Officials crack down on Southeast Asia cybercrime networks, seize $15B

Federal authorities seized 127,271 Bitcoin, valued at approximately $15 billion, from Chen Zhi, the alleged leader of a sprawling cybercrime network based in Cambodia, the Justice Department said Tuesday. Officials said it’s the largest financial seizure on record.

“Today’s action represents one of the most significant strikes ever against the global scourge of human trafficking and cyber-enabled financial fraud,” Attorney General Pamela Bondi said in a statement.

Officials said Chen, a 38-year-old United Kingdom and Cambodian national who has renounced his Chinese citizenship, built a business empire under the Prince Group umbrella headquartered in Phnom Penh, Cambodia, that constructs, operates and manages scam compounds that rely on human trafficking and modern-day slavery. 

A criminal indictment against Chen was also unsealed in the U.S. District Court for the Eastern District of New York. He remains at large and the FBI is seeking information about his whereabouts. Chen faces up to 40 years in prison for his alleged crimes.

Chen is accused of founding and running Prince Group since 2015, resulting in a global expansion that has brought the cybercrime network’s operations to dozens of entities spanning more than 30 countries. 

Officials said Chen was directly involved in managing the scam compounds and committed violence against people in the forced labor camps where schemes targeted victims around the world, including in the United States. One network based in Brooklyn, New York, scammed more than 250 people in New York and across the country out of millions of dollars, according to the indictment.

Authorities in the U.S. and U.K. also imposed coordinated sanctions against the Prince Group’s cybercrime networks in Southeast Asia, which are accused of long-running investment scams and money laundering operations.

Officials said the sanctions against people and organizations involved with the Prince Group transnational criminal organization and its severing of Huione Group from the U.S. financial system mark the most extensive action taken against cybercrime operations in the region to date.

“The rapid rise of transnational fraud has cost American citizens billions of dollars, with life savings wiped out in minutes,” Treasury Secretary Scott Bessent said in a statement. 

The agency’s Office of Foreign Assets Control imposed sanctions on 146 people and organizations participating in Prince Group TCO, while the Financial Crimes Enforcement Network issued a rule under the USA PATRIOT Act to sever Cambodia-based financial services conglomerate Huione Group from the U.S. financial system.

OFAC also sanctioned a network of 117 illegitimate businesses affiliated with Prince Group. The agency published a complete list of people and entities sanctioned as part of the sweeping action.

Authorities said Prince Group is prolific and remains a dominant player in Cambodia’s scam economy, responsible for billions of dollars in illicit financial transactions. U.S. government officials estimate Americans lost more than $10 billion to Southeast Asia-based scam operations last year, noting that U.S. online investment scams surpass $16.6 billion.

Huione Group has allegedly laundered proceeds from cyberattacks initiated by North Korea and transnational criminal organizations in Southeast Asia responsible for virtual currency investment scams, authorities said. The organization laundered more than $4 billion in illicit proceeds between August 2021 and January 2025, the Treasury Department said. 

The U.K.’s Foreign, Commonwealth, and Development Office also participated in the crackdown by imposing sanctions on Prince Holding Group, its alleged leader Chen and key associates. 

“Today, the FBI and partners executed one of the largest financial fraud takedowns in history,” FBI Director Kash Patel said in a statement.

The post Officials crack down on Southeast Asia cybercrime networks, seize $15B appeared first on CyberScoop.

Senators, FBI Director Patel clash over cyber division personnel, arrests

FBI cyber division cuts under President Donald Trump will reduce personnel there by half, a top Democratic senator warned Tuesday, while FBI Director Kash Patel countered that arrests and convictions have risen under the Trump administration.

A contentious Senate Judiciary Committee hearing dominated by clashes over political violence, Patel’s leadership and accusations about the politicization of the bureau nonetheless saw senators probing the FBI’s performance on cybersecurity.

“My office received information that cuts to the bureau’s cyber division will cut personnel by half despite the ever-increasing threat posed by adverse foreign actors,” said Illinois Sen. Dick Durbin, the top Democrat on the panel. The Trump administration has proposed a $500 million cut for the FBI in fiscal 2026.

Sen. Alex Padilla, D-Calif., said that as the FBI has shifted personnel toward immigration and politically motivated investigations like the Tesla task force, it has undercut other missions. “It has an impact on other priorities, like nation-state threats and ransomware investigations,” he said.

Padilla was one of several Senate Democrats, like Cory Booker of New Jersey and Mazie Hirono of Hawaii, who said the FBI’s cyber mission was suffering because its personnel were being directed elsewhere.

Patel told Hirono that the FBI’s cyber branch was one of the bureau’s “most impressive” units, and that it had made 409 arrests, a 42% increase compared to the same period last year, and garnered 169 convictions.

As Padilla questioned him about the FBI’s mission to protect against election interference and the Justice Department ending the Foreign Influence Task Force, Patel answered that the FBI did not “in any way divert or reallocate resources from that critical mission set.” He said it was still working on it through its cyber programs, which had seen a “40, 50, 60%” increase in arrests in cyber threat cases involving critical infrastructure and interference with elections.

Patel said he hadn’t shifted any resources away from any critical missions like terrorism toward things like Tesla vandalism or sending federal personnel to cities like Washington, D.C. “They never left their primary job,” he said. “It is a surge in law enforcement.”

Hirono asked Patel to say who had replaced top officials who had exited the cyber division, but he said only that they were “supremely qualified individuals” and wouldn’t give their names “so you can attack them.” Hirono replied, “you don’t know” when he wouldn’t say who they were.

More broadly, Patel said the FBI was taking the fight to Chinese threat groups like Salt Typhoon and Volt Typhoon, and going after ransomware and malware attackers.

Sen. Amy Klobuchar, D-Minn., said she was concerned about a rise in artificial intelligence-generated election interference, including materials directed at her. Patel said the FBI was looking into it, but that the culprits appeared to be “loose groups overseas, without any central cluster.”


The npm incident frightened everyone, but ended up being nothing to fret about

Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the Node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted, and the consequences of the supply-chain attack were short-lived and minimal.

Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to confirm his npm account was compromised via social engineering — a two-factor reset email that looked legitimate, he said. The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers.

Apprehension fueled by the popularity of the 18 packages affected — capturing more than 2 billion downloads per week combined, according to Aikido Security — pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but impact was thwarted.

“There was a lot of fear, uncertainty, and doubt in sensationalized headlines about the attack,” Melissa Bischoping, senior director of security and product design research at Tanium, told CyberScoop. “The overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That’s a good news story, not a horror story.”

Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color.

Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible. The attacker’s crypto address showed only $66.52, Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, said in a LinkedIn post Monday.

Researchers at blockchain analytics platform Arkham have traced about $1,027 in stolen cryptocurrency to the attack as of Wednesday morning.

“While their motivation appears financial, it’s easy to see how this could have been catastrophic and reminds us of the XZ Utils breach in 2024 and others in recent memory,” Bischoping said. 

Researchers from multiple security outfits described the compromise as the largest npm attack on record due to the potential scale of compromise. Fortunately, the attacker’s technical actions tipped off other developers.

“The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” Andrey Polkovnichenko, security researcher at JFrog, said in a blog post.

While the initial wave of the attack was mostly stunted, researchers warn other npm maintainers were targeted and compromised by the same phishing campaign. Other packages known to be impacted include duckdb, proto-tinker-wc, prebid-universal-creative, prebid and prebid.js, Sonatype researchers said in a blog post Monday. 

“The open-source community are so often the heroes in our industry,” Bischoping said. “The passion, dedication, and resilience of the open-source community provide value we all benefit from. Every organization should consider how they can better support, fund and contribute to open-source projects because without them the tech industry would suffer.”


Treasury Department targets Southeast Asia scam hubs with sanctions

Federal authorities on Monday imposed sanctions on 19 people and organizations allegedly involved in major cyberscam hubs in Burma and Cambodia.

“Criminal actors across Southeast Asia have increasingly exploited the vulnerabilities of Americans online,” Secretary of State Marco Rubio said in a statement. “In 2024, Americans lost at least $10 billion to scam operations in Southeast Asia, according to a U.S. government estimate.” That’s a 66% increase from the prior year, officials said. 

People who staff these scam centers are often victimized as well. Criminal organizations in Southeast Asia recruit workers under false pretenses and use debt bondage, violence, and threats of forced prostitution to coerce them to scam strangers online via messaging apps or text messages, authorities said.

The Treasury Department’s Office of Foreign Assets Control levied sanctions against nine targets operating in Shwe Kokko, Burma, which it described as a “notorious hub for virtual currency investment scams under the protection of the OFAC-designated Karen National Army.” KNA was sanctioned as a transnational criminal organization in May. 

Tin Win, Saw Min Min Oo, Chit Linn Myaing Co., Chit Linn Myaing Toyota Co., Chit Linn Myaing Mining & Industry Co., Shwe Myint Thaung Yinn Industry and Manufacturing Co., She Zhijiang, Yatai International Holdings Group and Myanmar Yatai International Holding Group Co. were all sanctioned for their alleged involvement in these scam centers near Burma’s border with Thailand.

She Zhijiang and Saw Chit Thu, the leader of the KNA who was previously sanctioned in May, are accused of transforming a small village in Shwe Kokko into a city built for gambling, drug trafficking, prostitution and a compound of scam centers. Tin Win and Saw Min Min Oo allegedly control property that hosts the scam centers and personally run organizations that support the operations.

“Southeast Asia’s cyber scam industry not only threatens the well-being and financial security of Americans, but also subjects thousands of people to modern slavery,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a statement.

The Treasury Department also sanctioned four people and six organizations for their alleged involvement in forced labor compounds in Cambodia that operate virtual currency investment scams targeting victims in the United States, Europe, China and elsewhere. 

T C Capital Co., K B Hotel Co., K B X Investment Co., M D S Heng He Investment Co., Heng He Bavet Property Co., HH Bank Cambodia, Dong Lecheng, Xu Aimin, Chen Al Len and Su Liangsheng were all sanctioned for their alleged involvement in scam centers in Cambodia. 

“These sanctions protect Americans from the pervasive threat of online scam operations by disrupting the ability of criminal networks to perpetuate industrial-scale fraud, forced labor, physical and sexual abuse, and theft of Americans’ hard-earned savings,” Rubio said.


CISA pushes final cyber incident reporting rule to May 2026

The Cybersecurity and Infrastructure Security Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.

A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.

“We received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,” said Marci McCarthy, director of public affairs at CISA. “Stakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.”

McCarthy said CISA would take the time prior to May to “examine options within the rulemaking process to address Congressional intent and streamline CIRCIA’s requirements.”

A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.

“I support the administration’s decision to extend the deadline for CIRCIA’s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule’s reporting requirements and ensure the final rule fulfills congressional intent for the law,” he said. “I share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America’s cyber professionals as they work to defend our networks from heightened threats.”

The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.

But CISA’s proposed rule — and how it interpreted the scope of whom the law would apply to or what kind of incidents would constitute reporting to CISA — had drawn industry criticism from groups that wanted a narrower reading of the definitions of the law’s key terms and phrases.

The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.

“Enhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,” said Leopold Wildenauer, director of cybersecurity policy for the group. “CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.”

Bloomberg Law had earlier reported the planned delay, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.

Personnel cutbacks at CISA and other developments had long prompted concerns that the agency would not meet the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem said in May she would support re-opening industry consultation on the proposed regulation.

The top Democrat on Garbarino’s panel, Mississippi Rep. Bennie Thompson, said the Trump administration appears to have done little to meet the deadline, among other criticisms. He told CyberScoop in an emailed statement that he first learned about the rulemaking time shift last week.

“I’m disappointed that CISA has failed to keep its authorizers — and one of the authors of the CIRCIA — updated of its lack of progress in issuing a final rule,” he said. “I am also disappointed that CISA has yet to initiate an ex parte process to gather additional input to inform the final rule. All evidence suggests the administration burned seven months doing nothing while it could have been engaging with stakeholders and working toward a final rule. Full implementation of CIRCIA will enhance our collective ability to detect and disrupt cyber threats and, if done right, drive harmonization of cyber incident reporting rules.”

The former CISA official who ran the CIRCIA program, Lauren Boas Hayes, wrote in an op-ed for CyberScoop in July that it was always going to be difficult for CISA to meet the October deadline without a confirmed director. The Senate Homeland Security and Governmental Affairs Committee has since approved the nomination of Sean Plankey, but the full Senate has yet to vote to confirm him.

“I am happy to see that they are acknowledging that and moving the deadline to a reasonable timeframe so that they can make those policy decisions, give the program clear prioritization and direction, and continue to move towards a CIRCIA final rule that will have positive impacts for the nation and for our national security,” Boas Hayes told CyberScoop in response to the shifted deadline. “I hope that the acting director of CISA is providing that clear guidance and prioritization to the staff so that they can continue to make progress now and when the CISA director joins the agency and is on-boarded fully and ready to make all those policy decisions.”

The notice about the delay clears up uncertainty about CISA’s plans, said Caleb Skeath, a partner at the Covington law firm.

“It helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,” he said. “And it’s a very broad, wide-ranging rule that’s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.”

There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it’s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.

Updated 9/8/25: This story was updated to include comments from Thompson and Boas Hayes.


Treasury sanctions North Korea IT worker scheme facilitators and front organizations

The Treasury Department on Wednesday expanded efforts to disrupt the pervasive North Korean technical worker scheme by imposing sanctions on people and organizations serving as facilitators and fronts for the country’s years-long conspiracy effort to defraud businesses and earn money despite international sanctions. 

Vitaly Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corp. were all sanctioned by the Treasury Department’s Office of Foreign Assets Control for their alleged roles in the scheme orchestrated by the North Korean government. 

Officials accuse the regime of hatching and maintaining an expansive operation that funnels money to its weapons and missiles programs by placing teams of specialized workers in IT jobs in the United States and elsewhere using fraudulent documents, stolen identities and false personas to hide their North Korean nationality.

“The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a written statement.

As the sanctions-evading scheme has grown, so too has the U.S. government’s response. Officials continue to target people and organizations involved, and Wednesday’s action follows the Justice Department’s seizure of $7.74 million from North Korean nationals who allegedly attempted to launder cryptocurrency obtained by IT workers who gained illegal employment as part of the scheme. 

Andreyev, a 44-year-old Russian national, allegedly facilitates payments to Chinyong Information Technology Cooperation Co., an outfit associated with North Korea’s Ministry of Defense that was targeted in the cryptocurrency seizure and previously sanctioned, according to the Treasury Department. Chinyong employs teams of IT workers in Russia and Laos, according to officials.

“Since at least December 2024, Andreyev has worked with Kim Ung Sun, a Russia-based Democratic People’s Republic of Korea economic and trade consular official, to facilitate multiple financial transfers worth a total of nearly $600,000, by converting cryptocurrency to cash in U.S. dollars,” the Treasury Department said in the sanctions announcement.

Officials said Shenyang Geumpungri is a Chinese front company for Chinyong that manages a group of North Korean IT workers who have earned more than $1 million in profits for Chinyong and Sinjin, an affiliate of the regime’s General Political Bureau.

The Treasury Department earlier this summer imposed another set of sanctions on people and organizations allegedly involved in the North Korea IT worker scheme. In late July, the State Department announced a reward up to $15 million for information leading to the arrest of seven North Korean nationals accused of multiple crimes, including cryptocurrency theft, fraudulent remote IT work and tobacco smuggling.


Court ruling in Epic-Google fight could have ‘catastrophic’ cyber consequences, former gov’t officials say

A court injunction in the long fight between Fortnite publisher Epic Games and Google could have “catastrophic results for the nation’s security” and “risks creating massive cybersecurity vulnerabilities in the online ecosystem,” a group of former top government officials said in a filing Monday.

At issue, they wrote, is a district court injunction requiring Google to work with Epic Games to establish a technical committee on the Google Play Store. This committee would review disputes over the store’s business practices and regulations. The former officials filed an amicus curiae brief siding with Google, which lost in the latest legal salvo, saying that any such committee would sorely lack the ability to mediate the myriad cybersecurity threats presented to users through the store.

“The district court and the Technical Committee are woefully ill-equipped to manage the complex, numerous, and dynamic cybersecurity threats to millions of Android users that will result from allowing countless new apps to flood the Google Play Store and third-party app stores,” they wrote.

Rather, they contend, “Google, with state-of-the-art cybersecurity practices and a trusted app ecosystem, is best positioned to manage those security risks, but the injunction would hamstring Google’s ability to secure its platforms by requiring it to allow developers to provide links directly to users, to distribute third-party app stores, and to allow third-party app stores access to the Google Play Store catalog.”

And “even one mis-clicked link or one nefarious downloaded app can have catastrophic results, allowing malicious actors to access Android devices and data,” they contend.

Signing onto the filing were Tatyana Bolton, former cyber policy lead at the Cybersecurity and Infrastructure Security Agency; Joel Brenner, former inspector general and senior counsel at the National Security Agency and counterintelligence head in the Office of the Director of National Intelligence; Paul Lekas, former deputy general counsel at the Defense Department; John Shanahan, former DoD director at the Joint Artificial Intelligence Center; Joseph Anderson, a former Army official; Steven Bellovin, former chief technologist at the Federal Trade Commission; David Shedd, former deputy director of the Defense Intelligence Agency and a former National Security Council official; and Gene Tsudik, a computer science professor at the University of California, Irvine.

The brief is tied to a ruling in a 2020 case where Epic leveled allegations of monopolistic practices against Google over in-app purchase fees. Epic Games has won antitrust rulings against Google, most recently on July 31. Google itself has been arguing that the rulings will raise privacy and security risks, as have others who are siding with Google on the debate.

The Google Play Store is one of the most popular app marketplaces in existence, with the company claiming it’s used by more than 2.5 billion monthly users across 190 markets worldwide.

It differs from its main competitor, Apple, by allowing users to download apps from third-party sources. In contrast, Apple’s App Store operates within a closed ecosystem, strictly controlling the installation of apps and prohibiting third-party stores. Additionally, Google typically enforces a less stringent app review process compared to Apple’s often rigorous approval standards, giving developers a faster and more accessible route to publishing their apps on Android devices.

Due to the differences, malicious or fraudulent apps are constantly found on Google’s store. 

The latest court ruling disputed the extent of any security woes that would arise.

“Though Google may decry the inconvenience of having to design ‘new protocols’ to address the security risks of carrying app stores, its own expert conceded that Google would be able to meet these difficulties with the same technological criteria it uses for other third-party software applications already on the Play Store,” the U.S. Court of Appeals for the Ninth Circuit ruling reads.

The officials who signed on to Monday’s filing include some with notable current or past industry ties; Bolton, for instance, worked for Google from 2022 to 2024.

The potential interplays between monopolistic practices and cybersecurity have been a source of debate amid the rise of U.S. tech giants.

Greg Otto contributed reporting to this story.


Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses

A globally coordinated operation involving support from 18 countries in Africa, the United Kingdom and nine security organizations resulted in the arrest of 1,209 alleged cybercriminals, Interpol said Friday.

Authorities said they recovered $97.4 million and dismantled 11,432 pieces of malicious infrastructure between June and August. Financial losses attributed to the crimes allegedly committed by people involved in this widespread string of ransomware, online scams and business email compromise neared $485 million, officials said.

Operation Serengeti 2.0 identified 87,858 victims from multiple criminal syndicates and operations spanning Africa. Authorities in Zambia took down an online investment fraud scheme that impacted at least 65,000 victims who lost an estimated $300 million combined.

In Angola, authorities dismantled 25 cryptocurrency mining centers where 60 Chinese nationals were allegedly validating blockchain transactions to generate cryptocurrency. Officials said they confiscated 45 illegal power stations, mining and IT equipment valued at more than $37 million, which the government has earmarked to support power distribution in vulnerable areas. 

TRM Labs, one of the private organizations that supported the crackdown, shared details about ransomware-related operations impacted by the law enforcement action.

“In Ghana, investigators pursued leads tied to the Bl00dy ransomware group, a Conti spin-off that has targeted education, healthcare, and public sector victims. Analysis suggested elements of Bl00dy’s laundering infrastructure were active in the country,” the company said in a LinkedIn post.

Investigators in Seychelles acted on intelligence connected to RansomHub, broadening the range of targets and dismantling additional infrastructure, TRM Labs added.

Interpol said Operation Serengeti 2.0 also disrupted a suspected human trafficking network in Zambia and a transnational inheritance scam in Côte d’Ivoire that caused about $1.6 million in losses. 

“Each Interpol-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of Interpol, said in a statement. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

Countries involved in the crackdown include: Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro and Uppsala Security also aided the investigation.

The post Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses appeared first on CyberScoop.

US widens sanctions on Russian crypto exchange Garantex, its successor and affiliate firms

U.S. officials imposed sanctions Thursday on Russian cryptocurrency exchange Garantex, its successor Grinex, and related affiliates, while also targeting its leaders for arrest with financial rewards. These measures are part of intensified efforts to halt the flow of ransomware proceeds facilitated by the platforms.

The Treasury Department’s Office of Foreign Assets Control re-designated Garantex for sanctions, accusing its operators of processing more than $100 million in illicit transactions since 2019. The State Department announced financial rewards totaling up to $6 million for information leading to the arrest or conviction of Garantex’s leaders, including up to $5 million for Russian national Aleksandr Mira Serda, the exchange’s co-founder and chief commercial officer.

Authorities expanded their targeting of Garantex, its leaders and associated companies following a sweeping international law enforcement operation in March when officials seized three domains linked to the exchange, confiscated servers, froze more than $26 million in cryptocurrency and indicted its leaders. 

One of those leaders, Aleksej Besciokov, was arrested in March while on vacation in India shortly after the Justice Department unsealed indictments against him and Mira Serda, officials said. OFAC also imposed sanctions on Sergey Mendelev, co-founder of Garantex, and Pavel Karavatsky, co-owner and regional director of Garantex.

“According to the U.S. Secret Service and FBI, Garantex received hundreds of millions in criminal proceeds and was used to facilitate various crimes, including hacking, ransomware, terrorism, and drug trafficking, often with substantial harm to U.S. victims,” Tammy Bruce, spokesperson for the State Department, said in a statement Thursday. “Between April 2019 and March 2025, Garantex processed at least $96 billion in cryptocurrency transactions.” 

Before Garantex moved its operations and funds to Grinex following the globally coordinated law enforcement disruption, the exchange received millions of dollars in cryptocurrency from Russia-linked ransomware affiliates. Officials traced those transactions to Conti, Black Basta, LockBit, Ryuk, NetWalker and Phoenix Cryptolocker. 

Grinex, which was created to avoid the sanctions placed on Garantex, has since facilitated billions of dollars in cryptocurrency transactions, the Treasury Department said. The Treasury Department’s OFAC initially sanctioned Garantex in April 2022.

OFAC sanctioned six additional organizations Thursday, including A7, A7 Agent, Old Vector, InDeFi Bank and Exved for their alleged involvement with and material support of Garantex and Grinex.

“Exploiting cryptocurrency exchanges to launder money and facilitate ransomware attacks not only threatens our national security, but also tarnishes the reputations of legitimate virtual asset service providers,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “By exposing these malicious actors, Treasury remains committed to and supportive of the digital asset industry’s integrity.”

The post US widens sanctions on Russian crypto exchange Garantex, its successor and affiliate firms appeared first on CyberScoop.

UK sanctions Russian hackers, spies as US weighs its own punishments for Russia

As the U.S. government contemplates additional sanctions on Moscow, the United Kingdom went ahead and levied its own Friday against what it said was a group of Russia’s hackers and spies. 

The sanctions target 18 military intelligence officers and three divisions of the Russian military unit known as the GRU. Cyber operations in support of Russia’s war against Ukraine drew the U.K. targeting of the hackers.

“The GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world with devastating real-world consequences,” reads a news release.

But the sanctions also go after the use of malware tied to an attempted assassination of a former Russian double agent residing on U.K. soil and the related poisoning of his daughter.

“Today’s action also hits GRU military intelligence officers responsible for historically targeting Yulia Skripal’s device with malicious malware known as X-Agent — five years before GRU military intelligence officers’ failed attempt to murder Yulia and Sergei Skripal with the deadly Novichok nerve agent in Salisbury,” the release states.

According to a 2018 U.S. grand jury indictment, X-Agent is custom malware that Russia developed to hack the Democratic National Committee and Democratic Congressional Campaign Committee to interfere in the 2016 election.

The U.K. sanctioned some of the military officers for spying operations like those involved in the 2022 bombing of the Mariupol Theatre, which had been sheltering Ukrainian civilians.

In the U.S. Congress, lawmakers have been demonstrating some rare bipartisan consensus on the notion of slapping Moscow with more sanctions. That legislation would likewise seek to punish Russian cyber operations in Ukraine, among other Russian aggression in the former Soviet satellite nation.

President Donald Trump, too, has grown impatient with Russian President Vladimir Putin over the Ukraine war and has threatened further sanctions against Moscow and its trade partners.

The United Kingdom warned in a separate alert Friday that GRU cyber operations could spill over from the Ukraine war.

“The future trajectory of this threat remains uncertain and international partners need to prepare for its redirection and a range of potential scenarios,” the alert states.

The three units drawing U.K. sanctions have been connected to a range of hacking activity, from meddling in elections across the globe to the massive 2017 NotPetya attack.

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens,” said U.K. Foreign Secretary David Lammy. “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. …  Putin’s hybrid threats and aggression will never break our resolve.”

Also Friday, the European Union agreed to sanctions targeting Russia’s energy and banking sectors, the bloc’s 18th set of sanctions against Moscow.

You can read the full list of those sanctioned on the U.K. government’s website.

This article has been updated to reflect news about the additional EU sanctions.

The post UK sanctions Russian hackers, spies as US weighs its own punishments for Russia appeared first on CyberScoop.

United Natural Foods loses up to $400M in sales after cyberattack

United Natural Foods said the cyberattack that prompted the food distributor and wholesaler to completely shut down its network last month resulted in lost sales of up to $400 million. Executives, during a business update call Wednesday with analysts and investors, said the financial impact from the attack is largely contained to the current quarter, which ends in early August.

The operational interruption caused by the cyberattack, which the company discovered June 5 and disclosed four days later, will result in a net income loss of up to $60 million. Executives did not mention a ransom demand or payment during the call.

The attack on Whole Foods Market’s primary distributor was part of an ongoing attack spree linked to Scattered Spider, a financially motivated cybercrime collective that’s hit dozens of companies in the retail, insurance and aviation industries since it regrouped earlier this year.

The orders United Natural Foods was unable to fill — resulting in empty store shelves and spoilage in the wake of the attack — show the wide financial impact of cybercrime. The company operates 52 distribution centers that fulfill about 250,000 products from more than 11,000 suppliers to 30,000 customer locations in North America.

“Because of the unique role UNFI plays in the food-supply chain, we recognize that this cyber incident impacted our customers and the industry we serve. We never want to be the reason that a local grocer is out of stock on a product that their shoppers count on,” CEO Sandy Douglas said during the call.

Direct costs related to the attack include an estimated $20 million incurred as the company used manual workarounds while systems were offline, and $5 million for remediation costs, including third-party cybersecurity, legal and governance experts brought in to assist with response and recovery efforts.

United Natural Foods expects its cyber insurance policy to sufficiently offset those recovery and remediation costs, but noted that reimbursement will likely arrive in fiscal year 2026, which starts in August.

Meantime, the company has mostly recovered and returned to normal operations. “As of this week, our commercial operating capacity has been restored to normalized levels, average outbound fill rates, on-time deliveries and units shipped are at or close to pre-incident levels, with some variation across distribution centers. We expect continued improvement as we complete our recovery in the coming weeks,” Douglas said.

United Natural Foods restored its primary electronic ordering systems June 16, 10 days after it took systems down, Douglas added. While the restoration is ongoing for some less critical tools, including customized reporting platforms, the company has achieved the bulk of its recovery requirements.

“By June 26 we had safely restored our core systems and broadly returned to more normal operating capacity across our distribution network,” Douglas said. “Since then, we’ve continued working closely with our customers and suppliers to catch up on various business processes, including purchase orders, invoicing and payments that were temporarily delayed during the disruption period.”

The post United Natural Foods loses up to $400M in sales after cyberattack appeared first on CyberScoop.
