Reading view

There are new articles available, click to refresh the page.

Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium

A fast-spreading Android spyware is mushrooming across Russia, camouflaging itself as popular apps like TikTok or YouTube, researchers at Zimperium have revealed in a blog post.

The company told CyberScoop they expect the campaign is likely to expand beyond Russian borders, too.

In three months, Zimperium zLabs researchers observed more than 600 samples, the company wrote in a blog post Thursday. Once implanted, the spyware can steal text messages, call logs, device information and more, and wrest control of a phone to do things like take pictures or place phone calls.

“It’s mainly targeting Russia, but they can always adapt to other payloads, and since every inflected phone then becomes an attack vector, it’s likely to become a global campaign,” said Nico Chiaraviglio, chief scientist at Zimperium. “However, it’s not easy to know the attackers’ intentions.”

The spyware, dubbed ClayRat, has some notable tools it uses to infect victims.

“ClayRat poses a serious threat not only because of its extensive surveillance capabilities, but also because of its abuse of Android’s default SMS handler role,” the blog post reads. “This technique allows it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.”

It’s also been evolving quickly, Zimperium said, “adding new layers of obfuscation and packing to evade detection.”

Zimperium didn’t say who was behind the spyware. The Russian government is a cyberspace power, but typically hasn’t had to rely on spyware vendors, per se, as it has its own capabilities. Often — but not alwaysspyware linked to or suspected to be linked to the Kremlin is turned inwards, snooping on domestic targets.

“ClayRat is distributed through a highly orchestrated mix of social engineering and web-based deception, designed to exploit user trust and convenience,” according to Zimperium. “The campaign relies heavily on Telegram channels and phishing websites that impersonate well-known services and applications.”

ClayRat’s users also rely on phishing platforms.

The post Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium appeared first on CyberScoop.

Oracle zero-day defect amplifies panic over Clop’s data theft attack spree

Federal cyber authorities and threat hunters are on edge following Oracle’s Saturday disclosure of an actively exploited zero-day vulnerability the Clop ransomware group used to initiate a widespread data theft and extortion campaign researchers initially warned about last week. 

Oracle addressed the critical vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Saturday and advised customers to apply the patch as soon as possible. The tech giant previously said it was aware some customers had received extortion emails and said vulnerabilities it addressed in its July security update were potentially involved. 

Rob Duhart, chief security officer at Oracle Security, updated his blog post Saturday to alert customers to the zero-day. Oracle did not say the zero-day is actively exploited but it provided indicators of compromise, which indirectly confirm the defect has been exploited in the wild. 

The Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to its known exploited vulnerabilities catalog Monday, noting that it has been used in ransomware campaigns. 

Brett Leatherman, assistant director of the FBI’s Cyber Division, described the zero-day as an emergency putting Oracle E-Business Suite environments at risk of full compromise. 

“Oracle E-Business Suite remains a backbone enterprise resource planning system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he said in a LinkedIn post.

The zero-day isn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims in August, according to Mandiant Consulting CTO Charles Carmakal. 

Researchers at watchTowr reproduced the full exploit chain after a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution,” watchTowr researchers wrote in a blog post Monday. The cybersecurity firm said there is a high probability more vulnerabilities will be found in Oracle E-Business Suite tied to this campaign. 

The zero-day vulnerability, which has a CVSS rating of 9.8, can be exploited remotely without authentication, resulting in remote code execution. 

The significant lag time between when the attacks occurred and Oracle’s zero-day vulnerability disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

CrowdStrike researchers said the first known exploitation occurred Aug. 9, eight weeks before Oracle disclosed and patched the zero-day defect. 

The number of organizations impacted by Clop’s attack spree remains unknown, yet researchers have identified victims across multiple sectors and geographies. Clop’s ransom demands have reached up to $50 million, according to Halcyon.

“We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” she said.

Clop is a ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. The threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. 

Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The group is driven by profit, as it operates within a Russia-aligned cybercrime environment, Kaiser said. “Clop’s operations can simultaneously extract financial value and produce outcomes useful to state actors, such as data collection, disruption, or pressure on targeted organizations.”

The post Oracle zero-day defect amplifies panic over Clop’s data theft attack spree appeared first on CyberScoop.

Dem report concludes Department of Government Efficiency violates cybersecurity, privacy rules

Department of Government Efficiency practices at three federal agencies “violate statutory requirements, creating unprecedented privacy and cybersecurity risks,” according to a report that Senate Homeland Security and Governmental Affairs Committee Democrats published Thursday.

The report — drawn from a mix of media reports, legal filings, whistleblower disclosures to the committee and staff visits to the agencies — concludes that the Elon Musk-created DOGE is “operating outside federal law, with unchecked access to Americans’ personal data.” It focuses on DOGE activity at the General Services Administration (GSA), Office of Personnel Management (OPM) and Social Security Administration (SSA).

One previously unreported whistleblower claim is that at the SSA, a June internal risk assessment found that the chance of a data breach with “catastrophic adverse effect” stood between 35% and 65% after DOGE uploaded a computer database file known as Numident, containing personal sensitive information without additional protections against unauthorized access. The potential implications included “widespread PII [personally identifiable information] disclosure or loss of data” and “catastrophic damage to or loss of agency facilities and infrastructure with fatalities to individuals,” according to the assessment.

“DOGE isn’t making government more efficient — it’s putting Americans’ sensitive information in the hands of completely unqualified and untrustworthy individuals,” Michigan Sen. Gary Peters, the top Democrat on the committee, said in a news release. “They are bypassing cybersecurity protections, evading oversight, and putting Americans’ personal data at risk. We cannot allow this shadow operation to continue operating unchecked while millions of people face the threat of identity theft, economic disruption, and permanent harm. The Trump Administration and agency leadership must immediately put a stop to these reckless actions that risk causing unprecedented chaos in Americans’ daily lives.”

The report recommends stripping all DOGE access to sensitive personal information until agencies certify that the initiative is in compliance with federal security and privacy laws such as the Federal Information Security Management Act, and recommends that DOGE employees complete the same kind of cybersecurity training as other federal employees.

It describes the three agencies blocking access to specific offices or otherwise obstructing access. For example, it says that DOGE installed a Starlink network at GSA, but wouldn’t let staff view it. Starlink is the Musk-owned satellite internet service, and the report concludes that Starlink might have allowed DOGE staffers to circumvent agency IT oversight. Data sent over the network “could be an easy target for foreign adversaries,” the report states.

The report also expands upon an alleged attempt at SSA to create a “master database” that would pool data from multiple federal agencies. According to whistleblower disclosures, former SSA DOGE employee John Koval inquired about uploading agency data into a cloud environment to share with the Department of Homeland Security. He was “rebuffed,” the report states, but later worked at DHS and the Justice Department, where SSA data surfaced in some projects, raising further privacy concerns. 

It revisits concerns about DOGE staffer Edward “Big Balls” Coristine having access to sensitive agency data despite reports that he had been fired from an internship at a cybersecurity company for leaking company information to a competitor, and arrives at further conclusions about the risk posed by the ability of Coristine and others “to move highly sensitive SSA data into an unmonitored cloud environment.”

“It is highly likely that foreign adversaries, such as Russia, China, and Iran, who regularly attempt cyber attacks on the U.S. government and critical infrastructure, are already aware of this new DOGE cloud environment,” the report states.

Two of the agencies that were the subject of the report took issue with its conclusions.

“OPM takes its responsibility to safeguard federal personnel records seriously,” said a spokeswoman for the office, McLaurine Pinover. “This report recycles unfounded claims about so-called ‘DOGE teams’ that simply have never existed at OPM. Federal employees at OPM conduct their work in line with longstanding law, security, and compliance requirements.

“Instead of rehashing baseless allegations, Senate Democrats should focus their efforts on the real challenges facing the federal workforce,” she continued. “OPM remains committed to transparency, accountability, and delivering for the American people.”

The SSA pointed to Commissioner Frank Bisignano’s letter to Congress responding to questions about Numident security concerns. 

“Based on the agency’s thorough review, the Numident data and database — stored in a longstanding secure environment used by SSA — have not been accessed, leaked, hacked, or shared in any unauthorized fashion,” a SSA spokesperson wrote, adding, “The location referred to in the whistleblower allegation is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen — SSA’s standard practice.”

The SSA spokesperson emphasized there are no DOGE employees at SSA, only agency employees. 

The GSA did not immediately respond to Scoop News Group requests for comment on the Democratic report.

Miranda Nazzaro contributed reporting to this story.

The post Dem report concludes Department of Government Efficiency violates cybersecurity, privacy rules appeared first on CyberScoop.

Researchers say media outlet targeting Moldova is a Russian cutout

Researchers say a Russian group sanctioned by the European Union and wanted by the U.S. government is behind an influence operation targeting upcoming elections in Moldova.

In a report released Tuesday, researchers at the Atlantic Council’s Digital Forensic Research Lab said that REST Media — an online news outlet launched in June whose posts have quickly amassed millions of views on social media — is actually the work of Rybar, a known Russian disinformation outfit connected to other documented influence campaigns against Western countries and Russian-foes like Ukraine.

REST’s content — spread through its website and social media sites like Telegram, X and TikTok — often hammered Moldova’s pro-EU party, the Party of Action and Solidarity, with claims of electoral corruption, vote selling and other forms of misconduct. The site also sought to explicitly cast Moldova’s anti-disinformation efforts as a form of government censorship.

While REST publishes anonymously-bylined articles on its website meant to mimic news reporting, most of its reach has come from TikTok, which accounts for the overwhelming majority of the 3.1 million views its content has received online.

“The actual scope and reach of REST’s campaign likely extends beyond what is documented in this investigation,” wrote researchers Jakub Kubś and Eto Buziashvili.

REST Media’s social media output received millions of views on platforms like TikTok, X and Telegram. (Source:Digital Forensics Research Lab)

The researchers provide technical evidence that they say shows unavoidable connection and overlap between the online and cloud-based infrastructure hosting REST and online assets from previously known Rybar operations.

For instance, the site shares “identical” server configurations, file transfer protocol settings and control panel software as Rybar’s mapping platform, while a forensic review of REST’s asset metadata found a number of file paths that explicitly reference Rybar.

“These operational security lapses appear to indicate that at least some REST content follows the same production workflow as Rybar,” Kubś and Buziashvili wrote.

Analysis of the domain for REST’s website found it was registered June 20 “through a chain of privacy-focused services that collectively create multiple layers of anonymization.” The registration was processed out by Sarek Oy, a Finland-based domain registrar company with a history of involvement with pirated websites that was denied formal accreditation by international bodies like ICANN.

The listed domain registrant for REST’s website, 1337 (or “LEET”) Services LLC, appears to be a play on common hacker slang, and DFIRLab said the company is tied to a notorious VPN service based in St. Kitts and Nevis in the Caribbean that is known for helping clients hide their identities.

Efforts to reach the site’s operators were not successful. REST’s website, which is still active, contains no information about the identities of editorial staff, regularly publishes stories with anonymous bylines and does not appear to provide any means for readers to contact the publication, though there is a section for readers to leak sensitive documents and apply for employment.

An image from REST Media detailing “electoral corruption” in Moldova targeting Maia Sandu, head of the Pro-EU Party of Action and Solidarity. (Source: Digital Forensics Research Lab)


Kubś and Buziashvili said the new research demonstrates that REST “is more than just another clone in Russian’s information operations ecosystem.”

“It provides granular detail on how actors, such as Rybar, adapt, regenerate, and cloak themselves to continue their efforts to influence,” the authors wrote. “From shared FTP configurations to sloppy metadata, the evidence points to REST being part of a broader strategy to outlast sanctions through proxy brands and technical obfuscation.”

It also underscores “that such influence efforts” from Russia are not siloed “but cross-pollinated across regions, platforms, and political contexts, seeding disinformation that resonates well beyond Moldovan borders.”

No REST from influence campaigns

REST is the latest in a string of information operations targeting Moldova’s elections that have been traced back to the Russian government over the past year, according to Western governments and independent researchers who track state-backed disinformation campaigns.

A risk assessment from the Foreign Information Manipulation and Interference Information Sharing and Analysis Center on Sept. 9 identifies what it described as “persistent Russian-led hybrid threats, including information warfare, illicit financing, cyberattacks, and proxy mobilisation, aimed at undermining the Moldovan government’s pro-EU agenda and boosting pro-Russian actors.”

The assessment pointed to Moldova’s fragmented media landscape — “where banned pro-Russian outlets evade restrictions via mirror websites, apps, and social media platforms such as Telegram and TikTok” — as a vulnerability that is being exploited by Russian actors, alongside the country’s limited regulatory resources and gaps in online political ad regulation. Russian-directed influence activities in Moldova have “evolved significantly” from funding real-life protests and other forms of paid mobilization to “increasingly technology driven operations,” including social media and newer technologies like artificial intelligence.

But such mobilization may still be part of Russia’s plans. Earlier this week, Moldovan authorities carried out 250 raids and detained dozens of individuals that they claimed were part of a Russian-orchestrated plot to incite riots and destabilize the country ahead of next week’s elections.

The goal is to create a society that feels besieged from all sides — facing not only external pressure from Russia abroad but also internal political strife that can prevent a unified front.

“This intersection of external manipulation and internal fragmentation heightens political polarisation, risks disengaging the traditionally pro-European diaspora, and fosters growing public apathy and disillusionment, outcomes that directly threaten electoral integrity and democratic resilience,” the assessment concluded.

It also comes as the U.S. federal government has — often loudly and proudly — moved away from any systemic effort to fight or limit the spread of disinformation domestically and abroad.

The State Department under Secretary Marco Rubio earlier this year shut down the Global Engagement Center, which was created by Congress and functioned as the federal government’s primary diplomatic arm for engaging with other countries on disinformation issues.

In a Sept. 17 statement, State Department principal deputy spokesperson Tommy Pigott confirmed that the department had “ceased all Frameworks to Counter Foreign State Information Manipulation and any associated instruments implemented by the former administration.” 

Pigott added that the decision to shutter the office, which focused mostly on foreign disinformation campaigns waged by autocrats abroad, aligns with an executive order on free speech and freedom of expression issued shortly after Trump took office.

“Through free speech, the United States will counter genuine malign propaganda from adversaries that threaten our national security, while protecting Americans’ right to exchange ideas,” Pigott said.

In addition to the State Department, the Trump administration has shut down the foreign influence task force at the FBI and fired officials and eliminated disinformation research at the Cybersecurity and Infrastructure Security Agency.

The Foreign Malign Influence Center, a key office housed within the Office of the Director of National Intelligence, was responsible for piecing together intelligence around burgeoning foreign influence operations targeting U.S. elections and notifying policymakers and the public. According to sources familiar with the matter, the center’s work has largely ground to a halt under Director of National Intelligence Tulsi Gabbard, who is planning to eliminate the center as part of a larger intelligence reorganization plan.

Lindsay Gorman, a former White House official under the Biden administration, told CyberScoop earlier this year that the U.S. needs a way to coordinate with democratic allies and provide effective interventions when their elections and digital infrastructure are being targeted by intelligence services in Russia, China and other adversarial nations.

One way to fight back, Gorman said, is to have “eyes and ears on the ground” on those countries and “to expose covert campaigns for what they are,” something that outfits like the State Department’s Global Engagement Center were explicitly designed to do.

The post Researchers say media outlet targeting Moldova is a Russian cutout appeared first on CyberScoop.

Prolific Russian ransomware operator living in California enjoys rare leniency awaiting trial

Authorities and threat intelligence analysts alike relish taking ransomware operators off the board. Holding cybercriminals accountable through arrest, imprisonment, or genuine reform creates a powerful deterrent and advances the ultimate goal of a safer internet for everyone. 

Getting to that point is a remarkably tough task for defenders. Ransomware attacks are often initiated by people living in countries that aren’t bound by extradition treaties with the United States or don’t cooperate with international law enforcement. When those obstructions aren’t in place, authorities can amass resources to hunt down those responsible for cyberattacks and bring them to justice.

The fight against cybercrime is grueling, and wins don’t typically countervail the losses. For nearly a decade, police have often made high-profile announcements about arresting cybercriminals, keeping them in custody until their court dates and seizing their ill-gotten gains. These acts send a clear message to the public and potential offenders that cybercrime is a serious offense, and authorities are taking swift, visible measures to uphold the law.

Ianis Aleksandrovich Antropenko exemplifies the profile of a modern cybercriminal, yet, unlike many others who have faced strict prosecution for similar offenses, the Justice Department has granted him liberties rarely extended to such suspects.

The 36-year-old Russian national was arrested almost a year ago in California for his alleged involvement in multiple ransomware attacks from at least May 2018 to August 2022. Yet, he was released on bail the day of his arrest and continues to live with few restrictions in Southern California awaiting trial for multiple felonies.

Antropenko is charged with conspiracy to commit computer fraud and abuse, computer fraud and abuse, and conspiracy to commit money laundering. He is accused of using Zeppelin ransomware to attack multiple people, businesses and organizations globally, including victims based in the U.S.

Antropenko pleaded not guilty to the charges in October.

The Justice Department recently announced it seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. His alleged crimes were publicly revealed for the first time last month when authorities unsealed various court documents.

Photo of Antropenko posted to his public Instagram account March 10, 2023.
Photo of Antropenko posted to his public Instagram account March 10, 2023. (Instagram)

Antropenko’s arrest and pending trial marks another potential win against ransomware, but many experts told CyberScoop they are stunned he remains free on bail. This rare flash of deferment in a case involving a prolific alleged cybercriminal is even more shocking considering his multiple run-ins with police since his 2024 arrest.

Antropenko violated conditions for his pretrial release at least three times in a four-month period this year, including two arrests in California involving dangerous behavior while under the influence of drugs and alcohol. Authorities haven’t explained why Antropenko was released pending trial, nor why parole officers and a judge repeatedly allowed him to remain out of jail following these infractions.

“On average, most ransomware actors, if they are brought into custody, are remanded because of a flight risk,” said Cynthia Kaiser, senior vice president of the ransomware research center at Halcyon.

“It’s rare to have a ransomware actor in U.S. custody,” the former deputy assistant director at the FBI Cyber Division told CyberScoop. “Typically, if the FBI believes that the person is a flight risk it would make the case for bond to be denied.”

Prosecutors in the U.S. District Court for the Northern District of Texas did not flag Antropenko as a flight risk in this case. 

In the past year, other alleged ransomware suspects or cybercriminals — Noah Urban, Cameron Wagenius, Connor Moucka and Artem Stryzhak among them — were all detained pending trial. Urban, who was sentenced last month to 10 years in prison, and Wagenius, who has pleaded guilty to some charges, were arrested in the United States. Moucka and Stryzhak were arrested elsewhere and extradited to the U.S.

Pretrial treatment of cybercrime suspects hasn’t always adhered to strict norms, especially when the accused’s mental health status was taken into account. Paige Thompson, who was arrested in July 2019 for hacking and stealing data from Capital One and dozens of other organizations for a cryptocurrency mining scheme, was deemed a “serious flight risk” by prosecutors, but still released pending trial four months later.

A U.S. district judge in Seattle determined Thompson didn’t pose a threat to the community and previously told attorneys he was “very concerned” that Thompson would not receive adequate mental health treatment from the Bureau of Prisons. 

Thompson was found guilty of multiple counts and sentenced in October 2022 to time served and five years of probation, much to the chagrin of prosecutors. A federal appeals court overruled the district court judge’s sentence earlier this year, calling the punishment “substantially unreasonable.”

Yevgeniy Nikulin, a Russian national arrested in October 2016 on charges related to breaching a database containing 117 million passwords from LinkedIn, Dropbox and other services, was extradited to the U.S. from the Czech Republic in 2018 and ruled fit to stand trial, despite exhibiting mental illness symptoms throughout his incarceration and trial. He was detained pending trial and sentenced to 88 months in prison in September 2020.

Notwithstanding these variances in previous cases, some experts are struck by other irregularities in Antropenko’s case, including his conditions of release. He is not banned from using the internet or computers, but limited to devices and services disclosed during supervision that are subject to monitoring.

More lenient conditions of release are typically offered in exchange for cooperation, according to threat analysts and a former FBI special agent who specialized in cybersecurity investigations. 

“The investigators that tracked him down will certainly want to know who the bigger fish are, and they’ll want to figure out who else they could take down,” the former FBI special agent, speaking on condition of anonymity, told CyberScoop. “If he’s willing to cooperate, then normally the federal system will do good things for you.”

Authorities imposed travel restrictions on Antropenko, required him to surrender his passport, banned him from entering a Russian embassy or consulate and are monitoring his location.

Bad behavior going back years

The federal case against Antropenko accentuates how finite resources can put law enforcement and federal investigators at a disadvantage as they confront a constant crush of cybercrime. 

The FBI and prosecutors accuse Antropenko of deploying ransomware and extorting victims by email, and implicate him and his ex-wife, Valeriia Bednarchik, in the laundering of ransomware proceeds. Investigators traced the path of ransom payments, money laundering techniques and services, and determined the seized accounts, cash and vehicles were derived from criminal proceeds.

The FBI said it found at least 48 cryptocurrency addresses referenced in Antropenko’s email account — china.helper@aol.com, which he registered in May 2018 — including “emails that received or negotiated ransom payments” and emails about other ransomware attacks. 

A cluster of Bitcoin addresses owned by Antropenko “had received a total of approximately 101 Bitcoin” as of Feb. 5, 2024. Out of this amount, 64.6 Bitcoin was sent to the cryptocurrency mixing service ChipMixer, according to the FBI. As of today’s rates, the current value of 101 Bitcoin is almost $10.9 million.

The 2023 takedown of ChipMixer, which was used by criminals to launder more than $3 billion in cryptocurrency starting in 2017, provided crucial evidence for this investigation, according to Ian Gray, VP of intelligence at Flashpoint.

“Only after law enforcement seized ChipMixer’s infrastructure could investigators trace the funds linked to accounts registered in Antropenko’s name,” he said. “The sophistication of Bitcoin tracing and clustering techniques also likely contributed to the timing, as law enforcement has adopted software and tools more widely.”

Prosecutors allege that Antropenko and Bednarchik funneled money from computer fraud victims through ChipMixer, then back to their own exchange accounts. Antropenko also allegedly arranged in-person cryptocurrency-to-cash swaps in the U.S., depositing the cash in small sums under $10,000 into his bank account.

FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.

In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik’s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022.
In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik’s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022.
The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: “I took half 50000$ from 100000$”
The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: “I took half 50000$ from 100000$”

Authorities also seized cash and two luxury vehicles from the apartment Antropenko and Bednarchik once shared in Irvine, Calif. This included a Lexus LX 570 that Antropenko purchased for more than $123,000 in November 2022 and a 2022 BMW X6M that Antropenko and Bednarchik purchased for $150,000 in cash in November 2021. Photos of vehicles matching those descriptions are depicted on Antropenko’s public Instagram account

Ransomware operators have been assisted by their spouses in other cases, but their partners’ involvement is typically limited to money laundering, Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.

While many ransomware operators and affiliates operate outside of Russia now, it is rare for a Russian national to live in the U.S. while initiating ransomware attacks for as long as Antropenko allegedly did, Liska said.

“It sounds like he may have had additional information about other people, maybe bigger fish that law enforcement could go after,” he said.

The U.S. District Court for the Northern District of Texas declined to answer questions or provide additional information. The most recent attorney on record for Antropenko did not respond to a request for comment. 

Antropenko didn’t just inflict damages on his cybercrime victims, as alleged by prosecutors. His volatility erupted around those closest to him, according to Bednarchik, who accused him of domestic violence in temporary restraining orders she filed against Antropenko in April and May 2022. 

Bednarchik has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities said they plan to bring charges against her, no cases are currently pending.

In court filings, Bednarchik painted a picture of a controlling relationship, writing that Antropenko “constantly threatens me with full custody of our son, because he has a lot of money” and expressing fears he might take their child to Russia without permission.

Photo of a BMW X6M posted to Antropenko’s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024.
Photo of a BMW X6M posted to Antropenko’s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024. (Instagram)

Court records reveal the family lived together in Miami and later Irvine until 2022. Despite Bednarchik reporting only $800 monthly income from her clothing business, she estimated Antropenko earned $50,000 per month from “cryptocurrency dividends,” describing him as “the breadwinner for the family.”

When Antropenko was arrested in September 2024, Bednarchik posted his $10,000 bail, identifying herself in the affidavit as his ex-wife.

“She’s either being redacted because she’s a victim or because she is collaborating with law enforcement and has been able to get her name redacted,” Zach Edwards, senior threat analyst at Silent Push, told CyberScoop.

Antropenko’s ties to Zeppelin ransomware

Authorities did not describe the extent to which Antropenko was involved with Zeppelin ransomware. Prosecutors mention unnamed co-conspirators in some court documents, indicating they are investigating or aware of others involved in the ransomware-as-a-service operation.

The Cybersecurity and Infrastructure Security Agency said Zeppelin ransomware victims include a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies and organizations in the health care and medical industries. 

Zeppelin, a variant of the Delphi-based Vega malware, was used from at least 2019 to mid-2022, the agency said in an August 2022 advisory. A ransom note included in CISA’s advisory listed an AOL address for communication regarding extortion payments.

Prosecutors and investigators working on Antropenko’s case said Zeppelin ransomware affected about 138 U.S. victims since March 2020, including a data analysis company and its CEO based in the Dallas region where Antropenko faces federal charges.

Prosecutors have consistently declared the case against Antropenko “complex,” with evidence surpassing 7 terabytes of data, including personally identifiable information of victims, such as names, addresses, photos and bank account numbers. 

Zeppelin and Antropenko’s alleged activities rose during the second wave of ransomware, when many cybercriminals were winging it and law enforcement activity was at a lull, Liska said. “If you start off with a mistake, that mistake is going to catch up to you,” he said.

Indeed, threat researchers and analysts attribute Antropenko’s capture to “sloppy” behaviors and practices, including his use of major U.S. service providers.

“Antropenko’s operational security was remarkably poor,” Gray said.

“He used a personal PayPal account linked to recovery emails for ransomware operations, shared usernames between banking and ransomware accounts, and stored sensitive information like cryptocurrency seed phrases and photos of large cash amounts in iCloud accounts,” he continued. “These OPSEC failures ultimately led to law enforcement identifying Antropenko.”

Pretrial release violations

While prosecutors push Antropenko’s trial date further down the road — currently set for Feb. 6, 2026 — his personal life has been unraveling. He was hospitalized on a mental health hold on Dec. 31, 2024, and spent a week in a behavioral health hospital, according to a pretrial release violation report.

Antropenko told his probation officer that his ex-wife took his son from him unexpectedly, which led to a significant bout of depression and increase in alcohol consumption. “While walking around his RV park intoxicated, he was approached by an individual who offered him an unknown drug,” which he assumed was some type of methamphetamine, Antropenko’s probation officer wrote in the court filing.

Antropenko said he had little recollection of the events that followed. Once he was placed in a police car after law enforcement arrived the following morning, “he assumed he was being arrested which exacerbated his depression, prompting him to bang his head on the window of the police car, after which he recalls regaining consciousness in the hospital,” the probation officer said. No charges were filed.

Almost two months later, Antropenko was arrested for public intoxication in Riverside County, Calif., when he was found laying unresponsive in the center divider of a roadway. Antropenko told his probation officer he sat down on a curb near his home to smoke a cigarette after consuming four to five beers and was feeling tired, so he fell asleep. He was released the following day.

A U.S. magistrate judge in Texas allowed Antropenko to remain out on bond and modified the conditions of his release to include a ban on alcohol consumption and submit to regular alcohol testing.

“It strikes me as unusual to have so many drug violations and stay out on bail,” Kaiser said. “It would be overly lenient if they were still perpetrating crimes obviously against others. It appears he’s harming himself.” 

In April, Antropenko contacted his parole officer to make an unsolicited admission to cocaine use, according to a court document filed in May. “The defendant stated that he attended a birthday celebration for a friend’s sister. When he went to the restroom some ‘random people’ offered him a ‘bump of cocaine,’” his probation officer said. The court took no further action.

“Even if he is a cooperating witness, he has been given a lot of freedom, a lot more freedom than we normally see in this case,” Liska said. “I can’t think of any case, of anybody this high profile, that has been given this level of freedom, cooperating or not.”

Edwards is also dismayed Antropenko remains out on bail pending trial.

“It’s wild that a citizen from Russia who has been accused of partnering with serious global threat actors and is out on bail for leading a ransomware campaign, has been arrested multiple times for issues associated with alcohol, including passing out on a street in public, and also admitted to using cocaine while out on bail, and yet his bail hasn’t been revoked,” he said.

Former law enforcement officials were less shocked about the circumstances of Antropenko’s case than security analysts.

Adam Marrè, chief information security officer at Arctic Wolf, said the post-arrest privileges granted to Antropenko aren’t that odd, especially since Antropenko’s alleged pretrial release violations don’t have anything to do with cybercrime.

Marrè said Antropenko’s alleged violations would have frustrated him when he was a special agent at the FBI investigating cybercrime, but he understands the court’s decisions, adding “people are innocent until proven guilty.”

It’s important to note the FBI is focused on outcomes, according to Kaiser. “Getting money back to victims who were stolen from is more important than punishing some guy, especially if he’s not doing [ransomware] activities anymore,” she said.

“It’s hard to arrest these people in the first place and stop them, which means it’s very complicated to deter them over a long period of time,” Kaiser added. “There’s no one arrest that’s going to stop these types of activities.”

The post Prolific Russian ransomware operator living in California enjoys rare leniency awaiting trial appeared first on CyberScoop.

Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense

Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace.

But the contours of that larger shift are still unclear, and whether or to what extent it’s even possible. While there’s some momentum in policymaking and industry circles to put a greater emphasis on more aggressive strategies and tactics to respond to cyberattacks, there are also major barriers.

Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that more details of the disruption unit would be forthcoming in future months, but the company was looking for “legal and ethical disruption” options as part of the unit’s work.

“What we’re doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation,” she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. “We have to get from a reactive position to a proactive one … if we’re going to make a difference right now.”

The boundaries in the cyber domain between actions considered “cyber offense” and those meant to deter cyberattacks are often unclear. The tradeoff between “active defense” vs. “hacking back” is a common dividing line. On the less aggressive end, “active defense” can include tactics like setting up honeypots designed to lure and trick attackers. At the more extreme end, “hacking back” would typically involve actions that attempt to  deliberately destroy an attacker’s systems or networks.  Disruption operations might fall between the two, like Microsoft taking down botnet infrastructure in court or the Justice Department seizing stolen cryptocurrency from hackers.

Trump administration officials and some in Congress have been advocating for the U.S. government to go on offense in cyberspace, saying that foreign hackers and criminals aren’t suffering sufficient consequences. Much-criticized legislation to authorize private sector “hacking back” has long stalled in Congress, but some have recently pushed a version of the idea where the president would give “letters of marque” like those for early-U.S. sea privateers to companies authorizing them to legally conduct offensive cyber operations currently forbidden under U.S. law.

The private sector has some catching up to do if there’s to be a worthy field of firms able to focus on offense, experts say.

John Keefe, a former National Security Council official from 2022 to 2024 and National Security Agency official before that, said there had been government talks about a “narrow” letters of marque approach “with the private sector companies that we thought had the capabilities.” The concept was centered on ransomware, Russia and rules of the road for those companies to operate. “It wasn’t going to be the Wild West,” said Keefe, now founder of Ex Astris Scientia, speaking like others in this story at Tuesday’s conference.

The companies with an emphasis on offense largely have only one customer — and that’s governments, said Joe McCaffrey, chief information security officer at defense tech company Anduril Industries. “It’s a really tough business to be in,” he said. “If you develop an exploit, you get to sell to one person legally, and then it gets burned, and you’re back again.”

By their nature, offensive cyber operations in the federal government are already very time- and manpower-intensive, said Brandon Wales, a former top official at the Cybersecurity and Infrastructure Security Agency and now vice president of cybersecurity at SentinelOne. Private sector companies could make their mark by innovating ways to speed up and expand the number of those operations, he said.

Overall, among the options of companies that could do more offensive work, the “industry doesn’t exist yet, but I think it’s coming,” said Andrew McClure, managing director at Forgepoint Capital.

Certainly Congress would have to clarify what companies are able to do legally as well, Wales said.

But that’s just the industry side. There’s plenty more to weigh when stepping up offense.

“However we start, we need to make sure that we are having the ability to measure impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Is this working? How do we know?”

If there was a consensus at the conference it’s that the United States — be it the government or private sector — needs to do more to deter adversaries in cyberspace by going after them more in cyberspace.

One knock on that idea has been that the United States can least afford to get into a cyber shooting match, since it’s more reliant on tech than other nations and an escalation would hurt the U.S. the most by presenting more vulnerable targets for enemies. But Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, said that idea was wrong for a couple reasons, among them that other nations have become just as reliant on tech, too.

And “the very idea that in this current bleak state of affairs, engaging in cyber offense is escalatory, I propose to you, is laughable,” he said. “After all, what are our adversaries going to escalate to in response? Ransom more of our hospitals, penetrate more of our water and electric utilities, steal even more of our IP and financial assets?”

Alperovitch continued: “Not only is engaging in thoughtful and careful cyber offense not escalatory, but not doing so is.”

The post Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense appeared first on CyberScoop.

Blistering Wyden letter seeks review of federal court cybersecurity, citing ‘incompetence,’ ‘negligence’

Sen. Ron Wyden on Monday urged Supreme Court Chief Justice John Roberts to seek an independent review of federal court cybersecurity following the latest major hack,  accusing the judiciary of “incompetence” and “covering up” its “negligence” over digital defenses.

Wyden, D-Ore., wrote his letter in response to news this month that hackers had reportedly breached and stolen sealed case data from federal district courts dating back to at least July, exploiting vulnerabilities left unfixed for five years. Alleged Russian hackers were behind both the attack and another past major intrusion, and may have lurked in the systems for years.

“The federal judiciary’s current approach to information technology is a severe threat to our national security,” Wyden said. “The courts have been entrusted with some of our nation’s most confidential and sensitive information, including national security documents that could reveal sources and methods to our adversaries, and sealed criminal charging and investigative documents that could enable suspects to flee from justice or target witnesses. Yet, you continue to refuse to require the federal courts to meet mandatory cybersecurity requirements and allow them to routinely ignore basic cybersecurity best practices.”

That, Wyden said, means someone from the outside must conduct a review, naming the National Academy of Sciences as the organization Roberts should choose.

The Administrative Office of the U.S. Courts said on Aug. 7 that it was taking steps to improve cybersecurity “in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system,” but was vague about specific changes. In that statement the office touted its collaboration with Congress and federal agencies about cyber defenses.

But Wyden said in his letter the judiciary “stonewalls” congressional oversight. He cited another intrusion in 2020, revealed by then-House Judiciary Chair Jerrold Nadler, D-N.Y., by “three hostile foreign actors,” where Wyden said the judiciary still hasn’t said what happened.

“There is no legitimate need to keep Congress or the public in the dark about that incident so many years later,” Wyden wrote. “I strongly suspect that the judiciary is covering up its own negligence and incompetence which resulted in the security vulnerabilities that the hackers exploited.”

Wyden especially faulted the courts for its slow, under-reliance on strong multifactor authentication, saying the variety the judiciary adopted was not phishing-resistant.

“The glacial speed with which the federal judiciary adopted this inferior cyberdefense, years after government agencies and businesses have migrated to superior solutions, highlights the fact that the judiciary’s cybersecurity problems are not technical, but rather, are the result of incompetence and the total absence of accountability,” he said.

The press office for the Supreme Court did not immediately respond to a request for comment on Wyden’s letter.

The post Blistering Wyden letter seeks review of federal court cybersecurity, citing ‘incompetence,’ ‘negligence’ appeared first on CyberScoop.

Russian cyber group exploits seven-year-old network vulnerabilities for long-term espionage

A Russian state-sponsored espionage group has been systematically compromising network devices worldwide for over a decade, exploiting a seven-year-old vulnerability to steal sensitive data and establish persistent access to organizations across multiple sectors, according to new research from Cisco Talos Intelligence.

The group, designated “Static Tundra” by Cisco Talos, is linked to the Russian Federal Security Service’s Center 16 unit and operates as a likely sub-cluster of the broader “Energetic Bear” threat group. The operation represents one of the most persistent network device compromise campaigns documented to date, with the group maintaining undetected access to victim systems for multiple years.

According to the researchers, the group has been leveraging CVE-2018-0171, a vulnerability in Cisco IOS software’s Smart Install feature that was patched when initially disclosed in 2018. Despite the availability of patches, the group continues to find success targeting organizations that have left devices unpatched or are running end-of-life equipment that cannot be updated.

The vulnerability allows attackers to execute arbitrary code on affected devices or trigger denial-of-service conditions. 

Researchers believe the group has developed automated tooling to exploit the vulnerability at scale, likely identifying targets through publicly available network scanning data from services such as Shodan or Censys.

Once initial access is gained, the group employs sophisticated techniques to extract device configuration data, which often contains credentials and network information valuable for further compromise. The attackers use a combination of Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP) tools to maintain access and collect intelligence.

The espionage campaign has affected organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Victim selection appears to align with Russia’s strategic interests, with researchers noting a significant escalation in operations against Ukrainian entities following the onset of the Russia-Ukraine conflict.

“One of the clearer targeting shifts we observed was that Static Tundra’s operations against entities in Ukraine escalated at the start of the Russia-Ukraine war, and have remained high since then,” the Cisco Talos report states. The group expanded its targeting within Ukraine from selective, limited compromises to operations across multiple industry verticals.

The campaign exposes ongoing weaknesses in network infrastructure security, with attackers continuing to exploit a vulnerability patched in 2018. This persistence underscores widespread shortcomings in patch and device lifecycle management. The operation also illustrates the high strategic value nation-state actors place on compromising network devices, which offer access to broad organizational communications and facilitate further intrusions. 

Security researchers emphasize that Static Tundra is not unique in targeting network infrastructure. The report notes that “many other state-sponsored actors also covet the access these devices afford,” indicating that similar operations are likely being conducted by multiple nation-state groups.

Cisco Talos assesses with high confidence that Static Tundra operates as a Russian state-sponsored group specializing in network device exploitation based on tactical overlaps with previously identified Russian operations and targeting patterns consistent with Russian strategic interests. The FBI has corroborated connections between Static Tundra and the broader Energetic Bear group, which was formally linked to Russia’s FSB Center 16 unit in a 2022 Department of Justice indictment.

FSB Center 16 is a unit within Russia’s Federal Security Service (FSB). The center is believed to oversee signals intelligence and cyber operations on behalf of the Russian government. Another group linked to the center known as Turla has been spotted waging its own espionage campaigns by Microsoft.

The post Russian cyber group exploits seven-year-old network vulnerabilities for long-term espionage appeared first on CyberScoop.

By gutting its cyber staff, State Department ignores congressional directives

The State Department has demonstrated it does not understand that cyber power is critical to geopolitical power. In the course of reorganizing offices and reducing staff over the past three weeks, the department’s political appointees have gutted President Trump’s ability to work with partners and allies on cybersecurity and technology resilience. Congress will need to intervene to defend its bipartisan effort to bolster cyber diplomacy. 

For years, Washington’s efforts to hold China, Russia, and Iran accountable for malicious cyber activity were hamstrung by an inability to effectively work with allies to quickly identify and punish perpetrators. America’s allies were failing to prevent cyberattacks on critical systems that the U.S. military needed to operate securely overseas. Instead, these attacks cascaded across continents and hit the U.S. homeland. And U.S. adversaries were running circles around the West’s principled stance on privacy and security in cyberspace, instead reshaping telecommunications infrastructure and the internet in their image. 

After watching successive administrations dither, Congress took a stand, passing the Cyber Diplomacy Act in 2022. The law tasked a new State Department Bureau of Cyberspace and Digital Policy (CDP) with promoting reliable and secure internet infrastructure, building the cyber capacity of U.S. partners, and advancing technology and cybersecurity policies globally that bolster U.S. economic and national security interests. 

To accomplish this mission, CDP pulled together existing, disparate economic and international security functions related to cyber and technology into a single, more efficient operation. By all accounts, this consolidation made CDP successful.

When Congress tasked the bureau with managing a unique cyber assistance fund to rapidly respond to incidents overseas, CDP created a mechanism to airdrop expertise into partner countries in as little as two days.

Likewise, when Congress tasked the bureau with securing communications technology, semiconductor supply chains, and other emerging technology, the bureau paired U.S. seed funding with investments from allies and technology companies to box out Chinese firms attempting to dominate telecommunications in the Indo-Pacific. 

On July 1, however, the State Department stepped backwards. Despite its stated goal of creating a “more agile Department” and reducing duplicative offices, Foggy Bottom pulled CDP apart into multiple offices, each of which now holds a piece of the cyber mission. CDP lost its division responsible for responding to cyberattacks to a new bureau on emerging threats. Its strategy team moved to the personal staff of the undersecretary of economic growth. And its internet freedom team went to the undersecretary for public diplomacy. 

CDP will now consist of two slimmed down teams. One will focus on internet governance and technical standards, the other on using U.S. foreign aid to bolster allied cybersecurity. However, after the trifecta of the dissolution of the U.S. Agency for International Development, the foreign aid freezes earlier this year, and Congress’ acquiescence to billions of dollars in cuts to previously allocated foreign aid, it is not clear what funds CDP will have to help U.S. allies. 

Unfortunately, the crippling of State’s cyber diplomacy capabilities is not just the result of the restructuring, but also a significant loss of subject matter expertise. In the course of reducing its overall workforce in mid-July, State fired at least a half dozen people from CDP. The bureau lost two strategists and five of only eight experts working on bilateral and regional affairs. 

CDP had expected to bring in staff from other technology-focused offices as they were dissolved. Instead, quantum, artificial intelligence, and other technology experts were fired. Over the past few months, other CDP staff have accepted the department’s offers of deferred resignation and early retirement. And State reassigned CDP’s acting head, leaving the bureau without a leader. 

At an April hearing about CDP, the House Foreign Affairs Committee’s Europe Subcommittee Chairman Keith Self, R-Texas, affirmed the importance of State’s cyber capabilities. “The U.S. is not facing these real and growing threats alone,” he noted. “Through cooperation with our allies and partners, the U.S. will continue to work to combat malign cyber activities from the PRC, Iran, North Korea and Russia.” 

After a bipartisan show of support for the bureau, the subcommittee staff are drafting components of a State reauthorization bill from Foreign Affairs Committee Chairman Brian Mast, R-Fla., that would bolster CDP’s mandate. If Foggy Bottom keeps undercutting CDP, however, there may be little left to reauthorize. 

Chairman Mast indicated he plans to bring the reauthorization bill to the floor at the end of September. Lawmakers need to weigh in with State Department leadership sooner rather than later, however, to remind Secretary of State Marco Rubio that he himself voted for the Cyber Diplomacy Act when he served in the Senate. He knew then what members know now: Without strong cyber capabilities within the State Department, America’s partners will turn to unreliable associates in China for infrastructure investment and succumb to cyberattacks that place U.S. forces overseas at risk.

It will take years to rebuild State’s capabilities. While Congress should move quickly to re-integrate CDP’s component pieces, reauthorize cyber foreign assistance, and restart secure technology projects, the loss of subject matter experts will take longer to fix. The cyber experts with sought-after skills that State let go are not waiting by the phone to get their old jobs back. They will move on to higher-paying private sector jobs. Only after the department re-commits to its cyber mission and places a Senate-confirmed ambassador at the helm of the bureau will the department have a hope of reconstituting all that it lost over a few weeks in July.

The post By gutting its cyber staff, State Department ignores congressional directives appeared first on CyberScoop.

US widens sanctions on Russian crypto exchange Garantex, its successor and affiliate firms

U.S. officials imposed sanctions Thursday on Russian cryptocurrency exchange Garantex, its successor Grinex, and related affiliates, while also targeting its leaders for arrest with financial rewards. These measures are part of intensified efforts to halt the flow of ransomware proceeds facilitated by the platforms.

The Treasury Department’s Office of Foreign Assets Control re-designated Garantex for sanctions, accusing its operators of processing more than $100 million in illicit transactions since 2019. The State Department announced financial rewards totaling up to $6 million for information leading to the arrest or conviction of Garantex’s leaders, including up to $5 million for Russian national Aleksandr Mira Serda, the exchange’s co-founder and chief commercial officer.

Authorities expanded their targeting of Garantex, its leaders and associated companies following a sweeping international law enforcement operation in March when officials seized three domains linked to the exchange, confiscated servers, froze more than $26 million in cryptocurrency and indicted its leaders. 

One of those leaders, Aleksej Besciokov, was arrested in March while on vacation in India shortly after the Justice Department unsealed indictments against him and Mira Serda, officials said. OFAC also imposed sanctions on Sergey Mendelev, co-founder of Garantex, and Pavel Karavatsky, co-owner and regional director of Garantex.

“According to the U.S. Secret Service and FBI, Garantex received hundreds of millions in criminal proceeds and was used to facilitate various crimes, including hacking, ransomware, terrorism, and drug trafficking, often with substantial harm to U.S. victims,” Tammy Bruce, spokesperson for the State Department, said in a statement Thursday. “Between April 2019 and March 2025, Garantex processed at least $96 billion in cryptocurrency transactions.” 

Before Garantex moved its operations and funds to Grinex following the globally coordinated law enforcement disruption, the exchange received millions of dollars in cryptocurrency from Russia-linked ransomware affiliates. Officials traced those transactions to Conti, Black Basta, LockBit, Ryuk, NetWalker and Phoenix Cryptolocker. 

Grinex, which was created to avoid the sanctions placed on Garantex, has since facilitated the transfer of billions of dollars in cryptocurrency transactions, the Treasury Department said. The Treasury Department’s OFAC initially sanctioned Garatex in April 2022.

OFAC sanctioned six additional organizations Thursday, including A7, A7 Agent, Old Vector, InDeFi Bank and Exved for their alleged involvement with and material support of Garantex and Grinex.

“Exploiting cryptocurrency exchanges to launder money and facilitate ransomware attacks not only threatens our national security, but also tarnishes the reputations of legitimate virtual asset service providers,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “By exposing these malicious actors, Treasury remains committed to and supportive of the digital asset industry’s integrity.”

The post US widens sanctions on Russian crypto exchange Garantex, its successor and affiliate firms appeared first on CyberScoop.

Russia restricts WhatsApp, Telegram calls, alleging criminal, terrorist activity

Russia is restricting calls on the WhatsApp and Telegram messaging apps in what it says is a bid to counter criminal activity, but that WhatsApp contends is a response to its defiance of government efforts to violate user communication rights.

“According to law enforcement agencies’ information and numerous reports from citizens, the foreign messengers Telegram and WhatsApp have become the main voice services used for deceit and extortion and involvement of Russian citizens in sabotage and terrorist activities,” Russian telecommunications agency Roskomnadzor said Wednesday, according to the Russian news outlet Interfax. “The repeated demands for countermeasures to be taken have been ignored by the owners of the messengers.”

WhatsApp and Telegram responded separately.

“WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people’s right to secure communication, which is why Russia is trying to block it from over 100 million Russian people,” a spokesperson said in a statement to CyberScoop. WhatsApp said it intends to keep doing what it can to make end-to-end encrypted communications available everywhere, including Russia, and would continue to add layers of protection against scams.

Telegram’s press team offered a statement to CyberScoop via its app.

“Telegram actively combats harmful use of its platform including calls for sabotage or violence and fraud,” the statement reads. “Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports in order to remove millions of pieces of harmful content each day.

“As well, Telegram pioneered granular privacy settings for calls, so every Telegram user can define who to accept calls from or to switch off calls completely,” the statement concludes.

The Roskomnadzor statement follows days of reports of problems making calls via the two apps, and as Russia seeks to introduce its own national messaging app, Max, raising surveillance concerns.

A top Russian lawmaker recently urged WhatsApp to get out of the Russian market to make way for Max. Facebook and Instagram, which share the parent company Meta with WhatsApp, have been banned in Russia since 2022 after the invasion of Ukraine.

WhatsApp recently announced that it had taken down 6.8 million accounts in the first half of 2025 as part of a crackdown on scams. Telegram has long garnered attention as a hub for criminals and extremists.

The post Russia restricts WhatsApp, Telegram calls, alleging criminal, terrorist activity appeared first on CyberScoop.

BlackSuit, Royal ransomware group hit over 450 US victims before last month’s takedown

LAS VEGAS — The Russian cybercrime group behind BlackSuit and Royal ransomware was more prolific and successful at extorting payments from its victims than previously known, according to an update Thursday from an investigative unit inside the Department of Homeland Security.

“Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in healthcare, education, public safety, energy and government sectors,” said a report from Homeland Security Investigations, which operates out of U.S. Immigration and Customs Enforcement. “Combined, the groups have received more than $370 million in ransom payments, based on present-day valuations of cryptocurrency.”

BlackSuit’s technical infrastructure, including servers, domains and tools used to deploy ransomware, extort victims and launder proceeds, was seized and dismantled in a globally coordinated takedown operation last month. BlackSuit’s leak site has displayed a seizure notice since July 24, but U.S. officials waited two weeks to publicly acknowledge the international takedown.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” Michael Prado, deputy assistant director of HSI’s Cyber Crimes Center, said in a statement. 

German officials involved in the takedown previously said they identified 184 BlackSuit victims. The group’s combined take from victim extortions was unknown, but in an advisory last year the Cybersecurity and Infrastructure Security Agency said BlackSuit’s total extortion demands surpassed $500 million by August 2024.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” John A. Eisenberg, assistant attorney general for national security, said in a statement.  The majority of BlackSuit’s victims were based in the U.S.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

The impact from the takedown will be limited because BlackSuit associates were already dispersed and abandoned the BlackSuit brand prior to the global law enforcement action on the group’s operations, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

Former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year, according to Boguslavskiy.

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The post BlackSuit, Royal ransomware group hit over 450 US victims before last month’s takedown appeared first on CyberScoop.

Details emerge on BlackSuit ransomware takedown

BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.

The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 

U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 

A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation. 

German officials said the takedown prevented the spread of malware and disrupted BlackSuit’s servers and communication. BlackSuit’s data leak site contained more than 150 entries before the takedown, Bitdefender said in a blog post

The majority of BlackSuit’s victims were based in the U.S. and the industries most impacted by the ransomware group’s attacks included manufacturing, education, health care and construction, according to Bitdefender. The company did not respond to a request for comment.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

BlackSuit associates were already dispersed prior to the global law enforcement action on the group’s operations. 

The impact from the takedown will be limited because members already abandoned the BlackSuit brand early this year, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

BlackSuit’s reputation plummeted as victims learned of the group’s Russian cybercrime lineage and declined to pay extortion demands out of fear that any financial support would evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control, he said.

As part of that pivot, former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year. 

“It’s not that they were concisely preparing for the takedown. Instead, they just felt brand fatigue,” Boguslavskiy said. “They are very prone to rebranding often. It was two years without a rebrand, so the one was coming, and in the meantime, they were using INC as a newer name without baggage.”

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The empowerment of INC is the “most important development in the Russian-speaking ransomware landscape, and the fact that now BlackSuit will double down on using their infrastructure is very concerning,” Boguslavskiy said. 

The ransomware syndicate is composed of about 40 people, led by “Stern,” who has established a massive system of alliances, forming a decentralized collective with links to other ransomware groups, including Akira, ALPHV, REvil, Hive and LockBit, according to Boguslaviskiy. 

INC is currently the second largest Russian-speaking ransomware collective behind DragonForce, he said. 

BlackSuit was prolific, claiming more than 180 victims on its dedicated leak site dating back to May 2023, according to researchers at Sophos Counter Threat Unit. 

The ransomware group’s main members have demonstrated their ability to rebrand and relaunch operations with ease. “It is likely that this latest takedown will have minimal impact on the ability of the individuals behind it to reorganize under a new banner,” Sophos CTU said in a research note.

Former members of BlackSuit emerged under a new ransomware group, Chaos, as early as February, Cisco Talos Incident Response researchers said in a blog post released the same day BlackSuit’s technical infrastructure was seized. Chaos targets appear to be opportunistic and victims are primarily based in the U.S., according to Talos.

The FBI seized cryptocurrency allegedly controlled by a member of the Chaos ransomware group in April, the Justice Department said in a civil complaint seeking the forfeiture of the cryptocurrency last month. Officials said the seized cryptocurrency was valued at more than $1.7 million when it was seized in mid-April.

The post Details emerge on BlackSuit ransomware takedown appeared first on CyberScoop.

Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow

A Russian nation-state threat group has been spying on foreign diplomats, managing continuous access to their  communications and data in Moscow since at least 2024, according to Microsoft Threat Intelligence.

Secret Blizzard is gaining “adversary-in-the-middle” positions on Russian internet service providers and telecom networks by likely leveraging surveillance tools and deploying malware on targeted devices, researchers said in a report released Thursday. 

Microsoft’s discovery marks the first time its researchers have confirmed with high confidence that Secret Blizzard has capabilities at the ISP level, a degree of access that combines passive surveillance and an active intrusion. 

“It’s a shift, or a kind of movement, toward the evolution of simply watching traffic to actively modifying network traffic in order to get into those targeted systems,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop. 

Secret Blizzard — also known as Turla, Pensive Ursa or Waterbug — is affiliated with Center 16 of Russia’s Federal Security Service (FSB) and has been active for decades.

The Russian nation-state group is “the classic definition of what you think of when you think of advanced persistent threat: creative, persistent, well resourced, highly organized, able to execute projects, able to execute actions on objectives,” DeGrippo said. “Ultimately, I think that the key word is creative.”

Secret Blizzard is gaining initial access to embassy employee devices by redirecting them to a malicious domain that displays a certificate validation error after targeted victims access a state-aligned network through a captive portal, according to Microsoft.

The error prompts and tricks embassy employees into downloading root certificates falsely branded as Kaspersky Anti-Virus software, which deploy ApolloShadow malware. The custom malware turns off traffic encryption, tricks the devices to recognize malicious sites as legitimate and enables Secret Blizzard to maintain persistent access to diplomatic devices for espionage. 

“This is an excellent piece of social engineering because it plays on habit, it plays on urgency, it plays on emotions, which are the three holy trinity of social engineering,” DeGrippo said. 

“You see this pop-up that’s telling you you have a security issue, and it’s branded as a security vendor. We’ve been seeing that capability for decades,” she said. “Simply clicking through and not examining and thinking about that, especially when on a state-aligned, state-owned network in one of these surveillance-heavy countries where the government has deep technical and legal controls over those ISPs — that infrastructure is now part of your attack surface.”

Microsoft declined to say how many embassies have been impacted, but noted the group is active. Intrusions linked to this politically motivated espionage campaign allow Secret Blizzard to view the majority of the target’s browsing in plain text, including certain tokens and credentials, researchers said in the report.

“This seems relatively simple, but it’s only made so simple by the likely leveraging of a lawful intercept capability,” DeGrippo said. “Relying on local infrastructure in these high-risk environments — China, Russia, North Korea, Iran — in these surveillance-heavy countries, is of concern.” 

Microsoft previously observed Secret Blizzard using tools from other cybercriminal groups to compromise targets in Ukraine, showing how the group uses various attack vectors and means to infiltrate networks of geopolitical interest to Russia.

The post Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow appeared first on CyberScoop.

Authorities in Ukraine nab alleged admin of Russian-language cybercrime forum

Ukrainian authorities Tuesday arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office. 

Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.

The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.

Officials accuse the forum’s administrator of running technical operations and playing a central role in enabling cybercrime. Messages intercepted by authorities during the investigation revealed the suspect made more than $8.2 million in advertising and facilitation fees.

“Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol said in the new release about the arrest and takedown operation. Authorities also accuse the suspect of running thesecure.biz, a Jabber-powered private messaging service for cybercrime that remains online as of press time.

The cybercrime unit of the Paris public prosecutor’s office opened an investigation into XSS.is in July 2021 and deployed French police investigators on the ground in Ukraine, with Europol’s support, in September 2024. 

The arrest in Kyiv, Ukraine, followed a series of coordinated law enforcement actions, including evidence gathering and the dismantling of the cybercrime forum’s infrastructure. Authorities said data seized during the investigation will be analyzed to support ongoing investigations across Europe and elsewhere.

The Paris public prosecutor’s office said the alleged administrator of XSS.is was identified as part of a wiretap.

The post Authorities in Ukraine nab alleged admin of Russian-language cybercrime forum appeared first on CyberScoop.

Why it’s time for the US to go on offense in cyberspace

The U.S. is stepping into a new cyber era, and it comes not a moment too soon.

With the Trump administration’s sweeping $1 billion cyber initiative in the “Big Beautiful Bill” and growing congressional momentum under the 2026 National Defense Authorization Act (NDAA) to strengthen cyber deterrence, we’re seeing a shift in posture that many in the security community have long anticipated, although often debated: a decisive pivot toward more robust offensive cyber operations.

While many may disagree with the decision to “go on offense,” we need to recognize the changing threat landscape and the failure of our previous restrained approach. The U.S. has the most advanced cyber capabilities in the world. Yet for the past two decades, our posture has been dominated by defense, deterrence-by-denial, and diplomatic restraint. This strategy has not yielded peace or dissuaded our adversaries. On the contrary, it has only served to embolden them.

With geopolitical tensions now at a boiling point and adversaries escalating both the scale and ambition of their cyber campaigns, it is time to remove the handcuffs. This doesn’t mean acting recklessly, but it does mean meeting our adversaries on the same battlefield so that we can use our unmatched capabilities to hold them at risk.

The strategic landscape has changed

The cyber threat environment in 2025 is fundamentally different from what it was even five years ago. Operations like China’s Volt Typhoon and Russia’s relentless campaigns against Ukraine’s infrastructure illustrate a broader shift: our adversaries are no longer limiting themselves to espionage or IP theft. They are actively preparing for conflict.

Volt Typhoon, in particular, marks a strategic evolution as Chinese state actors are actively prepositioning in U.S. critical infrastructure not for surveillance, but for disruption. Salt Typhoon’s operations, targeting civilian infrastructure with apparent tolerance for detection, suggest a loosening of China’s risk calculus. Meanwhile, Russia’s destructive malware targeting industrial control system (ICS) environments, and Iran’s growing reliance on cyber proxies, show how aggressive and emboldened our rivals have become.

Offensive capabilities are a military imperative

The proposed $1 billion investment isn’t about launching retaliatory attacks. It’s about building the infrastructure, tools, and talent needed to make cyber a fully integrated and reliable component of U.S. military and intelligence operations.

While the U.S. possesses world-class cyber capabilities, current policies have kept these tools locked behind layers of classification, bureaucracy, and operational disconnect. As a result, offensive cyber operations have been limited to highly targeted missions. While they’re often executed with surgical precision, they usually lack the speed, adaptability, or scale demonstrated by our adversaries.

When a U.S. technique is exposed, it can take months to retool and mount another operation. In contrast, our adversaries rely on publicly known vulnerabilities, social engineering, and agile teams that can quickly weaponize newly disclosed exploits.

Zero-days are among our most valuable (and expensive) cyber assets. But having the exploit isn’t enough. Effective use requires real-time intelligence, targeting infrastructure, trained operators, and a legal framework that enables rapid deployment.

This new investment represents a serious effort to evolve our approach. It will enable the Department of Defense, U.S. Cyber Command, and the intelligence community to proactively shape the digital battlefield, both independently and in coordination with conventional military operations.

Adversaries respond to force, not diplomacy

Over the past 15 years, we’ve watched top adversaries China and Russia test, prod, and exploit our most sensitive networks, from government systems to critical infrastructure companies, often with minimal consequence. We’ve also sustained numerous damaging attacks, from the massive OPM and Equifax breaches to SolarWinds, NotPetya and Colonial Pipeline. The list goes on and on.

In all of these cases, we’ve responded, at best, with indictments, sanctions, or strongly worded statements. In the meantime, our adversaries have only grown bolder and more sophisticated. Their actions suggest one conclusion: they don’t believe we’ll strike back.

This lack of proportional response is viewed as weakness, not restraint. Deterrence only works when the adversary believes you will act. That belief is fading. But a more muscular cyber posture, backed by operational capacity and political will, can restore it.

Ransomware is now a national security threat

The line between criminal and nation-state activity is becoming blurred amid rising geopolitical tensions. Ransomware, once seen as a law enforcement issue, now poses one of the most serious threats to national infrastructure.

We’ve already seen its disruptive power in attacks on Colonial Pipeline, JBS Foods, Mondelez International, and United Natural Foods Inc. However, as damaging as those were, they pale in comparison to what a determined adversary — especially one that is backed by a state — could accomplish.

Essential services like electricity, water, health care, and transportation are increasingly vulnerable. Many ransomware groups operate in jurisdictions that ignore or even support their activities. U.S. adversaries are now integrating these actors into broader state-aligned campaigns, using them as asymmetric tools of disruption.

The weaponization of ransomware and other destructive malware like “wipers” is a clear and present danger. Countering it requires more than law enforcement.

While the Department of Homeland Security and the FBI play vital roles in tracking threats, they lack the global reach and strategic authority of the military. Offensive cyber capabilities are needed to disrupt operations, dismantle infrastructure, and impose real costs.

There are risks with doing nothing, too

Critics of these operations rightly point out there are plenty of risks: escalation, unintended consequences, and blowback. Yes, these risks are real. Any use of cyber capabilities, especially against state-linked infrastructure, must be carefully weighed, governed by rules of engagement, and aligned with broader geopolitical strategy. 

Historically, cyber has not had clear rules for what constitutes “crossing the line,” though the general assumption has been that loss of life or large-scale disruptions to critical infrastructure would qualify. 

But inaction has its own risks. If we continue playing defense while our adversaries go on offense, we are signaling that they can operate with impunity. This is not de-escalation; it’s appeasement. And it will only invite more aggression. 

On the other hand, offensive action may at times be the most effective path to de-escalation, by showing that the U.S. is both willing and able to impose real costs.

It’s time for real deterrence

Cyber deterrence has long been an elusive concept. Unlike nuclear deterrence, which relies on mutually assured destruction, cyber deterrence is far more ambiguous. The lack of clear red lines, uncertain attribution, and the diverse range of actors all complicate strategy.

But these are not reasons to avoid building deterrence. This is why it’s even more important to build smarter, more flexible capabilities that combine intelligence, cyber offense, and traditional diplomacy to manage escalation while signaling resolve.

The shift we’re seeing now, both from Congress and the administration, is a necessary first step. However, in order to be effective, it must be followed by clear doctrine, strong oversight, and close coordination between military, intelligence, and homeland security stakeholders. 

Offensive cyber operations are not a silver bullet, but they are an essential tool of statecraft in the modern world. 

Dave Kennedy is the founder of TrustedSec and Binary Defense.

The post Why it’s time for the US to go on offense in cyberspace appeared first on CyberScoop.

UK sanctions Russian hackers, spies as US weighs its own punishments for Russia

As the U.S. government contemplates additional sanctions on Moscow, the United Kingdom went ahead and levied its own Friday against what it said was a group of Russia’s hackers and spies. 

The sanctions target 18 military intelligence officers and three divisions of the Russian military unit known as the GRU. Cyber operations in support of Russia’s war against Ukraine drew the U.K. targeting of the hackers.

“The GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world with devastating real-world consequences,” reads a news release.

But the sanctions also go after the use of malware tied to an attempted assassination of a former Russian double agent residing on U.K. soil and the related poisoning of his daughter.

“Today’s action also hits GRU military intelligence officers responsible for historically targeting Yulia Skripal’s device with malicious malware known as X-Agent — five years before GRU military intelligence officers’ failed attempt to murder Yulia and Sergei Skripal with the deadly Novichok nerve agent in Salisbury,” the release states.

According to a 2018 U.S. grand jury indictment, X-Agent is custom malware that Russia developed to hack the Democratic National Committee and Democratic Congressional Campaign Committee to interfere in the 2016 election.

The U.K. sanctioned some of the military officers for spying operations like those involved in the 2022 bombing of Mauripol Theatre, which had been sheltering Ukrainian civilians.

In the U.S. Congress, lawmakers have been demonstrating some rare bipartisan consensus on the notion of slapping Moscow with more sanctions. That legislation would likewise seek to punish Russian cyber operations in Ukraine, among other Russian aggression in the former Soviet satellite nation.

President Donald Trump, too, has grown impatient with Russian President Vladimir Putin over the Ukraine war and has threatened further sanctions against Moscow and its trade partners.

The United Kingdom warned in a separate alert Friday that GRU cyber operations could spill over from the Ukraine war.

“The future trajectory of this threat remains uncertain and international partners need to prepare for its redirection and a range of potential scenarios,” the alert states.

The three units drawing U.K. sanctions have been connected to a range of hacking activity, from meddling in elections across the globe to the massive 2017 NotPetya attack.

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” said U.K. Foreign Secretary David Lammy. “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. …  Putin’s hybrid threats and aggression will never break our resolve.”

Also Friday, the European Union agreed to sanctions targeting Russia’s energy and banking sectors, the bloc’s 18th set of sanctions against Moscow.

You can read the full list of those sanctioned on the U.K. government’s website.

This article has been updated to reflect news about the additional EU sanctions.

The post UK sanctions Russian hackers, spies as US weighs its own punishments for Russia appeared first on CyberScoop.

Pro-Russian DDoS group NoName057(16) disrupted by international law enforcement operation

An international law enforcement operation conducted this week targeted the members of and infrastructure used by NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks across Europe since early 2022.

Operation Eastwood disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. The operation, coordinated by Europol and Eurojust with participation from 12 countries, broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.

NoName057(16) used Telegram channels, specialized forums, and messaging applications to distribute attack tools, tutorials, and plans. The group employed gamification techniques including leaderboards, badges, and cryptocurrency rewards to keep members active, particularly targeting younger individuals by claiming the group was defending or working on behalf of Russia.

Group members relied on the open-source “DDoSia” platform and a botnet comprising several hundred servers, which allowed the group to scale attack capacity. Participants downloaded malware that enabled them to contribute computing resources to coordinated attacks, with the most active contributors receiving financial incentives in cryptocurrency.

The group chose its targets based on political events. At first, they attacked websites in Ukraine. Later, they expanded their attacks to countries in NATO and organizations that support Ukraine. Some of their attacks took place during the European elections, affecting Swedish government agencies and bank websites. They also timed attacks with major political events, including the Ukrainian president’s speech to the Swiss parliament and the NATO summit in the Netherlands.

Germany issued six of the seven arrest warrants, with two suspects identified as primary operators residing in Russia. The operation involved help from law enforcement agencies in Czechia, Estonia, Finland, France, Germany, Latvia, Lithuania, the Netherlands, Poland, Spain, Sweden, Switzerland, and the United States.

The post Pro-Russian DDoS group NoName057(16) disrupted by international law enforcement operation appeared first on CyberScoop.

❌