Showing posts with label Cyber Crime.

FBI Alerts Public about Scammers Using Altered Online Photos to Stage Fake Kidnappings

The Federal Bureau of Investigation has issued a new advisory warning people about a growing extortion tactic in which criminals take photos posted online, manipulate them, and present the edited images as supposed evidence during fake kidnapping attempts. The agency reports that these incidents, often described as virtual kidnappings, are designed to panic the target into paying quickly before verifying the claims.


How the scam begins

The operation usually starts when criminals search social media accounts or any platform where people share personal photos publicly. They collect pictures of individuals, including children, teenagers, and adults, and then edit those images to make it appear as though the person is being held against their will. Scammers may change facial expressions, blur backgrounds, add shadows, or alter body positions to create a sense of danger.

Once they prepare these altered images, they contact a relative or friend of the person in the photo. In most cases, they send a sudden text or place a call claiming a loved one has been kidnapped. The message is crafted to create immediate panic and often includes threats of harm if payment is not made right away.


The role of fake “proof of life”

One recurring tactic is the use of emotionally charged photos or short video clips that appear to show the victim in distress. These materials are presented as proof that the kidnapping is real. However, investigators have observed that the content often contains mistakes that reveal it has been edited. The inconsistencies can range from missing tattoos or scars to unnatural lighting, distorted facial proportions, or visual elements that do not match known photos of the person.

Criminals also try to limit the victim’s ability to examine the images closely. Some use disappearing messages or apps that make screenshots difficult. Others send messages in rapid succession to prevent the victim from taking a moment to reach out to the supposed abducted individual.


Why these scams escalate quickly

Scammers depend on speed and emotional intensity. They frequently insist that any delay will lead to harm, which pressures victims to make decisions without checking whether their loved one is actually safe. In some situations, criminals exploit posts about missing persons by inserting themselves into ongoing searches and providing false updates.

The FBI urges people to be mindful of the information they share online, especially when it involves personal photos, travel details, or locations. The agency recommends that families set up a private code word that can be used during emergencies to confirm identity. Individuals should avoid sharing personal information with unknown callers or strangers while traveling.

If someone receives a threatening call or message, the FBI advises them to stay calm and attempt to contact the alleged victim directly through verified communication channels. People should record or capture any messages, screenshots, phone numbers, images, or audio clips connected to the incident. These materials can help law enforcement determine whether the event is a hoax.

Anyone who believes they have been targeted by a virtual kidnapping attempt is encouraged to submit a report to the FBI’s Internet Crime Complaint Center at IC3.gov. The agency requests detailed information, including phone numbers used by the scammer, payment instructions, message transcripts, and any photos or videos that were provided as supposed evidence.





Europol’s OTF GRIMM Arrests Nearly 200 in Crackdown on “Violence-as-a-Service” Crime Networks

Nearly 200 people — including several minors linked to murder attempts — have been taken into custody over the past six months under Europol’s Operational Taskforce (OTF) GRIMM. The initiative focuses on dismantling what authorities describe as “violence-as-a-service” networks, where criminal groups lure young people online to execute contract killings and other violent attacks.

Europol said on Monday that "These individuals are groomed or coerced into committing a range of violent crimes, from acts of intimidation and torture to murder."

Launched in April, OTF GRIMM brings together specialists from Belgium, Denmark, Finland, France, Germany, Iceland, the Netherlands, Norway, Spain, Sweden, the UK, and Europol, alongside several online platforms.

In its first half-year, the taskforce reported arresting 63 suspects accused of planning or committing violent offenses, 40 individuals believed to be “enablers” of violence-for-hire operations, 84 recruiters, and six alleged “instigators.” Five of these instigators have been identified by investigators as “high-value targets.” Among those apprehended were three individuals in Sweden and Germany suspected of fatally shooting three victims on March 28 in Oosterhout, the Netherlands.

Authorities also detained two more suspects, aged 26 and 27, in the Netherlands in October for allegedly attempting a murder in Tamm, Germany, on May 12.

On July 1, Spanish police arrested six people — one of them a minor — who were allegedly plotting a murder. Firearms and ammunition were recovered, and investigators believe the operation prevented a “potential tragedy.”

In Denmark, seven individuals aged between 14 and 26 were either arrested or voluntarily surrendered in June. They are accused of using encrypted messaging platforms to recruit teenagers for contract killings.

These cases arise amid what cybersecurity experts describe as a significant rise in Europe-based cybercrime operations that spill into real-world violence. One of the most notable examples occurred in January, when Ledger co-founder David Balland and his wife, Amandine, were kidnapped in Vierzon, France. During the ordeal, their captors severed Balland’s finger while demanding ransom from another Ledger co-founder; the details of the ransom request have not been publicly disclosed.

Many suspects involved in violence-for-hire schemes have been linked to The Com — an informal group of English-speaking hackers, SIM swappers, and extortionists operating across several overlapping criminal networks. The organization’s influence has expanded internationally, prompting the FBI to issue a recent warning.

According to the bureau, a faction known as In Real Life (IRL) Com poses an increasing danger to young people in the U.S. The FBI’s alert highlighted IRL Com groups offering swatting services — incidents in which criminals file fake reports of shootings or bomb threats to provoke armed police responses at victims’ homes.

Portugal Updates Cybercrime Law To Protect Good-Faith Security Researchers

Portugal has updated its cybercrime law to offer legal protection to security researchers who probe systems in good faith and report vulnerabilities responsibly. The change creates a legal safe harbor for ethical hacking, turning what was previously classified as illegal access or data interception into a non-punishable act when strict conditions are met. The new provision appears in Article 8.º-A under the title "Acts not punishable due to public interest in cybersecurity."

It states that hacking activities aimed at finding vulnerabilities and improving cybersecurity will not lead to criminal charges if several requirements are followed. To qualify for legal protection, researchers must act only to identify weaknesses that they did not introduce and must not seek financial reward beyond normal professional compensation. They must report the issue immediately to the system owner, any relevant data controller and the Portuguese cybersecurity authority CNCS. 

The law also requires that actions remain limited to what is necessary for detection. Researchers cannot disrupt services, modify data, steal information or cause damage. Personal data protected under the GDPR must not be processed unlawfully, and techniques such as DDoS attacks, phishing, malware deployment and social engineering fall outside the safe harbor entirely.

Any sensitive data accessed during testing must be kept confidential and deleted within 10 days after the vulnerability is fixed. Acts carried out with the explicit consent of the system owner are also exempt from punishment, but vulnerabilities discovered during the process must still be reported to the CNCS. Cybersecurity professionals view the change as an important step toward separating responsible research from criminal activity. 

The law provides clarity on what is allowed while giving ethical hackers the legal protection they have long requested. Portugal joins a growing number of countries adapting cybercrime laws to support good-faith research. Germany proposed similar protections in late 2024, and in May 2022 the United States Department of Justice revised its charging policy under the Computer Fraud and Abuse Act (CFAA), directing prosecutors not to charge good-faith security research.

These legal reforms reflect an increasing recognition that ethical hackers play a key role in helping organizations find and fix security flaws before real criminals take advantage of them. Supporters say the new rules will encourage more vulnerability reporting and strengthen global cybersecurity.

North Korean APT Collaboration Signals Escalating Cyber Espionage and Financial Cybercrime

Security analysts have identified a new escalation in cyber operations linked to North Korea, as two of the country’s most well-known threat actors—Kimsuky and Lazarus—have begun coordinating attacks with unprecedented precision. A recent report from Trend Micro reveals that the collaboration merges Kimsuky’s extensive espionage methods with Lazarus’s advanced financial intrusion capabilities, creating a two-part operation designed to steal intelligence, exploit vulnerabilities, and extract funds at scale. 

Rather than operating independently, the two groups are now functioning as a complementary system. Kimsuky reportedly initiates most campaigns by collecting intelligence and identifying high-value victims through sophisticated phishing schemes. One notable 2024 campaign involved fraudulent invitations to a fake “Blockchain Security Symposium.” Attached to the email was a malicious Hangul Word Processor document embedded with FPSpy malware, which stealthily installed a keylogger called KLogEXE. This allowed operators to record keystrokes, steal credentials, and map internal systems for later exploitation. 

Once reconnaissance was complete, data collected by Kimsuky was funneled to Lazarus, which then executed the second phase of attacks. Investigators found Lazarus exploited a then-unpatched Windows kernel privilege-escalation flaw in the AFD.sys driver, CVE-2024-38193, to obtain SYSTEM-level privileges. The group distributed trojanised Node.js repositories posing as legitimate open-source tools to compromise server environments. With this access, the InvisibleFerret backdoor was deployed to extract cryptocurrency wallet contents and transaction logs, while the FudModule rootkit was used to blind endpoint security tools from kernel space. Researchers estimate that within a 48-hour window, more than $30 million in digital assets were quietly stolen.

Further digital forensic evidence reveals that both groups operated using shared command-and-control servers and identical infrastructure patterns previously observed in earlier North Korean cyberattacks, including the 2014 breach of a South Korean nuclear operator. This shared ecosystem suggests a formalized, state-aligned operational structure rather than ad-hoc collaboration.  

Threat activity has also expanded beyond finance and government entities. In early 2025, European energy providers received a series of targeted phishing attempts aimed at collecting operational power grid intelligence, signaling a concerning pivot toward critical infrastructure sectors. Experts believe this shift aligns with broader strategic motivations: bypassing sanctions, funding state programs, and positioning the regime to disrupt sensitive systems if geopolitical tensions escalate. 

Cybersecurity specialists advise organizations to strengthen resilience through aggressive patch management, multi-layered email security, secure cryptocurrency storage practices, and active monitoring for indicators of compromise. Two indicators cited here are anomalous activity involving winlogon.exe and unauthorized access to blockchain-related directories. Note that winlogon.exe is always running on a Windows host, so the useful signal is an unexpected child process or code injected into it, not its mere presence.
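The two host-level indicators above can be turned into a simple rule pass over process telemetry. The following is an added example, not code from Trend Micro or from the original post: it parses a constructed Sysmon-like "Key=value|Key=value" line format, treats winlogon.exe spawning anything outside a small expected set as a finding, and flags non-wallet processes writing into known desktop-wallet directories. The expected-children set, the wallet directory list and the sample log lines are all assumptions made for the example.

```python
import re

# Children winlogon.exe legitimately spawns around logon; anything else deserves a look.
# (Assumed baseline for this example; tune it against your own telemetry.)
EXPECTED_WINLOGON_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}

# Where common desktop wallets keep keys and seeds (hypothetical list; extend for your estate).
WALLET_DIR_RE = re.compile(r"\\appdata\\roaming\\(exodus|electrum|bitcoin)\\", re.IGNORECASE)
# Processes that are expected to open their own wallet directory.
WALLET_APPS = {"exodus.exe", "electrum.exe", "bitcoin-qt.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one 'Key=value|Key=value' telemetry line (constructed format, Sysmon-like fields)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def check_event(ev: dict) -> list:
    """Return findings for one parsed event (empty list when nothing is suspicious)."""
    findings = []
    image = basename(ev.get("Image", ""))
    if ev.get("EventID") == "1":  # process creation
        parent = basename(ev.get("ParentImage", ""))
        # winlogon.exe itself is always present; the signal is an unexpected child.
        if parent == "winlogon.exe" and image not in EXPECTED_WINLOGON_CHILDREN:
            findings.append(f"winlogon.exe spawned unexpected child {image}: {ev.get('CommandLine', '')}")
    elif ev.get("EventID") == "11":  # file create
        target = ev.get("TargetFilename", "")
        if WALLET_DIR_RE.search(target) and image not in WALLET_APPS:
            findings.append(f"non-wallet process {image} wrote into wallet directory: {target}")
    return findings


def scan(lines) -> list:
    """Run each line through check_event; return (line_number, finding) pairs."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if line.strip():
            for finding in check_event(parse_event(line)):
                hits.append((n, finding))
    return hits


# Constructed sample telemetry: lines 3 and 4 are the ones that should fire.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Windows\System32\winlogon.exe|ParentImage=C:\Windows\System32\smss.exe|CommandLine=winlogon.exe",
    r"EventID=1|Image=C:\Windows\System32\userinit.exe|ParentImage=C:\Windows\System32\winlogon.exe|CommandLine=C:\Windows\system32\userinit.exe",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\winlogon.exe|CommandLine=cmd.exe /c whoami",
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Temp\node.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
    r"EventID=11|Image=C:\Users\alice\AppData\Local\exodus\Exodus.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

The first sample line shows why "execution of winlogon.exe" on its own is not a rule: winlogon.exe is spawned by smss.exe on every boot and is ignored here. The allow-lists are the part that needs local tuning; a host running a wallet not in the list will produce noise until it is added.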

Researchers warn that the coordinated activity between Lazarus and Kimsuky marks a new phase in North Korea’s cyber posture—one blending intelligence gathering with highly organized financial theft, creating a sustained and evolving global threat.

Virtual Machines on Nutanix AHV now in Akira’s Crosshairs; Enterprises must Close Gaps

Security agencies have issued a new warning about the Akira ransomware group after investigators confirmed that the operators have added Nutanix AHV virtual machines to their list of targets. This represents a significant expansion of the group’s capabilities, which had already included attacks on VMware ESXi and Microsoft Hyper-V environments. The update signals that Akira is no longer limiting itself to conventional endpoints or common hypervisors and is now actively pursuing a wider range of virtual infrastructure used in large organisations.

Although Akira was first known for intrusions affecting small and medium businesses across North America, Europe and Australia, the pattern of attacks has changed noticeably over the last year. Incident reports now show that the group is striking much larger companies, particularly those involved in manufacturing, IT services, healthcare operations, banking and financial services, and food-related industries. This shift suggests a strategic move toward high-value victims where disruptions can cause substantial operational impact and increase the pressure to pay ransom demands.

Analysts observing the group’s behaviour note that Akira has not simply created a few new variants. Instead, it has invested considerable effort into developing ransomware that functions across multiple operating systems, including Windows and Linux, and across several virtualisation platforms. Building such wide-reaching capability requires long-term planning, and researchers interpret this as evidence that the group aims to remain active for an extended period.


How attackers get into networks 

Investigations into real-world intrusions show that Akira typically begins by taking advantage of weak points in remote access systems and devices connected to the internet. Many victims used VPN systems that lacked multifactor authentication, leaving them open to password spraying and to the reuse of previously leaked credentials. The group has also exploited publicly known vulnerabilities in networking products from major vendors and in backup platforms that had not been updated with security patches.

In addition to these weaknesses, Akira has used targeted phishing emails, misconfigured Remote Desktop Protocol portals, and exposed SSH interfaces on network routers. In some breaches, compromising a router allowed attackers to tunnel deeper into internal networks and reach critical servers, especially outdated backup systems that had not been maintained.

Once inside, the attackers survey the entire environment. They run commands designed to identify domain controllers and trust relationships between systems, giving them a map of how the network is structured. To avoid being detected, they often use remote-access tools that are normally employed by IT administrators, making their activity harder to differentiate from legitimate work. They also disable security software, create administrator-level user accounts for long-term access, and deploy tools capable of running commands on multiple machines at once.


Data theft and encryption techniques 

Akira uses a double-extortion method. The attackers first locate and collect sensitive corporate information, which they compress and transfer out of the network using well-known tools such as FileZilla, WinRAR, WinSCP or RClone. Some investigations show that this data extraction process can be completed in just a few hours. Once the information has been removed, they launch the ransomware encryptor, which uses a fast hybrid scheme: file contents are encrypted with a symmetric cipher and the per-file keys are protected with the attackers' public key, so recovery without their private key is infeasible. Over time, the group has changed the file extensions that appear after encryption and has modified the names and placement of ransom notes. The ransomware also deletes Windows Volume Shadow Copies (typically via a PowerShell or vssadmin command) to block easy recovery; that deletion is itself a high-fidelity event to alert on.
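A useful complement to hunting for tool names (rclone, WinSCP and the like get renamed) is watching egress volume itself, since an exfiltration run of the kind described above shows up as one host pushing far more data to an external address in an hour than it ever does otherwise. The script below is an added example, not tooling from the advisories or from the original post: it sums per-host, per-hour bytes to non-private destinations from constructed flow records and flags hours that exceed ten times the host's own median, with an absolute floor so a steady 2 GB-per-hour backup job does not alert. The flow records, private ranges and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow records: (hour, src_ip, dst_ip, dst_port, bytes_out).
# External addresses are RFC 5737 documentation ranges, not real infrastructure.
FLOWS = [
    ("2025-11-03T09", "10.0.5.21", "203.0.113.10", 443, 12_000_000),
    ("2025-11-03T10", "10.0.5.21", "203.0.113.10", 443, 15_000_000),
    ("2025-11-03T11", "10.0.5.21", "203.0.113.10", 443, 9_000_000),
    ("2025-11-03T12", "10.0.5.21", "203.0.113.10", 443, 14_000_000),
    ("2025-11-03T13", "10.0.5.21", "203.0.113.10", 443, 10_000_000),
    ("2025-11-03T13", "10.0.5.21", "198.51.100.77", 22, 45_000_000_000),  # bulk push over SFTP
    ("2025-11-03T14", "10.0.5.21", "203.0.113.10", 443, 11_000_000),
    # A backup server that ships 2 GB to a cloud target every hour: large but steady.
    ("2025-11-03T09", "10.0.7.9", "203.0.113.200", 443, 2_000_000_000),
    ("2025-11-03T10", "10.0.7.9", "203.0.113.200", 443, 2_000_000_000),
    ("2025-11-03T11", "10.0.7.9", "203.0.113.200", 443, 2_000_000_000),
    ("2025-11-03T12", "10.0.7.9", "203.0.113.200", 443, 2_000_000_000),
    ("2025-11-03T13", "10.0.7.9", "203.0.113.200", 443, 2_000_000_000),
    ("2025-11-03T14", "10.0.7.9", "203.0.113.200", 443, 2_000_000_000),
    # Internal replication is not egress and must not count.
    ("2025-11-03T13", "10.0.7.9", "10.0.9.5", 445, 60_000_000_000),
]

# Assumed internal address space for the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address lies outside the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hourly_egress(flows):
    """Sum bytes sent to external addresses per (src, hour), keeping per-destination detail."""
    totals = defaultdict(int)
    dests = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, port, nbytes in flows:
        if not is_external(dst):
            continue
        totals[(src, hour)] += nbytes
        dests[(src, hour)][(dst, port)] += nbytes
    return totals, dests


def find_spikes(flows, factor=10, min_bytes=1_000_000_000):
    """Flag (src, hour) pairs whose egress is at least `factor` times the host's own
    median over its other hours and at least `min_bytes` in absolute terms.
    A host with no other hours gets a baseline of 0, so the absolute floor alone decides."""
    totals, dests = hourly_egress(flows)
    by_host = defaultdict(dict)
    for (src, hour), nbytes in totals.items():
        by_host[src][hour] = nbytes
    spikes = []
    for src, hours in by_host.items():
        for hour, nbytes in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if nbytes >= min_bytes and nbytes >= factor * baseline:
                (dst, port), top = max(dests[(src, hour)].items(), key=lambda kv: kv[1])
                spikes.append({"src": src, "hour": hour, "bytes": nbytes, "baseline": baseline,
                               "top_dst": f"{dst}:{port}", "top_bytes": top})
    return spikes


if __name__ == "__main__":
    for s in find_spikes(FLOWS):
        print(f"{s['src']} {s['hour']}: {s['bytes'] / 1e9:.1f} GB out "
              f"(baseline {s['baseline'] / 1e6:.0f} MB), mostly to {s['top_dst']}")
```

Only the workstation's 13:00 hour fires, and the report names the destination and port (an SFTP endpoint here), which is the pivot an analyst needs next. Baselines over a single day are crude; in practice the median should come from a longer window, and the destination should be checked against the organisation's own sanctioned storage before anyone is paged.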


Why the threat continues to succeed 

Cybersecurity experts point out that Akira benefits from long-standing issues that many organisations fail to address. Network appliances, remote access devices, and backup servers often remain unpatched for months, giving attackers opportunities to exploit vulnerabilities that should have been resolved. These overlooked systems create gaps that remain unnoticed until an intrusion is already underway.


How organisations can strengthen defences 

While applying patches, enabling multifactor authentication, and keeping offline backups remain essential, the recent wave of incidents shows that more comprehensive measures are necessary. Specialists recommend dividing networks into smaller segments to limit lateral movement, monitoring administrator-level activity closely, and extending security controls to backup systems and virtualisation consoles. Organisations should also conduct complete ransomware readiness exercises that include not only technical recovery procedures but also legal considerations, communication strategies, and preparations for potential data leaks.

Security researchers emphasise that companies must approach defence with the same mindset attackers use to find vulnerabilities. Identifying weaknesses before adversaries exploit them can make the difference between a minor disruption and a large-scale crisis.



Waymo Robotaxi Films Deadly San Francisco Shooting

A Waymo autonomous vehicle may have captured video footage of a fatal shooting incident in San Francisco's Mission neighborhood over the weekend, highlighting the emerging role of self-driving cars as potential witnesses in criminal investigations. The incident resulted in one man's death and left another person critically injured.

The incident and arrest

According to 9-1-1 dispatcher calls cited by the San Francisco Standard, a Waymo robotaxi was parked near the crime scene during the shooting. Police have identified the suspect as 23-year-old Larry Hudgson Jr., who was subsequently arrested without incident in a nearby neighborhood and booked into county jail. It remains unclear whether law enforcement has formally requested footage from the autonomous vehicle.

Privacy concerns

Waymo vehicles are equipped with extensive surveillance technology, featuring at least 29 cameras on their interiors and exteriors that continuously monitor their surroundings. This comprehensive camera coverage has drawn criticism from privacy advocates who describe the vehicles as "little mobile narcs" capable of widespread surveillance. The company maintains it does not routinely share data with law enforcement without proper legal requests.

Company policy on law enforcement access

Waymo co-CEO Tekedra Mawakana explained the company's approach during an interview with the New York Times podcast Hard Fork, emphasizing transparency in their privacy policy. The company follows legal processes when responding to footage requests and narrows the scope as necessary. Waymo representatives have stated they actively challenge data requests lacking valid legal basis or those considered overbroad.

This incident exemplifies how smart devices increasingly contribute to the surveillance economy and criminal investigations. Similar cases include Amazon being ordered to provide Echo device data for a 2017 New Hampshire murder investigation, Tesla cameras assisting in hate crime arrests in 2021, and Uber Eats delivery bot footage used in an abduction case. As autonomous vehicles become more prevalent in American cities, their role as digital witnesses in criminal cases appears inevitable.

Governments sanction Russian “bulletproof” host for aiding ransomware networks

Authorities in the United States, the United Kingdom, and Australia have jointly imposed sanctions on a Russian bulletproof hosting provider accused of giving safe and long-term technical support to ransomware operators and other criminal groups. Officials say the newly sanctioned entities have played a central role in keeping several high-impact cybercrime operations online.

A bulletproof hosting service is a type of internet infrastructure provider that knowingly allows harmful activity on its servers. These companies rent out digital space and refuse to take down malicious websites, even when they receive complaints from victims or requests from law enforcement. Such services help threat actors conduct phishing campaigns, distribute malware, run command and control systems for their attacks, and host illegal content without fear of quick removal. This resistance to oversight makes it harder for investigators to disrupt cybercriminal networks.


Media Land and its linked companies named as key targets

The United States Treasury’s Office of Foreign Assets Control announced that Media Land, a Russia-based provider, has been added to the sanctions list along with three related firms: Media Land Technology, Data Center Kirishi, and ML Cloud. According to officials, Media Land’s infrastructure has been connected to well-known ransomware groups. It has also been tied to distributed denial-of-service attacks that targeted American companies, including systems categorized as critical infrastructure such as parts of the telecommunications sector.


Officials name individuals connected to the operation

Sanctions also extend to three people associated with Media Land. Aleksandr Volosovik has been identified as someone who promoted the company’s services on underground cybercriminal forums under the username Yalishanda. Another individual, Kirill Zatolokin, is accused of handling customer payments. A third person, Yulia Pankova, is said to have assisted with legal matters and financial management. The United Kingdom additionally stated that Volosovik has interacted with multiple cybercrime groups in the past.


Other companies involved in supporting the infrastructure

The sanctions package further includes Aeza Group LLC, another bulletproof hosting operator that had already been sanctioned earlier this year. Authorities say Aeza attempted to continue operating by using a UK-based company named Hypercore Ltd as a front. Additional entities in Serbia and Uzbekistan that provided technical assistance to the network have also been designated.


Government agencies issue defensive guidance

Along with the sanctions, cybersecurity agencies across the Five Eyes alliance released technical recommendations to help defenders identify and block activity linked to bulletproof hosting services. They suggest creating high-confidence lists of harmful internet resources based on verified threat intelligence, performing continuous monitoring of network traffic, and applying filtering rules at network boundaries while examining how those rules might affect legitimate users. The guidance also encourages service providers to maintain stronger onboarding checks for new customers since criminal operators often hide behind temporary email accounts or phone numbers.
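Putting the guidance above into practice means more than dropping prefixes into a firewall: the most specific rule should win, and the collateral on legitimate users should be measured before enforcement. The following added example (not from the Five Eyes guidance or from the original post) builds a longest-prefix index over a constructed blocklist of RFC 5737 documentation ranges, tags each sample flow with the matching rule and action, and reports which internal hosts would lose traffic if the block rules went live. The blocklist entries, flow records and host names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist: (cidr, label, action). The prefixes are RFC 5737 documentation
# ranges standing in for a provider's address space; a real list comes from vetted intel.
BLOCKLIST = [
    ("203.0.113.0/24", "hostile-host-A", "block"),
    ("198.51.100.0/24", "hostile-host-B upstream", "alert"),
    ("198.51.100.128/25", "hostile-host-B", "block"),
]

# Constructed flow records: (src_host, dst_ip, dst_port, bytes).
FLOWS = [
    ("ws-alice", "203.0.113.15", 443, 900),
    ("ws-bob", "203.0.113.15", 443, 1_100),
    ("ws-bob", "198.51.100.200", 8443, 5_000),
    ("ws-carol", "198.51.100.20", 443, 40_000),     # parent /24 only: alert, not block
    ("srv-mail", "203.0.113.250", 25, 30_000),      # business traffic into a blocked range
    ("ws-dave", "192.0.2.7", 443, 1_200),           # not listed at all
]


def build_index(entries):
    """Parse the list and order it most-specific first so the longest prefix wins."""
    parsed = [(ipaddress.ip_network(cidr), label, action) for cidr, label, action in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(ip: str, index):
    """Return (network, label, action) for the longest prefix containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, label, action in index:
        if addr in net:
            return net, label, action
    return None


def evaluate(flows, index):
    """Match flows against the index. Returns the list of hits and, per source host,
    what a 'block' rule would cut off, so collateral is visible before enforcement."""
    hits = []
    impact = defaultdict(lambda: {"blocked_flows": 0, "bytes": 0, "ports": set()})
    for src, dst, port, nbytes in flows:
        match = lookup(dst, index)
        if match is None:
            continue
        net, label, action = match
        hits.append({"src": src, "dst": dst, "port": port,
                     "rule": str(net), "label": label, "action": action})
        if action == "block":
            rec = impact[src]
            rec["blocked_flows"] += 1
            rec["bytes"] += nbytes
            rec["ports"].add(port)
    return hits, dict(impact)


if __name__ == "__main__":
    index = build_index(BLOCKLIST)
    hits, impact = evaluate(FLOWS, index)
    for h in hits:
        print(f"{h['action']:5} {h['src']} -> {h['dst']}:{h['port']} ({h['rule']} {h['label']})")
    print("hosts that lose traffic if the block rules go live:")
    for src, rec in impact.items():
        print(f"  {src}: {rec['blocked_flows']} flows, {rec['bytes']} bytes, ports {sorted(rec['ports'])}")
```

The impact report is the "examine how those rules might affect legitimate users" step: here srv-mail talking SMTP into a blocked range is exactly the kind of hit that needs a look before the rule is enforced, whether it is a relay that must be re-pointed or a sign the mail server is already compromised.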


Implications of the sanctions

All assets connected to the named individuals and companies within the United States, the United Kingdom, and Australia will now be frozen. Any organisation or person that continues to conduct transactions with them may face secondary sanctions or other enforcement actions. This step builds on earlier actions taken in February, when the three nations sanctioned ZServers, another Russian hosting operation, while Dutch authorities seized more than one hundred of its servers.

The coordinated announcement signals a growing international effort to dismantle the online infrastructure that ransomware groups depend on. It also reinforces the need for organisations to maintain strong cybersecurity practices, rely on reputable service providers, and monitor threat intelligence to reduce exposure to criminal activity.

Deepfake of Finance Minister Lures Bengaluru Homemaker into ₹43.4 Lakh Trading Scam

A deceptive social media video that appeared to feature Union Finance Minister Nirmala Sitharaman has cost a Bengaluru woman her life’s savings. The 57-year-old homemaker from East Bengaluru lost ₹43.4 lakh after being persuaded by an artificial intelligence-generated deepfake that falsely claimed the minister was recommending an online trading platform promising high profits.

Investigators say the video, which circulated on Instagram in August, directed viewers to an external link where users were encouraged to sign up for investment opportunities. Believing the message to be authentic, the woman followed the link and entered her personal information, which was later used to contact her directly.

The next day, a man identifying himself as Aarav Gupta reached out to her through WhatsApp, claiming to represent the company shown in the video. He invited her to a large WhatsApp group titled “Aastha Trade 238”, which appeared to host over a hundred participants discussing stock trades. Another contact, who introduced herself as Meena Joshi, soon joined the conversation, offering to help the victim learn how to use the firm’s trading tools.

Acting on their guidance, the homemaker downloaded an application called ACSTRADE and created an account. Meena walked her through the steps of linking her bank details, assuring her that the platform was reliable. The first transfer of ₹5,000 was made soon after, and to her surprise, the app began displaying what looked like real profits.

Encouraged by what appeared to be rapid returns, she made larger investments. The application showed her initial ₹1 lakh growing into ₹2 lakh, and a later ₹5 lakh transfer seemingly yielding ₹8 lakh. The visual proof of profit strengthened her trust, and she kept transferring higher amounts.

In September, problems surfaced. While exploring an “IPO feature” on the app, she tried to exit but was unable to do so due to recurring technical errors. When she sought help, Meena advised her to continue investing to prevent losses. The woman followed this advice, transferring a total of ₹23 lakh in hopes of recovering her funds.

Once her savings were exhausted, the scammers proposed a loan option within the same app, claiming it would help her maintain her trading record. When she attempted to withdraw money, the platform denied the request, displaying a message stating her loan account was still active. Believing the issue could be resolved with more funds, she pawned her gold jewellery at a bank and a finance company, wiring additional money to the fraudsters.

By late October, her total transfers had reached ₹43.4 lakh across 13 separate transactions between September 24 and October 27. The deception came to light only when her bank froze her account on November 1, alerting her that unusual activity had been detected.

The East Cybercrime Police Station has since registered a case under the Information Technology Act and Section 318 of the Bharatiya Nyaya Sanhita, which addresses cheating. Officers confirmed that the fraudulent video used sophisticated AI tools to mimic the minister’s voice and gestures convincingly, making it difficult for untrained viewers to identify as fake.

Police officials have urged the public to remain alert to deepfake-driven scams that exploit public trust in well-known personalities. They advise verifying any financial offer through official government portals or trusted news sources, and to avoid clicking unfamiliar links on social media.

Experts warn that such crimes mark a new wave of cyber fraud, where manipulated media is used to build false credibility. Citizens are advised never to disclose personal or banking information through unverified links, and to immediately report suspicious investment schemes to their banks or local cybercrime authorities.



Global Ransomware Groups Hit Record High as Smaller Threat Actors Emerge

The number of active ransomware groups has reached an unprecedented high, marking a new phase in the global cyber threat landscape. According to GuidePoint Security’s latest Ransomware & Cyber Threat Report, the total number of active groups surged 57%, climbing from 49 in the third quarter of 2024 to an all-time peak of 77. Despite this sharp rise, the number of victims has remained consistent, averaging between 1,500 and 1,600 per quarter since late last year. 

The United States continues to bear the brunt of these attacks, accounting for 56% of all reported victims. Germany and the United Kingdom followed distantly at 5% and 4%, respectively. Manufacturing, technology, and the legal sectors were among the hardest hit, with the manufacturing industry alone reporting 252 publicly claimed attacks in the second quarter—a 26% increase from the previous quarter. 

GuidePoint’s senior threat intelligence analyst, Nick Hyatt, noted that while the overall ransomware volume has stabilized, the number of distinct groups is soaring. He explained that this growth reflects both the consolidation of experienced threat actors under major ransomware-as-a-service (RaaS) platforms and the influx of newer, less skilled operators trying to gain traction in the ecosystem. 

Among the most active groups, Qilin led with a dramatic 318% year-over-year surge, claiming 234 victims this quarter. Akira followed with 130 victims, while IncRansom—first detected in August 2023—emerged as the third most active group after a sharp increase in attacks. Another rising player, SafePay, has steadily expanded its operations since its appearance in late 2024, now linked to 258 victims across 29 industries and 30 countries in 2025 alone. 

GuidePoint’s researchers also observed a growing number of unclaimed or unattributed ransomware attacks, suggesting that many threat actors are either newly formed or deliberately avoiding public identification. This trend points to an increasingly fragmented and unpredictable ransomware environment. 

While the stabilization in overall attack numbers might appear reassuring, experts warn against complacency. The rapid diversification of ransomware groups and the proliferation of smaller, anonymous actors underline the evolving sophistication of cybercrime. As Hyatt emphasized, this “new normal” reflects a sustained, adaptive threat landscape that demands continuous vigilance, proactive defense strategies, and cross-industry collaboration to mitigate future risks.

China Sentences 11 Individuals to Death Over Massive Cross-Border Scam Network

A Chinese court has handed down death sentences to 11 individuals involved in a vast, family-run criminal network that operated online scam and gambling schemes across the China-Myanmar border. The Wenzhou Intermediate People’s Court in Zhejiang Province announced the verdict on Monday, stating that the group was responsible for large-scale fraud, human trafficking, and the deaths of workers who attempted to flee the scam compounds.

According to official reports, the syndicate was managed by a family known locally as the Ming group, which had gained significant influence in the Kokang region of northern Myanmar — a semi-autonomous territory along China’s border. The group allegedly established multiple compounds, including a major base called “Crouching Tiger Villa,” where thousands of trafficked individuals were forced to participate in online scams and illegal gambling activities.

Investigations revealed that at the height of their operations, nearly 10,000 workers were involved in conducting cyber fraud schemes under the family’s control. The compounds were heavily guarded, and individuals who resisted orders or tried to escape faced violent punishment. The court cited several incidents of brutality, including a shooting in October 2023, where armed members opened fire on people attempting to flee one of the scam sites, resulting in four deaths.

The criminal organization’s activities reflected the broader challenge of cross-border cybercrime in Southeast Asia, where corruption and ongoing conflicts have allowed criminal groups to thrive. The Ming family and their associates reportedly leveraged their local political and military connections to protect their network and expand operations into drug trafficking, illegal casinos, and organized prostitution.

China intensified its crackdown on such scam networks in 2023 following mounting public pressure from families of trafficked victims and growing media attention. In November that year, Chinese authorities issued warrants for members of the Ming family, offering rewards ranging from $14,000 to $70,000 for information leading to their arrest. The group’s leader, who had reportedly served as a member of a regional parliament in Myanmar, took his own life while in custody, according to Chinese state media.

The court also sentenced five additional defendants to death with a two-year reprieve and imposed prison terms ranging from five to twenty-four years on twelve others. Chinese authorities stated that the group’s crimes led to at least ten deaths.

Beijing’s actions form part of a broader regional effort to dismantle cybercrime rings that target Chinese citizens. Authorities have reported that over 53,000 suspects and victims have been repatriated from scam compounds in northern Myanmar since the crackdown began.

Despite recent enforcement measures, experts note that Southeast Asia’s online scam networks remain highly adaptive. Many criminal groups are turning to cryptocurrencies and artificial intelligence to expand operations and conceal financial flows. Analysts warn that while the convictions mark a strong legal response, eradicating cross-border fraud will require deeper cooperation between governments, stricter financial monitoring, and ongoing protection for victims of trafficking.



Fake SIM Cards Fuel Cybercrime Surge as Eastern Uttar Pradesh Emerges Under Scrutiny

A quiet digital crisis is spreading across India. In the past three months, the Department of Telecommunications (DoT) has disconnected more than 6.1 million mobile numbers after uncovering large-scale fraudulent registrations. 

Investigators say eastern Uttar Pradesh has become a major centre for this growing network of fake SIM cards. The findings reveal how fake mobile connections are being used to power phishing calls, financial scams, and other forms of cybercrime. Government data shows that around 3.2 million fake SIM cards were traced to western Uttar Pradesh, while 1.6 million originated from the eastern region. These connections, officials say, often serve as digital weapons for organized criminal groups operating across India. 

To counter this threat, the government has launched the Sanchar Saathi portal (sancharsaathi.gov.in) and a companion mobile app. Through this platform, users can check all mobile numbers issued in their name using the “Know My Mobile Connections” feature. 

It allows them to identify unfamiliar numbers and report them for immediate action. Officials believe this initiative will help citizens monitor their telecom identities and reduce the misuse of personal data. By creating transparency between users and service providers, the government hopes to build stronger digital accountability. 

The Issue of Multiple SIM Cards 

During the nationwide verification exercise, authorities discovered that thousands of individuals possessed more than nine SIM cards. 

The DoT has now ordered these connections to be re-verified, warning that any unverified numbers will be blocked. Investigators say such cases often involve forged identity documents used by fraud networks to acquire SIM cards in bulk for illegal use. 

Experts Warn of a Larger Security Risk 

Cybercrime experts caution that fake SIM cards are not a minor irregularity but part of a much larger problem. They form the base of several online frauds, from financial theft to digital impersonation. 

Professor Triveni Singh, a well-known cybercrime expert and former IPS officer, explains, “SIM card fraud is not merely a local problem. It is a threat that cuts across personal financial safety and national security alike. Unless identity verification systems are made foolproof and strictly enforced, the risk will continue to grow.” 

His statement reflects the growing anxiety among cybersecurity professionals who see telecom identity fraud as a weak link that can be exploited by criminal networks and even foreign actors. 

A Call for Vigilance 

For ordinary citizens, the government’s findings serve as a reminder that their digital identities can be misused without their knowledge. 

A SIM card registered under someone’s name could be used to commit crimes, leading to serious legal and financial consequences. 

To prevent such misuse, officials are urging citizens to visit the Sanchar Saathi portal, verify their mobile numbers, and flag any they do not recognize. 

The process involves entering the mobile number, verifying with an OTP, and reviewing all active connections under the user’s name. Suspicious or unused numbers can be reported for deactivation. 

Looking Ahead 
 
The situation in Uttar Pradesh highlights a deeper issue within India’s telecom ecosystem. While the government’s new verification system marks a step forward, experts say its success depends on public awareness and regular participation. 

As digital fraud becomes more sophisticated, even one fake SIM card can be enough to compromise a person’s safety or reputation. Strengthening telecom verification and encouraging citizens to take responsibility for their digital presence are now crucial steps in protecting India’s connected future.

Karnataka Tops Cybercrime Cases in India with Bengaluru Emerging as the Epicenter

Karnataka has earned the unfortunate distinction of being the cybercrime capital of India, accounting for more than a quarter of all reported cases in the country. According to the latest data released by the National Crime Records Bureau (NCRB), the State registered 21,889 cybercrime incidents in 2023, representing 25.57% of the national tally. This figure placed Karnataka well ahead of Telangana, which reported 18,236 cases and ranked second. 

At the core of this rise is Bengaluru, the State’s technology hub and India’s leading IT city. The city alone recorded 17,631 cybercrime cases in 2023, making it the highest in the country. Among metropolitan cities, Bengaluru accounted for more than half—51.92%—of all cases across the 19 metros. Hyderabad followed at a distant second with 4,855 cases. The scale of the issue in Bengaluru is striking, with its cybercrime rate standing at 207.4 cases per lakh population, a figure more than seven times higher than the national average. 

The upward trend is evident in recent years. From 6,423 cases in 2021 to 9,940 in 2022, Bengaluru witnessed a sharp escalation, crossing 17,600 cases in 2023. Data indicates that fraud and sexual exploitation remain the primary motives behind the crimes. Although Karnataka logged a marginal increase to 22,468 cybercrime cases in 2024, the trajectory in 2025 has shown a slight decline, with 7,293 cases reported halfway through the year. Police officials, however, caution that while case numbers may be lower, the sophistication of scams and the financial impact on victims continue to intensify. 

Despite the surge in reporting, conviction rates remain alarmingly low. In 2023, Karnataka recorded only 44 convictions, including cases from previous years, alongside 60 acquittals. In Bengaluru, less than 0.3% of cases resulted in conviction, raising concerns about deterrence and enforcement effectiveness. Experts argue that the shortage of skilled cybercrime investigators is one of the key reasons behind the poor conviction rates.  

Senior police officers attribute the State’s high numbers to multiple factors: poor cyber hygiene, inadequate awareness, and a constantly evolving modus operandi by fraudsters. Bengaluru’s status as an IT hub also contributes, with a mixed population engaging heavily in investment platforms, e-commerce, and online trading. This has led to an increase in scams such as investment fraud and courier-related cons, often targeting educated individuals seeking higher returns. 

Cybersecurity experts warn that insufficient awareness programs and the lack of inter-State collaboration in investigations allow fraudsters to escape accountability. They emphasize that Karnataka’s newly developed Cyber Command Unit (CCU) could become a game-changer in strengthening the State’s response, particularly following the High Court’s directive to enhance its capabilities.  

Karnataka’s experience underscores a larger national challenge—while cybercrime continues to escalate, enforcement, awareness, and conviction efforts must evolve to keep pace with increasingly sophisticated digital frauds.

Teens Arrested Over Scattered Spider’s $115M Hacking Spree

Law enforcement authorities in the United States and United Kingdom have arrested two teenagers connected to the notorious Scattered Spider hacking collective, charging them with executing an extensive cybercrime operation that netted over $115 million in ransom payments.

The UK's National Crime Agency arrested 19-year-old Thalha Jubair of East London and 18-year-old Owen Flowers of Walsall, West Midlands, at their homes on Tuesday. Both suspects appeared in a London court on Thursday to face charges related to their alleged involvement in a cyberattack against Transport for London (TfL) in August 2024.

Scale of criminal activity

The US Justice Department has charged Jubair with participating in at least 120 computer network intrusions and extortion attempts targeting 47 US organizations from May 2022 to September 2025. Federal authorities allege these attacks caused victims to pay more than $115 million in ransom payments, with the malicious activities causing significant disruptions to US enterprises, critical infrastructure, and the federal judicial system.

Timeline of offenses

Investigators believe Jubair began his cybercriminal activities at age 14, with the hacking spree spanning from 2022 until last month. Flowers was initially arrested in September 2024 for the TfL attack but was released on bail before being rearrested. Both suspects had previously been detained in July for data theft incidents targeting UK retailers including Marks & Spencer, Harrods, and Co-op Group.

Scattered Spider distinguishes itself from other cybercriminal organizations through the notably young age of its members and their English-speaking proficiency. The group employs sophisticated social engineering tactics, frequently impersonating IT support personnel to deceive employees into revealing passwords or installing remote access software. Their attacks have disrupted major organizations including MGM Resorts and Caesars Entertainment in Las Vegas during 2023.

Legal consequences 

Jubair faces multiple charges related to computer fraud and money laundering, with prosecutors indicating he could receive a maximum sentence of 95 years in prison if convicted. Investigators linked the breaches to Jubair through evidence showing he managed servers hosting cryptocurrency wallets used for receiving ransom payments. 

Flowers faces additional charges for conspiring to infiltrate and damage networks of US healthcare companies SSM Health Care Corporation and Sutter Health.

BreachForums Founder Resentenced to Three Years After Appeal

In a significant legal outcome for the cybersecurity landscape, Conor Fitzpatrick, the founder of the notorious BreachForums underground hacking site, has been resentenced to three years in federal prison after appeals overturned his previous lenient sentence. 

Fitzpatrick, who operated under the alias Pompompurin, was originally arrested in March 2023 for running the forum and faced multiple charges: access device conspiracy, access device solicitation, and possession of child sexual abuse material (CSAM). He pleaded guilty to all counts in January 2024 and was initially handed 17 days in jail and 20 years of supervised release, a punishment prosecutors sharply criticized as dramatically insufficient given the gravity of his crimes. 

Appeals and resentencing 

The U.S. Court of Appeals for the Fourth Circuit agreed with prosecutors, declaring the original sentence “substantively unreasonable” for failing to serve proper sentencing purposes. This led to Fitzpatrick’s resentencing and a harsher three-year prison term.

BreachForums, which emerged in March 2022 as a successor to the dismantled RaidForums, became one of the most active online marketplaces for stolen data and compromised credentials. At its peak, it hosted more than 14 billion individual records and counted 330,000 members among its user base. U.S. authorities emphasized that Fitzpatrick “personally profited from the sale of vast quantities of stolen information,” ranging from private personal details to sensitive commercial data. 

Despite repeated law enforcement takedown attempts, BreachForums managed to resurface multiple times, illustrating the resilience of such underground communities. The arrest of Baphomet, the admin who took over after Fitzpatrick was detained, did little to slow the forum; it slipped into the hands of ShinyHunters, a cybercriminal group linked to several high-profile data breaches. 

As of mid-September 2025, BreachForums is offline, with its maintainers announcing a decision to “go dark”—a phrase that suggests a possible strategic retreat rather than a permanent closure. This mirrors the recent moves of other infamous cybercrime collectives like Lapsus$ and Scattered Spider, who have also vanished from the digital underground, at least for now.

Context and implications 

The case of Conor Fitzpatrick and BreachForums highlights the challenges of prosecuting transnational cybercrime and the difficulties law enforcement faces in permanently dismantling underground hacking forums. Despite impressive numbers—14 billion records, hundreds of thousands of members—the legal outcome for operators is often uncertain, with initial sentences sometimes appearing disproportionately light compared to the scale of the harm caused.

The resentencing of Fitzpatrick marks a tightening stance by the U.S. Department of Justice, signaling that courts are now more willing to impose harsher penalties on those who profit from stolen data and operate platforms that enable large-scale cybercrime. Yet, even as high-profile forums like BreachForums disappear, the enduring cycle of takedown, migration, and reemergence of similar platforms suggests that the broader threat will persist as long as demand for stolen data remains high.

SIM Cloning and Aadhaar Data Theft Expose Massive Cyber Heist in Amroha

A sophisticated cyber heist in Amroha, Uttar Pradesh, has exposed critical vulnerabilities in India's Aadhaar biometric identification system, where cybercriminals successfully cloned SIM cards and stole biometric data from over 1,500 citizens across 12 states. This elaborate fraud network, operating primarily from Badaun and Amroha districts, represents one of the most significant identity theft operations uncovered in recent years.

The criminal enterprise was masterminded by Ashish Kumar, a BTech dropout, who developed sophisticated counterfeit websites that closely resembled official Aadhaar and Passport Seva portals. These fake platforms enabled the gang to input fraudulent data and generate forged documents, including passports, with access sold to a network of 200 to 300 agents spread across multiple states.

The cybercriminals employed advanced technical methods to bypass UIDAI security systems, including cloning credentials of authorized Aadhaar operators and copying sensitive biometrics like iris scans. They utilized specialized software to overcome geo-fencing restrictions that normally prevent remote access to Aadhaar portals, allowing them to upload tampered biometric data from unauthorized locations. 

A key component of their operation involved manipulating fingerprint scanners to accept silicone-molded fingerprints created from impressions collected from legitimate operators and vulnerable individuals, many from underprivileged backgrounds. These altered scanners successfully fooled the system's biometric authentication, bypassing Aadhaar's real-time security locks. 

The fraud network charged clients between ₹2,000 and ₹5,000 for illegally updating personal details such as names, birth dates, addresses, or mobile numbers on Aadhaar cards. The operation extended beyond Aadhaar manipulation to include creating fake birth certificates and ration cards to support fraudulent identity changes. 

Following stricter verification protocols introduced in December 2024, the gang adapted their tactics, using forged documents on third-party platforms to create over 20 fake passports, several of which were successfully uploaded into the UIDAI system. Investigators recovered at least 400 forged supporting documents during the investigation.

The joint cyber team, supervised by SP Sambhal Krishna Kumar Bishnoi and ASP Anukriti Sharma, arrested four key players: Ashish Kumar, Dharmender Singh, and Raunak Pal from Badaun, and Kasim Hussain from Amroha. All accused face charges under the Aadhaar Act, Information Technology Act, and Passport Act for identity theft, cheating, and unauthorized access to protected systems. 

This case highlights significant security gaps in India's digital identity infrastructure and the sophisticated methods employed by cybercriminals to exploit biometric authentication systems.

U.S. Sanctions Cybercrime Networks Behind $10 Billion in Fraud

The United States Treasury has announced sweeping sanctions against criminal groups accused of running large-scale online scams that cost Americans more than $10 billion last year. The targeted networks, mainly operating out of Myanmar and Cambodia, are accused not only of financial fraud but also of serious human rights abuses.


How the scams work

Authorities say the groups rely on a mix of fraudulent tactics to trick people into sending money. Common schemes include romance scams, in which criminals build fake online relationships to extract funds, and investment frauds that present convincing but false opportunities. Victims often believe they are dealing with legitimate businesses or partners, only to later discover that their savings have vanished.

Investigators also described disturbing practices inside these scam compounds. Many operations reportedly force people, often trafficked across borders, into working long hours under threats of violence. Survivors describe conditions that amount to modern-day slavery, with physical abuse used to maintain control.


Why sanctions were imposed

To disrupt these activities, the Treasury’s Office of Foreign Assets Control (OFAC) blacklisted nearly two dozen individuals and entities. Those sanctioned include property owners who rent out space for scam centers, energy suppliers that keep the compounds running, holding companies tied to armed groups in Myanmar, and organizers of money-laundering networks.

Once placed on the OFAC list, people and organizations lose access to any assets that fall under U.S. jurisdiction. They are also cut off from the American banking system and cannot transact in U.S. dollars. U.S. citizens and businesses are prohibited from dealing with them, and even non-U.S. companies typically avoid contact to prevent secondary penalties.


Scale of the problem

The Treasury noted that reported losses linked to Southeast Asian scams rose 66 percent in a single year, reflecting how quickly these operations are expanding. The scams have become highly sophisticated, with call centers staffed by English-speaking workers, slick websites, and carefully scripted methods for gaining trust. This combination makes them harder for individuals to detect and easier for the criminals to scale globally.


Implications for victims and prevention

Officials stress that the financial impact is only part of the damage. Beyond the billions stolen from households, thousands of people are trapped in the scam compounds themselves, unable to leave. The sanctions are designed to cut off the networks’ financial lifelines, but enforcement alone cannot stop every fraudulent attempt.

Experts urge the public to remain watchful. Requests for money from strangers met online, or platforms promising unusually high returns, should raise red flags. Before investing or transferring funds, individuals should verify companies through independent and official sources. Suspected fraud should be reported to authorities, both to protect oneself and to aid broader crackdowns on these networks.


Cybercriminals Weaponize AI for Large-Scale Extortion and Ransomware Attacks

AI company Anthropic has uncovered alarming evidence that cybercriminals are weaponizing artificial intelligence tools for sophisticated criminal operations. The company's recent investigation revealed three particularly concerning applications of its Claude AI: large-scale extortion campaigns, fraudulent recruitment schemes linked to North Korea, and AI-generated ransomware development. 

Criminal AI applications emerge 

In what Anthropic describes as an "unprecedented" case, hackers utilized Claude to conduct comprehensive reconnaissance across 17 different organizations, systematically gathering usernames and passwords to infiltrate targeted networks.

The AI tool autonomously executed multiple malicious functions, including determining valuable data for exfiltration, calculating ransom demands based on victims' financial capabilities, and crafting threatening language to coerce compliance from targeted companies. 

The investigation also uncovered North Korean operatives employing Claude to create convincing fake personas capable of passing technical coding evaluations during job interviews with major U.S. technology firms. Once successfully hired, these operatives leveraged the AI to fulfill various technical responsibilities on their behalf, potentially gaining access to sensitive corporate systems and information. 

Additionally, Anthropic discovered that individuals with limited technical expertise were using Claude to develop complete ransomware packages, which were subsequently marketed online to other cybercriminals for prices reaching $1,200 per package. 

Defensive AI measures 

Recognizing AI's potential for both offense and defense, ethical security researchers and companies are racing to develop protective applications. XBOW, a prominent player in AI-driven vulnerability discovery, has demonstrated significant success using artificial intelligence to identify software flaws. The company's integration of OpenAI's GPT-5 model resulted in substantial performance improvements, enabling the discovery of "vastly more exploits" than previous methods.

Earlier this year, XBOW's AI-powered systems topped HackerOne's leaderboard for vulnerability identification, highlighting the technology's potential for legitimate security applications. Multiple organizations focused on offensive and defensive strategies are now exploring AI agents to infiltrate corporate networks for defense and intelligence purposes, assisting IT departments in identifying vulnerabilities before malicious actors can exploit them. 

Emerging cybersecurity arms race 

The simultaneous adoption of AI technologies by both cybersecurity defenders and criminal actors has initiated what experts characterize as a new arms race in digital security. This development represents a fundamental shift where AI systems are pitted against each other in an escalating battle between protection and exploitation. 

The race's outcome remains uncertain, but security experts emphasize the critical importance of equipping legitimate defenders with advanced AI tools before they fall into criminal hands. Success in this endeavor could prove instrumental in thwarting the emerging wave of AI-fueled cyberattacks that are becoming increasingly sophisticated and autonomous. 

This evolution marks a significant milestone in cybersecurity, as artificial intelligence transitions from merely advising on attack strategies to actively executing complex criminal operations independently.

Hacker Exploits AI Chatbot Claude in Unprecedented Cybercrime Operation

A hacker has carried out one of the most advanced AI-driven cybercrime operations ever documented, using Anthropic’s Claude chatbot to identify targets, steal sensitive data, and even draft extortion emails, according to a new report from the company. 

Anthropic disclosed that the attacker leveraged Claude Code — a version of its AI model designed for generating computer code — to assist in nearly every stage of the operation. The campaign targeted at least 17 organizations across industries including defense, finance, and healthcare, making it the most comprehensive example yet of artificial intelligence being exploited for cyber extortion. 

Cyber extortion typically involves hackers stealing confidential data and demanding payment to prevent its release. AI has already played a role in such crimes, with chatbots being used to write phishing emails. However, Anthropic’s findings mark the first publicly confirmed case in which a mainstream AI model automated nearly the entire lifecycle of a cyberattack. 

The hacker reportedly prompted Claude to scan for vulnerable companies, generate malicious code to infiltrate systems, and extract confidential files. The AI system then organized the stolen data, analyzed which documents carried the highest value, and suggested ransom amounts based on victims’ financial information. It also drafted extortion notes demanding bitcoin payments, which ranged from $75,000 to more than $500,000. 

Jacob Klein, Anthropic’s head of threat intelligence, said the operation was likely conducted by a single actor outside the United States and unfolded over three months. “We have robust safeguards and multiple layers of defense for detecting this kind of misuse, but determined actors sometimes attempt to evade our systems through sophisticated techniques,” Klein explained. 

The report revealed that stolen material included Social Security numbers, bank records, medical data, and files tied to sensitive defense projects regulated by the U.S. State Department. Anthropic did not disclose which companies were affected, nor did it confirm whether any ransom payments were made. 

While the company declined to detail exactly how the hacker bypassed safeguards, it emphasized that additional protections have since been introduced. “We expect this model of cybercrime to become more common as AI lowers the barrier to entry for sophisticated operations,” Anthropic warned. 

The case underscores growing concerns about the intersection of AI and cybersecurity. With the AI sector largely self-regulated in the U.S., experts fear similar incidents could accelerate unless stronger oversight and security standards are enforced.

Pakistani Cybercriminals Turn Piracy Against Pirates in $4M Malware Scheme

A massive cybercrime operation based in Pakistan has been exposed after running a sophisticated infostealer malware campaign for five years, generating over $4 million by targeting software pirates. 

Operation details

The criminal network, primarily operating from Bahawalpur and Faisalabad, functioned like a multi-level marketing scheme but distributed malicious code instead of legitimate products. According to research, the group used search engine optimisation poisoning and forum posts to advertise pirated software such as Adobe After Effects and Internet Download Manager. 

Victims were redirected to malicious WordPress sites where infostealer malware, including Lumma Stealer, Meta Stealer, and AMOS, was hidden within password-protected archives. The operation utilised disposable domains to mask the true source of infections, making detection more difficult. 

Financial infrastructure

The scheme's backbone consisted of two Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia (later rebranded as Installstera). Over 5,200 affiliates operated at least 3,500 sites, earning payments for each successful malware installation or download. Payments were processed primarily through Payoneer and Bitcoin. 

The scale was enormous, with records showing 449 million clicks and more than 1.88 million installations during the documented period. Long-running domains proved most profitable, with a small fraction generating the majority of revenue. 

Downfall and exposure

The operation was accidentally exposed when the attackers themselves became infected by infostealer malware, revealing credentials, communications, and backend access to their own systems. This breach uncovered evidence of family involvement, with recurring surnames and shared accounts throughout the infrastructure. The group evolved their tactics over time, shifting from install-based tracking in 2020 to download-focused metrics in later years, possibly to evade detection or adapt monetisation methods. 

How to stay safe 

  • Avoid cracked or pirated software; rely on official developer sites and reputable distributors to prevent infostealer exposure at the source. 
  • Keep security suites updated and configure firewalls to block outbound C2 communication, reducing post-compromise impact if malware executes. 
  • Enable multi-factor authentication so stolen credentials are insufficient for account takeovers, and monitor accounts for identity-theft signals.
  • Maintain offline or secure cloud backups for recovery, stay alert to suspicious domain activity, and distrust “free” offers for expensive software, which often conceal malware.

‘Samourai’ Cryptomixer Founders Admit to Money Laundering Charges

Two executives behind a cryptocurrency service called Samourai Wallet have admitted in court that they helped criminals hide more than $200 million.

Keonne Rodriguez, the company’s CEO, and William Lonergan Hill, its chief technology officer, pleaded guilty to conspiracy charges in the United States. Both men admitted they had knowingly operated an unlicensed money-transmitting business that was used to clean illegal funds.

Under the law, Rodriguez and Hill face a maximum prison sentence of five years each, along with financial penalties. They will also have to give up more than $200 million as part of their plea deal.

The U.S. Department of Justice (DOJ) had first arrested the pair in April last year. Prosecutors accused them of two main crimes: running a business without the required license and laundering money, a serious charge that can carry up to 20 years in prison.

Authorities say the two executives built Samourai in 2015 with tools designed to make it harder to track money on the blockchain, which is the public digital record of cryptocurrency transactions.

Samourai’s services worked in two main ways:

• Whirlpool: A mixing feature that bundled together Bitcoin transactions from multiple users. This made it harder to trace where the money originally came from.

• Ricochet: A tool that added extra steps called “hops” between the sending and receiving addresses. This technique was meant to confuse investigators and disguise the money trail.
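The two patterns above, a chain of single-input/single-output "hops" and a pooled transaction that pays out equal amounts, are exactly what blockchain investigators look for when following funds. As an added illustration (not code from the original post and not the Samourai project's own software), the Python below traces value across a small constructed ledger from an investigator's point of view. The `Tx` type, the `linear_chain` and `trace_forward` helpers and the sample addresses are all assumptions made for this example; the ledger is made-up data, not real chain records. It shows why hops alone do not hide a trail (the walk stays linear) while a pooled, equal-output transaction leaves several equally plausible successors, which is the ambiguity investigators then have to resolve by other means.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Tx:
    """One transaction: which addresses it spends from and where value goes."""
    txid: str
    inputs: list      # addresses whose funds are consumed
    outputs: list     # (address, amount) pairs created


# Constructed sample ledger (not real chain data). 'theft_addr' holds funds an
# investigator wants to follow; h1..h3 are single-in/single-out hops; m1 pools
# three unrelated parties and pays out equal amounts; c1 spends one of them.
SAMPLE_TXS = [
    Tx("h1", ["theft_addr"], [("hop1", 10)]),
    Tx("h2", ["hop1"], [("hop2", 10)]),
    Tx("h3", ["hop2"], [("hop3", 10)]),
    Tx("m1", ["hop3", "user_b", "user_c"],
       [("out1", 10), ("out2", 10), ("out3", 10)]),
    Tx("c1", ["out2"], [("cashout", 10)]),
]


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    spends = {}
    for tx in txs:
        for addr in tx.inputs:
            spends.setdefault(addr, []).append(tx)
    return spends


def looks_like_mix(tx):
    """Analyst heuristic: several distinct input parties and two or more
    outputs of identical size, so no single output can be singled out."""
    amounts = [amt for _, amt in tx.outputs]
    return len(set(tx.inputs)) > 1 and len(amounts) > 1 and len(set(amounts)) == 1


def linear_chain(txs, start):
    """Walk forward while each step is a single-input, single-output transfer.
    Returns the ordered address list; stops at the first branch or pool."""
    spends = build_spend_index(txs)
    path = [start]
    while True:
        nxt = spends.get(path[-1], [])
        if len(nxt) != 1 or len(nxt[0].inputs) != 1 or len(nxt[0].outputs) != 1:
            return path
        out_addr = nxt[0].outputs[0][0]
        if out_addr in path:      # guard against cycles in malformed data
            return path
        path.append(out_addr)


def trace_forward(txs, start):
    """Follow funds from `start` through every spending transaction.
    Returns (reachable_addresses, ambiguities); `ambiguities` lists
    (txid, candidate_output_count) for each pooled transaction crossed,
    i.e. the points where the trail can no longer name one successor."""
    spends = build_spend_index(txs)
    seen = {start}
    visited_tx = set()
    queue = deque([start])
    ambiguities = []
    while queue:
        addr = queue.popleft()
        for tx in spends.get(addr, []):
            if tx.txid in visited_tx:
                continue
            visited_tx.add(tx.txid)
            if looks_like_mix(tx):
                ambiguities.append((tx.txid, len(tx.outputs)))
            for out_addr, _ in tx.outputs:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append(out_addr)
    seen.discard(start)
    return seen, ambiguities


if __name__ == "__main__":
    print("hop chain:", " -> ".join(linear_chain(SAMPLE_TXS, "theft_addr")))
    reach, amb = trace_forward(SAMPLE_TXS, "theft_addr")
    print("possible holders:", sorted(reach))
    print("ambiguity points:", amb)
```

Running the script walks the three hops deterministically, then reports that the pooled transaction m1 leaves three candidate outputs, one of which (out2) is later spent to a cash-out address. Real chain analysis adds much more (amount and timing correlation, address clustering, exchange attribution), but the core idea that hops are reversible while pooled equal outputs are not is what the tools described above relied on.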

Prosecutors explained that these tools were heavily used by cybercriminals. They were linked to proceeds from online thefts, drug trafficking, and fraud schemes. According to the DOJ, the scale of activity was massive: between 2017 and 2019, over 80,000 Bitcoin flowed through Samourai’s services. At the time of those transactions, the total value was estimated at more than $2 billion.

While the company portrayed itself as offering privacy, federal investigators say it profited directly from crime. Samourai’s mixing services alone generated more than $6 million in fees for Rodriguez and Hill.

Speaking about the case, U.S. Attorney Nicolas Roos emphasized that when cryptocurrency platforms are abused for crime, it damages public trust and puts pressure on legitimate companies trying to operate within the law.

The case underlines how regulators are cracking down on cryptocurrency “mixers,” services that blend together digital transactions to hide their origins. While privacy is one of cryptocurrency’s appeals, officials warn that these tools often provide cover for large-scale money laundering.