we believe the incident has been contained,” Instructure wrote.

However, by mid-day on Thursday, May 7, students and faculty at dozens of schools and universities were flooding social media sites with comments saying that a ransom demand from ShinyHunters had replaced the usual Canvas login page. Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance. Check back soon.”

“We anticipate being up soon, and will provide updates as soon as possible,” reads the current message on Instructure’s status page.

While the data stolen by ShinyHunters may or may not contain particularly sensitive information (ShinyHunters claims it includes several billion private messages among students and teachers, as well as names, phone numbers and email addresses), this attack could hardly have come at a worse time for Instructure: Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.

The extortion message that greeted countless Canvas users today advised the affected schools to negotiate their own ransom payments to prevent the publication of their data — regardless of whether Instructure decides to pay.

“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well. Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Dipan Mann, founder and CEO of the security firm Cloudskope, slammed Instructure for referring to today’s outage as a “scheduled maintenance” event on its status page. Mann said Shiny Hunters first demonstrated they’d breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the following day that the incident had been contained. But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.

In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.

“Penn was the named victim,” Mann wrote. “Instructure was the mechanism. The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”

In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn failed to pay a $1 million ransom demand. On March 5, ShinyHunters published 461 megabytes worth of data stolen from Penn, including thousands of files such as donor records and internal memos.

ShinyHunters is a prolific and fluid cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single sign-on account in a voice phishing attack that enabled access to ADT’s Salesforce instance. BleepingComputer says ShinyHunters recently has taken credit for a number of extortion attacks against high-profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7-Eleven and the cruise line operator Carnival.

The attack on Canvas customers is just one of several major cybercrime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting. Carmakal declined to comment specifically on the Canvas breach, but said “there are multiple concurrent and discreet ShinyHunters intrusion and extortion campaigns happening right now.”

Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K-12 districts, and education ministries paying for Canvas — choose to apply pressure or absorb the breach quietly.

“The history of education-vendor incidents suggests the path of least resistance is the second one,” he concluded.

Before feeds, before algorithms, there was the Class of 1996: websites & organizations founded (or expanded) in 1996, like the Internet Archive.

On the occasion of the Internet Archive’s 30th anniversary, we’re opening the internet’s yearbook to celebrate the sites, services & scrappy experiments that helped shape the web as we know it. From class leaders like Center for Democracy and Technology to cultural icons like The Onion to the archivists making sure none of it disappears, this is a reunion worth attending.

Some are still thriving. Some have changed beyond recognition. Some are already gone. All of them remind us: the early web wasn’t just built, it was lived in.

THE MORE YOU KNOW: Did you know that some publishers are blocking the Wayback Machine from archiving their sites, putting decades of reporting and cultural history at risk of disappearing from the public record? If the web’s past matters — and the Class of 1996 reminds us that it does — now is the time to speak up. Add your name to the petition calling on publishers to stop blocking the Wayback Machine and help ensure the internet’s history remains accessible for future generations.

Class of 1996

Class President — Center for Democracy and Technology

The Center for Democracy and Technology didn’t just show up—they helped write the rules of the internet. And 30 years later, they’re still fighting to keep it open.

Go Wayback to 1996: https://web.archive.org/web/19961022174718/https://cdt.org/

Most Likely to Fix Your Computer — CNET

Before YouTube & TikTok tutorials, there was CNET, walking you through every crash, install & “have you tried turning it off and on again?”

Go Wayback to 1996: https://web.archive.org/web/19961221064020/http://www.cnet.com/

Best Dressed — eBay

eBay—Where the outfit and the backstory come with it. Vintage, rare, unforgettable…just like the early web.

Go Wayback to 1999: https://web.archive.org/web/19990117033159/http://pages.ebay.com/aw/index.html

Most Popular (Or Knows Who Is) — Alexa Internet

Before “trending,” there were rankings, and Alexa told us who ruled the web. (RIP to a real one.)

Go Wayback to 1997: https://web.archive.org/web/19970530104435/http://www.alexa.com/

Most Changed Since Freshman Year — Google

From a dorm room experiment to organizing the world’s information. Some people really did peak after high school.

Go Wayback to 1998: https://web.archive.org/web/19981111183552/http://google.stanford.edu/

Most Helpful — Ask Jeeves

Ask a question. Get an answer. Preferably in complete sentences. The internet had a butler once & he was awesome.

Go Wayback to 1996: https://web.archive.org/web/19961219064854/http://www.askjeeves.com/

Class Clown — The Onion

Making us laugh at the news online since 1996 & occasionally making it feel a little too real.

Go Wayback to 1996: https://web.archive.org/web/19961219015005/http://theonion.com/

Best Hair — Unofficial Spice Girls Fan Site

Before social media, fandom lived here: glitter text, tiled backgrounds & serious ‘Wannabe’ hair.

Go Wayback to 1996: https://web.archive.org/web/19961229144915/http://spicegirls.com/

Cutest Couple — World Wide Web Consortium & Cascading Style Sheets

Structure meets style. The web’s ultimate power couple & still going strong.

Go Wayback to 1996: https://web.archive.org/web/19961227091242/https://www.w3.org/

Most Athletic — 1996 Summer Olympics Website

One of the first times the whole world followed the games online. Faster, higher, more digital.

Go Wayback to 1996: https://web.archive.org/web/19961223003700/http://www.atlanta.olympic.org/

Most Talkative — ICQ & Hotmail

The beginning of being always reachable…for better or worse.

Go Wayback to 1997: https://web.archive.org/web/19971210072826/http://www.icq.com/

https://web.archive.org/web/19971210171246/http://hotmail.com

Most Likely to Save Everything — Internet Archive

Because the web isn’t forever, unless someone saves it.

Go Wayback to 1996: https://web.archive.org/web/19970126045828/http://www.archive.org/

Most Likely to LAN Party — Quake

Before Twitch streams there were cables, pizza & Quake. You had to be there (literally).

Go Wayback to 1996: https://web.archive.org/web/19961220085409/http://www.idsoftware.com/

Most Quotable — Salon

Smart, sharp & written to be shared.

Go Wayback to 1998: https://web.archive.org/web/19981212032509/http://www.salon1999.com/