Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the Phobos ransomware-as-a-service ecosystem as part of Europol-coordinated Operation Aether, seizing materials such as stolen credentials and access information; and Operation Red Card 2.0 (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams.
Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an FBI warning about a surge in ATM jackpotting losses and reporting on Operation Red Card 2.0. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed Lotus Blossom espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
Sources
Related Stories
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
3 months ago
Year-End Cybersecurity Review: Major Law Enforcement Actions and Notable Incidents
Law enforcement agencies worldwide achieved significant victories against cybercriminals in 2025, including the takedown of Ukrainian call centers defrauding Europeans of €10 million, the seizure of servers from the E-Note crypto exchange laundering $70 million, and the arrest of individuals aiding state-backed hacking groups. Authorities also dismantled infrastructure supporting ransomware and account takeover operations, with notable convictions such as the prison sentence for the "evil twin" WiFi hacker and the seizure of the Cryptomixer crypto mixer, which laundered €1.3 billion since 2016. These actions reflect a growing trend of international cooperation, combining legal, operational, and financial measures to disrupt cybercrime and hold perpetrators accountable. In addition to law enforcement successes, 2025 saw a range of high-profile cyber incidents and campaigns. Notable events included a massive cyberattack on Venezuela’s oil and gas infrastructure, suspected to be linked to U.S. operations, and targeted phishing campaigns against Russian military personnel using malicious Excel files. Iranian hackers exploited known vulnerabilities to breach Israeli institutions outside the country’s critical infrastructure sector, exposing gaps in cybersecurity mandates for hospitals, universities, and government ministries. These incidents underscore the evolving tactics of both state and non-state actors and the persistent vulnerabilities in global cyber defenses.
2 months ago
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
1 weeks ago