A joint investigative sweep across three states kicked off this week aimed at identifying companies that aren’t following opt-out laws for collecting consumer data.
The efforts, led by the state attorneys general, the California Privacy Protection Agency and other state regulators, will involve contacting businesses across all three states who may not be processing opt-out requests or using Global Privacy Control (GPC), and ensuring they start following the required regulations.
“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” Attorney General Rob Bonta said in a statement. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law.”
California, Connecticut and Colorado all have laws requiring companies to adopt GPC, a browser extension that allows consumers to automatically and universally opt out of invasive data collection. The use of GPC is also required in other states, such as Texas, that aren’t part of this week’s enforcement actions.
According to the Privacy Tech Lab at Wesleyan University in Connecticut, GPC will “automatically send a signal or raise a privacy flag from your browser every time you visit a website.”
“This signal tells the website that you want to opt out of having your personal data sold or used for targeted advertising,” the lab noted.
Some browsers, like Mozilla’s Firefox, have this feature built into their product, while others, like Google’s Chrome, require a third-party extension to use it. But in most cases, it only takes a few minutes to set the protections up on your device or browser.
Connecticut Attorney General William Tong said in a statement that while “many businesses have been diligent in understanding these new protections and complying with the law,” the sweep was about “putting violators on notice today that respecting consumer privacy is non-negotiable.”
In response to questions about the scope of the joint investigation, when it began and whether noncompliant firms would face fines or other sanctions, a spokesperson for the California Department of Justice said in a statement to CyberScoop that the state has used the California Consumer Privacy Act in the past to get court orders and fine privacy offenders, including companies that failed to follow opt-out laws, citing a $1.2 million state fine paid by Sephora in 2022. The spokesperson described the current investigative sweep as “ongoing.”
“We’ve enforced the CCPA against companies, including for failing to honor opt-out requests via the GPC, and obtained both injunctive relief and civil penalties,” the spokesperson said. “Beyond this, to protect their integrity, we’re unable to comment on, even to confirm or deny, any potential or ongoing investigations.”
The sweep represents one of the larger nationwide efforts by states to enforce data privacy opt-out laws — one of the few legal protections U.S. consumers have to prevent wanton data collection and targeted advertising by companies.
Many states have privacy laws that require businesses to give consumers the option to opt-out of having their data being collected or sold to third parties. However, some businesses that profit from buying and selling data simply don’t comply with those laws or make the opt-out process so complicated that it can frustrate and discourage consumers from exercising their rights.
Last year, the CPPA conducted its own sweep of data brokers out of compliance with state laws amid evidence that at least 40% of the companies on the state’s data broker registry were not complying — or flat out ignoring — requests from consumers to delete their data or opt out of collection.
In April regulators from California, Colorado and Connecticut — along with four other states — formed a bipartisan consortium to work together on implementing and enforcing common privacy laws across state borders. The other states in the coalition are Delaware, Indiana, New Jersey and Oregon.
This story was updated Sept. 11, 2025, with comments from the California Department of Justice.
Authorities and threat intelligence analysts alike relish taking ransomware operators off the board. Holding cybercriminals accountable through arrest, imprisonment, or genuine reform creates a powerful deterrent and advances the ultimate goal of a safer internet for everyone.
Getting to that point is a remarkably tough task for defenders. Ransomware attacks are often initiated by people living in countries that aren’t bound by extradition treaties with the United States or don’t cooperate with international law enforcement. When those obstructions aren’t in place, authorities can amass resources to hunt down those responsible for cyberattacks and bring them to justice.
The fight against cybercrime is grueling, and wins don’t typically countervail the losses. For nearly a decade, police have often made high-profile announcements about arresting cybercriminals, keeping them in custody until their court dates and seizing their ill-gotten gains. These acts send a clear message to the public and potential offenders that cybercrime is a serious offense, and authorities are taking swift, visible measures to uphold the law.
Ianis Aleksandrovich Antropenko exemplifies the profile of a modern cybercriminal, yet, unlike many others who have faced strict prosecution for similar offenses, the Justice Department has granted him liberties rarely extended to such suspects.
The 36-year-old Russian national was arrested almost a year ago in California for his alleged involvement in multiple ransomware attacks from at least May 2018 to August 2022. Yet, he was released on bail the day of his arrest and continues to live with few restrictions in Southern California awaiting trial for multiple felonies.
Antropenko is charged with conspiracy to commit computer fraud and abuse, computer fraud and abuse, and conspiracy to commit money laundering. He is accused of using Zeppelin ransomware to attack multiple people, businesses and organizations globally, including victims based in the U.S.
Antropenko pleaded not guilty to the charges in October.
The Justice Department recently announced it seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. His alleged crimes were publicly revealed for the first time last month when authorities unsealed various court documents.
Photo of Antropenko posted to his public Instagram account March 10, 2023. (Instagram)
Antropenko’s arrest and pending trial marks another potential win against ransomware, but many experts told CyberScoop they are stunned he remains free on bail. This rare flash of deferment in a case involving a prolific alleged cybercriminal is even more shocking considering his multiple run-ins with police since his 2024 arrest.
Antropenko violated conditions for his pretrial release at least three times in a four-month period this year, including two arrests in California involving dangerous behavior while under the influence of drugs and alcohol. Authorities haven’t explained why Antropenko was released pending trial, nor why parole officers and a judge repeatedly allowed him to remain out of jail following these infractions.
“On average, most ransomware actors, if they are brought into custody, are remanded because of a flight risk,” said Cynthia Kaiser, senior vice president of the ransomware research center at Halcyon.
“It’s rare to have a ransomware actor in U.S. custody,” the former deputy assistant director at the FBI Cyber Division told CyberScoop. “Typically, if the FBI believes that the person is a flight risk it would make the case for bond to be denied.”
Prosecutors in the U.S. District Court for the Northern District of Texas did not flag Antropenko as a flight risk in this case.
In the past year, other alleged ransomware suspects or cybercriminals — Noah Urban, Cameron Wagenius, Connor Moucka and Artem Stryzhak among them — were all detained pending trial. Urban, who was sentenced last month to 10 years in prison, and Wagenius, who has pleaded guilty to some charges, were arrested in the United States. Moucka and Stryzhak were arrested elsewhere and extradited to the U.S.
Pretrial treatment of cybercrime suspects hasn’t always adhered to strict norms, especially when the accused’s mental health status was taken into account. Paige Thompson, who was arrested in July 2019 for hacking and stealing data from Capital One and dozens of other organizations for a cryptocurrency mining scheme, was deemed a “serious flight risk” by prosecutors, but still released pending trial four months later.
A U.S. district judge in Seattle determined Thompson didn’t pose a threat to the community and previously told attorneys he was “very concerned” that Thompson would not receive adequate mental health treatment from the Bureau of Prisons.
Thompson was found guilty of multiple counts and sentenced in October 2022 to time served and five years of probation, much to the chagrin of prosecutors. A federal appeals court overruled the district court judge’s sentence earlier this year, calling the punishment “substantially unreasonable.”
Yevgeniy Nikulin, a Russian national arrested in October 2016 on charges related to breaching a database containing 117 million passwords from LinkedIn, Dropbox and other services, was extradited to the U.S. from the Czech Republic in 2018 and ruled fit to stand trial, despite exhibiting mental illness symptoms throughout his incarceration and trial. He was detained pending trial and sentenced to 88 months in prison in September 2020.
Notwithstanding these variances in previous cases, some experts are struck by other irregularities in Antropenko’s case, including his conditions of release. He is not banned from using the internet or computers, but limited to devices and services disclosed during supervision that are subject to monitoring.
More lenient conditions of release are typically offered in exchange for cooperation, according to threat analysts and a former FBI special agent who specialized in cybersecurity investigations.
“The investigators that tracked him down will certainly want to know who the bigger fish are, and they’ll want to figure out who else they could take down,” the former FBI special agent, speaking on condition of anonymity, told CyberScoop. “If he’s willing to cooperate, then normally the federal system will do good things for you.”
Authorities imposed travel restrictions on Antropenko, required him to surrender his passport, banned him from entering a Russian embassy or consulate and are monitoring his location.
Bad behavior going back years
The federal case against Antropenko accentuates how finite resources can put law enforcement and federal investigators at a disadvantage as they confront a constant crush of cybercrime.
The FBI and prosecutors accuse Antropenko of deploying ransomware and extorting victims by email, and implicate him and his ex-wife, Valeriia Bednarchik, in the laundering of ransomware proceeds. Investigators traced the path of ransom payments, money laundering techniques and services, and determined the seized accounts, cash and vehicles were derived from criminal proceeds.
The FBI said it found at least 48 cryptocurrency addresses referenced in Antropenko’s email account — china.helper@aol.com, which he registered in May 2018 — including “emails that received or negotiated ransom payments” and emails about other ransomware attacks.
A cluster of Bitcoin addresses owned by Antropenko “had received a total of approximately 101 Bitcoin” as of Feb. 5, 2024. Out of this amount, 64.6 Bitcoin was sent to the cryptocurrency mixing service ChipMixer, according to the FBI. As of today’s rates, the current value of 101 Bitcoin is almost $10.9 million.
The 2023 takedown of ChipMixer, which was used by criminals to launder more than $3 billion in cryptocurrency starting in 2017, provided crucial evidence for this investigation, according to Ian Gray, VP of intelligence at Flashpoint.
“Only after law enforcement seized ChipMixer’s infrastructure could investigators trace the funds linked to accounts registered in Antropenko’s name,” he said. “The sophistication of Bitcoin tracing and clustering techniques also likely contributed to the timing, as law enforcement has adopted software and tools more widely.”
Prosecutors allege that Antropenko and Bednarchik funneled money from computer fraud victims through ChipMixer, then back to their own exchange accounts. Antropenko also allegedly arranged in-person cryptocurrency-to-cash swaps in the U.S., depositing the cash in small sums under $10,000 into his bank account.
FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.
In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik’s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022.The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: “I took half 50000$ from 100000$”
Authorities also seized cash and two luxury vehicles from the apartment Antropenko and Bednarchik once shared in Irvine, Calif. This included a Lexus LX 570 that Antropenko purchased for more than $123,000 in November 2022 and a 2022 BMW X6M that Antropenko and Bednarchik purchased for $150,000 in cash in November 2021. Photos of vehicles matching those descriptions are depicted on Antropenko’s public Instagram account.
Ransomware operators have been assisted by their spouses in other cases, but their partners’ involvement is typically limited to money laundering, Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.
While many ransomware operators and affiliates operate outside of Russia now, it is rare for a Russian national to live in the U.S. while initiating ransomware attacks for as long as Antropenko allegedly did, Liska said.
“It sounds like he may have had additional information about other people, maybe bigger fish that law enforcement could go after,” he said.
The U.S. District Court for the Northern District of Texas declined to answer questions or provide additional information. The most recent attorney on record for Antropenko did not respond to a request for comment.
Antropenko didn’t just inflict damages on his cybercrime victims, as alleged by prosecutors. His volatility erupted around those closest to him, according to Bednarchik, who accused him of domestic violence in temporary restraining orders she filed against Antropenko in April and May 2022.
Bednarchik has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities said they plan to bring charges against her, no cases are currently pending.
In court filings, Bednarchik painted a picture of a controlling relationship, writing that Antropenko “constantly threatens me with full custody of our son, because he has a lot of money” and expressing fears he might take their child to Russia without permission.
Photo of a BMW X6M posted to Antropenko’s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024. (Instagram)
Court records reveal the family lived together in Miami and later Irvine until 2022. Despite Bednarchik reporting only $800 monthly income from her clothing business, she estimated Antropenko earned $50,000 per month from “cryptocurrency dividends,” describing him as “the breadwinner for the family.”
When Antropenko was arrested in September 2024, Bednarchik posted his $10,000 bail, identifying herself in the affidavit as his ex-wife.
“She’s either being redacted because she’s a victim or because she is collaborating with law enforcement and has been able to get her name redacted,” Zach Edwards, senior threat analyst at Silent Push, told CyberScoop.
Antropenko’s ties to Zeppelin ransomware
Authorities did not describe the extent to which Antropenko was involved with Zeppelin ransomware. Prosecutors mention unnamed co-conspirators in some court documents, indicating they are investigating or aware of others involved in the ransomware-as-a-service operation.
The Cybersecurity and Infrastructure Security Agency said Zeppelin ransomware victims include a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies and organizations in the health care and medical industries.
Zeppelin, a variant of the Delphi-based Vega malware, was used from at least 2019 to mid-2022, the agency said in an August 2022 advisory. A ransom note included in CISA’s advisory listed an AOL address for communication regarding extortion payments.
Prosecutors and investigators working on Antropenko’s case said Zeppelin ransomware affected about 138 U.S. victims since March 2020, including a data analysis company and its CEO based in the Dallas region where Antropenko faces federal charges.
Prosecutors have consistently declared the case against Antropenko “complex,” with evidence surpassing 7 terabytes of data, including personally identifiable information of victims, such as names, addresses, photos and bank account numbers.
Zeppelin and Antropenko’s alleged activities rose during the second wave of ransomware, when many cybercriminals were winging it and law enforcement activity was at a lull, Liska said. “If you start off with a mistake, that mistake is going to catch up to you,” he said.
Indeed, threat researchers and analysts attribute Antropenko’s capture to “sloppy” behaviors and practices, including his use of major U.S. service providers.
“Antropenko’s operational security was remarkably poor,” Gray said.
“He used a personal PayPal account linked to recovery emails for ransomware operations, shared usernames between banking and ransomware accounts, and stored sensitive information like cryptocurrency seed phrases and photos of large cash amounts in iCloud accounts,” he continued. “These OPSEC failures ultimately led to law enforcement identifying Antropenko.”
Pretrial release violations
While prosecutors push Antropenko’s trial date further down the road — currently set for Feb. 6, 2026 — his personal life has been unraveling. He was hospitalized on a mental health hold on Dec. 31, 2024, and spent a week in a behavioral health hospital, according to a pretrial release violation report.
Antropenko told his probation officer that his ex-wife took his son from him unexpectedly, which led to a significant bout of depression and increase in alcohol consumption. “While walking around his RV park intoxicated, he was approached by an individual who offered him an unknown drug,” which he assumed was some type of methamphetamine, Antropenko’s probation officer wrote in the court filing.
Antropenko said he had little recollection of the events that followed. Once he was placed in a police car after law enforcement arrived the following morning, “he assumed he was being arrested which exacerbated his depression, prompting him to bang his head on the window of the police car, after which he recalls regaining consciousness in the hospital,” the probation officer said. No charges were filed.
Almost two months later, Antropenko was arrested for public intoxication in Riverside County, Calif., when he was found laying unresponsive in the center divider of a roadway. Antropenko told his probation officer he sat down on a curb near his home to smoke a cigarette after consuming four to five beers and was feeling tired, so he fell asleep. He was released the following day.
A U.S. magistrate judge in Texas allowed Antropenko to remain out on bond and modified the conditions of his release to include a ban on alcohol consumption and submit to regular alcohol testing.
“It strikes me as unusual to have so many drug violations and stay out on bail,” Kaiser said. “It would be overly lenient if they were still perpetrating crimes obviously against others. It appears he’s harming himself.”
In April, Antropenko contacted his parole officer to make an unsolicited admission to cocaine use, according to a court document filed in May. “The defendant stated that he attended a birthday celebration for a friend’s sister. When he went to the restroom some ‘random people’ offered him a ‘bump of cocaine,’” his probation officer said. The court took no further action.
“Even if he is a cooperating witness, he has been given a lot of freedom, a lot more freedom than we normally see in this case,” Liska said. “I can’t think of any case, of anybody this high profile, that has been given this level of freedom, cooperating or not.”
Edwards is also dismayed Antropenko remains out on bail pending trial.
“It’s wild that a citizen from Russia who has been accused of partnering with serious global threat actors and is out on bail for leading a ransomware campaign, has been arrested multiple times for issues associated with alcohol, including passing out on a street in public, and also admitted to using cocaine while out on bail, and yet his bail hasn’t been revoked,” he said.
Former law enforcement officials were less shocked about the circumstances of Antropenko’s case than security analysts.
Adam Marrè, chief information security officer at Arctic Wolf, said the post-arrest privileges granted to Antropenko aren’t that odd, especially since Antropenko’s alleged pretrial release violations don’t have anything to do with cybercrime.
Marrè said Antropenko’s alleged violations would have frustrated him when he was a special agent at the FBI investigating cybercrime, but he understands the court’s decisions, adding “people are innocent until proven guilty.”
It’s important to note the FBI is focused on outcomes, according to Kaiser. “Getting money back to victims who were stolen from is more important than punishing some guy, especially if he’s not doing [ransomware] activities anymore,” she said.
“It’s hard to arrest these people in the first place and stop them, which means it’s very complicated to deter them over a long period of time,” Kaiser added. “There’s no one arrest that’s going to stop these types of activities.”
There are few laws at the state or federal level to constrain data brokerage, the process by which companies collect and sell bulk data on people they’ve never met or done business with.
States at the forefront of regulating the industry, like California, currently require hundreds of companies to register with the government and provide consumers with the means to opt out of collection or request deletion of their data.
Now, a study from the University of California, Irvine shows that many registered brokers may be ignoring these requirements, and experts tell CyberScoop that state regulators should strengthen their enforcement of current privacy laws.
In the study, researchers exercised their rights under the California Consumer Privacy Act by contacting all registered data brokers and requesting details about the data the companies had collected on them. Of the 543 companies contacted, 40% failed to respond in any way, showing “rampant non-compliance” among the registered brokers.
“Our findings reveal rampant non-compliance and lack of standardization of the data access request process,” wrote authors Elina van Kempen, Isita Bagayatkar, Pavel Frolikov, Chloe Georgiou and Gene Tsudik. “These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers’ privacy protections and improve data broker accountability.”
In addition to brokers that didn’t respond, those that did often created numerous hurdles for people trying to access their data. There was no standard process for submitting such requests: some companies required a phone call, others an email, and others asked users to fill out an online form.
The study measured six types of friction in these requests: individual burden, identity verification challenges, response time, response quality, the data collected, and the privacy issues related to the requests.
One key finding was that inconsistent identity procedures across brokers are confusing and “taxing” to the average consumer, forcing them to navigate a patchwork of different requirements.
Caption: Even when data brokers (DBRs) do respond to consumers, many offer a confusing and unreliable process to contact them and request data or opt out. (Source: UC Irvine)
Many brokers that collect and sell personal data require strict identity verification for consumer data requests, which helps prevent unauthorized access.
On the other hand, the study’s authors say this creates an “unintended privacy paradox” for consumers looking to limit the exposure of their personal data by engaging with brokers directly, as they must often provide additional forms of personal and personally identifiable information along the way.
“Paradoxically, this means that exercising one’s privacy rights under CCPA introduces new privacy risks,” the authors wrote.
The study, which focused solely on companies registered as data brokers in California, may actually understate the problem, as other research has shown that many data brokers don’t carry their disclosures across state lines.
Justin Sherman, a privacy expert and scholar-in-residence at the Electronic Privacy Information Center, told CyberScoop that many brokers seem to hold an odd commitment to privacy principles in one particular instance: verifying the identity of people who object to having a third-party company collect and use their personal information.
“It is beyond irony that there are data brokers who will sell to basically anybody and … yet when someone is saying, ‘I don’t consent to you having collected my data behind my back,’ everything is all of a sudden, ‘how are we going to verify?’ and ‘how are we going to do ‘Know Your Customer’” rules, Sherman said. “It’s talking out of both sides of your mouth. They know that if you create some friction, then people are less likely to cancel.”
Additionally, Sherman noted that for opt-out rights to be effective, “the consumer has to be able to easily exercise them.” A process that forces them to personally contact hundreds of different companies without a standardized process for doing so, he argued, is a recipe for frustration and dark patterns.
He added “there’s no gray area” about how registered brokers are obligated to handle such requests.
“I think the law is very clear. The law says: accept the requests and respond, or reject the requests and respond with the exception you’re setting,” Sherman said, something hundreds of registered brokers failed to do, according to the study.
The California Privacy Protection Agency did not respond to questions from CyberScoop about the UC Irvine study or its own research on data broker noncompliance under the CCPA.
Login
