Arapahoe County Data Breach (Ransomware, 2025–2026): What Happened and How to Avoid the Scams That Follow
If you searched for "Arapahoe County data breach ransomware 2025 2026," you're probably an Arapahoe or Douglas County resident who received a notice about your emergency-alert account — or you saw a headline and want to know whether your information is at risk.
Here's the short version: Arapahoe County's own systems were not hacked. The breach happened at a third-party vendor — the CodeRED emergency notification platform, operated by Crisis24 (OnSolve) — which the county used to send residents alerts about wildfires, floods, severe weather, and other emergencies. That vendor was hit by ransomware in November 2025, and the fallout has stretched well into 2026.
That distinction matters, because it's exactly the gap that scammers are now exploiting. Below is what was actually exposed, and a clear, no-nonsense guide to telling a legitimate re-registration request from a phishing scam.
What actually happened
In November 2025, the ransomware group INC Ransom attacked Crisis24, the company behind the OnSolve CodeRED emergency alert platform. According to the attackers' own timeline, they gained access around November 1 and encrypted the systems on November 10, 2025.
The damage was severe enough that Crisis24 permanently decommissioned the legacy CodeRED platform and began rebuilding it on new, isolated infrastructure ("CodeRED by Crisis24"). Because the rebuild relied on an older backup dated March 31, 2025, many residents who registered after that date were simply gone from the system — which is why counties had to ask everyone to re-enroll.
This type of attack follows a pattern we've seen with other government systems. Similar to the McDonough County ransomware attack, third-party vendors managing government data have become prime targets for cybercriminals.
Crucially, the national Emergency Alert System (EAS) — the federal warning system behind TV/radio alerts — was not affected. This incident was limited to the opt-in CodeRED service that local agencies subscribe to.
What data was exposed
Crisis24 and the affected agencies have confirmed that stolen CodeRED profile data included:
- Full names
- Home and mailing addresses
- Email addresses
- Phone numbers
- CodeRED account passwords — and the attackers published leak samples showing some passwords in clear text
The ransom negotiation reportedly stalled (an initial demand near $950,000 was lowered to $450,000; counter-offers of $100,000 and $150,000 were rejected), after which the group threatened to sell or auction the stolen data. In plain terms: this information may circulate on criminal marketplaces, and you should treat it as compromised.
According to the FBI's Internet Crime Complaint Center (IC3), ransomware attacks on critical infrastructure and government services increased by 42% in 2025, making incidents like this increasingly common.
Why "Arapahoe County" specifically?
CodeRED was used by hundreds of agencies across at least 15 states. In Colorado, the impact landed hard on the south Denver metro:
- Arapahoe and Douglas counties had to switch emergency-alert systems after the attack. As of early 2026, reporting indicated at least 100,000 residents across the two counties were left unregistered for alerts — a serious safety gap heading into wildfire and severe-weather season.
- Douglas County terminated its CodeRED contract entirely and moved to a different vendor.
- Arapahoe County has been steering residents toward its replacement system, branded ArapAlert, and the Arapahoe County Sheriff's Office moved off CodeRED while publicly criticizing how slowly the breach was disclosed.
The Colorado Division of Homeland Security and Emergency Management has been working with affected counties to ensure continuity of emergency alert services during this transition.
So when people search "Arapahoe County data breach," what they're really describing is the CodeRED/Crisis24 ransomware breach as it affected Arapahoe County residents — plus the messy 2026 transition to new alert systems.
The real danger now: the scams that follow a breach
A data breach is rarely the end of the story. It's the opening move. The combination of factors here makes Arapahoe and Douglas County residents an unusually attractive target for fraud:
- Everyone knows they have to re-register. When a population is expecting a "sign up again for emergency alerts" message, they're primed to click without scrutiny. Scammers love a legitimate excuse to contact you.
- Real passwords leaked. If you reused your CodeRED password anywhere else (email, banking, social media), criminals can try those same credentials across other sites — a tactic called credential stuffing.
- Your contact details are confirmed and current. Names tied to verified phone numbers and addresses make for far more convincing, personalized phishing.
This pattern mirrors what cybersecurity experts have observed with other major breaches. As detailed in our guide on email phishing attacks, criminals often use legitimate security incidents as cover for their own malicious campaigns.
Expect to see these scam patterns:
- Fake re-registration pages: "Your CodeRED / ArapAlert account was affected. Click here to re-verify and keep receiving emergency alerts." The link leads to a look-alike site that harvests your login, address, and sometimes payment info.
- Phishing "breach notification" emails and texts impersonating Crisis24, CodeRED, the County, or the Sheriff's Office, urging urgent action.
- Fake credit monitoring / "settlement" offers tied to the breach, asking for your SSN or a "small fee."
- Phone and SMS (smishing) scams referencing the real breach to build trust before asking for codes, passwords, or payment.
How to tell a real alert message from a scam
This is where a little discipline protects you. Use these checks before you click anything:
- Go direct, don't click. Never re-register through a link in an email or text. Open a browser and type the official county or sheriff's office address yourself, or search for the county's official .gov website. Re-enroll from there.
- Verify the domain. Legitimate Arapahoe County services live on official government domains. Treat any look-alike (extra words, odd hyphens, .info/.net/.org knock-offs of a .gov site) as hostile.
- Distrust urgency. "Act now or lose emergency alerts" is pressure designed to stop you from thinking. Real agencies give you time and repeat the message through multiple official channels.
- No legitimate alert sign-up needs your SSN, bank details, or a payment. Emergency alert registration is free and asks only for contact info.
- Watch for password-reset bait. A real provider may ask you to set a new password on their official site. A scam asks you to "confirm your old password" or enter it on a page you reached by clicking a link.
If you accidentally clicked a suspicious link, don't panic. Our step-by-step guide on what to do if you clicked a phishing link can help you secure your accounts and minimize any damage.
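The domain, urgency and sensitive-data checks from this section can be expressed as a small triage script. This is an added example, not ScamSandbox's or the county's code. The allow-listed host, the keyword lists and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder allow-list. Fill it with the hosts your county
# publishes on its official site; the article does not list them.
OFFICIAL_HOSTS = {"alerts.county.example.gov"}
BRANDS = ("arapalert", "codered", "arapahoe")  # names used in the article
URGENCY = re.compile(r"\b(act now|urgent|immediately|lose emergency alerts)\b")
SENSITIVE = re.compile(
    r"\b(ssn|social security|bank\w*|payment|fee|confirm your old password)\b")


def check_message(url, text=""):
    """Return the reasons a link/message fails the checks ([] means none)."""
    reasons = []
    # urlsplit only fills .hostname when a scheme or '//' is present.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.lower().rstrip(".")
    if host not in OFFICIAL_HOSTS:  # exact match, never substring match
        reasons.append("host not on official list")
        if not host.endswith(".gov"):
            reasons.append("not a .gov domain")
        if any(b in host for b in BRANDS):
            reasons.append("brand name on unofficial host")
        if "-" in host:
            reasons.append("hyphenated host")
    body = text.lower()
    if URGENCY.search(body):
        reasons.append("urgency pressure")
    if SENSITIVE.search(body):
        reasons.append("asks for SSN, payment data or old password")
    return reasons


# Constructed sample messages (not real indicators).
SAMPLES = [
    ("https://alerts.county.example.gov/signup",
     "Re-enroll for emergency alerts at any time."),
    ("http://arapalert-reverify.example.net/login",
     "Act now or lose emergency alerts. Confirm your old password."),
    ("https://codered.example.info/settlement",
     "Claim your breach settlement: enter your SSN and pay a small fee."),
]

if __name__ == "__main__":
    for url, text in SAMPLES:
        print(url, "->", check_message(url, text) or "passes these checks")
```

An empty result only means none of these rules fired. The first rule in the list still applies: re-register by typing the official address yourself rather than following the link.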
What Arapahoe County residents should do right now
- Re-register for alerts the safe way. Visit Arapahoe County's official website (or the Sheriff's Office) directly and sign up for ArapAlert. Douglas County residents should use their county's newly selected system.
- Change your CodeRED password everywhere you reused it. If that password protected your email or bank, change those first, and don't reuse passwords across accounts again. A password manager makes this painless.
- Turn on two-factor authentication (2FA) on your important accounts, especially email — it blocks most credential-stuffing attacks even if a password leaks.
- Be skeptical of any breach-related message for the next several months. Phishing waves often arrive weeks or months after the headlines fade.
- Report suspicious messages. Forward phishing emails to the impersonated agency and report scams to the FTC at reportfraud.ftc.gov.
Frequently asked questions
Was Arapahoe County itself hacked?
No. The breach was at CodeRED/Crisis24, the third-party vendor the county used for emergency alerts. The county's internal systems were not reported as compromised — but residents' alert-account data held by the vendor was exposed.
Is the breach a "2025" or "2026" event?
Both. The ransomware attack occurred in November 2025, and the consequences — system replacement, re-registration drives, missing-alert coverage gaps, and ongoing scam activity — have continued through 2026.
Did my Social Security number leak?
Based on disclosures, the exposed CodeRED data was contact information and account passwords — names, addresses, emails, phone numbers, and passwords. SSNs were not reported as part of the CodeRED profile data. Treat any message demanding your SSN "because of the breach" as a scam.
I got an email saying I need to re-verify my emergency alert account. Is it real?
Maybe — but don't trust the link. Go directly to your county's official website and re-register there. If the email's link or sender domain doesn't match the official county/sheriff site, it's almost certainly phishing.
How can I protect myself from future data breaches?
The Cybersecurity and Infrastructure Security Agency (CISA) recommends using unique passwords for each account, enabling two-factor authentication, and staying informed about cybersecurity best practices.
Related reading
- McDonough County Ransomware Data Breach: What's Confirmed
- I Clicked a Phishing Link — What to Do Now
- Medusa Ransomware Gang Email Phishing: How Attacks Work
This article is published by ScamSandbox to help residents recognize and avoid fraud that follows real data breaches. If you received a suspicious "emergency alert" message, you can check the link or sender before you act — verifying first is always safer than clicking.