Authorities from 21 countries took down 53 domains and arrested four people allegedly involved in distributed denial-of-service operations used by more than 75,000 cybercriminals, Europol said Thursday. 

The globally coordinated effort dubbed “Operation PowerOFF” disrupted booter services and seized and dismantled infrastructure, including servers and databases, that supported the DDoS-for-hire services, officials said.

Law enforcement agencies obtained data on more than 3 million alleged criminal user accounts from the seized databases, and ultimately sent more than 75,000 emails and letters to participants, warning them to halt their activities.

Officials from the countries involved in the operation also served 25 search warrants, removed more than 100 URLs advertising DDoS-for-hire services in search engine results and created search engine ads to target young people searching for DDoS-for-hire tools.

The operation, which is ongoing, primarily targets IP stressors or DDoS booters that cybercriminals use to inundate websites, servers and networks with junk traffic, rendering legitimate services inaccessible. 

Officials described DDoS-for-hire tools as prolific and easily accessible, often including tutorials that allow non-tech savvy people to initiate attacks on various organizations.

“Attacks are often regionally focused, with users targeting servers and websites within their continent, and directed at a wide range of targets including online marketplaces, telecommunications providers and other web-based services,” Europol said in a news release. “Motivations vary from curiosity to ideological purposes linked to hacktivism, as well as financial gain through extortion or the disruption of competitors’ services.”

Operation PowerOFF is supported by multiple law enforcement agencies from the United States, United Kingdom, Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Norway, Poland, Portugal, Sweden and Thailand.

The international crackdown disrupted other popular DDoS-for-hire services in late 2024, netting three arrests and 27 domain takedowns. Authorities in Poland in May arrested four alleged administrators of DDoS-for-hire tools that cybercriminals used to launch thousands of attacks from 2022 to 2025.

The post Officials seize 53 DDoS-for-hire domains in ongoing crackdown appeared first on CyberScoop.

Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.

Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.

The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.

“Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

SocksEscort’s operators assembled the botnet by exploiting a vulnerability in residential modems from an unnamed vendor, according to officials.

The cybercrime operation defrauded Americans and U.S. businesses of millions of dollars, the Justice Department said. More than one-quarter of the 8,000 infected routers SocksEscort advertised in February were based in the United States.  

SocksEscort began operating in 2009 and its command-and-control infrastructure went undetected by most tools for a very long time, Ryan English, information security engineer at Black Lotus Labs, told CyberScoop.

The botnet’s infrastructure, which was powered by AVRecon malware, was elusive and maintained a consistently high volume, claiming an average 20,000 victims weekly since early 2024. Its impact peaked in January 2025 when it ensnared more than 15,000 victims daily, according to Black Lotus Labs’ research. 

The company said it observed 280,000 unique IPs as victims of the proxy network since early 2025, and more than half of SocksEscort’s victims were based in the United States and United Kingdom.

“Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after,” Chris Formosa, senior lead information security engineer at Black Lotus Labs, told CyberScoop. 

“They were exclusively marketing to cybercriminals and nowhere else,” he added. “With a network like this, once law enforcement gains legal access to backend infrastructure it can give them a lot of intelligence on other threat actors besides the botnet operators.”

Various agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands and Romania assisted in the investigation and takedown.

The post Authorities takedown global proxy network SocksEscort appeared first on CyberScoop.

Tycoon 2FA, a major phishing kit and platform that allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks, was dismantled Wednesday by a global coalition of security companies and law enforcement agencies.

Microsoft, which led the effort alongside Europol and authorities from six countries and 11 security firms or organizations, said it seized 330 domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages.

The platform, which emerged in August 2023, was responsible for tens of millions of phishing messages that reached more than 500,000 organizations globally each month, according to Microsoft Threat Intelligence. Thousands of cybercriminals used Tycoon 2FA to break into email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive and Google services.

“By mid‑2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post about the takedown. 

“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Masada added. 

The phishing kit, which was developed and advertised by a group Microsoft tracks as Storm-1747, was sold to cybercriminals on Telegram and Signal for $350 a month. The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track and refine their campaigns.

The platform also provided cybercriminals with pre-built templates, attachment files for common phishing lures, domain and hosting configuration and redirect logic, Microsoft said. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million messages in November 2025.

Organizations in education and health care were hit hardest by phishing attacks enabled by Tycoon 2FA. More than 100 members of Health-ISAC, a co-plaintiff in the court case filed in the U.S. District Court for the Southern District of New York, were successfully phished, Masada said. 

Two hospitals, six schools and three universities in New York confronted attempts or successful compromises via Tycoon 2FA, resulting in incidents that disrupted operations, diverted resources and delayed patient care, he added. 

Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi and four unnamed associates, demanding a $10 million injunction, for developing, running and selling Tycoon 2FA. The court order allowed Microsoft to dismantle and take ownership of Tycoon 2FA’s technical infrastructure.

Authorities from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom assisted with the operation alongside Cloudflare, Coinbase, Crowell & Moring, eSentire, Intel 471, Proofpoint, Resecurity, Shadowserver, SpyCloud and Trend Micro. 

Selena Larson, staff threat researcher at Proofpoint who provided a formal declaration in support of the court order, said Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks observed by Proofpoint. 

“Tycoon was the biggest MFA phishing threat in our data, and we anticipate seeing a significant decrease after this operation,” she told CyberScoop.

“Many customers will find their hacking tool is no longer working, and even if Tycoon 2FA is able to create new domains and infrastructure, the brand will be significantly harmed, with customers either purchasing less effective phishing kit, or potentially rethinking their life choices and getting out of the game,” Larson added.

Tycoon 2FA’s easy-to-use and robust capabilities contributed to its popularity, researchers said. The platform’s codebase was updated regularly and operators generated a high volume of subdomains for brief periods before abandoning them and moving on to new domains.

Researchers said the rapid turnover and shifts to temporary infrastructure complicated efforts to detect and block new campaigns.

The Tycoon 2FA takedown follows a recent wave of cybercrime crackdowns, including actions against Racoon0365 and the Lumma Stealer infostealer operation, which infected about 10 million systems.

The post Global coalition dismantles Tycoon 2FA phishing kit appeared first on CyberScoop.

Authorities from 14 countries shut down LeakBase, seized its domains and arrested multiple people allegedly involved in the cybercrime marketplace for stolen data and hacking tools, the Justice Department said Wednesday.

LeakBase had more than 142,000 members, ranking it among the world’s largest forums for cybercriminals. The site, which was available on the open web, contained a massive archive of hacked databases including hundreds of millions of account credentials, officials said. 

The stolen databases, which included data from U.S. corporations and individuals, were linked to many high-profile attacks, according to officials. Data seized by authorities revealed a trove of credit and debit card numbers, banking account and routing information, credentials for account takeovers, sensitive business records and personally identifiable information. 

“The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes,” Brett Leatherman, assistant director at the FBI’s cyber division, said in a statement. 

Law enforcement agencies involved in the globally coordinated takedown operation, which began Tuesday, executed search warrants, made arrests and interviewed people in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom.

Officials did not immediately name any suspects, but some of the activity occurred in San Diego and Provo, Utah. Officials said the FBI’s field offices in San Diego and Salt Lake City, which is investigating the case, participated in the operation domestically. The Provo Police Department was also involved.

“Hiding behind a screen does not shield cybercriminals from accountability,” Robert Bohls, special agent in charge at the FBI Salt Lake City field office, said in a statement.

Authorities identified multiple users who believed they were operating anonymously by seizing the forum’s database.

“This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide,” Bohls added. “Together, we will continue to identify, dismantle, and hold accountable those who seek to profit from cybercrime, no matter where they operate.”

Europol, which hosted the coordinated operation in The Hague, described LeakBase as a “central hub in the cybercrime ecosystem” that specialized in leaked databases and stealer logs. The English-language site, which has been active since 2021, contained more than 32,000 posts and more than 215,000 private messages. 

Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users Tuesday, according to Europol.

The technical disruption phase got underway Wednesday and the site now displays a seizure page. Officials from Canada, Germany, Greece, Kosovo, Malaysia and The Netherlands also support the investigation.

“Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals,” Leatherman said. “The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”

The post Authorities from 14 countries shut down major cybercrime forum LeakBase appeared first on CyberScoop.

A global law enforcement effort has taken root to combat The Com, a sprawling nihilistic network of thousands of minors and young adults engaged in various forms of cybercrime, including physical violence and extortion.

Project Compass, an operation coordinated by Europol with support from 28 countries, including all members of the Five Eyes, has resulted in the arrest of 30 perpetrators since the initiative got underway in January 2025, authorities said in a news release Thursday. 

Officials said sustained countermeasures have contributed to the full and partial identification of 179 perpetrators, while the operation has also safeguarded four victims and identified up to 62 victims. 

The Com is splintered into three primary subsets with different objectives the FBI describes as Hacker Com, In Real Life Com and Extortion Com. Crimes attributed to group members have grown increasingly complex, with perpetrators going to great lengths to mask identities, hide financial transactions and launder money. 

“These networks deliberately target children in the digital spaces where they feel most at ease,” Anna Sjöberg, head of Europol’s European Counter Terrorism Centre, said in a statement.

Various branches of The Com have been linked to high-profile crimes over the past few years, and law enforcement has responded with heightened activity and interest in the group’s activities. 

The Com is vast — many perpetrators remain at large and even more victims are still suffering and awaiting aid. 

This growing global effort to thwart shifting crime trends with appropriate resources has built a foundation that will foster results beyond those achieved to date, said Allison Nixon, chief research officer at Unit 221B.

“How do you eat an elephant? One bite at a time,” she told CyberScoop. “The Com represents a major social problem impacting youth, and peoples’ expectations need to be realistic. These early numbers and ramping up effort over time is what success looks like and we need to encourage that.”

An effective police response to The Com requires a different way of thinking and retooling, “but it is more solvable than crime originating from hostile nations,” Nixon said.

Project Compass is built around an information-sharing network, which enables each of the partner nations to assist with investigations across various specialized units. Countries are also sharing advice for preventative measures and mobilizing data sprints to bring intelligence together for ongoing cases.

“Project Compass allows us to intervene earlier, safeguard victims and disrupt those who exploit vulnerability for extremist purposes,” Sjöberg said. “No country can address this threat alone — and through this cooperation, we are closing the gaps they try to hide in.”

Europol did not identify the 30 people arrested under Project Compass thus far. Yet, at least some of those cases are public. 

Authorities during the past year have arrested multiple members of a Com offshoot known as 764, which is a growing online threat to coerce vulnerable children to produce child sexual abuse material of themselves, gor material, self mutilation, sibling abuse, animal abuses and other acts of violence. 

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April.

Tony Christoper Long and Alexis Aldair Chavez both pleaded guilty late last year to multiple crimes linked to their involvement with the extremist group. Other alleged 764 members have been arrested in the United States more recently, including Erik Lee Madison and Aaron Corey.

The post Project Compass is Europol’s new playbook for taking on The Com appeared first on CyberScoop.

Law enforcement agencies from multiple European countries are still pursuing leads on people involved in the Black Basta ransomware group, nearly a year after the group’s internal chat logs were leaked, exposing key details about its operations, and at least six months since the group claimed responsibility for new attacks.

Officials in Ukraine and Germany said they raided the homes of two Russian nationals accused of participating in Black Basta’s crimes and effectively halted their operations. The pair of alleged criminals who were living in Ukraine were not named.

German police publicly identified a third Russian national — Oleg Evgenievich Nefedov — as Black Basta’s alleged leader. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 other countries globally. Nefedov’s current whereabouts are unknown, but he is believed to be living in Russia.

Authorities said Nefedov may have previously been involved with the Conti ransomware group, which disbanded in 2022 after its internal messages were also leaked. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024. 

Police said they seized data and cryptocurrency assets during their searches of the alleged Black Basta participants’ residences in Ivano-Frankivsk and Lviv, Ukraine, but they did not provide further detail about what the evidence revealed.

The pair of alleged Black Basta co-conspirators are accused of specializing in stealing credentials, which were used to break into targeted companies’ networks, steal confidential data and launch malware to encrypt data for extortion attempts.

International law enforcement agencies’ ongoing efforts to target Black Basta and its alleged participants underscores a sustained effort to track cybercriminals despite the group’s relative dormancy. 

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment, said Allan Liska, threat intelligence analyst at Recorded Future.

“Even if Black Basta hasn’t been active, it doesn’t mean that the people behind it haven’t been,” he said.

Ransomware experts said Nefedov’s ringleader position at Black Basta and his previous involvement with Conti was already known in law enforcement and threat intelligence circles.

“The accusation signals less about the impact of Black Basta and more about the significance of Nefedov,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. 

The formal naming and request for information on Nefedov aligns with a broader law enforcement strategy to target core leadership responsible for orchestrating cyberattacks, Gray added.

Ransomware response is a never-ending pursuit that consistentely attracts new players and new groups at a faster clip than law enforcement can manage. 

“You cut one head off and two appear,” Liska said. “You still have to cut the head off, you still have to stop the activity.”

While ransomware activity remains elevated, law enforcement is sticking to multidimensional countermeasures by targeting operators and affiliates, initial access brokers, infostealers, infrastructure providers and key services criminals use to deploy or facilitate the ransomware ecosystem.

These takedowns, seizures, indictments and arrests are sometimes organized under ongoing international sting operations such as Operation Endgame, which has neutralized malware networks, remote access trojans, botnets and other cybercrime enablers. 

“These operations can’t be one-and-done,” Liska said. “They have to be interconnected and use that intelligence to build more cases against other actors.”

The post Black Basta’s alleged ringleader identified as authorities raid homes of other members appeared first on CyberScoop.

Microsoft announced Wednesday that it worked with international law enforcement to seize infrastructure used to run cybercrime subscription service RedVDS and organized civil actions in the United States and United Kingdom to disrupt its further use. 

RedVDS has enabled at least $40 million in fraud losses in the U.S. since March 2025, according to Microsoft. Victims that are joining Microsoft as co-plaintiffs in the civil action include Alabama-based H2 Pharma, a pharmaceutical company that lost more than $7.3 million, and Florida-based Gatehouse Dock Condominium Association, which was tricked out of nearly $500,000. 

“For as little as US $24 a month, RedVDS provides criminals with access to disposable virtual computers that make fraud cheap, scalable and difficult to trace,” Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said in a blog post. “It provides access to cheap, effective, and disposable virtual computers running unlicensed software, including Windows, allowing criminals to operate quickly, anonymously and across borders.”

Microsoft said a joint operation with Europol and authorities in Germany allowed it to seize RedVDS’s infrastructure and take the marketplace offline. Cybercriminals used the site, which included a loyalty program and referral bonuses for customers, to send high-volume phishing attacks, host infrastructure for scams and facilitate fraud such as business email compromise.

Microsoft customers were among those impacted by RedVDS’s tools and services. 

“Since September 2025, RedVDS‑enabled attacks have led to the compromise or fraudulent access of more than 191,000 Microsoft email accounts across over 130,000 organizations worldwide,” Masada said in the blog post. “These figures represent only a subset of the impacted accounts across all technology providers, illustrating how quickly this infrastructure increases the scale of cyberattacks.”

Over the course of a month, more than 2,600 RedVDS virtual machines sent Microsoft customers an average of one million phishing messages per day, Masada added. 

RedVDS facilitated payment diversion fraud against organizations like H2 Pharma and the Gatehouse Dock Condominium Association through business email compromise. The marketplace was also used to compromise the accounts of realtors, escrow agents and title companies to divert payments, according to Microsoft.

More than 9,000 customers, many in Canada and Australia, were directly impacted by real estate-related fraud aided by RedVDS. Microsoft Threat Intelligence said other scams enabled by RedVDS hit organizations in construction, manufacturing, healthcare, logistics, education and legal services.

Researchers said the marketplace’s user interface was loaded with features that allowed eager cybercriminals to purchase unlicensed and inexpensive Windows-based remote desktop protocol servers with full administrator control. RedVDS reused a single, cloned Windows host image across the service, which allowed researchers to find unique technical fingerprints.

The group that develops and operates RedVDS is tracked by Microsoft as Storm-2470. At least five additional cybercrime groups and cybercriminals who used the Racoon0365 phishing service prior to its takedown in October were also using RedVDS infrastructure, according to Microsoft Threat Intelligence.

RedVDS’s site first launched in 2019 and has remained in operation since providing servers in the U.S., U.K., Canada, France, the Netherlands and Germany. The marketplace “has become a prolific tool for cybercriminals in the past year, facilitating thousands of attacks, including credential theft, account takeovers and mass phishing,” researchers said in a report.

RedVDS rented servers from third-party hosting providers, including at least five hosting companies in the U.S., Canada, U.K., France and the Netherlands. This allowed RedVDS to provision IP addresses in geolocations close to targets, allowing cybercriminals to evade location-based security filters and blend in with normal data center traffic, researchers added. 

“Cybercrime today is powered by shared infrastructure, which means disrupting individual attackers is not enough,” Masada said. “Through this coordinated action, Microsoft has disrupted RedVDS’s operations, including seizing two domains that host the RedVDS marketplace and customer portal, while also laying the groundwork to identify the individuals behind them.”

The post Microsoft seizes RedVDS infrastructure, disrupts fast-growing cybercrime marketplace appeared first on CyberScoop.

Authorities arrested 34 alleged cybercriminals in Spain, including some leaders of Black Axe, a transnational criminal organization responsible for adversary-in-the-middle scams such as business email compromise, money laundering and vehicle trafficking, the Spanish National Police said Friday.

A coordinated law enforcement operation that fanned out to Seville, Madrid, Malaga and Barcelona significantly disrupted the group’s activities, according to Europol, which supported the takedown alongside officers from Germany.

Officials targeted the organized crime network’s leadership and froze $139,000 in bank accounts. Police also seized $77,000 in cash, five vehicles and devices allegedly used for criminal activity.

Europol described Black Axe as a highly structured, hierarchical group that generates billions of dollars in criminal proceeds annually from many small-scale operations spanning dozens of countries. The group’s leaders, including 10 people arrested last week, are Nigerian nationals, authorities said. 

The Spanish National Police began investigating the group, which specializes in corporate fraud through business email compromise, in September 2023. Black Axe used an extensive network to conceal their money and recruited money mules throughout Europe to receive, transfer and withdraw funds from the scams, officials said. 

The group also allegedly established shell companies to acquire vehicles and then deliberately defaulted on payments before renting or selling the vehicles. Europol investigators estimate Black Axe is responsible for more than $6.9 million in fraud. 

Black Axe was involved in other criminal activities, including drug trafficking, human trafficking and prostitution, kidnapping and armed robbery, officials said. 

The Spanish National Police said four of Black Axe’s main leaders remain in custody and face charges for aggravated fraud, membership in a criminal organization, money laundering, document forgery and obstruction of justice.

The post Spanish police disrupt Black Axe, arrest alleged leaders in action spanning four cities appeared first on CyberScoop.

European authorities shut down and seized the assets of Cryptomixer, a cryptocurrency mixing service that allegedly facilitated more than $1.5 billion in money laundering for cybercriminals and other illegal activity, Europol said Monday. 

The weeklong operation, part of “Operation Olympia,” netted the seizure of nearly $28 million in Bitcoin, three servers in Switzerland, the cryptomixer.io domain and more than 12 terabytes of data, officials said. The site currently displays a seizure notice, warning that anyone using or operating cybercriminal services is subject to investigation and prosecution. 

The takedown is part of a broader global law enforcement effort to disrupt, confiscate and obtain additional information on the various services cybercriminals rely upon and the individuals leading these operations. 

Cryptomixer, which was accessible on the clear and dark web, mixed more than $1.5 billion in Bitcoin through its infrastructure since its founding in 2016, according to Europol. Officials described the mixing service as “the platform of choice” for cybercriminals and various crimes, including ransomware, payment card fraud, and drugs and weapons trafficking. 

“Deposited funds from various users were pooled for a long and randomised period before being redistributed to destination addresses, again at random times,” Europol said. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges.”

North Korean-linked Lazarus Group used Cryptomixer and similar services before it shifted to high-volume attacks, according to TRM Labs. Lazarus Group stole $1.46 billion in Ethereum from Bybit in February and laundered $160 million within two days of the attack. 

“North Korea now appears to prioritize speed and automation over traditional anonymity,” researchers said in the wake of the largest cryptocurrency theft on record.

Officials also referenced the 2023 takedown of ChipMixer, the largest mixing service at that time, as an example of law enforcement agencies’ sustained effort to target cryptocurrency mixing services. ChipMixer was allegedly responsible for more than $3 billion in transactions since it began operations in 2017.

The Cryptomixer shutdown drew support from Europol, Eurojust and multiple law enforcement agencies from Germany and Switzerland.

The post Authorities take down Cryptomixer, seize $28M in Switzerland appeared first on CyberScoop.

Federal cyber authorities shared new details Thursday about the Akira ransomware group’s techniques, the tools it uses and vulnerabilities it exploits for initial access alongside the release of a joint cybersecurity advisory.

Members of the financially motivated group, which initially appeared in March 2023, are associated with other threat groups, including Storm-1567, Howling Scorpius, Punk Spider, Gold Sahara, and may have connections with the disbanded Conti ransomware group, officials said. Akira uses a double-extortion model, encrypting systems after stealing data to amplify pressure on victims.

Akira ransomware has claimed more than $244 million in ransomware proceeds as of late September, the FBI and Cybersecurity and Infrastructure Security agency said in the joint advisory. The group primarily targets small- and medium-sized businesses with many victims impacted in the manufacturing, education, IT, health care, financial and agriculture sectors.

“For the FBI, it is within the top five variants that we investigate,” Brett Leatherman, assistant director at the FBI Cyber Division, said during a media briefing Thursday. “It’s consequential. This group is very consequential that they fall likely within our top five.”

Ransomware is the FBI’s top cybercriminal threat, which is “enormous in terms of the amount of losses, the number of active variants and its disruptive effect,” he said. “The FBI is investigating over 130 ransomware variants targeting U.S. businesses in just about any critical infrastructure sector you can think of.”

The advisory, which was also supported by Europol and cyber authorities in France, Germany and the Netherlands, included six new vulnerabilities Akira is known to exploit, including defects affecting Cisco firewalls and virtual private networks, Windows, VMware ESXi, Veeam Backup and Replication and SonicWall firewalls.

“We know that they are actively looking at the vulnerabilities disclosed in [the joint advisory] in order to monetize their activity,” Leatherman said. 

Researchers previously warned that Akira hit about 40 victims by exploiting CVE-2024-40766, a year-old vulnerability, between mid-July and early August. That burst was followed by another wave of ransomware attacks linked to active exploits of the defect.

The joint advisory, which updates previous guidance around hunting for and defending against Akira, was not in response to any specific attack, said Nick Andersen, executive assistant director for cybersecurity at CISA. 

“It’s more a reflection of the reality that our nation’s ransomware adversaries are continuously evolving their tactics and therefore it’s critical that we improve our defenses as well,” he said. 

Akira operates with quickness, exfiltrating data in just over two hours from initial access in some incidents, according to the advisory. 

The FBI and researchers have observed Akira break into systems using stolen credentials, vulnerabilities, brute-force and password-spraying attacks. Authorities said Akira has abused remote access tools such as AnyDesk and LogMeIn to maintain persistence, created new accounts to establish footholds, and leveraged tools to escalate privileges. 

Some of the indicators of compromise were observed as recently as this month, Leatherman said. 

“Actors are incredibly adaptable and are emphasizing operational security in their actions. Their attacks are increasingly becoming more sophisticated, complex and layered,” he added. “They can be extremely costly for victims, often with remediation costs far outpacing those of the original demand.”

The post FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses appeared first on CyberScoop.

In a sweeping international crackdown coordinated from Europol’s headquarters, law enforcement agencies from the United States and 10 other countries have disrupted three of the world’s most widely used cybercriminal malware operations. Conducted Nov. 10-13, Operation Endgame focused on neutralizing the Rhadamanthys info-stealing malware, the VenomRAT remote access trojan, and the Elysium botnet — tools authorities say enabled hackers to infect hundreds of thousands of computers and steal millions of sensitive credentials across the globe.

The effort involved law enforcement and judicial agencies from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. According to Europol, the operation led to the arrest of the main VenomRAT suspect in Greece on Nov. 3, searches of 11 locations across Europe, and the seizure or disruption of 1,025 servers and 20 internet domains used by criminals. Coordinated support from over 30 private cybersecurity organizations further assisted the investigation, with companies such as Crowdstrike, Proofpoint, Bitdefender, and the Shadowserver Foundation helping to analyze malicious activity and notify affected network operators.

The law enforcement action is the latest phase of Operation Endgame, an ongoing international initiative to curtail ransomware and malware infrastructure. Previous phases of the operation targeted similar cybercrime enablers over the past two years. Officials said the dismantled infrastructure included hundreds of thousands of computers running malware and several million stolen credentials.

The Shadowserver Foundation, which aggregates global malware infection data, said it sent alerts about Rhadamanthys infections between March and November to national security response teams in 175 countries and more than 10,000 network owners. Europol added that the principal suspect behind the infostealer controlled access to over 100,000 cryptocurrency wallets, with potential losses reaching millions of euros. Many victims whose credentials and devices were compromised continued to operate their systems unaware, authorities said.

VenomRAT, which evolved from earlier remote access trojans, was reportedly marketed for around $150 per month and delivered primarily through malicious email attachments. It allowed users to open backdoors on compromised computers, effectively taking over devices remotely and sometimes exfiltrating sensitive data or launching additional attacks.

Authorities also contacted users of compromised criminal services, appealing for information and exposing some users through an operation-dedicated website and Telegram channel. As these offenders increasingly leverage global infrastructure, authorities suggest that coordinated responses are likely to remain a key feature in future takedowns. 

Operation Endgame is ongoing, with officials indicating that additional actions may follow as investigations continue.

The post Operation Endgame targets malware networks in global crackdown appeared first on CyberScoop.