Recently, the online news outlet WebProNews published a story on a supposed cyberattack against Black Knight, a major mortgage-technology provider. The article framed it as a live incident crippling the U.S. mortgage pipeline, complete with major lenders scrambling and regulators circling. Then, without explanation, the story vanished from the site, leaving only broken links and unanswered questions.
There was a real incident in the same corner of the mortgage market, but the victim named in this story was not it. The sector was dealing with a genuine breach at a different mortgage vendor, and Black Knight appears to have been dragged in by name only.
While I was writing this, I also saw mortgage journalist James Kleimann at The Mortgage Scoop cover the same WebProNews episode from a different angle. Where I was reconstructing the story based on OSINT signals and what was publicly visible, he did the obvious thing: called ICE/Black Knight and was told directly that the report was false. My theory about what went wrong and his confirmation from the source pointed to the same conclusion: this was a bad incident story that never should have run.
My best guess about what happened is straightforward, and the mistake was avoidable. In a since-removed Reddit thread in r/worldnews, a user floated a theory about a large mortgage vendor being compromised, using Black Knight as shorthand for the kind of player that could cause serious trouble if it were hit. At the same time, there was already a confirmed, well-covered breach at another provider. It’s easy to imagine WebProNews treating the Reddit speculation and the real breach as descriptions of the same event, stitching them together, and publishing a confident “Black Knight cyberattack” story that was never actually verified. Whether a human made an overconfident connection or an LLM workflow went awry and nobody stopped it, the result is the same for the outside reader.
In an interconnected CTI news ecosystem, that’s exactly how bad information spreads. One speculative thread becomes one overconfident article; other cyber blogs and OSINT feeds start echoing it as “reports” or “multiple sources,” and suddenly a misattributed incident is showing up on dashboards and in threat briefings as if it were established fact. Nobody has to intend to lie; they just fail to distinguish between raw signals and confirmed events.
This isn’t just a WebProNews problem. Look at how the recent Lynx ransomware claim against DeKalb County has been handled. On its leak site, Lynx explicitly lists dekalbcountyga.gov and describes DeKalb County as a Georgia government entity, and most breach trackers simply repeat that wording as fact. At almost the same time, DeKalb County, Indiana issued a public “cyber incident” notice saying an attack had knocked out workstation logins. The notice did not name a threat actor, but it described all the signs of a ransomware event. Georgia’s DeKalb County, by contrast, has not publicly acknowledged any incident tied to the Lynx claim. It’s tempting to treat these as two separate events, but I think it’s more likely that a non-U.S. group simply Googled “DeKalb County,” grabbed the more prominent Georgia result, and went with it. All of this is to say that educated speculation is fine, and expected, in CTI, but if you’re going to be wrong, you want to be wrong in a way that was probable, transparent, and clearly labeled as a hypothesis rather than a fact.
It’s worth saying that we spotted the WebProNews report almost immediately. Fresh incident claims from news outlets are the low-hanging fruit in our OSINT process. Right now you can see the default state of CTI noise in the CodeRED/Crisis24 situation: dozens of county-level alerts and local TV hits all describing the same vendor incident in slightly different ways. At first glance, it’s hard to tell what actually happened, which environment was hit, and whether each jurisdiction was truly breached or “CodeRED by Crisis24” itself was the target. We see plenty of echoes of past events and a fair amount of speculation around outages that aren’t clearly cyberattacks. We’ve even seen an organization insist it was the victim of a targeted operation when the root cause was almost certainly a vulnerable WordPress plugin exploited in an opportunistic attack. But we’ve rarely seen a publication flatly assert that an organization was under active attack when it so clearly was not.
For DysruptionHub, this is the cautionary tale. When we see an unverified “incident” from a CTI publisher or threat group, rather than from a local outlet, a regulator, or the organization itself, our default is to stop and pull the thread: Where did this claim actually start? Is it just a theory attached to the wrong logo? Is it really a new attack, or a mislabeled version of a known breach? Has the named organization said anything itself, and if not, can we ask it directly, as Kleimann did? In messy situations like CodeRED, where the same vendor bulletin ripples through dozens of local stories, this is not easy work, but it is imperative to be conservative about which organization we say was actually attacked. Until those questions have solid answers, we treat CTI stories as leads to investigate, not headlines to repeat. That extra pause is the difference between adding clarity to the cyber landscape and accidentally amplifying the next Black Knight that never was.
For WebProNews, the damage to credibility is done. The story may be gone from their site, but people saw it, screenshotted it, and talked about it. The better lesson for the rest of us is to make sure we never put ourselves in the position of having to quietly pull a story like that.