- There were multiple disruptions in the services of the Health Insurance Fund and in the digital signature process. An Estonian company lost €1.6 million due to invoice fraud.
- We published a blog post reviewing Anthropic's new model, Claude Mythos. We invite startups to apply for the new round of the Cyber Accelerator. We released a new version of the cyber test.
- The financial platform Drift confirmed that $280 million was stolen from its platform during a cyber incident. The Ukrainian CERT published a report on cyber attacks that took place in Ukraine in the second half of 2025. Sweden has accused a Russian hacker group of attempting to attack its energy infrastructure.
Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.
Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.
Situation in Estonian cyberspace
On two occasions, the website of the e-Business Register was unavailable. On 7 April, between 7.16 and 8.41 a.m., and on 10 April, between 3.08 and 5.58 a.m., the website ariregister.rik.ee was inaccessible. In the first case, the issue was caused by the database running slowly; in the second, by an expired certificate.
There were multiple disruptions in the services of the Health Insurance Fund. On 1 April, between 2.30 and 3.00 p.m., disruptions occurred in the services of the Health Insurance Fund. For half an hour, it was not possible to issue prescriptions or to sell medicines or provide services based on previously issued prescriptions. The outage was caused by a software error, which was resolved by restarting the systems. On 16 April, between 1.15 and 1.43 p.m., and on 17 April, between 11.10 and 11.40 a.m., it was not possible to use the following services of the Health Insurance Fund: digital prescriptions, insurance verification, and benefits for incapacity for work. The disruptions were caused by a failure in the platform of an external service provider.
There were a couple of interruptions in the operation of the digital signature process. On 17 April, between 1.54 and 3.25 p.m., it was not possible to provide digital signatures in the DigiDoc4 application using any eID method – Smart-ID, ID card, or Mobile-ID. Users were shown the error message: ‘Check your internet connection’. Furthermore, checking for updates in the DigiDoc4 application was not possible. The outage was caused by a configuration error. On 26 April, between 9.01 and 11.36 p.m., there were disruptions in the operation of the state’s Signature Gateway service (SiGa). The impact was likely broader, but it is known that ambulance crews were unable to sign documents as a result. The disruptions were caused by an error that occurred during certificate renewal.
The Central Criminal Police identified more than 1,600 young people in Estonia who used an online platform to order cyber attacks against targets such as school websites, eKool, and Stuudium. Thirteen individuals, including several underage school students, are facing criminal charges. The police will also send a warning email to all Estonian users registered on the platform to encourage lawful behaviour and raise awareness about the consequences of ordering denial-of-service attacks.
In April, an Estonian company lost €1.6 million due to invoice fraud. According to available information, the company received an email appearing to be from a business partner, requesting that future invoices be paid to a different bank account. The fraudsters created the impression that the message came from the representatives of the partner, but in reality, it originated from a fraudulent account. We covered invoice fraud schemes in more detail on the RIA blog and recommend reviewing the guidance on how to avoid falling victim to invoice fraud.
A phishing email campaign purporting to be from LHV has once again been circulating widely. The email claimed that the banking credentials of the user were about to expire and urged them to update their details in time. It warned that failure to do so would result in restricted access to internet banking. The message included a link directing users to a phishing site. Unfortunately, we again received multiple reports of Estonian residents falling victim to this scam and losing thousands of euros.
Activities of the Estonian Information System Authority
The 2026 version of the cyber test was released at the beginning of April. As before, the cyber test consists of two parts: a training on cyber hygiene and a practical test. In the course, we cover all of the most important topics related to cyber hygiene – password security, the spreading of malware, recognising phishing emails, secure remote working, using social media and artificial intelligence, and much more. The cyber test is free of charge for anyone who wants to take it, and you can find out more about it on the RIA website.
On 16 April, another RIA CyberMeetUp event took place. On this occasion, presentations were given by Priit Turk from the Ministry of Foreign Affairs and Ago Ambur from Glazer Technologies, who discussed the cyber and digital diplomacy of Estonia as well as how to use AI agents efficiently and securely. In addition, a short presentation session was held, where graduates of the latest round of the RIA Cyber Accelerator introduced themselves. Recordings of the event can be viewed on YouTube. The next RIA CyberMeetUp will take place on 21 May.
We also published a summary on the RIA blog of a study examining whether AI agent-based systems can be manipulated. The post highlights some of the most interesting cases from the research that users may encounter when interacting with chatbots or other AI solutions. Read more on the RIA blog.
We published an overview of the new model of the US-based AI company Anthropic – Claude Mythos. As there are many differing opinions about the capabilities of the new model – ranging from claims that it is merely a PR stunt to expectations of fundamental changes in cyber security – we compiled an overview to map the available public information and distinguish facts from assessments. Read the post on our blog.
In April, we identified several phishing attacks targeting the cryptocurrency wallets of users. In particular, schemes targeting MetaMask and Ledger users were widespread. In both cases, users first received a phishing email directing them to a fake website where they were asked to enter their credentials. Read more about these phishing scams on our blog and learn how to protect yourself.
We also published a blog post explaining a security vulnerability found in the DigiDoc application and how it was resolved. In August 2025, experts from Cybernetica identified a vulnerability in DigiDoc applications related to digital signature validation, which was linked to an underlying software library. We fixed the vulnerability as soon as possible and made the update available to end users. Read more on our blog.
We invite applications for the new round of the Cyber Accelerator from startups operating in the field of cyber security that are focused on combating cyber fraud and developing research-based solutions. Teams chosen for the accelerator will get financial support in the amount of up to 60,000 euros to develop their product or service. Throughout the programme, teams are provided support in product development, market validation, and building business capabilities, as well as in preparing to raise seed capital. The Cyber Accelerator is being held in collaboration between Tehnopol and RIA for the fourth time. For further information, visit the website startupincubator.ee/en/cyberaccelerator/. You can also listen to the podcast Kriitiline Intsident (Critical Incident), in which Lauri Tankler, Head of the R&D Coordination Department at RIA, discusses the Cyber Accelerator.
International situation
Financial platform Drift confirmed that $280 million was stolen during a cyber incident that took place on 1 April. The attack was a multi-week cyber operation, during which the attackers managed, among other things, to bypass transaction limits imposed on the platform. According to blockchain analytics company Elliptic, the attack is attributed to North Korean hackers, and in the first months of this year alone, North Korean groups have already stolen more than $300 million.
The Ukrainian CERT published a report on cyber attacks that took place in Ukraine in the second half of 2025. According to the report, Russian threat actors actively leveraged previously compromised systems to regain access to networks. The objective of repeated attacks is to escalate privileges where possible, conduct cyber espionage, and prepare for further operations. Attackers are focused on establishing and maintaining long-term access. They are also investing more effort in manipulating targets: phishing emails are increasingly preceded by phone and video calls to build trust and improve the effectiveness of the attacks. In this way, Ukrainian government officials and members of the armed forces have been particularly targeted.
The FBI, NSA, and 15 international partners, including Estonia, issued a warning on 7 April about a cyber operation conducted by Russian military intelligence (GRU), in which thousands of routers worldwide have been compromised since 2024. The attackers modified router DNS settings to redirect the internet traffic of users, enabling the theft of passwords and login credentials, even when the connection appeared to be encrypted. Users are advised to update router firmware, change default passwords, and disable remote management interfaces exposed to the internet.
The Minister for Civil Defence of Sweden, Carl-Oskar Bohlin, stated that pro-Russian hacker activity has become more aggressive. Several groups that previously focused on denial-of-service attacks are now attempting to carry out more serious cyber attacks in Europe. According to the minister, in April 2025, a group linked to Russian intelligence services attempted to disrupt a district heating plant in western Sweden through a cyber attack, but the attempt failed. Similar cases have reportedly occurred in Norway and Denmark. In the assessment of the minister, this reflects the recklessness of the attackers and increased risk tolerance, which could potentially lead to attacks causing significant societal disruption.
Cyber security authorities from the United States, United Kingdom, Germany, Japan, the Netherlands, Sweden, and 10 additional countries issued a joint warning that threat actors linked to China are using global botnets to carry out data theft, service disruptions, and other cyber attacks. These botnets are built from compromised routers and other Internet of Things (IoT) devices, and several such networks are reportedly operated by Chinese information security companies. The warning includes recommendations for organisations on how to better protect their edge devices against compromise.
The Dutch cosmetics company Rituals announced that customer data from its MyRituals loyalty program database was leaked at the beginning of the month. The leaked data included the names, addresses, phone numbers, email addresses, and dates of birth of customers. The MyRituals program has more than 40 million members, but the company has not disclosed how many customers were affected by the breach. The company operates stores in nearly thirty countries.
Last updated: 07.05.2026