Federal authorities seized 127,271 Bitcoin, valued at approximately $15 billion, from Chen Zhi, the alleged leader of a sprawling cybercrime network based in Cambodia, the Justice Department said Tuesday. Officials said it’s the largest financial seizure on record.

“Today’s action represents one of the most significant strikes ever against the global scourge of human trafficking and cyber-enabled financial fraud,” Attorney General Pamela Bondi said in a statement.

Officials said Chen, a 38-year-old United Kingdom and Cambodian national who has renounced his Chinese citizenship, built a business empire under the Prince Group umbrella headquartered in Phnom Penh, Cambodia, that constructs, operates and manages scam compounds that rely on human trafficking and modern-day slavery. 

A criminal indictment against Chen was also unsealed in the U.S. District Court for the Eastern District of New York. He remains at large and the FBI is seeking information about his whereabouts. Chen faces up to 40 years in prison for his alleged crimes.

Chen is accused of founding and running Prince Group since 2015, resulting in a global expansion that has brought the cybercrime network’s operations to dozens of entities spanning more than 30 countries. 

Officials said Chen was directly involved in managing the scam compounds and committed violence against people in the forced labor camps where schemes targeted victims around the world, including in the United States. One network based in Brooklyn, New York, scammed more than 250 people in New York and across the country out of millions of dollars, according to the indictment.

Authorities in the U.S. and U.K also imposed coordinated sanctions against the Prince Group’s cybercrime networks in Southeast Asia accused of long-running investment scams and money laundering operations. 

Officials said the sanctions against people and organizations involved with the Prince Group transnational criminal organization and its severing of Huione Group from the U.S. financial system mark the most extensive action taken against cybercrime operations in the region to date.

“The rapid rise of transnational fraud has cost American citizens billions of dollars, with life savings wiped out in minutes,” Treasury Secretary Scott Bessent said in a statement. 

The agency’s Office of Foreign Assets Control imposed sanctions on 146 people and organizations participating in Prince Group TCO, while the Financial Crimes Enforcement Network issued a rule under the USA PATRIOT Act to sever Cambodia-based financial services conglomerate Huione Group from the U.S. financial system.

OFAC also sanctioned a network of 117 illegitimate businesses affiliated with Prince Group. The agency published a complete list of people and entities sanctioned as part of the sweeping action.

Authorities said Prince Group is prolific and remains a dominant player in Cambodia’s scam economy, responsible for billions of dollars in illicit financial transactions. U.S. government officials estimate Americans lost more than $10 billion to Southeast Asia-based scam operations last year, noting that U.S. online investment scams surpass $16.6 billion.

Huione Group has allegedly laundered proceeds from cyberattacks initiated by North Korea and transnational criminal organizations in Southeast Asia responsible for virtual currency investment scams, authorities said. The organization laundered more than $4 billion in illicit proceeds between August 2021 and January 2025, the Treasury Department said. 

The U.K.’s Foreign, Commonwealth, and Development Office also participated in the crackdown by imposing sanctions on Prince Holding Group, its alleged leader Chen and key associates. 

“Today, the FBI and partners executed one of the largest financial fraud takedowns in history,” FBI Director Kash Patel said in a statement.

The post Officials crack down on Southeast Asia cybercrime networks, seize $15B appeared first on CyberScoop.

North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America’s borders. 

Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as technology companies represent only half of all targeted victims, threat researchers at Okta said in a report this week.

Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said. 

North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta’s research, more North Koreans are now applying for remote finance positions, such as payments processors, and engineering roles.

While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta’s analysis. 

Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.

Okta acknowledges this only reflects a small sample of North Korea’s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries. 

“It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” Okta threat researchers said in the report.

Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea’s scheme. In April, Mandiant said hundreds of Fortune 500 organizations have unwittingly hired North Korean IT workers. 

CrowdStrike, in August, said it observed a 220% year-over-year increase in North Korean IT worker activity, amounting to 320 incident response cases in the past year. The Justice and Treasury Departments have seized cryptocurrency, issued indictments and sanctioned people and entities allegedly involved in the yearslong scheme.

Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles. 

Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.

Okta cautioned that non-U.S.-based companies are likely less skilled and concerned with finding North Korean job applicants because the scheme was largely viewed as a U.S. technology industry problem. This creates an elevated problem in newly targeted countries, researchers said. 

“Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said in the report. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”

The post North Korea IT worker scheme swells beyond US companies appeared first on CyberScoop.

Federal authorities on Monday imposed sanctions on 19 people and organizations allegedly involved in major cyberscam hubs in Burma and Cambodia.

“Criminal actors across Southeast Asia have increasingly exploited the vulnerabilities of Americans online,” Secretary of State Marco Rubio said in a statement. “In 2024, Americans lost at least $10 billion to scam operations in Southeast Asia, according to a U.S. government estimate.” That’s a 66% increase from the prior year, officials said. 

People who staff these scam centers are often victimized as well. Criminal organizations in Southeast Asia recruit workers under false pretenses and use debt bondage, violence, and threats of forced prostitution to coerce them to scam strangers online via messaging apps or text messages, authorities said.

The Treasury Department’s Office of Foreign Assets Control levied sanctions against nine targets operating in Shwe Kokko, Burma, which it described as a “notorious hub for virtual currency investment scams under the protection of the OFAC-designated Karen National Army.” KNA was sanctioned as a transnational criminal organization in May. 

Tin Win, Saw Min Min Oo, Chit Linn Myaing Co., Chit Linn Myaing Toyota Co., Chit Linn Myaing Mining & Industry Co., Shwe Myint Thaung Yinn Industry and Manufacturing Co., She Zhijang, Yatai International Holdings Group and Myanmar Yatai International Holding Group Co. were all sanctioned for their alleged involvement in these scam centers near Burma’s border with Thailand.

She Shijiang and Saw Chit Thu, the leader of the KNA who was previously sanctioned in May, are accused of transforming a small village in Shwe Kokko into a city built for gambling, drug trafficking, prostitution and a compound of scam centers. Tin Win and Saw Min Min Oo allegedly control property that hosts the scam centers and personally run organizations that support the operations.

“Southeast Asia’s cyber scam industry not only threatens the well-being and financial security of Americans, but also subjects thousands of people to modern slavery,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a statement.

The Treasury Department also sanctioned four people and six organizations for their alleged involvement in forced labor compounds in Cambodia that operate virtual currency investment scams targeting victims in the United States, Europe, China and elsewhere. 

T C Capital Co., K B Hotel Co., K B X Investment Co., M D S Heng He Investment Co., Heng He Bavet Property Co., HH Bank Cambodia, Dong Lecheng, Xu Aimin, Chen Al Len and Su Liangsheng were all sanctioned for their alleged involvement in scam centers in Cambodia. 

“These sanctions protect Americans from the pervasive threat of online scam operations by disrupting the ability of criminal networks to perpetuate industrial-scale fraud, forced labor, physical and sexual abuse, and theft of Americans’ hard-earned savings,” Rubio said.

The post Treasury Department targets Southeast Asia scam hubs with sanctions appeared first on CyberScoop.

The Treasury Department on Wednesday expanded efforts to disrupt the pervasive North Korean technical worker scheme by imposing sanctions on people and organizations serving as facilitators and fronts for the country’s years-long conspiracy effort to defraud businesses and earn money despite international sanctions. 

Vitaly Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corp. were all sanctioned by the Treasury Department’s Office of Foreign Assets Control for their alleged roles in the scheme orchestrated by the North Korean government. 

Officials accuse the regime of hatching and maintaining an expansive operation that funnels money to its weapons and missiles programs by placing teams of specialized workers in IT jobs in the United States and elsewhere using fraudulent documents, stolen identities and false personas to hide their North Korean nationality.

“The North Korean regime continues to target American businesses through fraud schemes involving its overseas IT workers, who steal data and demand ransom,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a written statement.

As the sanctions-evading scheme has grown, so too has the U.S. government’s response. Officials continue to target people and organizations involved, and Wednesday’s action follows the Justice Department’s seizure of $7.74 million from North Korean nationals who allegedly attempted to launder cryptocurrency obtained by IT workers who gained illegal employment as part of the scheme. 

Andreyev, a 44-year-old Russian national, allegedly facilitates payments to Chinyong Information Technology Cooperation Co., an outfit associated with North Korea’s Ministry of Defense that was targeted in the cryptocurrency seizure and previously sanctioned, according to the Treasury Department. Chinyong employs teams of IT workers in Russia and Laos, according to officials.

“Since at least December 2024, Andreyev has worked with Kim Ung Sun, a Russia-based Democratic People’s Republic of Korea economic and trade consular official, to facilitate multiple financial transfers worth a total of nearly $600,000, by converting cryptocurrency to cash in U.S. dollars,” the Treasury Department said in the sanctions announcement.

Officials said Shenyang Geumpungri is a Chinese front company for Chingyong, which manages a group of North Korean IT workers that have earned more than $1 million in profits for Chinyong and Sinjin, an affiliate of the regime’s General Political Bureau.

The Treasury Department earlier this summer imposed another set of sanctions on people and organizations allegedly involved in the North Korea IT worker scheme. In late July, the State Department announced a reward up to $15 million for information leading to the arrest of seven North Korean nationals accused of multiple crimes, including cryptocurrency theft, fraudulent remote IT work and tobacco smuggling.

The post Treasury sanctions North Korea IT worker scheme facilitators and front organizations appeared first on CyberScoop.

U.S. officials imposed sanctions Thursday on Russian cryptocurrency exchange Garantex, its successor Grinex, and related affiliates, while also targeting its leaders for arrest with financial rewards. These measures are part of intensified efforts to halt the flow of ransomware proceeds facilitated by the platforms.

The Treasury Department’s Office of Foreign Assets Control re-designated Garantex for sanctions, accusing its operators of processing more than $100 million in illicit transactions since 2019. The State Department announced financial rewards totaling up to $6 million for information leading to the arrest or conviction of Garantex’s leaders, including up to $5 million for Russian national Aleksandr Mira Serda, the exchange’s co-founder and chief commercial officer.

Authorities expanded their targeting of Garantex, its leaders and associated companies following a sweeping international law enforcement operation in March when officials seized three domains linked to the exchange, confiscated servers, froze more than $26 million in cryptocurrency and indicted its leaders. 

One of those leaders, Aleksej Besciokov, was arrested in March while on vacation in India shortly after the Justice Department unsealed indictments against him and Mira Serda, officials said. OFAC also imposed sanctions on Sergey Mendelev, co-founder of Garantex, and Pavel Karavatsky, co-owner and regional director of Garantex.

“According to the U.S. Secret Service and FBI, Garantex received hundreds of millions in criminal proceeds and was used to facilitate various crimes, including hacking, ransomware, terrorism, and drug trafficking, often with substantial harm to U.S. victims,” Tammy Bruce, spokesperson for the State Department, said in a statement Thursday. “Between April 2019 and March 2025, Garantex processed at least $96 billion in cryptocurrency transactions.” 

Before Garantex moved its operations and funds to Grinex following the globally coordinated law enforcement disruption, the exchange received millions of dollars in cryptocurrency from Russia-linked ransomware affiliates. Officials traced those transactions to Conti, Black Basta, LockBit, Ryuk, NetWalker and Phoenix Cryptolocker. 

Grinex, which was created to avoid the sanctions placed on Garantex, has since facilitated the transfer of billions of dollars in cryptocurrency transactions, the Treasury Department said. The Treasury Department’s OFAC initially sanctioned Garatex in April 2022.

OFAC sanctioned six additional organizations Thursday, including A7, A7 Agent, Old Vector, InDeFi Bank and Exved for their alleged involvement with and material support of Garantex and Grinex.

“Exploiting cryptocurrency exchanges to launder money and facilitate ransomware attacks not only threatens our national security, but also tarnishes the reputations of legitimate virtual asset service providers,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a statement. “By exposing these malicious actors, Treasury remains committed to and supportive of the digital asset industry’s integrity.”

The post US widens sanctions on Russian crypto exchange Garantex, its successor and affiliate firms appeared first on CyberScoop.

BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.

The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 

U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 

A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation. 

German officials said the takedown prevented the spread of malware and disrupted BlackSuit’s servers and communication. BlackSuit’s data leak site contained more than 150 entries before the takedown, Bitdefender said in a blog post. 

The majority of BlackSuit’s victims were based in the U.S. and the industries most impacted by the ransomware group’s attacks included manufacturing, education, health care and construction, according to Bitdefender. The company did not respond to a request for comment.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

BlackSuit associates were already dispersed prior to the global law enforcement action on the group’s operations. 

The impact from the takedown will be limited because members already abandoned the BlackSuit brand early this year, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

BlackSuit’s reputation plummeted as victims learned of the group’s Russian cybercrime lineage and declined to pay extortion demands out of fear that any financial support would evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control, he said.

As part of that pivot, former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year. 

“It’s not that they were concisely preparing for the takedown. Instead, they just felt brand fatigue,” Boguslavskiy said. “They are very prone to rebranding often. It was two years without a rebrand, so the one was coming, and in the meantime, they were using INC as a newer name without baggage.”

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The empowerment of INC is the “most important development in the Russian-speaking ransomware landscape, and the fact that now BlackSuit will double down on using their infrastructure is very concerning,” Boguslavskiy said. 

The ransomware syndicate is composed of about 40 people, led by “Stern,” who has established a massive system of alliances, forming a decentralized collective with links to other ransomware groups, including Akira, ALPHV, REvil, Hive and LockBit, according to Boguslaviskiy. 

INC is currently the second largest Russian-speaking ransomware collective behind DragonForce, he said. 

BlackSuit was prolific, claiming more than 180 victims on its dedicated leak site dating back to May 2023, according to researchers at Sophos Counter Threat Unit. 

The ransomware group’s main members have demonstrated their ability to rebrand and relaunch operations with ease. “It is likely that this latest takedown will have minimal impact on the ability of the individuals behind it to reorganize under a new banner,” Sophos CTU said in a research note.

Former members of BlackSuit emerged under a new ransomware group, Chaos, as early as February, Cisco Talos Incident Response researchers said in a blog post released the same day BlackSuit’s technical infrastructure was seized. Chaos targets appear to be opportunistic and victims are primarily based in the U.S., according to Talos.

The FBI seized cryptocurrency allegedly controlled by a member of the Chaos ransomware group in April, the Justice Department said in a civil complaint seeking the forfeiture of the cryptocurrency last month. Officials said the seized cryptocurrency was valued at more than $1.7 million when it was seized in mid-April.

The post Details emerge on BlackSuit ransomware takedown appeared first on CyberScoop.

The State Department announced Thursday it will pay up to $15 million for information leading to the arrest of seven North Korean nationals accused of operating criminal schemes that generate revenue for Pyongyang’s weapons programs, marking the latest effort to disrupt financing networks that have funneled money around sanctions.

The coordinated action that also involved the Justice and Treasury departments targets what officials describe as an extensive network involving cryptocurrency theft, fraudulent remote IT work, tobacco smuggling and other illicit activities that primarily target U.S. companies and citizens.

The largest reward, $7 million, is offered for Sim Hyon-sop, who prosecutors say led tobacco smuggling operations designed to generate U.S. dollars for North Korea. Six co-conspirators carry bounties ranging from $500,000 to $3 million each.

The announcement comes as U.S. officials increasingly focus on North Korea’s ability to circumvent international sanctions through criminal enterprises that have grown more sophisticated in recent years. Intelligence assessments indicate revenue from these schemes directly funds North Korea’s nuclear weapons and ballistic missile programs, which have expanded significantly under Kim Jong Un’s leadership.

One of the most lucrative schemes involves dispatching thousands of North Korean IT workers abroad, primarily to Russia and China, where they assume false identities to secure remote positions with U.S. companies. These workers often target high-paying technology jobs, with earnings sent back to North Korea to support government programs. 

In a related case, a U.S. citizen, Christina Marie Chapman, was sentenced to more than eight years in prison Thursday for facilitating a scheme that defrauded more than 300 U.S. companies, by helping North Korean IT workers obtain remote positions under false pretenses.

The Treasury Department simultaneously sanctioned Korea Sobaeksu Trading Company, which officials say has deployed IT workers to Vietnam, along with three additional North Korean nationals involved in similar schemes.

Research has indicated these operations generate hundreds of millions of dollars annually, providing North Korea with hard currency needed to purchase materials and technology for weapons development.

The use of criminal revenue to fund state weapons programs represents what analysts describe as a hybrid model where traditional organized crime intersects with state-sponsored activities to achieve strategic objectives.

The post US offers $15 million reward for info on North Korean nationals involved in global criminal network appeared first on CyberScoop.