Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the Phobos ransomware-as-a-service ecosystem as part of Europol-coordinated Operation Aether, seizing materials such as stolen credentials and access information; and Operation Red Card 2.0 (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams.
Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an FBI warning about a surge in ATM jackpotting losses and reporting on Operation Red Card 2.0. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed Lotus Blossom espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Security Affairs roundup highlights KEV additions and active threat activity
A February 22, 2026 Security Affairs newsletter summarized multiple newly highlighted KEV entries, active exploitation cases, enforcement actions, and data exposure incidents. It served as a roundup rather than a single new incident, consolidating developments already reported elsewhere.
Researchers detail infostealer attacks against OpenClaw AI assistant
Researchers observed infostealer malware exfiltrating sensitive configuration and memory files from a locally running OpenClaw agentic AI assistant. The findings showed attackers could potentially hijack the assistant's capabilities without exploiting a vulnerability in OpenClaw itself.
Researchers disclose CRESCENTHARVEST espionage campaign
Security researchers reported a new campaign dubbed CRESCENTHARVEST targeting Farsi-speaking supporters of Iran's anti-government protests. The operation used protest-themed lures and a multi-stage Windows infection chain to deploy an undocumented RAT and infostealer.
INTERPOL reports 651 arrests from Operation Red Card 2.0
INTERPOL announced that Operation Red Card 2.0 resulted in 651 arrests and substantial seizures tied to investment fraud and mobile money and loan scams. The results were reported in February 2026 and reflected a large multinational enforcement action.
Polish authorities detain suspect tied to Phobos ransomware
As part of Europol-coordinated Operation Aether, Polish authorities detained a suspect linked to the Phobos ransomware ecosystem. The arrest was reported in February 2026 as a significant disruption of ransomware-related activity.
Dutch police arrest suspect in extortion over misdirected documents
Authorities in the Netherlands arrested a man accused of extorting officials after he received confidential documents that had been sent to him by mistake. The case was cited as a notable law-enforcement action in February 2026 cybersecurity reporting.
Google patches first exploited Chrome zero-day of 2026
Google released a fix for CVE-2026-2441, described as the first actively exploited Chrome zero-day of 2026. The patch was noted in February 2026 roundup coverage of major security developments.
FBI warns ATM jackpotting caused $20 million in losses in 2025
The FBI issued a warning about increased ATM jackpotting activity, stating that losses reached $20 million during 2025. The alert underscored growing criminal use of malware and physical access techniques against cash machines.
INTERPOL launches Operation Red Card 2.0 across 16 African countries
INTERPOL, through its African Joint Operation against Cybercrime (AFJOC), coordinated Operation Red Card 2.0 across 16 countries to target cyber-enabled financial crime, including investment fraud and mobile money and loan scams. The operation ultimately led to hundreds of arrests and major seizures.
China-linked APT began exploiting Dell RecoverPoint zero-day
A China-linked advanced persistent threat reportedly started weaponizing a zero-day in Dell RecoverPoint in 2024. The activity was later highlighted in February 2026 reporting as part of broader vulnerability and exploitation coverage.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
Apr 12, 2026
Year-End Cybersecurity Review: Major Law Enforcement Actions and Notable Incidents
Law enforcement agencies worldwide achieved significant victories against cybercriminals in 2025, including the takedown of Ukrainian call centers defrauding Europeans of €10 million, the seizure of servers from the E-Note crypto exchange laundering $70 million, and the arrest of individuals aiding state-backed hacking groups. Authorities also dismantled infrastructure supporting ransomware and account takeover operations, with notable convictions such as the prison sentence for the "evil twin" WiFi hacker and the seizure of the Cryptomixer crypto mixer, which laundered €1.3 billion since 2016. These actions reflect a growing trend of international cooperation, combining legal, operational, and financial measures to disrupt cybercrime and hold perpetrators accountable. In addition to law enforcement successes, 2025 saw a range of high-profile cyber incidents and campaigns. Notable events included a massive cyberattack on Venezuela’s oil and gas infrastructure, suspected to be linked to U.S. operations, and targeted phishing campaigns against Russian military personnel using malicious Excel files. Iranian hackers exploited known vulnerabilities to breach Israeli institutions outside the country’s critical infrastructure sector, exposing gaps in cybersecurity mandates for hospitals, universities, and government ministries. These incidents underscore the evolving tactics of both state and non-state actors and the persistent vulnerabilities in global cyber defenses.
Mar 21, 2026
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
Mar 21, 2026