Polish law enforcement authorities have arrested four suspected members of an organized cybercrime group accused of orchestrating intricate SIM-swapping attacks that allegedly enabled the theft of millions of dollars in cryptocurrency from victims. The coordinated operation was led by Poland's Central Bureau for Combating Cybercrime (CBZC) with operational assistance from the U.S. Federal Bureau of Investigation (FBI) and Homeland Security Investigations (HSI), highlighting the cross-border nature of the investigation.
According to investigators, the group combined technical intrusions with social engineering techniques to compromise organizations working alongside telecommunications providers. By infiltrating partner infrastructure and gaining unauthorized access to employee email accounts, the suspects allegedly obtained sensitive information that enabled them to perform fraudulent SIM-swapping attacks.
A SIM-swap attack involves transferring a victim's mobile phone number to a SIM card controlled by an attacker. Once the transfer is completed, the attacker can intercept SMS messages, one-time verification codes, password reset requests, and other communications that rely on the victim's phone number for authentication.
Authorities allege that after taking control of victims' mobile numbers, the cybercriminals intercepted SMS-based authentication messages and email communications before using that access to seize control of cryptocurrency exchange accounts. The attackers then transferred digital assets from compromised accounts before attempting to conceal the proceeds through an extensive laundering operation.
Investigators estimate that the criminal scheme generated millions of U.S. dollars in stolen cryptocurrency. The illicit proceeds were allegedly moved through a distributed financial network consisting of multiple domestic and international bank accounts, international payment platforms, and multi-currency digital wallets in an effort to obscure the origin of the funds. Polish authorities estimate that the total amount laundered exceeded tens of millions of Polish złoty, equivalent to at least approximately US$5 million based on current exchange rates.
In a statement describing the operation, CBZC said the suspects relied on specialized software together with social engineering techniques to gain unauthorized access to infrastructure belonging to organizations cooperating with telecommunications operators, as well as employee email accounts. Investigators said the information obtained during those compromises enabled the illegal cloning and takeover of victims' phone numbers through SIM-swapping attacks.
Authorities further stated that the suspects allegedly treated the criminal enterprise as a continuous source of income, repeatedly moving stolen assets across numerous financial accounts and cryptocurrency wallets located in multiple jurisdictions to complicate financial tracing efforts.
All four suspects have been placed in pre-trial detention. They face allegations including participation in an organized criminal organization, unauthorized access to information systems to facilitate theft, and money laundering. If convicted, the offenses carry penalties of up to 25 years' imprisonment under Polish law.
While Polish authorities have not publicly identified the individuals arrested because of the ongoing international investigation, blockchain investigator ZachXBT claimed that one of the detainees is Wojtek Kulisz, also known online by the alias "Merry." The identification was reportedly based on items visible in official footage released during the police operation. Authorities have not independently confirmed that claim.
Investigators have also declined to disclose which cryptocurrency exchanges were affected or identify the victims, citing the continuing international investigation. Law enforcement agencies say efforts to identify additional victims, trace stolen assets, and pursue further investigative leads remain ongoing.
The case stresses the urgency of the risks associated with SMS-based authentication. Security professionals have long advised cryptocurrency investors and organizations to replace SMS-based two-factor authentication with authenticator applications or hardware security keys whenever possible, as SIM-swapping attacks remain an effective method for bypassing text message verification when attackers successfully compromise telecommunications systems or manipulate carrier processes.
Ransomware operators continue to generate substantial profits, with new research from Rapid7 indicating that several cybercrime groups are recording revenue growth that outpaces many publicly traded businesses.
According to the cybersecurity firm's analysis, ransomware groups collectively received an estimated $529.2 million during the first quarter of 2026. That figure represents a 39% increase compared with the same period a year earlier. Rapid7 noted that none of the companies within the FTSE 350 index reported year-over-year revenue growth exceeding 30% during that quarter, placing ransomware operators among the fastest-growing entities examined in the study.
Several well-established ransomware operations appear to be benefiting from this trend. Rapid7 estimates that the Qilin ransomware group generated approximately $193 million between July 2025 and March 2026. During the same period, the Gentleman group is estimated to have collected roughly $52 million in ransom payments.
Rapid7 researchers argue that modern ransomware operations bear little resemblance to the stereotype of small groups of hackers working independently. Instead, many function through interconnected networks of specialists who focus on specific stages of an attack. Some actors gain access to victim networks, others develop malware, while separate teams handle extortion demands and payment negotiations.
A major factor behind this growth is the emergence of Initial Access Brokers, or IABs. These actors specialize in obtaining access to corporate networks and then selling that access to other criminals. As a result, launching a ransomware attack no longer requires extensive technical expertise. Access to compromised systems, attack tools, and even managed cybercrime services can now be purchased through underground marketplaces.
Researchers say this division of labor has created a more structured criminal economy. Different groups contribute individual services, allowing ransomware campaigns to operate through networks that resemble commercial supply chains rather than isolated criminal crews.
The study also highlights the resilience of these operations. Infrastructure used by ransomware groups, including servers, data leak platforms, and victim negotiation portals, can often be restored quickly after disruptions. Law enforcement agencies, meanwhile, frequently require lengthy investigations and international coordination before conducting enforcement actions. This difference in speed allows many criminal networks to continue operating even when portions of their infrastructure are removed.
Rapid7 CTO EMEA Thom Langford said ransomware groups have demonstrated an ability to continue generating revenue despite disruptions because their operations are designed to function even when individual components are taken offline. In many cases, the removal of a single server or criminal group does not significantly affect the broader ecosystem supporting ransomware activity.
The findings come amid continued financial losses linked to cybercrime. According to the FBI's Internet Crime Complaint Center, organizations and individuals reported more than $16 billion in cybercrime losses during 2024, reflecting the growing economic impact of digital fraud, extortion, and network intrusions.
To reduce ransomware risk, Rapid7 recommends that organizations continuously review their exposed systems and identify weaknesses that could provide attackers with an entry point. Particular attention should be given to misconfigured services, overlooked assets, and internet-facing systems, which are frequently targeted by Initial Access Brokers seeking access to corporate environments.
The company also advises security teams to make greater use of threat intelligence to understand how attackers operate, including the infrastructure, tools, and access methods commonly used during intrusions. Researchers further recommend strengthening identity security through tighter access controls, least-privilege policies, and monitoring for signs that employee credentials have been stolen, resold, or abused.
According to Rapid7, disrupting ransomware attacks before attackers establish access remains one of the most effective defensive strategies. By identifying weaknesses early and restricting opportunities for credential theft, organizations may be able to prevent ransomware incidents before they progress to the extortion stage.
For years, Bitcoin was widely associated with cryptocurrency-related crime. New industry data suggests that picture has changed astronomically, with stablecoins now accounting for the vast majority of identified illicit cryptocurrency activity.
The change of terms was accentuated by Bitcoin-focused financial services company River, which cited blockchain intelligence findings showing that Bitcoin's role in unlawful crypto transactions has declined sharply over the past several years. According to data attributed to Chainalysis, Bitcoin represented roughly 70% of illicit cryptocurrency transaction volume in 2020. By 2025, that figure had fallen to approximately 7%, while stablecoins had grown to account for around 84% of identified illicit transaction volume.
The numbers point to a drastic transformation in how cybercriminals, fraud operators, sanctioned entities, and money-laundering networks move digital funds across borders.
Why Stablecoins Are Becoming More Attractive to Criminal Networks
Unlike Bitcoin and many other cryptocurrencies, stablecoins are designed to maintain a relatively fixed value, typically by being linked to a traditional currency such as the U.S. dollar.
This stability removes one of the major risks associated with cryptocurrency transactions. A criminal group holding $1 million in Bitcoin today could see the value fluctuate significantly within days. Stablecoins largely eliminate that uncertainty, allowing illicit actors to move, store, and transfer funds without being exposed to major price swings.
Researchers say this makes stablecoins particularly useful in fraud schemes, investment scams, money-laundering operations, and cross-border transfers where predictable value is important.
The spike in acceptance of stablecoins across exchanges, payment services, and over-the-counter trading networks has also contributed to their increased use. Many stablecoins can be transferred globally within minutes while maintaining a value closely tied to fiat currency, making them practical for both legitimate and illegitimate financial activity.
Bitcoin Still Appears in Certain Criminal Operations
Despite its declining share, Bitcoin has not disappeared from the cybercrime infrastructure. It is still part of the overall pipeline in digital currency exchange.
Blockchain investigators continue to observe Bitcoin being used in ransomware attacks, darknet marketplaces, and extortion schemes. In these environments, long-established infrastructure, existing payment workflows, and familiarity among threat actors continue to support Bitcoin's use.
However, analysts note that criminal organizations are increasingly treating Bitcoin as only one option within a much larger digital financial ecosystem rather than the default cryptocurrency for illicit transactions.
Illicit Crypto Activity Continues to Soar
The change in asset preference comes as blockchain intelligence firms report increases in the overall value of illicit cryptocurrency activity.
TRM Labs recently estimated that illicit cryptocurrency flows reached approximately $158 billion in 2025, representing the highest level recorded by the company. The firm reported a sharp increase from the previous year, attributing much of the growth to sanctions-related activity, sophisticated money-laundering operations, underground financial networks, and expanded use of cryptocurrency by state-linked actors.
A large portion of these transactions involved stablecoins in the grand scheme of carrying out cyber criminal activities.
Researchers also observed that sanctions-evasion networks increasingly rely on stablecoins because of their liquidity, accessibility, and ability to move large sums through multiple jurisdictions with relative speed.
Compliance and Regulatory Pressure Expected to become more stringent
The developing concentration of illicit activity within stablecoin ecosystems is likely to intensify scrutiny from regulators and law-enforcement agencies.
Unlike decentralized cryptocurrencies, many major stablecoins are issued by identifiable companies that maintain reserve assets and have the technical ability to freeze certain wallets when required by legal authorities.
As a result, policymakers are increasingly examining how stablecoin issuers monitor suspicious transactions, respond to sanctions violations, and cooperate with criminal investigations.
Several stablecoin providers have already expanded collaboration with law enforcement agencies. Tether, the issuer of USDT, has publicly reported freezing wallets connected to suspected criminal activity, while blockchain analytics companies continue to develop tracking tools designed to identify suspicious transaction patterns across networks.
Criminal Use Remains a Small Portion of Overall Activity
Although illicit cryptocurrency volumes have risen in absolute terms, researchers caution against interpreting the data as evidence that most cryptocurrency activity is criminal.
Industry reports consistently show that unlawful transactions represent only a small fraction of total blockchain activity. Stablecoins process trillions of dollars in annual transaction volume, meaning the overwhelming majority of transactions are associated with legitimate uses such as payments, trading, remittances, and settlement activities.
Nevertheless, the latest findings draw a clearer picture into how criminal groups adapt quickly to changing financial technologies. While Bitcoin once dominated illicit cryptocurrency transactions, blockchain intelligence data now suggests that stablecoins have become the preferred vehicle for many forms of crypto-enabled financial crime due to their price stability, global accessibility, and ease of transfer.
The trend is expected to remain a driving focus for regulators, compliance teams, cryptocurrency exchanges, and law-enforcement agencies as governments continue developing rules for the rapidly expanding stablecoin sector.
Hackers targeted Axios, a famous open-source JavaScript library that developers use to oversee HTTP requests. The North Korean gang accessed organizations' systems via malware that opens backdoor access to OS. Hackers targeted two versions of Axios that were downloaded over 183 million times each week; organizations that downloaded it during the particular time period were exposed to the attack.
Hackers with ties to Pyongyang gained access to the account of a software engineer who oversees the open-source program Axios on Tuesday for at least three hours. According to the report, the attackers used that access to send infected updates to any company that had downloaded the software at the time. This caused the software developer to rush to take back control of his account while cybersecurity executives nationwide attempted to determine the extent of the damage.
While the full damage may take months to fix, experts believe that hundreds of thousands of business secrets have already leaked, which can make it one of the worst data breaches.
The North Korean group, suspicious of hacking Axios is called UNC1069. Since 2018, the gang has attacked the finance industry. Mandiant believes that the hackers will "try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,"
Hacking has become a staple of North Korea. The revenue generated from these cyberattacks funds the country’s nuclear and missile programs to the point that these plans are half funded through hacking. In recent years, state-sponsored hackers have stolen billions of dollars from banks and cryptocurrency firms. This includes the infamous (and record-breaking) $1.5 billion crypto theft in 2025 in a single attack.
The recent attack was the most advanced supply chain effort to date, cleaning its tracks after installing the payload on the target device. It made detection difficult for developers who unknowingly downloaded the malicious software. Experts say that UNC1069 is not even trying to hide anymore, they just disappears before detection.
A cyber operation believed to be linked to Iranian threat actors has been identified targeting Microsoft 365 environments, with a primary focus on organizations in Israel and the United Arab Emirates. The activity comes amid ongoing tensions in the Middle East and is still considered active.
According to research from Check Point, the campaign was carried out in three separate waves on March 3, March 13, and March 23, 2026. More than 300 organizations in Israel and over 25 in the U.A.E. were affected. Investigators also observed limited targeting in Europe, the United States, the United Kingdom, and Saudi Arabia.
The attackers focused on cloud-based systems used across a wide range of sectors, including government bodies, municipalities, transportation services, energy infrastructure, technology firms, and private companies. This broad targeting indicates an effort to access both public-sector systems and critical commercial operations.
The primary method used in the campaign is known as password spraying. In this technique, attackers attempt a small number of commonly used passwords across many accounts instead of repeatedly targeting a single account. This approach increases the chances of finding weak credentials while avoiding detection systems such as account lockouts or rate-limiting controls.
Security researchers noted that similar techniques have previously been associated with Iranian groups such as Peach Sandstorm and Gray Sandstorm. The current activity appears to follow a structured sequence. It begins with large-scale scanning and password attempts routed through Tor exit nodes to conceal the origin of the traffic. This is followed by login attempts, and in successful cases, the extraction of sensitive data, including email content from compromised accounts.
Analysis of Microsoft 365 logs revealed patterns consistent with earlier operations attributed to Gray Sandstorm. Investigators observed the use of red-team style tools and infrastructure, as well as commercial VPN services linked to hosting providers previously associated with Iran-linked cyber activity in the region.
To reduce risk, organizations are advised to monitor sign-in activity for unusual patterns, restrict authentication based on geographic conditions, enforce multi-factor authentication for all users, and enable detailed audit logs to support investigation in the event of a breach.
Renewed Activity from Pay2Key Ransomware Operation
In a related development, a U.S.-based healthcare organization was targeted in late February 2026 by Pay2Key, an Iran-linked ransomware group with connections to a broader threat cluster known by multiple aliases. The group operates under a ransomware-as-a-service model and was first identified in 2020.
The version used in this attack represents an upgrade from campaigns observed in July 2025, incorporating improved techniques for evasion, execution, and anti-forensic activity. Reports from Beazley Security and Halcyon indicate that no data was exfiltrated in this instance, marking a shift away from the group’s earlier double-extortion strategy.
The intrusion is believed to have begun through an unknown access point. Attackers then used legitimate remote access software such as TeamViewer to establish a foothold. From there, they harvested credentials to move laterally across the network, disabled Microsoft Defender Antivirus by falsely indicating that another antivirus solution was active, and interfered with system recovery processes. The attackers then deployed ransomware, issued a ransom note, and cleared logs to conceal their activity.
Notably, logs were deleted at the end of the attack rather than at the beginning, ensuring that even the ransomware’s own actions were removed, making forensic analysis more difficult.
The group has also adjusted its affiliate model, offering up to 80 percent of ransom payments, compared to 70 percent previously, particularly for attacks aligned with geopolitical objectives. In addition, a Linux variant of the ransomware has been identified in the wild. This version is configuration-driven, requires root-level access to execute, and is designed to navigate file systems, classify storage mounts, and encrypt data using the ChaCha20 encryption algorithm in either full or partial modes.
Before encryption begins, the malware weakens system defenses by stopping services, terminating processes, disabling security frameworks such as SELinux and AppArmor, and setting up a scheduled task to execute after system reboot. These steps allow the ransomware to run more efficiently and persist even after restarts.
Further developments point to coordination among pro-Iranian cyber actors. In March 2026, operators associated with another ransomware strain encouraged affiliates to adopt an alternative tool known as Baqiyat 313 Locker, also referred to as BQTLock, due to a surge in participation requests. This ransomware, which operates with pro-Palestinian motives, has been used in attacks targeting the U.A.E., the United States, and Israel since July 2025.
Cybersecurity experts note that Iran has a long history of using cyber operations as a response to political tensions. Increasingly, ransomware is being integrated into these efforts, blurring the line between financially motivated cybercrime and state-aligned cyber activity. Organizations need to adopt continuous monitoring, strong authentication measures, and proactive defense strategies to counter emerging threats.
A cybercriminal group previously associated with a supply chain compromise involving the Trivy vulnerability scanner has launched another attack, this time targeting developers through manipulated Telnyx packages on the Python Package Index (PyPI).
According to findings from Ox Security, the group known as TeamPCP has re-emerged after its earlier involvement in distributing malicious versions of the LiteLLM package. That earlier campaign followed a breach affecting Trivy, an open-source vulnerability scanning tool, and resulted in compromised packages being made available to developers.
In the latest incident, the attackers appear to have interfered with the PyPI distribution of Telnyx’s Python software development kit. Telnyx, which provides voice-over-IP services and artificial intelligence-based voice solutions, had legitimate package versions replaced with altered releases containing a multi-stage information-stealing malware along with mechanisms designed to maintain long-term access on infected systems.
Researchers noted that while the malicious logic resembles what was previously observed in the LiteLLM case, the delivery technique differs. Instead of directly embedding harmful code into the package, the Telnyx versions retrieve a secondary payload disguised as a .wav audio file. This file is later decoded and executed on the victim’s machine, representing a more indirect and stealth-oriented infection method.
Telnyx acknowledged the issue and stated that it has since been resolved. The company clarified that the incident was limited strictly to its Python package and did not affect its infrastructure, network environment, APIs, or core services. However, it warned that any system where the affected package versions were installed should be considered compromised.
Users have been specifically advised to check whether they installed versions 4.87.1 or 4.87.2. If so, the recommendation is to treat the affected environment as breached and immediately rotate any credentials that may have been exposed.
The potential scale of exposure is notable. Ox Security reported that Telnyx packages receive more than 34,000 downloads per week on PyPI, suggesting that a considerable number of developers and services may have unknowingly installed the malicious versions before they were removed.
RedLine Infostealer Case Leads to Extradition
In a separate law enforcement development, a suspected individual connected to the RedLine infostealer operation has been extradited to the United States. Hambardzum Minasyan, an Armenian national, recently appeared in federal court in Austin, Texas.
He faces charges that include conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to engage in money laundering. According to court documents, his alleged role involved setting up virtual private servers and domains used to host RedLine infrastructure, maintaining repositories used to distribute the malware to affiliates, and registering cryptocurrency accounts used to collect payments.
If convicted on all counts, Minasyan could face a maximum sentence of 30 years in prison.
Authorities had previously identified another alleged key figure, Maxim Rudometov, in 2024, describing him as a central developer and operator of the RedLine malware. The U.S. government later announced a reward of $10 million for information related to Rudometov and his associates. It remains unclear whether any reward was issued in connection with Minasyan’s arrest.
EU Examines Snapchat and Adult Platforms Under Digital Services Act
Regulators in the European Union have also taken action against several online platforms over concerns related to child safety and compliance with the Digital Services Act.
Adult content platforms including Pornhub, Stripchat, XNXX, and XVideos have been provisionally found to be in violation of the law. The European Commission stated that these platforms rely on basic self-declaration systems requiring users to confirm they are over 18, without implementing robust age-verification mechanisms.
As these findings are preliminary, the companies have been given an opportunity to respond before any enforcement measures are finalized.
Snapchat is also under scrutiny, though at an earlier stage of investigation. The European Commission has indicated that the platform may face similar issues, particularly in relying on self-declared age verification. Regulators have raised concerns that such measures may not adequately protect minors from harmful interactions, including risks related to exploitation or recruitment into criminal activity.
A detailed investigation into Snapchat’s practices is now underway to determine whether further regulatory action is required.
LAPSUS$ Claims Data Leak from AstraZeneca
Meanwhile, the threat group LAPSUS$ has released a dataset totaling 2.66 GB, claiming it was stolen from pharmaceutical company AstraZeneca. If confirmed, the incident could become one of the more significant healthcare-related cybersecurity events of the year.
Analysis from SOCRadar suggests that the exposed data may include internal code repositories, authentication-related information, cloud infrastructure references, and employee records. Researchers indicated that the nature of the data points to a deeper operational compromise rather than a limited credential leak.
Such information could potentially be used to carry out further attacks, including targeted phishing campaigns or supply chain intrusions affecting AstraZeneca’s partners. The full dataset was reportedly released publicly over the weekend.
US Researchers Develop Large-Scale AI Vulnerability Detection System
In another development, researchers at Oak Ridge National Laboratory have introduced an advanced system designed to identify and exploit vulnerabilities in artificial intelligence models at scale.
The system, named Photon, operates at exascale computing levels and is capable of continuously probing AI systems for weaknesses. It begins by applying known attack techniques to a target model and then refines those methods based on observed responses. At the same time, it searches for previously unknown vulnerabilities and incorporates them into its testing cycle.
According to the research team, Photon was able to maintain approximately 95 percent computational efficiency while running across 1,920 GPUs on the Frontier supercomputer. It also reduced many of the operational bottlenecks typically associated with large-scale AI red-team testing.
Researchers describe Photon as a defining shift in AI security practices, enabling automated and continuous vulnerability discovery. However, they also noted that such capabilities are currently limited to highly resourced environments, meaning that widespread misuse by threat actors is unlikely in the near future.