One Click, 350,000 Victims: Inside the LockBit Ransomware Attack That Shook Europe

On the evening of December 7, 2023, an employee at a food industry company in southern France clicked a link in a phishing email. The URL read "mlcrosoft" — with a lowercase L replacing the I in Microsoft. Within hours, 350,000 organizations across France were paralyzed, over 1,200 accounting firms lost access to their tools, and healthcare facilities were cut off from critical patient data. The attacker was LockBit, and the target was Coaxis — a small IT hosting company in the rural Lot-et-Garonne region that nobody outside the industry had heard of. Until that night.

This story is now the subject of a documentary released in March 2026. Titled Don't Go to the Police, the 56-minute film was produced by Orange Cyberdefense and directed by Ludoc. It traces the Coaxis ransomware attack from its origins through to the global takedown of LockBit's infrastructure, interviewing 18 cybersecurity experts including FBI agents, NSA analysts, and investigators from the U.S. Treasury's Office of Foreign Assets Control (OFAC). The documentary premiered at the Grand Rex cinema in Paris and was screened at Insomni'hack 2026 in Switzerland before being made available for free online.

But the film is only the visible surface of a much larger crisis. Behind the Coaxis incident lies a year that saw Orange — one of the world's largest telecommunications companies — hammered by multiple cyberattacks across Romania, France, and Belgium. Behind all of it lies a ransomware economy that, according to Orange Cyberdefense's Security Navigator 2026 report, has tripled its victim count since 2020 and now operates on a fully industrialized, crime-as-a-service model. And behind the statistics lie difficult questions that the documentary does not answer: what should a small company do when facing a ransom demand? What does rebuilding from scratch cost in practice? And why is France's entire telecommunications sector being targeted with increasing frequency?

The Night Everything Changed at Coaxis

Coaxis is a managed IT services provider based in Lot-et-Garonne in southwest France. The company specializes in hosting and outsourcing IT infrastructure, primarily serving accounting firms, small businesses, and healthcare organizations. In the early hours of December 8, 2023, at approximately 5:00 a.m., the on-call team contacted CEO Joseph Veigas. Parts of the infrastructure had gone dark.

"At first we thought it was an outage. But very quickly, when I arrived on site, I understood it was a cyberattack. And then imagine our shock when we realized the attacker was LockBit, one of the most dangerous cybercriminal groups in the world." — Joseph Veigas, CEO of Coaxis, in an interview published by Orange

The scale of the damage quickly became apparent. This was not merely an attack on one company. Through Coaxis's interconnected hosting infrastructure, the LockBit ransomware rippled outward through a supply chain of clients and their customers, ultimately affecting an estimated 350,000 organizations. More than 1,200 accounting firms were abruptly disconnected from their software systems just weeks before Christmas — one of the busiest periods of the fiscal year. Healthcare facilities lost access to patient records. An employment agency in Toulon reported that it could no longer process payroll for its workers, leading to incidents of physical intimidation at its offices.

The attackers demanded a ransom of 10 million euros. Coaxis refused to pay.

Coaxis Attack Chain — December 7-8, 2023 (infographic; only the stage labels and caption are recoverable here)
Stage 1: Phishing link. Stage 2: Credential theft. Stage 3: Server mapping. Stage 4: Timed detonation. Stage 5: Mass encryption.
Reconstructed attack flow from the Coaxis LockBit incident. The attacker entered via a spoofed Microsoft login page sent to a Coaxis client employee, then mapped critical servers for six hours before triggering encryption at 4:32 a.m.

How a Phishing Link Became a Digital Bomb

The documentary Don't Go to the Police reconstructs the technical timeline with precision. On the evening of December 7, at 10:43 p.m., an intruder gained access to the Coaxis network using credentials stolen from a commercial employee at one of Coaxis's client companies — a firm in the food and agriculture sector. The stolen credentials were harvested through a phishing page hosted at a domain that substituted a lowercase L for the I in "microsoft." The visual difference between the two characters is nearly imperceptible in many fonts, making it an effective social engineering technique.
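The look-alike domain described above ("mlcrosoft" with a lowercase L standing in for the I) is the kind of thing a defender can screen for in mail logs, proxy logs or newly registered domain feeds. The following is an added example, not code from the article, from Orange Cyberdefense or from Coaxis: it reduces each domain label to a "skeleton" in which confusable characters coincide, and compares that skeleton against a list of protected brands. It also decodes punycode (xn--) labels so that non-Latin look-alikes are caught, and flags single-character typos as a weaker signal. The brand list, the confusable table and the sample domains are constructed for illustration and are not from the incident.

```python
"""
Added example (not from the article, Orange Cyberdefense or Coaxis): flag
domains that imitate a protected brand the way "mlcrosoft" imitated
"microsoft" in the Coaxis phishing lure. Brand list, confusable map and the
sample domains are constructed for illustration.
"""
import unicodedata

# Brands whose look-alikes we want to catch. Constructed list.
PROTECTED_BRANDS = ("microsoft", "orange", "coaxis")

# Characters that read alike in common fonts. Both the candidate label and the
# brand are reduced with the same table, so the canonical character chosen is
# arbitrary; only equality of the reduced forms matters.
SINGLE_CHAR = {
    "i": "l", "1": "l", "|": "l",                 # i, 1 and | resemble lowercase L
    "0": "o",                                     # digit zero vs letter o
    "\u043e": "o", "\u0430": "a", "\u0435": "e",  # Cyrillic o, a, e
    "\u0441": "c", "\u0440": "p", "\u0445": "x",  # Cyrillic c, p, x
    "\u0443": "y",                                # Cyrillic y
}
# Two-character sequences that read as one character.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def skeleton(label: str) -> str:
    """Reduce a label to a form in which confusable characters coincide."""
    text = unicodedata.normalize("NFKD", label).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for seq, rep in MULTI_CHAR:
        text = text.replace(seq, rep)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in text)


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into Unicode so it can be skeletonized."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return (verdict, brand) with verdict in exact / homoglyph / typosquat / none."""
    labels = [decode_label(lbl) for lbl in domain.lower().strip(".").split(".")]
    if len(labels) < 2:
        return ("none", None)
    sld = labels[-2]                      # registrable label; the TLD is ignored
    tokens = {sld, *sld.split("-")}       # hyphenated parts are checked on their own
    for brand in PROTECTED_BRANDS:        # brand string present as-is
        if brand in tokens:
            return ("exact", brand)
    for brand in PROTECTED_BRANDS:        # same skeleton: confusable substitution
        if skeleton(brand) in {skeleton(t) for t in tokens}:
            return ("homoglyph", brand)
    for brand in PROTECTED_BRANDS:        # one edit away: weaker typosquat signal
        target = skeleton(brand)
        if any(len(t) >= 6 and levenshtein(skeleton(t), target) == 1 for t in tokens):
            return ("typosquat", brand)
    return ("none", None)


if __name__ == "__main__":
    # Constructed sample domains; none of these is from the incident.
    for d in ("mlcrosoft.com", "rnicrosoft-login.net", "micr\u043esoft.com",
              "microsft.com", "0range.fr", "microsoft.com", "example.com"):
        print(f"{d:28} -> {classify(d)}")
```

An "exact" verdict covers both the legitimate domain and a brand name registered under a different TLD, so the caller still needs an allowlist of the brand's real domains; the function deliberately leaves that decision to the caller.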

Once inside the network, the attacker spent several hours mapping the environment. Critical servers were identified and prioritized. At 4:32 a.m. on December 8, the attacker set a timer and triggered the LockBit encryption payload. By the time Veigas received the call at 5:00 a.m., the ransomware had already locked down critical systems across Coaxis's data centers.

Note

Infostealer malware is frequently used as the initial entry vector in ransomware campaigns. According to LeMagIT's investigation, the threat intelligence platform Hudson Rock had identified six compromised Coaxis employee credentials and 73 compromised credentials belonging to Coaxis end-clients — all stolen by infostealer malware and distributed through Telegram channels. The Citrix Bleed vulnerability (CVE-2023-4966), which security platform Onyphe observed on Coaxis's exposed surface on December 6, was investigated but ultimately ruled out by Coaxis as the initial entry vector.

LockBit: The World's Most Prolific Ransomware Syndicate

Understanding the Coaxis attack requires understanding LockBit. The group first appeared on Russian-language cybercrime forums in January 2020 under the name ".abcd" — a reference to the file extension appended to encrypted files. By 2022, it had evolved into what a joint statement from the FBI, CISA, and international law enforcement agencies called the world's most prolific ransomware operation, responsible for an estimated 44% of all ransomware incidents globally that year.

LockBit operates as a ransomware-as-a-service (RaaS) platform. Core developers maintain the malware, the payment infrastructure, and the data leak sites. Affiliates — essentially freelance criminals — gain initial access to victim networks, conduct lateral movement, exfiltrate data, and deploy the ransomware. Affiliates and operators split the ransom payments. According to the U.S. Department of Justice, LockBit attacked more than 2,500 victims across at least 120 countries, with 1,800 of those in the United States alone. The group extracted at least $500 million in ransom payments and caused billions of dollars in collateral damage including lost revenue and recovery costs.

The group's target list reads like a catalog of critical infrastructure: Boeing, the UK's Royal Mail, the Port of Nagoya in Japan (which handles 10% of the country's trade), the U.S. subsidiary of China's Industrial and Commercial Bank, Taiwan Semiconductor Manufacturing Company (TSMC), and numerous hospitals, schools, and government agencies worldwide. LockBit was also behind a late 2023 attack on a children's hospital in Chicago — a decision that drew condemnation even within cybercriminal forums. The group deliberately avoids targeting Russian entities and allies, a pattern consistent with an implicit non-aggression pact between Russian-speaking cybercriminal operations and the Kremlin.

"A cyberattack is a violent act that affects our infrastructure, but it also affects us, our employees, our customers and our customers' employees. It took me eighteen months to get back to sleeping normally." — Joseph Veigas, CEO of Coaxis

The Decision Not to Pay — and What It Cost

Coaxis made the decision not to pay the 10 million euro ransom. Joseph Veigas acknowledged publicly that paying would have been cheaper in the short term. Instead, the company chose to rebuild its entire infrastructure from scratch, with the direct support of Orange Cyberdefense. Veigas described the Orange Cyberdefense team as working as if they were embedded Coaxis employees, providing technical guidance on every step of the reconstruction while ensuring no vulnerabilities were overlooked in the rush to restore service.

The recovery timeline was grueling. Between December 8 and December 16, the primary work involved forensic investigation, threat elimination, and rebuilding data center infrastructure — the invisible groundwork that had to be completed before any services could come back online. By December 28, approximately 80% of client connections had been restored. Veigas set a target of 95% restoration by New Year's Eve, with the remaining 5% handled during the first week of January 2024.

Critically, Coaxis confirmed that no customer data was exfiltrated during the attack. The cybercriminals did not achieve their primary objective of stealing data to use as leverage in double-extortion negotiations. The company's existing backup architecture and the speed of its response prevented the worst-case scenario.

The financial toll, however, was severe. Veigas described the total cost as running into several million dollars. That figure aligns with broader industry data. According to the 2025 NetDiligence Cyber Claims Study, which analyzed 10,402 insurance claims from incidents between 2020 and 2024, the average total incident cost for small and medium enterprises reached $264,000 — a 29% increase from the prior year. But SME claims that included a business interruption component averaged $1.4 million, roughly 650% higher than claims without one. For a managed service provider like Coaxis, where business interruption cascaded through an entire customer base, the costs would sit well above those averages. Ransomware incidents accounted for 81% of all claims with a business interruption component in that study.

"No one ever comes out of a cyber attack unscathed. Financially, it amounts to several million dollars and on a human scale it's so abrupt, so violent... You never fully come to terms with it." — Joseph Veigas, CEO of Coaxis

The decision not to pay is increasingly the recommended path, but it comes with a reality that rarely gets discussed in policy circles: the average ransomware recovery takes 24 days to reach full operational restoration, according to 2025 data from Total Assure's cost analysis. For Coaxis, it was roughly a month. During that month, clients could not run payroll, could not access financial records, and could not serve their own customers. The downstream economic damage — to the 350,000 organizations affected — is a figure that may never be calculated.

The International Manhunt and Operation Cronos

The Coaxis attack became one thread in a much larger international investigation. In February 2024, a coalition led by the UK's National Crime Agency (NCA), working alongside the FBI and Europol, launched Operation Cronos — a coordinated takedown of LockBit's infrastructure. Agents infiltrated the group's systems, seized servers and its data-leak blog, recovered approximately 2,500 decryption keys for victims, and gathered extensive intelligence on the group's affiliates and financial operations.

The operation also unmasked LockBit's alleged administrator, a Russian national named Dmitry Yuryevich Khoroshev, who operated under the alias "LockBitSupp." Khoroshev had publicly taunted law enforcement, boasting that they would never identify him. The U.S. State Department posted a reward of up to $10 million for information leading to his arrest or conviction. As of March 2026, Khoroshev remains at large, believed to be in Russia and beyond the reach of extradition.

Other members of the conspiracy have been caught. In August 2024, Israeli authorities arrested Rostislav Panev, a 51-year-old dual Russian-Israeli citizen, based on a U.S. provisional arrest request. Panev is alleged to have served as a core developer for LockBit from the group's inception in 2019 through at least February 2024. When Israeli agents searched his computer, they found administrator credentials for LockBit's dark web control panel and source code for multiple versions of the ransomware builder. Panev was extradited to the United States in March 2025, where he appeared before a federal court in Newark, New Jersey, facing 41 criminal counts including conspiracy to commit computer fraud and wire fraud.

According to the U.S. Department of Justice, Panev admitted to Israeli authorities that he had written code for LockBit, including functionality to disable antivirus software, deploy malware across connected networks, and print ransom notes on every printer connected to a victim's system. Court documents showed that between June 2022 and February 2024, Khoroshev transferred approximately $230,000 in laundered cryptocurrency to Panev at a rate of roughly $10,000 per month. Seven LockBit members have now been charged in the District of New Jersey, with three arrested and the others still at large.

LockBit After the Takedown: Fragmentation, Not Extinction

Operation Cronos dealt a significant blow to LockBit, but it did not end the group. Within days of the February 2024 takedown, LockBit operators launched attacks from different servers using updated encryptors. A new variant derived from LockBit 3.0 appeared in April 2024, incorporating self-spreading capabilities. The group's resilience illustrates a broader reality about ransomware enforcement: taking down infrastructure is necessary, but the human operators, the affiliate networks, and the underlying economic incentives persist.

The broader cybercriminal ecosystem responded to LockBit's disruption not with contraction, but with diversification. The Orange Cyberdefense Security Navigator 2026 report documents the fragmentation of the ransomware landscape in granular detail. Where a single dominant group once defined the threat environment, the study now identifies 89 distinct active threat actors — nearly triple the 33 tracked in 2020. In Europe, victims of the Qilin and Akira ransomware groups rose by 324% and 168%, respectively. The dissolution of LockBit and Black Basta did not create a void; it created a marketplace in which dozens of smaller operators now compete for the same target pool.

The crime-as-a-service model has made this proliferation possible. Initial access brokers sell stolen credentials and network footholds. Bulletproof hosting providers offer infrastructure. Cryptocurrency mixing services launder payments. Each role in the ransomware supply chain has become a specialized service available for purchase. The barrier to entry for launching a ransomware operation has never been lower, and the operational efficiency of attackers continues to improve — the Security Navigator 2026 found that the victims-per-actor ratio rose from approximately 45 in 2020 to 53 in 2025.

France's Telecom Sector Under Siege

The Coaxis story exists within a broader pattern of sustained attacks against France's telecommunications infrastructure. In the twelve months following the Coaxis incident, Orange — one of the world's largest telecom operators, serving 340 million customers across 26 countries — was hit by three separate cyberattacks from three different threat actors across three different national operations.

In February 2025, a hacker known as "Rey," a member of the HellCat ransomware group, claimed responsibility for breaching Orange's Romanian operations. Rey alleged maintaining undetected access to Orange's systems for over a month, exploiting compromised credentials and vulnerabilities in Orange's Jira issue-tracking software and internal portals. The exfiltrated data reportedly included approximately 380,000 unique email addresses, internal company documents, source code, invoices, contracts, and partial payment card details belonging to Romanian customers. After a ransom note went unanswered, Rey published the stolen data on a hacker forum.

On July 25, 2025, Orange Group itself detected a cyberattack on one of its internal information systems. The company isolated affected services, causing disruptions to management platforms and services for corporate and consumer customers primarily in France. A ransomware group named WarLock later claimed responsibility. Orange stated it found no evidence that customer data had been exfiltrated.

Less than a month later, in August 2025, Orange Belgium disclosed that a separate cyberattack at the end of July had exposed data from approximately 850,000 customer accounts. The compromised information included names, phone numbers, SIM card numbers, PUK codes, and tariff plans. Both Orange Group and Orange Belgium stated to SecurityWeek that the two July incidents were unrelated.

Orange was not alone. In August 2025, French telecom competitor Bouygues Telecom — the country's third-largest mobile operator — confirmed a cyberattack that compromised data from 6.4 million customer accounts, including names, contact details, contractual information, and IBANs (International Bank Account Numbers). The breach was detected on August 4, 2025.

France's national cybersecurity agency ANSSI has been tracking this trend. In its 2025 Panorama of the Cyber Threat, ANSSI reported handling 3,586 security events during the year, with telecommunications accounting for 9% of incidents — ranking fourth behind education (34%), government (24%), and healthcare (10%). The report explicitly confirmed that attack groups linked to Russia and China have been targeting French interests, primarily for espionage and strategic pre-positioning. ANSSI disclosed that a suspected state-sponsored actor had compromised a French mobile network core with the intent to intercept communications from specific individuals, and that intrusions into satellite communications infrastructure had also been detected.

Important

The ANSSI report draws a parallel to the Salt Typhoon campaign in the United States, where Chinese state-linked hackers infiltrated carriers including Verizon, AT&T, and Lumen to access government wiretap systems. The interception of targeted communications was a shared objective across both the French and American incidents, indicating a coordinated or at least parallel pattern of state-sponsored telecom espionage.

Cybercrime Has Industrialized

The Coaxis attack and the subsequent telecom breaches are not isolated events. They are symptoms of a fundamental shift in how cybercrime operates. The Orange Cyberdefense Security Navigator 2026 report, published in December 2025, analyzed over 139,000 security incidents recorded between October 2024 and September 2025. Its findings are stark.

Cyber extortion victims have tripled since 2020, reaching an estimated 19,000 organizations globally. In the reporting period alone, there was a 44.5% increase in victims compared to the previous year. Two-thirds of those targeted were small and medium-sized enterprises — frequently attacked not for their own data, but as a vector to reach larger organizations through supply chain relationships. This is the dynamic that played out in the Coaxis attack, where a regional IT hosting company became the gateway to 350,000 downstream organizations.

"As attackers diversify across geographies and business sizes, what's clear is that the traditional perception of the 'supply chain' as linear is obsolete." — Charl van der Walt, Head of Security Research, Orange Cyberdefense

The geographic reach of cyber extortion is expanding. The Security Navigator 2026 added 35 new countries to its study, documenting victim increases of 47% in Africa, 60% in Latin America, and 82% in Asia. Critical sectors are bearing the heaviest burden: healthcare saw a 69% increase in attacks, finance and insurance 71%, and distribution 80%. In Germany, cyber extortion victims rose by 91%; in France, by 54%.

Law enforcement is scaling up in response. The Security Navigator 2026 includes, for the first time, a dataset of 418 publicly announced law enforcement actions conducted between 2021 and mid-2025. Arrests account for 29% of those actions, takedowns 17%, charges 14%, and sentences 11%. Cyber extortion is the criminal activity most frequently targeted by law enforcement and the one most likely to result in arrest. The United States drives 43% of all enforcement actions globally. But the gap between enforcement capacity and threat volume remains enormous — 19,000 victims versus 418 enforcement actions in a comparable period tells the story of an imbalance that is widening, not closing.

What Organizations Should Be Doing Now

The Coaxis attack is a case study in how a well-run company can still be breached through its clients. Coaxis had invested in security, had worked with Orange Cyberdefense before the incident, and had steadily strengthened its defenses as threats evolved. The entry point was not a weakness in Coaxis's own perimeter — it was a stolen credential from a client employee who clicked a phishing link. That distinction matters enormously for how organizations should think about their exposure.

Credential monitoring is no longer optional. Thousands of machines are compromised by infostealer malware every day, with credentials distributed freely on Telegram channels and dark web marketplaces. Organizations that provide managed services or host infrastructure for other businesses should be conducting continuous monitoring for their own employees' and their clients' credentials appearing in leaked datasets. Hudson Rock had identified compromised Coaxis credentials before the attack occurred. Whether those alerts were actioned is unknown, but the data existed.
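What "monitoring for credentials appearing in leaked datasets" looks like in practice, as an added example that is not code from the article or from any vendor named in it: a hosting provider keeps a list of the domains it is responsible for (its own and its clients'), and each record in a leaked-credential feed is matched on two axes, the host the credential was captured for (a service under a monitored domain) and the login itself (an e-mail account at a monitored domain). Findings keep only a hash prefix of the secret, so the report can be correlated across feeds without retaining plaintext passwords. The domains (all under the reserved .test TLD) and the feed lines are constructed placeholders, as is the tab-separated record layout assumed here.

```python
"""
Added example, not code from the article or from any vendor named in it:
match a feed of leaked credential records against the domains an IT hosting
provider is responsible for. All domains and records are constructed
placeholders; the "url<TAB>login<TAB>secret" layout is an assumption.
"""
import hashlib
from urllib.parse import urlsplit

# Domains to watch, and whose they are. Constructed placeholders.
MONITORED_DOMAINS = {
    "hosting-example.test": "own",
    "client-accounting.test": "client",
}

# Constructed sample feed. The last line duplicates the first on purpose.
SAMPLE_FEED = """\
https://portal.hosting-example.test/login\tj.doe@client-accounting.test\tWinter2023!
https://mail.unrelated.test/\tsomeone@unrelated.test\thunter2
https://vpn.hosting-example.test\tadmin\tPassw0rd
https://shop.example.test/account\ta.martin@client-accounting.test\tS3cret
https://portal.hosting-example.test/login\tj.doe@client-accounting.test\tWinter2023!
"""


def matching_domain(name: str):
    """Return the monitored domain that `name` equals or is a subdomain of."""
    for dom in MONITORED_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: enough to correlate findings, not enough to reuse."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def mask_login(login: str) -> str:
    """Keep the first character and the domain so an analyst can route the finding."""
    local, at, dom = login.partition("@")
    return local[:1] + "***" + at + dom


def scan_feed(feed: str):
    """Return one finding per distinct (host, login, secret) that touches a monitored domain."""
    findings, seen = [], set()
    for line in feed.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue                                   # malformed record, skip
        url, login, secret = parts
        host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
        reasons = []
        dom = matching_domain(host)
        if dom:                                        # credential for one of our services
            reasons.append((dom, MONITORED_DOMAINS[dom], "service"))
        if "@" in login:                               # account belonging to our people
            dom = matching_domain(login.rpartition("@")[2].lower())
            if dom:
                reasons.append((dom, MONITORED_DOMAINS[dom], "account"))
        if not reasons:
            continue
        key = (host, login.lower(), fingerprint(secret))
        if key in seen:                                # same leak seen again: do not double count
            continue
        seen.add(key)
        findings.append({"host": host, "login": mask_login(login),
                         "fingerprint": key[2], "reasons": reasons})
    return findings


def counts_by_domain(findings):
    """How many distinct leaked credentials touch each monitored domain."""
    counts = {}
    for f in findings:
        for dom, _, _ in f["reasons"]:
            counts[dom] = counts.get(dom, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_feed(SAMPLE_FEED)
    for f in results:
        print(f)
    print(counts_by_domain(results))
```

Matching on the login's e-mail domain is what catches the Coaxis pattern: a client employee's credentials captured for some unrelated site still show up as a finding for that client, which is the signal that a password reset and an MFA check are due before the same credentials are tried against the hosted environment.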

Multi-factor authentication remains the single highest-impact control. The February 2025 breach of Orange Spain — a separate incident from the Coaxis attack — was traced to an employee's corporate credentials stolen by Raccoon Stealer infostealer malware in September 2023. The compromised RIPE NCC account lacked MFA and used the password "ripeadmin." That single failure allowed a hacker to manipulate BGP routing and RPKI configurations, causing a three-hour outage for Orange Spain's network. MFA would have stopped it.

Supply chain risk assessments need to extend downward, not just upward. The Coaxis incident demonstrates that it is not only large vendors that pose supply chain risk. A regional IT hosting provider serving small accounting firms and healthcare clinics became the vector for an attack that paralyzed 350,000 organizations. Any business that depends on a service provider for hosting, infrastructure, or critical applications should be evaluating that provider's security posture with the same rigor they would apply to a Fortune 500 vendor.

Incident response planning must account for the time dimension. The 24-day average for full ransomware recovery means that businesses need to plan for weeks of degraded or absent operations, not hours. Immutable offline backups are essential — organizations that maintained them reduced their recovery costs by 44% compared to those that paid ransoms, according to Total Assure's 2025 analysis. Testing those backups regularly, under realistic conditions, is the only way to know if they will function when needed.

Cyber insurance warrants serious consideration for any SME. The NetDiligence 2025 study found that 98% of all cyber insurance claims came from small and medium enterprises. For SMEs, insurance payouts covered 69% of total incident costs over the five-year study period. That is not full coverage, but it is the difference between survival and closure for many businesses. Organizations purchasing or renewing policies should verify that ransomware and business interruption coverage are adequate and that policy exclusions do not create gaps in protection for supply chain attacks or third-party incidents.

Key Takeaways

  1. Supply chain attacks redefine the blast radius: Coaxis was a small IT hosting provider in rural France. A single phishing email to one of its clients cascaded into an incident affecting 350,000 organizations. Any company that provides infrastructure services to other businesses is a high-value target precisely because of the multiplier effect a breach produces.
  2. Ransomware enforcement disrupts but does not destroy: Operation Cronos severely damaged LockBit, but the group attempted a comeback within days. The number of active threat actors has nearly tripled since 2020. Takedowns are essential, but the economic incentives and the crime-as-a-service infrastructure that enables ransomware remain intact.
  3. France's telecom sector is a strategic target: Three separate attacks on Orange in 2025, the Bouygues Telecom breach, and ANSSI's confirmation of state-sponsored intrusions into mobile network cores and satellite communications point to a sustained campaign that blends criminal ransomware operations with nation-state espionage.
  4. The "don't pay" decision is right but punishing: Coaxis protected its customers' data and denied LockBit its objective. The financial cost ran into several million dollars, the CEO endured 18 months of disrupted sleep, and 350,000 downstream organizations suffered weeks of service disruption. Refusing to pay requires the resources and resilience to absorb that impact.
  5. Infostealer malware is the overlooked first link: The Coaxis breach began with credentials stolen through infostealer malware. Organizations that do not monitor for credential exposure on dark web marketplaces and messaging platforms are operating blind to one of the primary entry vectors for ransomware.
  6. Recovery costs eclipse ransom demands: Average SME incident costs now sit at $264,000 and climb to $1.4 million when business interruption is involved. The average cost of a ransomware attack reached $5.75 million in 2025 across all company sizes. Organizations should plan financially for the recovery, not the ransom.

The title of Orange's own article about Joseph Veigas says it plainly: a cyberattack is not a malfunction. It is a robbery. The Coaxis incident and the broader wave of attacks against France's telecom sector demonstrate that cybercrime has matured into a global industry with specialized roles, scalable infrastructure, and a supply chain of its own. The documentary Don't Go to the Police makes this visible in human terms — the 5:00 a.m. phone call, the weeks of sleepless reconstruction, the employment agency workers who could not get paid. But beyond the human drama, this story is a structural warning. When a single phishing email to a single employee at a single client of a single regional IT provider can cascade into an incident affecting 350,000 organizations, the question is no longer whether this could happen to your business. The question is what you will do in the weeks that follow when it does.
