
Latvian national sentenced for ransomware attacks run by former Conti leaders

A federal judge sentenced a Latvian national to 102 months in prison for his involvement in a series of ransomware attacks over more than two years prior to his arrest in 2023, the Justice Department said Monday.

Deniss Zolotarjovs, a resident of Moscow at the time, helped an organization led by former leaders of the Conti ransomware group extort payments from more than 54 companies. 

The 35-year-old was mostly tasked with putting pressure on the crew’s victims. In one case, Zolotarjovs urged co-conspirators to leak or sell children’s health records stolen from a pediatric healthcare company and ultimately sent a collection of sensitive data to “hundreds of patients,” according to court records. 

The ransomware crew identified itself in ransom notes under multiple names during Zolotarjovs’ involvement, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, Akira and others. 

Zolotarjovs and his co-conspirators extorted nearly $16 million in confirmed ransom payments from their victims. Officials estimate the group’s crimes resulted in hundreds of millions of dollars in losses, not including the psychological and future financial exposure confronting tens of thousands of people whose personal data was stolen.

“Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline,” A. Tysen Duva, assistant attorney general of the Justice Department’s Criminal Division, said in a statement. 

Officials said Zolotarjovs searched for points of leverage after researching victim companies and analyzing stolen data. Many of the victims impacted during his active participation between June 2021 and August 2023 were based in the United States.

Zolotarjovs was arrested in the country of Georgia in December 2023 and extradited to the United States in August 2024. He pleaded guilty to money laundering and wire fraud in July 2025.

“Cybercriminals might think they are invulnerable by hiding behind anonymizing tools and complex cryptocurrency patterns while they attack American victims from non-extradition countries,” Dominick S. Gerace II, U.S. attorney for the Southern District of Ohio, said in a statement. “But Zolotarjovs’s prosecution shows that federal law enforcement also has a global reach, and we will hold accountable bad actors like Zolotarjovs, who will now spend significant time in prison.”

The Russian ransomware crew was prolific and spread across multiple teams, relying on companies registered in Russia, Europe and the United States to conceal its operations. Authorities said the group included former Russian law enforcement officers whose connections allowed members to access Russian government databases to harass detractors and identify potential new recruits.

Conti was among the most prolific ransomware groups globally for a time, impacting hundreds of critical infrastructure providers, Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022.

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

The post Latvian national sentenced for ransomware attacks run by former Conti leaders appeared first on CyberScoop.

Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety

A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 

Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 

Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 

The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to 10 years in federal prison last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.

Victims included high net worth individuals and businesses in the entertainment, telecom, technology, business process outsourcing, IT, cloud and virtual currency sectors, officials said.

Buchanan and his co-conspirators were part of an aggressive subset of The Com coined Scattered Spider. While The Com and its offshoots don’t operate with formal leaders in the traditional sense, Buchanan played a crucial role in the operation, according to Allison Nixon, chief research officer at Unit 221B.

“[Buchanan] was the glue that held this gang together. His success at wiping out victims’ savings made him a target for both law enforcement and rival Com gangs,” Nixon told CyberScoop.

“[Buchanan] is part of an older generation that came from certain toxic gaming servers before the pandemic. People from this generation learned hacking in order to steal vanity usernames and bully kids before using it to steal peoples’ savings,” she added.

Federal authorities filed charges against five individuals with links to the Scattered Spider cybercrime outfit in 2024. Buchanan and Urban’s alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo and Joel Martin Evans — still face charges in the case, officials said. 

Nixon lauded law enforcement for acting decisively to arrest Buchanan during a brief window of opportunity while he was traveling internationally. 

“Com members are obsessed with private jets and foreign vacations, and the feds took that dream away with one arrest,” she said. 

The tactic, which U.S. officials also use against Russian cybercriminals, works because most countries are willing to support the arrest of foreign criminals, thereby keeping them out of their respective jurisdictions, Nixon said.

“As a foreigner, he was caught in a weaker legal position than if he was arrested at home, and cases following this tactic tend to have very long sentences,” she added. “The takeaway for Com members watching this case is that criminal foreigners associated with violence are the lowest class in every country. And that’s what Com members are when they travel.”

The Justice Department said Buchanan and his co-conspirators defrauded at least a dozen companies and their employees throughout the United States. A digital device police found at his residence in April 2023 contained personal data on numerous individuals and victim companies, according to his plea agreement.

It’s unclear what transpired between that search in April 2023 in Scotland and his June 2024 arrest at a resort city on the Spanish island of Mallorca. Moreover, his plea agreement doesn’t include the entirety of his alleged crimes. 

Buchanan attracted a lot of attention and successfully coordinated many attacks before a rival Com gang allegedly broke into his home and used a blowtorch on him to extract crypto keys in his possession, according to Nixon. 

Following his arrest, Spanish police said Buchanan had gained control of bitcoin worth more than $27 million at that time. 

While early leaders of Scattered Spider have been arrested or sentenced for their crimes, others have filled those roles with even more exceptional impact. 

The Com has grown to thousands of members, typically between 11 and 25 years old, splintered into three primary subsets the FBI describes as Hacker Com, In Real Life Com and Extortion Com.

Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes. 

You can read the indictment against Buchanan and some of his co-conspirators below.


Feds say another DigitalMint negotiator ran ransomware attacks and helped extort $75 million

A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined $75.25 million in ransom payments while he was working as a ransomware negotiator for DigitalMint. 

Five of Angelo John Martino III’s alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their clients’ behalf — putting him in a position to play both sides, as the criminal responsible for the attack and the lead negotiator for his alleged victims, according to federal court records unsealed Wednesday.

Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, and conspired with other former cybersecurity professionals to break into victims’ networks, steal and encrypt data, and extort companies for ransoms over a six-month period in 2023.

Martino was an unnamed co-conspirator in an indictment filed in November 2025 against Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia. Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

Prosecutors accuse Martino of providing confidential information regarding ransomware negotiations to ALPHV co-conspirators to maximize the ransom payment. His attorney did not immediately respond to a request for comment.

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Goldberg and Martin were not specifically named as co-conspirators in those attacks. Prosecutors previously said they only successfully extorted a financial payment from one of their victims for nearly $1.3 million.

Cybersecurity firm that employed Martino responds

DigitalMint said they suspended Martino’s access to systems when the Justice Department notified the company they were investigating him on April 3 and fired him the next day. The company, which is not accused of any knowledge or involvement with the crimes, added it was not aware that Martino and Martin were already involved in ransomware-related schemes before they were hired. 

“We strongly condemn these former employees’ criminal behavior, which violated our values, ethical standards and the law,” DigitalMint CEO Jonathan Solomon said in a statement to CyberScoop.

“DigitalMint has fully cooperated with law enforcement from the outset and does not expect further charges,” Solomon added. “While no organization can completely eliminate insider risk, we take incidents like this extremely seriously and have strengthened safeguards and internal controls to further reduce the likelihood of similar conduct.”

DigitalMint did not directly answer questions about whether it refunded its clients who were allegedly victimized by Martino. “We are not able to discuss specific client relationships or fee arrangements due to confidentiality obligations,” a spokesperson said in a statement. “We remain committed to our clients and have addressed any commercial matters directly with those parties.”

The company also declined to describe the circumstances under which it was hired and assigned Martino to conduct ransomware negotiations on the attacks he allegedly committed. Yet, in a statement it noted: “The charging documents do not allege that Martino referred or brought these victims to DigitalMint.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons. 

Authorities seize about $12M in assets, set $500K bond

Martino is charged with conspiracy to interfere with commerce by extortion and faces up to 20 years in prison. He is scheduled to enter a plea March 19. 

Authorities seized nearly $9.2 million in five types of cryptocurrency from 21 wallets controlled by Martino. Other items seized from Martino include a 1999 Nissan Skyline, a 2024 Polaris RZR, a 2023 trailer and a 29-foot boat manufactured in 2023.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. The bayfront home was reported as the second-largest real estate transaction of the week when Martino and his wife purchased the home for $1.791 million in February 2024.

Aerial shot of one of the Nokomis, Florida, properties authorities seized from Angelo Martino. (Redfin)

Martino surrendered to the U.S. Marshals in Miami Tuesday and was released on a $500,000 bond. He is restricted from traveling outside the Southern District of Florida and is prohibited from working in the cybersecurity industry.

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Two of Martino’s alleged victims paid even higher ransoms in 2023, according to prosecutors, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company.

You can read the formal charge prosecutors filed against Martino below.


Nigerian man sentenced to 8 years in prison for running phony tax refund scheme

A 37-year-old Nigerian man was sentenced to eight years in prison for participating in a five-year cybercrime spree to steal money from the U.S. government through fraudulent tax returns, the Justice Department said Wednesday.

Matthew Abiodun Akande was living in Mexico when he and at least three co-conspirators broke into the networks of tax preparation firms, stole sensitive data on their clients and filed fraudulent tax returns, claiming tax refunds with victims’ personal data, according to court records. 

Akande and his co-conspirators filed more than 1,000 fraudulent tax returns seeking more than $8.1 million in phony tax refunds during a five-year period ending in June 2021, prosecutors said. The crew collectively obtained more than $1.3 million in fraudulent tax refunds.

Officials said Akande also advanced the scheme by sending phishing emails to five Massachusetts-based tax preparation firms that were designed to trick employees into downloading remote access trojan malware, including Warzone RAT. Four of those firms were listed as victims in the indictment.

Akande has been in detention since he was arrested at Heathrow Airport in the United Kingdom in October 2024 and extradited to the United States in March 2025. A month later, Akande pleaded guilty to all 33 counts in the indictment prosecutors filed against him in July 2022.

His crimes include conspiracy to obtain unauthorized access to protected computers, wire fraud, unauthorized access to protected computers, theft of government money, and aggravated identity theft.

Akande and his alleged co-conspirators — Kehinde Hussein Oyetunji, a Nigerian national living in North Dakota, and two people that prosecutors declined to name — directed the fraudulent tax refunds to be deposited in U.S. bank accounts. Co-conspirators living in the United States withdrew some of the stolen money in cash then, at Akande’s direction, transferred a portion of the funds to third parties in Mexico, officials said.

In a sentencing memo submitted to the court, Akande’s lawyer insisted his client was not living an extravagant lifestyle in Mexico. Yet, he was ordered to pay almost $1.4 million in restitution as part of his sentencing.

You can read the full indictment below.


Alleged 764 member arrested, charged with CSAM possession in New York

A 23-year-old New York man allegedly affiliated with 764 was arrested and charged with receiving child sexual abuse material. Aaron Corey of Albany, N.Y., faces up to 20 years in prison for trafficking CSAM during a three-month period ending in December.

Corey, also known as “Baggeth,” is accused of running multiple 764-related chats, seeking CSAM from other people affiliated with the nihilistic violent extremist collective. Investigators said they found multiple images and videos of children, some as young as 2 years old, depicting child sexual abuse on Corey’s mobile device, according to court records.

Officials also found evidence on Corey’s computer, including a search for “parks near me for kids” and multiple visited URLs about relationships with minors. An FBI agent investigating Corey said his online moniker was potentially derived from his attempts to get girls to place bags over their heads, according to a criminal complaint filed in the U.S. District Court for the Northern District of New York.

“The 764 network is a depraved criminal group that exploits vulnerable children and revels in their abuse,” Deputy Attorney General Todd Blanche said in a statement. “The very serious crimes alleged in this indictment will be aggressively prosecuted until justice is served, as the Justice Department and federal partners continue efforts to take down this violent extremist network.”

Authorities have arrested multiple members of 764 during the past year, reflecting heightened law enforcement activity targeting the violent extremist collective and other offshoots affiliated with The Com. The FBI has long been investigating the group’s use of cybercriminal tactics to carry out their crimes.

The sprawling nihilistic network of thousands of people, typically between 11 and 25 years old, engages in a growing online threat to coerce vulnerable children to produce CSAM of themselves, gore material, self mutilation, sibling abuse, animal abuse and other acts of violence. 

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April. The two men are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Tony Christopher Long, of California, pleaded not guilty in November to multiple charges carrying a maximum penalty up to 69 years in prison related to his alleged involvement in the nihilistic violent extremist group. 

Erik Lee Madison, of Maryland, was arrested in November and is accused of victimizing at least five children this fall, including one as young as 13 at the time. His alleged criminality dates back to 2020 when he was a minor.

Alexis Aldair Chavez, of San Antonio, pleaded guilty in December to multiple crimes involving the sexual exploitation of children while acting as an administrator and leader of 8884, a splinter group of 764. He faces up to 60 years in prison.

“Preying on our nation’s children, who are among the most vulnerable members of society, is beyond comprehension,” Christopher Raia, co-deputy director of the FBI, said in a statement.

Corey was arrested Monday, appeared in federal court Tuesday and is being detained pending his next court appearance. You can read the full criminal complaint below.


DOJ seizes piracy sites, Italian police dismantle illegal IPTV operation

A trio of domains that allegedly distributed pirated content, including movies, TV shows, video games and other content was seized by the U.S. government as part of a globally coordinated crackdown on copyright infringement, the Justice Department said Friday.

The sites — zamunda.net, arenabg.com and zelka.org — were among the most popular domains in Bulgaria and likely generated significant revenue from ads, officials said. Seizure notices are currently displayed on all three sites warning visitors that illegal distribution of copyrighted works is a crime.

Officials said the U.S.-registered domains received tens of millions of visits a year, including one that often ranked in the top 10 most visited sites in Bulgaria. Multiple Bulgarian agencies assisted with the investigation alongside Homeland Security Investigations, the U.S. Attorney’s Office for the Southern District of Mississippi and the National Intellectual Property Rights Coordination Center.

The sites offered visitors thousands of infringed works, resulting in millions of downloads that carry a collective retail value of millions of dollars, prosecutors said. 

The seizures were announced just days after similar actions in Italy where police seized three allegedly illegal IPTV services that distributed pirated content to millions of users. The operation, dubbed “Switch off,” dismantled IT infrastructure the unnamed sites used to distribute content owned by Sky, Dazn, Mediaset, Amazon Prime, Netflix, Paramount, Disney+ and other media companies, officials said.

Italian police said they found evidence linking the IPTV sites to 31 members of a transnational organized crime group and searched the suspects’ residences in Italy. Authorities identified an additional 14 suspects in the United Kingdom, Spain, Romania and Kosovo. 

“The suspects adopted advanced anonymization strategies that have materialized in a series of operations, such as investing in cryptocurrencies, the fictitious heading of assets and the establishment of fictitious companies,” Italian State Police said in a statement.

The actions in Italy were announced about a week before the country hosts the Winter Olympics in Milan, which gets underway Feb. 6.


Lawmakers wonder when Trump administration will weigh in on soon-to-expire surveillance powers

There’s a growing question on Capitol Hill as the expiration of sweeping U.S. government surveillance powers looms: Where is the Trump administration?

The Senate Judiciary Committee held a hearing Wednesday on the 2024 law that revised the surveillance authorities known as Section 702, a part of the Foreign Intelligence Surveillance Act. Advocates have said that information collected under Section 702 — under which national security officials controversially can use U.S. citizens’ personal information to query a database for collection of their electronic communications with foreign targets without a warrant — accounts for 60% of the intelligence included in the President’s Daily Briefing.

But no Trump administration witnesses testified at the hearing. Nor did any testify at a recent House hearing. Sen. Chris Coons, D-Del., said at Wednesday’s hearing that he wanted to scrutinize the changes to Section 702 under the 2024 law, which came in the wake of significant abuses of the authorities and is set to expire at the end of April.

“Today I had hoped to hear from witnesses about whether those reforms had been appropriately implemented and whether they’ve been effective, but I can’t ask those questions of officials from the government who are actually implementing those reforms because they’re not here,” he said. “We are three months from the expiration of Section 702, and the Trump administration, as best as I can discern, still has no official position on it. That is stunning.” 

“I think it’s unacceptable that with just 90 days [before expiration] the administration doesn’t know how it thinks about the program and has nobody here to explain or defend it,” Coons continued.

The top Democrat on the panel, Illinois Sen. Dick Durbin, also said he was “disappointed” the administration wasn’t at the hearing. When Durbin led the panel, he had administration witnesses appear before the committee six months before Section 702 was then set to expire at the end of 2023, and administration officials began a public push for renewal almost a year in advance of its sunset.

Frustration toward the Trump administration over its communication about Section 702 wasn’t just limited to committee Democrats. Chairman Chuck Grassley, R-Iowa, complained about how he and Durbin had written to Attorney General Pam Bondi about President Joe Biden and now Donald Trump not allowing — “despite a statutory mandate to do so” — panel members and staff to attend hearings of the Foreign Intelligence Surveillance Court that makes important decisions about the use of Section 702 authorities.

“We’ve yet to receive a meaningful response,” Grassley said.

Commenting on the administration’s absence, Grassley said Congress had a duty to consider reauthorizing Section 702 regardless of the administration’s views.

“If the administration would like to brief us in an open or closed setting, I will work to set it up,” he said. “In the meantime, the Senate Judiciary Committee needs to move ahead.”

Experts and other lawmakers have also observed the Trump administration’s relative quiet about Section 702. Trump himself has repeatedly thrown the stipulation’s future into turmoil during past renewal debates.

The National Security Agency referred a question about the administration’s views and discussions with Congress to the Defense Department. Spokespeople for the DOD, Office of the Director of National Intelligence, FBI, Justice Department and Central Intelligence Agency did not immediately respond to requests for comment.

During his nomination hearing to lead the FBI, Kash Patel testified on the importance of Section 702 authorities and not impeding them with a warrant requirement. As a member of Congress, Director of National Intelligence Tulsi Gabbard opposed renewal of Section 702, but has offered mixed signals since, including during her own nomination hearing.


Former incident responders plead guilty to ransomware attack spree

Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.

Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.

The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14. 

Goldberg and Martin confirmed in their respective plea agreements that the total losses caused by their crimes exceeded $9.5 million, according to federal court records. 

A spokesperson for DigitalMint said the company cooperated with the Justice Department throughout its investigation and supports the outcome as a step toward accountability. 

“We strongly condemn his actions, which were undertaken without the knowledge, permission or involvement of the company,” the spokesperson said in a statement. “His behavior is a clear violation of our values and ethical standards.”

Sygnia did not immediately respond to a request for comment.

Goldberg and Martin each pleaded guilty to one of the three counts brought against them — conspiracy to interfere with interstate commerce by extortion — effectively reducing their maximum penalty from 50 years in federal prison to 20 years. 

Victims impacted by the attacks over a six-month period in 2023 included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor’s office, an engineering company based in California and a drone manufacturer in Virginia, according to the indictment.

Prosecutors said Goldberg, Martin and their co-conspirator received a nearly $1.3 million ransom payment from the medical company in May 2023, but did not successfully extort a financial payment from the other victims. 

Goldberg and Martin are each ordered to forfeit $342,000, which represents the value of proceeds traced to their crimes, according to their plea agreements. The court may also fine each of them up to $250,000 and order additional restitution.

Officials said they will recommend reduced sentences for Goldberg and Martin as long as they make full, accurate and complete disclosures of their offenses and do not commit any further crimes. 

Goldberg and Martin “abused a position of public or private trust, or used a special skill, in a manner that significantly facilitated the commission or concealment” of their crimes, prosecutors said.

The unnamed co-conspirator, who also worked at DigitalMint, allegedly obtained an affiliate account on ALPHV, which the trio used to commit ransomware attacks.

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for last year’s attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

The crew is alleged to have stopped operations in March 2024.


DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts

The Justice Department notched a few more wins in the fight against North Korean cryptocurrency heists and the regime’s expansive scheme to get remote IT workers hired at U.S. businesses. 

Officials’ countermeasures to these schemes, which ultimately launder ill-gotten money to North Korea’s government, involve the targeting of U.S.-based facilitators who provide forged or stolen identities and laptop farms for North Korean operatives, and the seizure of cryptocurrency linked to theft. Law enforcement wins on both fronts are stacking up.

Oleksandr Didenko, a 28-year-old Ukrainian national, pleaded guilty to wire fraud conspiracy and aggravated identity theft in the U.S. District Court for the District of Columbia Monday for stealing the identities of U.S. citizens and selling them to overseas IT workers. His years-long scheme helped North Korean IT workers gain employment at 40 U.S. companies, officials said. 

Didenko ran a site, upworksell.com, to sell stolen identities and paid co-conspirators to receive and host laptop farms in Virginia, Tennessee and California, according to court records. Didenko managed up to 871 identities through the laptop farms and collaborated with other co-conspirators in the United States.

In late 2023, following a request from one of his customers, Didenko sent a computer to a laptop farm run by Christina Chapman in Arizona, officials said. Chapman was arrested in May 2024 and sentenced to 102 months in prison for participating in the scheme.

Didenko’s site was seized following Chapman’s arrest. In late 2024, he was arrested by Polish police and later extradited to the United States. Didenko agreed to forfeit more than $1.4 million, and his sentencing is scheduled for Feb. 19, 2026.

Justice Department officials applauded other recent court case wins, demonstrating the arduous work required to find and punish those who facilitate the North Korean remote IT worker scheme.

Three U.S. nationals — Audricus Phagnasay, 24, Jason Salazar, 30, and Alexander Paul Travis, 34 — each pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Georgia Thursday for providing U.S. identities to remote North Korean IT workers. 

The trio hosted U.S. company-provided laptops at their homes and installed remote-access software so the North Korean operatives could appear to be working in the country. The group also helped remote IT workers pass employer vetting and, in the case of Travis and Salazar, took drug tests on behalf of the North Koreans, officials said.

The scheme supported by the three men facilitated about $1.28 million in salary from victim U.S. companies from September 2019 through November 2022. Yet the financial cuts for their assistance were relatively low. Travis, an active-duty member of the U.S. Army at the time, received about $51,000, while Phagnasay and Salazar pocketed about $3,500 and $4,500, respectively.

Last week, another U.S. national, 30-year-old Erick Ntekereze Prince, pleaded guilty to wire fraud conspiracy in the U.S. District Court for the Southern District of Florida for his yearslong involvement in the North Korean IT worker scheme. Prince’s company Taggcar was contracted to supply IT workers to victim U.S. companies from June 2020 through August 2024.

Officials said Prince earned more than $89,000 from the scheme, which also involved hosting company-provided laptops at Florida residences and installing remote-access software. Prince was indicted and charged in January along with his alleged co-conspirators, who collectively obtained work for North Korean IT workers at 64 U.S. companies, earning nearly $950,000 in salary payments.

The five people who pleaded guilty during the past week impacted more than 136 U.S. victim companies, officials said. Their crimes generated more than $2.2 million for North Korea’s regime and compromised the identities of at least 18 U.S. residents. 

“These actions demonstrate the department’s comprehensive approach to disrupting North Korean efforts to finance their weapons program on the backs of Americans,” John A. Eisenberg, assistant attorney general for national security, said in a statement. “The department will use every available tool to protect our nation from this regime’s depredations.”

Finally, the Justice Department said it seized more than $15 million in cryptocurrency from APT38, a nation-state hacking group with ties to North Korea. Officials said the seized funds were traced to four separate virtual currency heists in 2023.

The post DOJ lauds series of gains against North Korean IT worker scheme, crypto thefts appeared first on CyberScoop.

Alleged 764 leader arrested in Arizona, faces life in prison

Federal law enforcement said a leader of 764, a violent extremist group, has been in federal custody since he was arrested in December and faces 29 charges for running a loose-knit collective involved in child exploitation, cyberstalking, kidnapping, animal torture, wire fraud and murder.

Baron Cain Martin, 21, of Tucson, Arizona, allegedly joined the child sextortion ring as early as 2019, eventually acting as a leader until his arrest late last year, according to an indictment unsealed Thursday in the U.S. District Court for the District of Arizona.

Martin is charged with providing material support to terrorists, producing and distributing child sexual abuse material (CSAM), coercing minors to engage in sexual activity, cyberstalking, animal crushing and conspiracy to commit wire fraud. He faces up to life in prison, many times over.

“This man’s alleged crimes are unthinkably depraved and reflect the horrific danger of 764 — if convicted, he will face severe consequences as we work to dismantle this evil network,” Attorney General Pamela Bondi said in a statement. “I urge parents to remain vigilant about the threats their children face online.”

Martin’s arrest and indictment come amid a flurry of law enforcement activity targeting 764 and its alleged members.

Federal authorities announced Martin’s arrest and unsealed charges filed against him shortly after another alleged 764 member, Tony Christopher Long, a 19-year-old California man, pleaded not guilty to multiple charges carrying a maximum penalty of up to 69 years in prison related to his alleged involvement in the nihilistic violent extremist group.

Two alleged leaders of 764 were arrested and charged for directing and distributing CSAM in April. The two men, Leonidas Varagiannis and Prasan Nepal, are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

“Law enforcement is dogpiling these people and I think that’s great,” Allison Nixon, chief research officer at Unit221B, told CyberScoop.

“They don’t stop until they are physically ripped off the computer,” she said. “The enormous amount of charges isn’t surprising.”

764 is an offshoot of The Com, a global collective of loosely associated groups spanning thousands of people, typically between 11 and 25 years old, that commit financially motivated, sexual and violent crimes. The FBI previously said members of 764 and related groups are driven by a range of personal motives, including notoriety, sexual gratification or a sense of belonging. 

“[Martin’s] actions as a leader of this criminal network were so atrocious and extreme that he is charged with supporting terrorism,” FBI Director Kash Patel said in a statement. “It’s alleged that Martin not only committed these crimes but wrote and posted a guide for others to use to identify, groom, and extort their own victims.”

Nixon, who has tracked the rise of English-speaking cybercrime for more than a decade, said she found the grooming guide Martin allegedly produced and distributed online. The guide included details about how to identify, groom and extort vulnerable children and advised readers to target victims struggling with mental health, officials said.

Other federal law enforcement officials described Martin’s alleged crimes as “so depraved they defy comprehension,” “an assault on the basic foundations of human decency,” and “promoting some of the sickest forms of human depravity.”

Martin, also known by the online moniker “Convict” among many others, allegedly provided assistance as personnel, service and expert advice to carry out a conspiracy to kill or maim a person in a foreign country, according to authorities. He is also accused of conspiring with others to coerce a victim living outside the United States to self-harm, self-maim and self-kill, officials said.

“He was respected in these communities because of his acts and was influential,” Nixon said. “I would agree he was a leader, and his friends will be reading his court documents with admiration.”

Martin is charged with five counts of producing CSAM, 11 counts of distributing CSAM and three counts of coercing minors to engage in sexual activity. He is accused of victimizing at least nine victims, eight of whom were between the ages of 11 and 15 years old at the time.

“The FBI will not stop until we find those who perpetrate these horrific crimes that prey on the most vulnerable members of our communities,” Patel said.

The post Alleged 764 leader arrested in Arizona, faces life in prison appeared first on CyberScoop.
