In a novel maneuver for a disruption operation against cyber attackers, industry and law enforcement teamed up to conduct a court takedown of two widely-used criminal tools at once rather than individually, Microsoft said Tuesday.

The takedown simultaneously went after Amadey, a botnet that can serve as a malware delivery system, and StealC, an infostealer. Cybercriminals often use them in conjunction and they rely on the same infrastructure, Microsoft said.

“When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from,” said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. “The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild. It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

Microsoft had been tracking Amadey with ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Meanwhile, Europol had been investigating StealC alongside law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police as well as IBM X-Force and Proofpoint.

They then joined forces and turned to the Racketeer Influenced and Corrupt Organizations (RICO) Act, used to help authorities go after organized crime, to disrupt more than 200 command-and-control servers. Microsoft said it gained insights from its artificial intelligence product Copilot that “allowed the legal team to treat both malware families as part of a single criminal conspiracy.”

Microsoft regularly leads court-authorized disruption operations, but the industry and law enforcement partnerships combined with AI to expand data collection and identify connections beyond what one company could normally do, it said.

Amadey and StealC were linked to more than 140,000 infected computers around the globe in the first week of May alone, the company said. StealC has ranked among the top infostealers for years since its emergence in 2023 and sells in underground forums as a malware-as-a-service. It’s typically used by Russia-linked groups.

Amadey dates back to 2018, and is also commonly employed by Russian groups, including in attacks on Ukraine.

Their interaction shows the assembly line-like structure of modern cybercrime, Microsoft said. Even if the cybercriminals behind both tools never coordinate, their tools are designed to work together, it said.

“StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms,” the company wrote in a separate blog post. “It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.”

The post In a first, a court takedown goes after two cybercrime tools at once appeared first on CyberScoop.

Authorities on Thursday disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.

The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.

“The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 

Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.

Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police. 

The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown. 

Proofpoint, which also participated in the disruption, described Evil Corp as one of the most prominent cybercrime groups in operation and the “grandfather” of a threat type that compromises websites and uses TDS to redirect users to malware.

Following the takedown, the FBI issued a public service announcement warning about cybercriminals using TDS to break into victim networks for ransomware or other financial scams. 

Cybercriminals redirect traffic from sites to bypass firewalls, obscure their activity, identify potential victims and send them to phishing pages to steal credentials, initiate financial scams, access networks, deliver other malware, and sell access to other cybercriminals, officials said.

The law enforcement action was part of Operation Endgame, a multinational effort targeting cybercrime since 2024, and more narrowly for the FBI part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.

The post Authorities disrupt Evil Corp’s SocGholish botnet appeared first on CyberScoop.

CrowdStrike has dismantled the Glassworm botnet in an operation aided by Google and Shadowserver, stripping the operators’ access to infrastructure that helped threat actors infect hundreds of pieces of open-source software with malware since early 2025, the company said Tuesday. 

The coordinated effort involved the simultaneous takedown of four attacker-controlled servers that were designed to obscure the botnet’s operations and remain resilient against disruptions.

CrowdStrike and partners took down infrastructure, severed access to the botnet’s most critical services, impeded operation momentum and slowed the attackers’ ability to scale, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told CyberScoop.

“The broader goal is sustained pressure that forces the adversary to spend time, resources, and operational energy reconstituting infrastructure instead of targeting victims,” Meyers added. “By exposing tradecraft and sharing intelligence, defenders can harden developer environments, CI/CD pipelines, and software supply chains against similar activity. That raises the operating cost for the adversary and gives defenders an advantage.”

Glassworm has targeted software developers in order to access source code repositories, cloud platforms, integration and delivery processes, and open-source package registries to push malware into the supply chain and trigger compromises downstream. 

The threat group behind the botnet, which is likely based in Russia, according to CrowdStrike, fed malware into VSCode extensions, npm and Python packages and more than 300 GitHub repositories, researchers said. 

Glassworm affected Windows, macOS and Linux systems with data and credential theft, and a remote-access tool called GlasswormRAT.

“What stood out about Glassworm was the operational sophistication around propagation and automation,” Meyers said. “This wasn’t just a smash-and-grab compromise of a package repository. The operation was designed to move through trusted developer workflows in a way that could expand reach very quickly if left unchecked.”

The botnet relied on four layered channels that CrowdStrike disrupted, including the Solana blockchain, BitTorrent’s peer-to-peer network, Google Calendar and virtual private servers hosted by commercial providers. 

“As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in a post on X.

Piotr Kijewski, CEO of the Shadowserver, said the non-profit organization assisted with some analysis and data sharing but noted the disruption was mostly CrowdStrike work.

The countermeasures took down “the connective tissue of the operation to create cascading operational pain,” Meyers said. “This forces the adversary to rebuild, while exposing tradecraft.”

CrowdStrike said the takedown demonstrates how the security industry can effectively thwart supply-chain threats by proactively disrupting the precise infrastructure attackers use without waiting for lengthy judicial processes. 

“When threat actors operate from jurisdictions where law enforcement cooperation is limited or nonexistent, disruption becomes one of the most effective tools available. If you can’t put handcuffs on the operator, you focus on dismantling the infrastructure, trust relationships, and operational dependencies,” Meyers added. 

The security company shared indicators of compromise to help organizations hunt for potential infections in their environments and called for other vendors, law enforcement agencies, platform operators and the open-source ecosystem to muster equal determination in responding to threats in the software supply chain.

“The more visibility and alignment you create across the ecosystem, the harder it becomes for the actor to quietly stand the operation back up,” Meyers said. “You may not eliminate the threat actor entirely, but you can absolutely reduce effectiveness, limit reach, and raise the cost of doing business.”

The post CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain appeared first on CyberScoop.

Authorities arrested and unsealed charges against a Canadian man accused of running Kimwolf, one of the most far-reaching DDoS botnets on record, the Justice Department said Thursday.

Jacob Butler was arrested Wednesday in Ottawa, Canada, and awaits extradition to the United States where he is charged with aiding and abetting computer intrusions and, if convicted, faces up to 10 years in prison.

Investigators said the 23-year-old, also known as “Dort,” was a principal administrator of Kimwolf, a variant of the record-setting Aisuru DDoS botnet that spread like wildfire and eventually took over more than 2 million Android TV devices after its operators figured out how to abuse residential-proxy networks for local control.

Authorities in March seized infrastructure powering the Kimwolf, Aisuru, JackSkid and Mossad botnets, which hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively.

Kimwolf, which operated as a DDoS-for-hire service for other cybercriminals, initiated more than 25,000 attacks, resulting in network outages, disruptions and financial losses exceeding millions of dollars, officials said. Officials also said they found evidence linking Kimwolf to DDoS attacks targeting Department of Defense Information Network IP addresses.

“Kimwolf and the botnets associated with this operation have supported persistent corporate intrusion efforts and been used by a wide range of serious threat actors,” Zach Edwards, staff threat researcher at Infoblox, told CyberScoop.

Authorities searched Butler’s residence during the globally coordinated operation, but did not arrest him until Wednesday, roughly two months later. Officials filed a criminal complaint against Butler in the U.S. District Court for the District of Alaska in April, and unsealed the complaint following his arrest.

A special agent with the Defense Criminal Investigative Service confirmed Butler’s identity and involvement in the Kimwolf botnet after Butler used the same IP address to access multiple email accounts he controlled and Discord accounts linked to Kimwolf. 

“I have observed significant operational security lapses on Butler’s part resulting in patterns of overlapping IP usage among a Google account in Butler’s true name, other Google accounts that I believe to be controlled by Butler due to use of the same machine cookies, and Discord accounts which have been used in support of the KimWolf operation,” the special agent said in an affidavit. 

“The Discord accounts show patterns of overlapping IP usage with the KimWolf backend server. These IP addresses appear to be proxy or VPN IPs which were likely used by Butler in an unsuccessful attempt to evade law enforcement scrutiny. However, like many cybercriminals, Butler did not use proxy or VPN IP addresses exclusively,” the special agent added. 

Authorities described the botnet takedowns in March in nearly conclusive terms at the time, yet court records indicate the Kimwolf botnet is back in operation. 

“While today’s announcement is encouraging to see, there are still hundreds of millions of insecure IoT and network devices connected to sensitive government, corporate and home networks, and these remain a priority target for threat actors looking to build the next version of Kimwolf,” Edwards said.

“Until we find solutions to this underlying problem,” he added, “we’ll unfortunately continue to play Whac-A-Mole with botnet operators year after year.”

You can read the affidavit supporting the criminal complaint against Butler below.

The post Alleged leader of Kimwolf, a sweeping botnet for cybercriminals, arrested in Canada appeared first on CyberScoop.

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The comprehensive study exposes a worsening digital crime environment that is driving financial losses, with momentum moving in the wrong direction and compounding at an alarming rate. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses in that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustaining trends. Yet, the scope of the study is limited and relies entirely on cybercrime incidents submitted to the FBI. 

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged over 60 reporting the largest amount of crimes that also resulted in the greatest amount of total losses by age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers composed the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

The post Cybercrime losses jumped 26% to $20.9 billion in 2025 appeared first on CyberScoop.

Authorities seized infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively, the Justice Department said Thursday.

The botnets — Aisuru, Kimwolf, JackSkid and Mossad — enabled operators to sell access to the infected devices for various cybercrimes. The aftermath spanned thousands of attacks, including some demanding extortion payments from victims, officials said.

The globally coordinated operation, aided by law enforcement actions targeting the botnets’ operators in Canada and Germany, disrupted the command-and-control infrastructure for all four botnets. Two of the botnets set records before the takedown, attracting widespread attention from security researchers and vendors.

The Kimwolf botnet, an Android variant of Aisuru, spread like wildfire after its operators figured out how to abuse residential-proxy networks for local control, according to Sythient. It eventually took over more than 2 million Android TV devices by January. In September, just as Kimwolf was forming, Cloudflare clocked the Aisuru botnet hitting a record-breaking 29.7 terabits-per-second DDoS attack that lasted 69 seconds.

Officials ultimately attributed roughly 200,000 DDoS attacks to Aisuru, 90,000 to JackSkid, 25,000 to Kimwolf and about 1,000 DDoS attack commands to the Mossad botnet. Yet, DDoS attacks from financially-motivated attackers are typically a distraction or misdirection.

“Oftentimes a DDoS attack is just advertising for the size of an operator’s botnet,” Zach Edwards, staff threat researcher at Infoblox, told CyberScoop. Botnet operators cash out by renting these controlled devices to cybercriminals for account abuse, password reset attacks, ad fraud schemes and residential proxy nodes, he added.

Devices infected by the four botnets include digital video recorders, web cameras, Wi-Fi routers and TV boxes. Hundreds of thousands of these devices are located in the United States, federal prosecutors said. 

Authorities did not name the people involved or formally announce any arrests. Yet, they describe the operation in nearly conclusive terms, claiming the action disrupted the botnets’ communications infrastructure — domains, virtual servers and other systems — to prevent further infection and limit or eliminate the botnets’ ability to launch future attacks.

“Cybercriminals infiltrate infrastructure beyond physical borders and Defense Criminal Investigative Service participates in international operations to help safeguard the Department’s global footprint,” Kenneth DeChellis, special agent in charge at the Defense Department’s DCIS cyber field office, said in a statement. Some of the DDoS attacks attributed to these botnets reached IP’s owned by the Department of Defense Information Network.

Botnets often compete for devices to infect and opportunities to scale. As Kimwolf spread and hit those objectives, it captured sweeping interest from researchers, authorities and vendors in a position to help stop it. 

Kimwolf was the largest DDoS botnet ever detected, according to Tom Scholl, vice president at Amazon Web Services, which assisted the operation. “The scale of this botnet is staggering,” he said in a LinkedIn post. 

“Kimwolf represented a fundamental shift in how botnets operate and scale,” Scholl added. “Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a novel attack vector: residential proxy networks.”

Under this mechanism, any organization with vulnerable devices connected to the internet could unwittingly have those devices turned into a node for a botnet or a foothold for a targeted attack.

“This isn’t just some problem that your cousin has because he bought some cheap TV box that promised him free TV channels,” Edwards said. Infoblox previously said nearly 25% of customers had at least one endpoint device in a residential proxy service targeted by Kimwolf.

While it’s intellectually interesting whenever a botnet scales to extraordinary size, it’s also a “sad reminder that oftentimes security takes a back seat to convenience and cost,” Edwards said. 

“The botnets are growing because more and more people are buying weird internet-connected stuff,” he added. “Nothing in this world is free.”

The takedowns mark a continuation of a consistent, ongoing crackdown targeting large-scale botnets, cybercrime marketplaces, malware, infostealers and other cybercrime tools. Some of the malicious networks hampered or rendered nonoperational by disruptions and arrests during the past year include: DanaBot, Rapper Bot, Lumma Stealer, AVCheck and SocksEscort.

More than 20 companies and organizations assisted with the coordinated disruption, including law enforcement from the Netherlands and Europol. Efforts to stop botnets will continue as these malicious networks proliferate in new places and new ways. 

“We’re living in a device-compromise–DDOS-botnet-merry-go-round and while many of us wish something could slow it down, the challenges continue to grow,” Edwards said. “This is still a bad day for serious threat actors, and any day like that is something we should all celebrate.”

The post Justice Department disrupts botnet networks that hijacked 3 million devices appeared first on CyberScoop.

Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.

Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.

The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.

“Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

SocksEscort’s operators assembled the botnet by exploiting a vulnerability in residential modems from an unnamed vendor, according to officials.

The cybercrime operation defrauded Americans and U.S. businesses of millions of dollars, the Justice Department said. More than one-quarter of the 8,000 infected routers SocksEscort advertised in February were based in the United States.  

SocksEscort began operating in 2009 and its command-and-control infrastructure went undetected by most tools for a very long time, Ryan English, information security engineer at Black Lotus Labs, told CyberScoop.

The botnet’s infrastructure, which was powered by AVRecon malware, was elusive and maintained a consistently high volume, claiming an average 20,000 victims weekly since early 2024. Its impact peaked in January 2025 when it ensnared more than 15,000 victims daily, according to Black Lotus Labs’ research. 

The company said it observed 280,000 unique IPs as victims of the proxy network since early 2025, and more than half of SocksEscort’s victims were based in the United States and United Kingdom.

“Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after,” Chris Formosa, senior lead information security engineer at Black Lotus Labs, told CyberScoop. 

“They were exclusively marketing to cybercriminals and nowhere else,” he added. “With a network like this, once law enforcement gains legal access to backend infrastructure it can give them a lot of intelligence on other threat actors besides the botnet operators.”

Various agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands and Romania assisted in the investigation and takedown.

The post Authorities takedown global proxy network SocksEscort appeared first on CyberScoop.