Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for the ‘Information Security’ Category

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on February 5, 2024

In mid-December 2023, Microsoft took drastic action against a #cybercrime gang known as #Storm1152. Like so many criminal gangs, this group has commoditized its “offering” to facilitate other criminals in their online efforts to infiltrate and harm companies and individuals globally.

More specifically, Microsoft obtained a court order from the Southern District of New York, allowing it to seize the U.S.-based infrastructure used by the criminal outfit. Microsoft estimates that this infrastructure supported the creation of approximately 750 million fraudulent websites and accounts, enabling, in turn, an untold number of ransomware, data theft, extortion, and CAPTCHA-avoidance gambits, as well as other generalized scumbag behavior.

This infrastructure seizure is a major victory, as it degrades a significant attack vector faced by countless cyber defenders – the world over. Kudos to the investigative teams at Microsoft. With luck, their referral to #lawenforcement will net some arrests and convictions in the months ahead.

#cybercrime #AisA #karma #justice #extortion #ransomware #digitalforensics #cyberattack #forensicinvestigation #accounttakeover #fraud #fraudinvestigations #criminalinvestigation

Posted in Computer Forensics, cryptocurrency, CyberSecurity, Data Breach, Fraud, Information Security, Investigations, Privacy, ransomware

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on October 26, 2023

Late last week, Europol confirmed that it had seized and shut down the infrastructure of the notorious #RagnarLocker ransomware group. The agency also confirmed that it had arrested a 35-year-old man in Paris earlier this month, alleged to be the ringleader of the criminal gang.

Equipment and infrastructure were seized in numerous European countries in the coordinated take-down sting. The criminal gang, commonly linked to Russia, has targeted organizations since 2020 – including at least 52 U.S. entities across 10 critical infrastructure sectors, according to reports from the Federal Bureau of Investigation (FBI).

The thieves have attacked and extorted from nearly 170 different companies across Europe and the U.S., demanding between $5-70M per ransom scheme. Kudos to the international #lawenforcement teams, including the Atlanta Field Office of the FBI, that brought this group down – at least temporarily.

#ransomware #cybercrime #AisA #justice #karma #cyberscam #dataexfiltration #extortion #ransom #bribery #internetmafia #digitalforensics #databreach #incidentresponse

Posted in Computer Forensics, CyberSecurity, Data Breach, Fraud, Information Security, Investigations, Privacy, ransomware

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on August 29, 2023

INTERPOL recently dismantled a Phishing-as-a-Service platform used by over 70,000 individuals. The platform (16shop) came down at the culmination of a global investigation by the international #lawenforcement cooperative.

The take-down is significant for manifold reasons. Not only was this a “user-friendly” platform (allowing malign users to launch a #phishing attack with a few clicks), but it fostered a wide variety of for-hire criminal #hacking tools since late 2017. Interpol estimates that over 150k phishing domains were created via 16shop toolkits.

While the arrests focused on suspects based in Asia, the servers used by the platform were hosted in the U.S. This is a significant victory for the good guys, as the ability to automate cyberattacks of this kind is very dangerous.

#ransomware #cyberattacks #cybercrime #databreach #credentialtheft #AisA #infosec #cybersecurity

Posted in Computer Forensics, CyberSecurity, Data Breach, Fraud, Information Security, Investigations, Privacy, ransomware

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on July 13, 2023

The U.S. Department of Justice has announced an unprecedented indictment against an individual committing #fraud by attacking a #smartcontract on a #decentralizedexchange.

Employing many of the traditional tools of #financialcrime investigations and #digitalasset tracing, the #SDNY brought this novel case – in conjunction with international #lawenforcement.

#fraudinvestigations #cryptocrime #digitalforensics #karma #AisA #digitalassets #cryptoassets #cybercrime #cyberattack

Posted in Computer Forensics, cryptocurrency, CyberSecurity, Data Breach, Digital Assets, Forensic Accounting, Fraud, Information Security, Investigations, Privacy

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on March 15, 2023

International #lawenforcement have arrested two individuals, believed to be core members of the odious #DoppelPaymer crime gang. For those who can’t keep all of these gangs straight, this is the group that shut down the University Hospital in Düsseldorf, employing the equally odious #emotet #malware.

The DoppelPaymer group victimized dozens of companies over several years. The US-based victims alone were extorted out of nearly €40M.

Kudos to the diligent #digitalforensic and #lawenforcement collaboration required to perform the attribution and tracing efforts that led to these arrests. Among those involved were the German Regional Police, the Ukrainian National Police, Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI).

With any luck, the materials seized during these raids will lead to even more arrests!

#ransomware #cybercrime #forensicinvestigation #ruleoflaw #AisA #digitalanalytics #extortion #criminallaw #cyberattack #cyberrisk

Posted in Computer Forensics, cryptocurrency, CyberSecurity, Data Breach, Digital Assets, eDiscovery, Forensic Accounting, Fraud, Information Security, Investigations

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on August 14, 2022

The U.S. Department of Justice recently extradited the alleged operator of illegal cryptocurrency exchange #BTCe. This extradition is the culmination of over 5 years of litigation, and the 2017 indictment states that the BTC-e exchange ostensibly laundered over $4 billion (USD) in criminal proceeds.

Like other exchanges that have been sanctioned and/or shut down in recent years, BTC-e enabled users to anonymously trade bitcoin, allowing them to cash out proceeds from various #ransomware, #identitytheft, #drugtrafficking, and #taxrefund schemes. Defendant Alexander Vinnik, a Russian national, made his first appearance in federal court last week in San Francisco.

In addition to facing criminal charges, Vinnik also faces Dept of the Treasury/Financial Crimes Enforcement Network civil money penalties for: failing to have an #AML process or program; failing to register as a money services business with the U.S. Department of the Treasury; and failing to have a system for appropriate #KYC verification. The 2017 #FinCEN civil money penalty assessment was for $88.6M USD for BTC-e and $12M USD for Vinnik personally.

This extradition marks another milestone for the DoJ’s ongoing efforts to collaborate with international #lawenforcement and to disrupt organized #cybercrime. #Kudos to both American and Greek law enforcement for a remarkable coup in bringing this saga to its final chapter. Plaudits also belong to the Federal Bureau of Investigation (FBI), the IRS Criminal Investigation division, U.S. Department of Homeland Security, and the U.S. Secret Service for their roles.

#AisA #ruleoflaw #justice #digitalforensics #forensicinvestigation #cryptocrime #digitalassets #fraudinvestigations #cryptoassets #digitalassettracing #digitalassetrecovery #forensicaccounting #karma #cryptocurrency

Posted in Computer Forensics, cryptocurrency, CyberSecurity, Data Breach, Digital Assets, Forensic Accounting, Fraud, Information Security, Investigations, Privacy, ransomware

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on August 8, 2022

The U.S. Department of Justice recently charged six defendants in four separate crypto-related fraud cases:

  • the largest known #NFT scheme charged to date;
  • a global #Ponzi scheme involving unregistered securities;
  • a fraudulent #ICO; and
  • a fraudulent investment fund.

Like prior #GGP updates, these cases reflect herculean, coordinated #lawenforcement and #digitalforensic efforts. Kudos to the Federal Bureau of Investigation (FBI), the United States Attorneys’ Offices, the Department of Homeland Security, Office of Inspector General.

If you believe that you are a victim of the Baller Ape Club, EmpiresX, TBIS, and Circle Society schemes, please visit the DOJ website for details on how to submit your “Victim Impact Statement” (and thereby register as a victim).

#ruleoflaw #fraudinvestigations #cybercrime #cryptoassets #digitalassettracing #digitalassetrecovery #forensicinvestigation #forensicaccounting #karma #AisA #digitalassets

Posted in Computer Forensics, cryptocurrency, Digital Assets, eDiscovery, Forensic Accounting, Information Security, Investigations, Privacy

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on August 4, 2022

The U.S. Department of Justice seized assets worth $500k USD from North Korean hackers targeting U.S.-based #healthcare organizations. The seized North Korean assets were either monies directly extorted from companies or monies used in laundering #ransomware payments.

In addition to the general #karma of this action, there was an object lesson about public-private sector collaborations as well. The prompt reporting by one healthcare victim allowed the Federal Bureau of Investigation (FBI) to identify a new strand of North Korean ransomware.

Of course, $500k is a pittance compared against the hundreds of millions of dollars stolen by North Korean cyber actors in recent years. Just the same, it’s important to trumpet the “wins” wherever we can find them.

#justice #cyberfraud #statesponsored #northkorea #digitalforensics #lawenforcement #ruleoflaw #forensicinvestigation #cyber

Posted in Computer Forensics, cryptocurrency, CyberSecurity, Data Breach, Fraud, Information Security, Privacy, ransomware

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on April 13, 2022

While the use of the verb “forfeit” in the headline of this story may seem confusing, it’s a GREAT turn of events. Simply put, U.S. Department of Justice, Criminal Division prosecutors in the Southern District of Florida have secured one of the largest #cryptocurrency #forfeiture actions ever filed in this country.

This story really resonates with me, as it represents a rather elegant intersection of #cyber and #crypto. The forfeiture action netted about $34M in cryptocurrency, all tied to the illegal #darkweb activity of a South Florida resident — specifically, the sale of online account credentials.

Of additional interest is the method by which this case was brought. In yet another example of inter-agency collaboration among federal, state, and local #lawenforcement, the investigators “followed the money” through a tortuous path, owing to the target’s use of cryptocurrency “tumblers”, “chain hopping”, and other (failed) #moneylaundering techniques.

Kudos to the Internal Revenue Service’s Criminal Investigation group, the Federal Bureau of Investigation (FBI), the U.S. Department of Homeland Security, the United States Postal Service Inspection Service, and the Drug Enforcement Administration for their combined investigative efforts here.

#ruleoflaw #digitalforensics #digitalassets #assettracing #assetrecovery #forensicinvestigation #justice #karma #AisA

Posted in Computer Forensics, CyberSecurity, Data Breach, eDiscovery, Forensic Accounting, Fraud, Information Security, Investigations

Today’s #GoodGuysPrevail Update…

Posted by Johnny Lee on March 17, 2022

A mere 8 months after his (alleged) involvement in the Kaseya #ransomware attacks, a Ukrainian national has been extradited to the United States and been formally indicted in a Dallas courtroom. This is the way…

#ruleoflaw #justice #revil #cybercrime #fraud #extortion #lawenforcement #cyberfraud #digitalforensics #dfir #incidentresponse #cybersecurity #crimedoesntpay

Posted in Computer Forensics, CyberSecurity, Data Breach, Information Security, Investigations, Privacy