Cyberattack on OnSolve CodeRED cripples emergency alerts nationwide: user data stolen

26.11.2025 2 minutes Author: Newsman

Cybercriminals have attacked the OnSolve CodeRED emergency alert system used by police, fire departments, and local governments across the US, stealing personal data and compromising passwords. The attack was claimed by the INC Ransom gang, which is now selling the stolen information.

The CodeRED emergency notification platform, used by dozens of American counties and cities, has been hit by a major cyberattack. As a result, attackers stole names, addresses, emails, phone numbers, and even clear-text passwords.

Crisis24 confirmed that the legacy CodeRED environment had to be fully decommissioned, causing disruptions to emergency alerts, weather warnings, and other critical notification systems.

Although Crisis24 claims the incident was contained to CodeRED, the company confirmed a data breach occurred. Because the attack damaged the system, CodeRED is being rebuilt from backups — the most recent of which is from March 31, 2025, meaning many newer accounts and data have been lost.

According to BleepingComputer, the INC Ransom gang has taken responsibility for the attack and posted screenshots that include clear-text passwords, a severe security lapse. The gang claims it infiltrated CodeRED on November 1st and encrypted files on November 10th, demanding ransom. After Crisis24 refused to pay, the attackers announced they were selling the stolen data. INC Ransom has previously targeted numerous organizations worldwide, including NHS Scotland, Yamaha Motor Philippines, Ahold Delhaize, Xerox XBS, and others. The FBI is investigating the incident, although its director stated there is no operational impact to banking services or critical infrastructure.

The attack on CodeRED highlights the growing threat of supply-chain compromises, where one vulnerable vendor can expose hundreds of dependent organizations. The presence of clear-text passwords makes the breach even more severe, especially for users who reused passwords across services.

This incident underscores the fragile state of US critical infrastructure and the increasing focus of ransomware groups on systems supporting public-sector operations.
