Phobos Ransomware Affiliate Arrested by Polish Authorities
Key Findings: Polish authorities have arrested a 47-year-old man accused of being an affiliate for the Phobos ransomware group. The suspect faces up to five years in prison for producing, obtaining, and sharing computer programs used to conduct cyberattacks. The arrest was part of a larger Europol-led operation called "Phobos Aetor" that targeted individuals involved with Phobos ransomware attacks. Background: Phobos ransomware has claimed over 1,000 victims globally and receiv
2 days ago · 1 min read
Dutch Agencies Targeted by Ivanti Zero-Day Vulnerability, Exposing Employee Data
Key Findings: Dutch Data Protection Authority (AP) and Council for the Judiciary (Rvdr) confirmed cyber attacks exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities. Attacks exposed employee contact information, including names, work emails, and phone numbers. European Commission also detected a cyberattack on its mobile device management platform, exposing some staff names and phone numbers. Ivanti acknowledged vulnerabilities (CVE-2026-1281 and CVE-2026-1340) have b
Feb 10 · 2 min read
Google Cracks Down on IPIDEA's Vast Residential Proxy Network
Key Findings: Google and partners disrupted IPIDEA, one of the world's largest residential proxy networks, through legal domain takedowns, intelligence sharing, and ecosystem-wide enforcement. IPIDEA's proxy infrastructure was heavily abused by cybercrime groups, espionage actors, and botnets like BADBOX 2.0, Aisuru, and Kimwolf. Over 550 tracked threat groups used IPIDEA's exit nodes in a single week, exposing users' devices and networks to compromise and abuse. Google's acti
Jan 29 · 2 min read
Hacker Pleads Guilty to Breaching Supreme Court, AmeriCorps, and VA Systems
Key Findings: Nicholas Moore, 24, from Tennessee, pleaded guilty to repeatedly hacking the U.S. Supreme Court's electronic filing system. He used stolen credentials to access the Supreme Court's filing system, an AmeriCorps account, and a veteran's VA MyHealthEVet account. Over 25 days, he posted screenshots and personal data from his victims on his Instagram account, @ihackedthegovernment, exposing names and sensitive information publicly. Moore could serve up to one year in
Jan 20 · 1 min read
Ukraine–Germany operation targets Black Basta, Russian leader wanted
Key Findings: Ukrainian and German police raided homes linked to alleged Black Basta ransomware members, identifying two Ukrainian suspects. Law enforcement issued an international wanted notice for the group's alleged Russian ringleader, Oleg Nefedov. Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, impacting over 500 organizations worldwide and causing hundreds of millions of dollars in damage. The cybercrime group has infected over 329 victims, i
Jan 18 · 2 min read
Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice
Key Findings: Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. The group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists. The accused individuals specialized in technical hacking, including credential theft and "has
Jan 17 · 2 min read
DeadLock Ransomware Exploits Polygon Smart Contracts to Hide C2
Key Findings: A new ransomware family called DeadLock was discovered in July 2025, distinguished by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure. DeadLock embeds the proxy URL directly into the blockchain via a `setProxy` function, creating an immutable and resilient communication channel that is difficult for law enforcement to take down. This "EtherHiding" technique echoes methods previously observed with North Korean
Jan 16 · 2 min read
Microsoft Disrupts Cybercrime Infrastructure Linked to Online Fraud
Key Findings: Microsoft, in collaboration with law enforcement authorities, has taken coordinated legal action to disrupt the cybercrime subscription service called RedVDS, which has allegedly fueled millions in fraud losses. RedVDS provided criminals with access to disposable virtual computers running unlicensed software, enabling them to operate anonymously and carry out various illicit activities, including phishing, business email compromise (BEC), and financial fraud. Sin
Jan 15 · 2 min read
Europol Disrupts Black Axe Cybercrime in Spain
Europol Raids Disrupt Black Axe Cybercrime Ring in Spain Key Findings: International law enforcement agencies have dealt a major blow to the criminal network known as Black Axe. 34 people were arrested across Spain, with the majority in Seville. Black Axe is a large, organized criminal group originating in West Africa, with an estimated 30,000 members worldwide. The group is known for online fraud schemes, including romance scams, phishing, and business email compromise (BEC)
Jan 11 · 2 min read
Bitfinex Hack Convict Released Early Under U.S. First Step Act
Key Findings: Ilya Lichtenstein, the cybercriminal behind the 2016 Bitfinex hack, has been released from prison early thanks to the 2018 First Step Act signed by former President Donald Trump. Lichtenstein was sentenced to 5 years in prison in November 2024 for his role in a money laundering conspiracy related to the Bitfinex hack, where he stole approximately 120,000 bitcoins. The First Step Act allows inmates to earn credits for good behavior and rehabilitation, potentially
Jan 5 · 2 min read
Silver Fox Targets Indian Users with Tax-Themed Emails Delivering MultiRAT Malware
Key Points: The cybercrime group known as Silver Fox has shifted its focus to Indian users, using income tax-themed phishing emails to distribute the ValleyRAT remote access trojan. Silver Fox is a Chinese hacking group that has been active since 2022, targeting Chinese-speaking individuals and organizations initially, but has now expanded its victimology to include Indian users. The phishing emails contain malicious PDF attachments that lead victims to download a ZIP file con
Dec 30, 2025 · 3 min read
Stolen LastPass Vault Backups Enable Crypto Theft Through 2025
Key Findings: Encrypted vault backups stolen in the 2022 LastPass breach are still being cracked, enabling crypto theft as late as 2025. Attackers have drained over $28 million in crypto by exploiting weak master passwords to decrypt the stolen vaults. The funds were laundered through Russian cybercrime infrastructure, including mixers and high-risk exchanges. TRM Labs' analysis indicates likely Russian criminal involvement in monetizing the LastPass breach. Background: In 2022
Dec 28, 2025 · 2 min read
U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme
Key Findings: The U.S. Justice Department (DoJ) seized the domain web3adspanels[.]org, which was used as a backend web panel to host and manipulate illegally harvested bank login credentials. The criminal group behind the scheme used fraudulent advertisements on search engines like Google and Bing to redirect users to fake bank websites, where their login credentials were harvested through malicious software. The stolen credentials were then used by the criminals to access vic
Dec 23, 2025 · 2 min read
FBI Indicts Bangladeshi Man for Running Fake ID Template Network
Key Findings: Zahid Hasan, a 29-year-old Bangladeshi national, has been indicted on a nine-count federal charge for operating a sophisticated network of websites selling digital templates for fake government documents, including U.S. passports and Montana driver's licenses. Hasan allegedly ran businesses like Techtreek.com, Egiftcardstorebd.com, and Idtempl.com from 2021 to 2025, selling these templates to over 1,400 customers worldwide and generating over $2.9 million in reve
Dec 21, 2025 · 2 min read
Indictment of 54 in ATM Jackpotting Ring by DoJ
Key Findings: The U.S. Department of Justice has indicted 54 individuals over a multi-million-dollar ATM jackpotting fraud scheme. The crimes are linked to the cybercrime group Tren de Aragua (TdA), including charges of fraud, money laundering, and material support to a terrorist organization. ATM jackpotting is a type of cyber-enabled bank robbery where criminals infect an ATM with malware or use physical access to force it to dispense cash. The conspiracy used a malware stra
Dec 20, 2025 · 3 min read
Ukrainian National Pleads Guilty to Nefilim Ransomware Attacks
Key Findings: Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. Stryzhak faces up to 10 years in jail for conspiracy to commit fraud, including extortion. Authorities are still looking for Stryzhak's alleged co-conspirator Volodymyr Tymoshchuk and announced a $11 million reward for informatio
Dec 19, 2025 · 2 min read
Hacker Honeypot? BreachForums Reopens via Emails from French Ministry of the Interior Domain
Key Findings: The original founder of the BreachForums hacking forum has been arrested and sentenced to prison. Numerous reincarnations of BreachForums have continued to surface, despite several being shut down. Users who had previously registered on BreachForums recently received emails claiming the forum had reopened. The emails were sent from the domain pppj-sdpj92-ger2@interieur.gouv.fr, which belongs to the French Ministry of the Interior. This incident coincides with a r
Dec 16, 2025 · 2 min read
React2Shell: Widespread Exploitation of Max-Score RCE (CVSS 10.0) by Espionage Groups and Miners
Key Findings: React2Shell (CVE-2025-55182), a critical vulnerability in React Server Components, was disclosed on December 3, 2025, carrying a maximum CVSS score of 10.0 and enabling unauthenticated remote code execution. Shortly after disclosure, the Google Threat Intelligence Group (GTIG) observed widespread exploitation across various threat actor groups, ranging from opportunistic cybercriminals to suspected espionage groups. Several distinct campaigns were identified, inc
Dec 13, 2025 · 2 min read
FinCEN data reveals surge in ransomware payments, with over $4.5B since 2013
Key Findings: Ransomware payments reported to FinCEN exceeded $4.5 billion by 2024. 2023 marked a record year with $1.1 billion in ransomware payments across 1,512 incidents. From 2022 to 2024, organizations reported 4,194 ransomware incidents and over $2.1 billion in payments. In comparison, from 2013 to 2021, FinCEN logged 3,075 reports totaling about $2.4 billion. Background: FinCEN analyzed ransomware trends using Bank Secrecy Act (BSA) reports filed from January 2022 to Februa
Dec 9, 2025 · 1 min read
Targeted by Phishing: Corporate Users at Greater Risk
Key Findings: Phishing attacks have surged 400% year-over-year, with nearly 40% of the 28+ million recaptured phished records containing a business email address, compared to just 11.5% in recaptured malware data. Enterprises are now three times more likely to be targeted with phishing attacks than infostealer malware. Phishing has become the preferred gateway into enterprise environments, and is now the leading entry point for ransomware, accounting for 35% of all ransomware
Dec 4, 2025 · 2 min read