Year-End Cybersecurity Review: Major Law Enforcement Actions and Notable Incidents
Law enforcement agencies worldwide achieved significant victories against cybercriminals in 2025, including the takedown of Ukrainian call centers defrauding Europeans of €10 million, the seizure of servers from the E-Note crypto exchange laundering $70 million, and the arrest of individuals aiding state-backed hacking groups. Authorities also dismantled infrastructure supporting ransomware and account takeover operations, with notable convictions such as the prison sentence for the "evil twin" WiFi hacker and the seizure of the Cryptomixer crypto mixer, which laundered €1.3 billion since 2016. These actions reflect a growing trend of international cooperation, combining legal, operational, and financial measures to disrupt cybercrime and hold perpetrators accountable.
In addition to law enforcement successes, 2025 saw a range of high-profile cyber incidents and campaigns. Notable events included a massive cyberattack on Venezuela’s oil and gas infrastructure, suspected to be linked to U.S. operations, and targeted phishing campaigns against Russian military personnel using malicious Excel files. Iranian hackers exploited known vulnerabilities to breach Israeli institutions outside the country’s critical infrastructure sector, exposing gaps in cybersecurity mandates for hospitals, universities, and government ministries. These incidents underscore the evolving tactics of both state and non-state actors and the persistent vulnerabilities in global cyber defenses.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Kuaishou breach hits China's tech sector
China's technology sector was affected by a major breach at Kuaishou. The incident was reported during the week of December 22-26, 2025.
Iranian hackers breach Israeli institutions via known vulnerabilities
Iranian hackers exploited known vulnerabilities to compromise Israeli institutions outside the country's critical infrastructure. The intrusions were reported during the week of December 22-26, 2025.
Russian military personnel targeted with fake concert invite phishing
A phishing campaign used fake New Year concert invitations to target Russian military personnel. The activity was reported during the week of December 22-26, 2025.
Venezuela's oil and gas infrastructure hit by major cyberattack
Venezuela's oil and gas infrastructure was struck by a massive cyberattack that experts suspected may have been a U.S. operation. The incident was described as a possible escalation in geopolitical cyber conflict during the week of December 22-26, 2025.
FBI expands its global biometrics reach
The FBI expanded its global biometrics capabilities or access, according to policy and security developments reported that week. The move was noted during the week of December 22-26, 2025.
South Korea passes controversial 'fake news' bill
South Korea enacted a controversial 'fake news' bill amid broader cyber and information security policy changes. The development was reported during the week of December 22-26, 2025.
Japan adopts active cyber defense law
Japan passed or adopted an active cyber defense law as part of cybersecurity policy developments reported that week. The measure was highlighted during the week of December 22-26, 2025.
Pakistan Consulate in the U.S. warns of visa phishing scam
The Pakistan Consulate in the United States issued a warning about a critical phishing scam targeting visa applicants. The warning was reported during the week of December 22-26, 2025.
Shinsegae Group discloses employee and subcontractor data breach
South Korea's Shinsegae Group experienced a data breach affecting about 80,000 employees and subcontractors. The breach was reported during the week of December 22-26, 2025.
France's La Poste disrupted by cyberattack claimed by Noname057(16)
France's postal service suffered operational disruption from a cyberattack that was claimed by the pro-Russian hacktivist group Noname057(16). The incident was reported during the week of December 22-26, 2025.


