Criminal Sentencings for Cyber-Enabled Theft and Attacks
Recent court actions highlighted multiple cyber-enabled crimes resulting in prison sentences and follow-on legal measures. In the US, federal authorities announced sentencing and impending deportation of two Venezuelan nationals tied to a multi-state ATM jackpotting scheme that used Ploutus malware to force cash-out from legacy ATMs, with theft totaling hundreds of thousands of dollars and investigations linking activity to a broader network associated with Tren de Aragua. Separately in France, a Romanian national was sentenced in Paris to a five-year term with one year suspended (effectively four years to serve) for involvement in ransomware attacks using the “Umbrella” ransomware, with reported damages nearing €1 million and related cases spanning multiple European countries.
In a separate, unrelated case, Ilya Lichtenstein—convicted for stealing 120,000 bitcoins—publicly sought a “second chance” and a cybersecurity job after serving a 60-month sentence and being moved to home confinement, citing efforts to rehabilitate and cooperate. Collectively, the reporting underscores ongoing law-enforcement focus on financially motivated cybercrime ranging from malware-assisted physical compromise of financial infrastructure to enterprise-targeting ransomware, alongside continued public attention on high-profile cryptocurrency theft prosecutions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Nebraska case results in indictments of 54 alleged network members
Authorities said the broader federal case in Nebraska led to indictments against 54 individuals linked to the larger criminal network associated with Tren de Aragua. The indictments marked a major law enforcement escalation in the ATM jackpotting investigation.
US announces sentencing and deportation of two ATM malware operators
In January 2026, U.S. federal authorities announced the sentencing and impending deportation of Venezuelan nationals Luz Granados and Johan Gonzalez-Jimenez for their roles in the multi-state ATM jackpotting scheme. The case involved installing Ploutus malware on ATMs to empty bank cash reserves.
French court sentences Romanian man over ransomware attacks
A Romanian national was sentenced in France to four years in prison for ransomware cyberattacks that caused nearly 1 million euros in damages. The sentencing was reported on the reference publication date, with no earlier event date provided in the source.
ATM jackpotting activity continues through late 2025
The reported jackpotting activity spanned through December 2025, showing the campaign persisted for nearly two years against vulnerable legacy ATM infrastructure. The attacks stole hundreds of thousands of dollars in the South Carolina-linked case and were part of a much larger cash-out operation.
Federal investigation ties jackpotting scheme to wider criminal network
During the multi-state investigation, U.S. authorities including the Secret Service and South Carolina Law Enforcement Division connected the South Carolina-linked ATM attacks to a broader federal case in Nebraska. The wider case ultimately identified a larger network allegedly responsible for more than $40 million in thefts.
ATM jackpotting campaign begins in southeastern US
A broader ATM jackpotting operation linked to a criminal network associated with Tren de Aragua was active by February 2024, targeting older-model ATMs in the southeastern United States. Attackers physically accessed machines and used Ploutus malware on legacy systems, including Windows XP-based ATMs, to force cash dispensing.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
ATM Jackpotting Attack: Tren de Aragua Gang Exploits Ploutus Malware on Legacy Windows XP ATMs in US, Leading to Multi-State Indictments and Deportations
rescana.com
Open sourceA Romanian has been sentenced in France to 4 years in prison for ransomware cyberattacks, with damages amounting to nearly 1 million euros.
informat.ro
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cybercrime Prosecutions: ATM Jackpotting Deportations and Ransomware Guilty Plea
U.S. authorities reported multiple enforcement actions against financially motivated cybercrime. In South Carolina, two Venezuelan nationals convicted in an **ATM jackpotting** scheme will be deported after serving their sentences; prosecutors said they physically accessed older ATM models, connected a laptop, and installed malware that bypassed security controls to force cash-out until the machines were emptied. The activity impacted banks across several southeastern states, with court-ordered restitution of **$285,100** and **$126,340** respectively, and investigators said evidence from the case contributed to a broader Nebraska indictment of dozens of individuals tied to a larger ATM-theft conspiracy. Separately, a Russian national, **Ianis Aleksandrovich Antropenko**, pleaded guilty in federal court to **conspiracy to commit money laundering** and **conspiracy to commit computer fraud and abuse** for leading a ransomware operation that targeted at least 50 victims over a four-year period ending in August 2022; he faces up to **25 years** in prison, financial penalties, restitution, and forfeiture, and the plea acknowledges potential immigration consequences. A third item describes convicted Bitcoin thief **Ilya Lichtenstein** seeking post-release work in cybersecurity, but it is not tied to the ATM jackpotting or Antropenko ransomware case and does not add incident-specific threat intelligence.
Mar 21, 2026
European and U.S. Law Enforcement Actions Against Cyber-Enabled Crime
Multiple law-enforcement actions were reported across Europe and the U.S. targeting **cyber-enabled criminal activity**, including online intimidation, financial malware operations, and crypto/NFT theft. In Hungary, police working with Romanian authorities detained four young suspects accused of **swatting** and **doxing** tied to disputes initiated via *Discord*, including false bomb and violence threats that triggered significant emergency response deployments. Separately, U.S. authorities convicted two Venezuelan nationals for a multi-state **ATM jackpotting** operation in which they physically accessed older ATMs, connected a laptop, and deployed **malware** to force cash dispensing, resulting in hundreds of thousands of dollars in losses and restitution orders. In Romania, two suspects were investigated at the request of UK authorities over an alleged **hitman-for-hire** marketplace designed to conceal identities and payments via **cryptocurrency escrow**, with police seizing storage devices, crypto valued around **$650,000**, and significant cash. In the Netherlands, Zeeland police arrested four suspects linked to the theft of **169 NFTs** valued at roughly **€1.4 million**, seizing data carriers, cash, vehicles, and a house during raids as the investigation continued.
Mar 21, 2026
Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the **Phobos** ransomware-as-a-service ecosystem as part of Europol-coordinated **Operation Aether**, seizing materials such as stolen credentials and access information; and **Operation Red Card 2.0** (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams. Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an **FBI warning** about a surge in **ATM jackpotting** losses and reporting on **Operation Red Card 2.0**. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed **Lotus Blossom** espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
Mar 21, 2026