Chinese Sub-Crew 'CylindricalCanine' Fingered for DigiCert Break-In

Researchers link the April 2026 intrusion at the certificate giant to an offshoot of a Chinese cybercrime group best known for chasing gambling firms.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a dimly lit server room with rows of humming racks, one open cabinet showing a glowing blue cable bundle, subtle red war
Share

Key points

  • Researchers at Expel have attributed the April 2026 break-in at DigiCert to a group they call CylindricalCanine.
  • CylindricalCanine is described as a sub-crew of GoldenEyeDog, a Chinese cybercrime group also tracked as APT-Q-27, Dragon Breath and Miuuti Group.
  • The parent group is best known for targeting gambling and gaming companies across Asia.
  • DigiCert issues the digital certificates that websites and software makers use to prove they are who they claim to be.
  • The attribution links a mainstream trust provider to a criminal cluster previously focused on the casino underworld.

A Chinese cybercrime offshoot is now being blamed for one of the most awkward security incidents of the year.

Researchers at the security firm Expel say the April 2026 intrusion at DigiCert, one of the world's largest issuers of digital certificates, was the work of a group they have named CylindricalCanine. Digital certificates are the small cryptographic files that let your browser confirm a website is genuine, and that let software you install prove it came from the company it says it did.

The finding was first reported by The Hacker News.

Who is CylindricalCanine?

Expel describes CylindricalCanine as a sub-group of a larger Chinese cybercrime crew called GoldenEyeDog. Other security firms track that parent group under different names: APT-Q-27, Dragon Breath, and Miuuti Group. Different labels, same people.

GoldenEyeDog is not a household name in the West. Its usual hunting ground is the gambling and gaming sector across Southeast Asia, where it has spent years slipping malicious software onto the machines of casino operators, betting platforms and the smaller firms that supply them.

That makes the DigiCert attribution unusual. A crew that normally chases casino back offices is now accused of breaking into a company whose products underpin trust on the wider internet.

Why does a certificate company matter to ordinary people?

Certificates are the plumbing of online trust. When your bank's website shows a padlock, a certificate is what makes that padlock mean something. When Windows lets a program install without warning, it is often because that program carries a valid code-signing certificate, a stamp that says "this file really is from the company on the label".

If criminals get inside a certificate issuer, the fear is simple. They could potentially obtain those stamps of approval for malicious software of their own, making viruses look like legitimate updates from trusted brands.

DigiCert has not, at the time of writing, publicly confirmed the full scope of what CylindricalCanine accessed, and Expel's writeup focuses on the technical fingerprints that tie the intrusion to the group rather than on the volume of data taken.

What should customers do?

For most people reading this, there is nothing to click and nothing to patch. You do not hold a DigiCert certificate personally. Your bank, your employer and the makers of the apps on your phone might.

A few sensible habits still apply. Keep your operating system and browser set to update automatically, because that is how revoked or abused certificates get pulled from circulation. Be wary of software update prompts that arrive by email or pop-up rather than from inside the application itself. And if you work in IT at a company that relies on DigiCert for code signing or website certificates, this is the week to check your vendor advisories.

What happens next

Expel's attribution will need to be tested by other researchers before it hardens into consensus. Chinese groups are notoriously fluid, with operators moving between clusters and sharing tools, and the gambling-focused history of GoldenEyeDog does not obviously explain what its people wanted from a certificate authority.

One working theory in the research community is straightforward. Code-signing certificates are valuable on criminal markets, and a group with the skills to breach casinos has the skills to monetise what it stole.

The more uncomfortable theory is that someone paid them to try.

© 2026 Threat Vectr