OnSolve CodeRED Cyberattack Disrupts US Emergency Alerts

A significant cyberattack on Crisis24’s OnSolve CodeRED platform has disrupted emergency notification systems across multiple US states, affecting police departments, fire agencies and local governments that rely on CodeRED for fast public warnings. The platform is widely used to send alerts for severe weather, missing persons, law enforcement emergencies and public safety incidents.

Crisis24 confirmed that attackers infiltrated the legacy CodeRED environment, forcing the company to permanently shut it down. The breach exposed user data including names, emails, phone numbers, addresses and passwords. Agencies such as University Park, Texas, have already urged their residents to be cautious of potential phishing attempts.

INC Ransomware Takes Credit and Begins Selling Data

The INC Ransomware gang, which has been active since mid-2023, has claimed responsibility. The group posted screenshots and details of the stolen CodeRED customer data on its leak site on the Tor network. Investigators say the gang gained access in early November 2025, encrypted files around mid-month and began selling stolen data after ransom negotiations failed.

The most serious concern is that many compromised passwords were stored in plain text. Users have been advised to reset any passwords used across other accounts.

Emergency Services Face Outages as CodeRED Is Rebuilt

Crisis24 is rebuilding CodeRED from backups dated March 31, 2025, meaning some recent account data and system configurations may be unrecoverable. Public safety agencies are scrambling to restore alerting functions, since thousands of municipalities depend on CodeRED to communicate during life-threatening situations.

This attack follows a rising trend of ransomware groups directly targeting critical civic infrastructure. Analysts warn that emergency systems, which often run on outdated platforms, remain high-value and high-impact targets for threat actors.

A Reminder of the Stakes for Critical Infrastructure Security

The incident reflects growing vulnerabilities across national alerting frameworks, where a single system failure can disrupt entire regions. As ransomware gangs escalate their operations, cybersecurity firms are calling for stronger authentication practices, continuous monitoring and regular system testing across emergency communication networks.
