All news with #ransomware gang tag

🚨 The UK has imposed sanctions on the China-based cryptocurrency marketplace Xinbi, accusing it of enabling large-scale scam operations across Southeast Asia and facilitating crypto laundering. Authorities say Xinbi, which reportedly handled over $19.7 billion of inflows, sold victim data and traded satellite internet equipment used to contact targets. The action targets Xinbi and related firms and individuals linked to the Prince Group and #8 Park, and includes plans to freeze London properties.

🔒Bearlyfy, a pro-Ukrainian group also tracked as Labubu, has been linked to more than 70 attacks on Russian companies and began deploying a proprietary Windows ransomware called GenieLocker in March 2026. The group combines extortion and sabotage, often gaining initial access via vulnerable external services and deploying remote tools like MeshAgent. According to vendor F6, about one in five victims pay ransoms, and demand amounts have grown substantially.

🔍 The North America threat landscape hardened in 2025, with incidents becoming more concentrated, repeated and driven by persistent adversaries. Publicly recorded incidents were dominated by the United States, which accounted for roughly 93% of cases. The report highlights three dynamics shaping risk, including a stable, competitive extortion economy, recurring attack patterns, and predictable windows of opportunity. Organizations should expect pressure over surprise into 2026 and adjust defenses accordingly.

🔒 A Russian national, 26-year-old Aleksey Olegovich Volkov (aliases "chubaka.kor" and "nets"), was sentenced to 81 months in U.S. federal prison after pleading guilty to acting as an initial access broker for the Yanluowang ransomware operation. Between July 2021 and November 2022 he sold corporate network access to at least eight U.S. companies, enabling affiliates to deploy ransomware and demand payments. The FBI recovered chat logs, stolen data, victim credentials, and evidence of ransom negotiations after seizing a server tied to the gang, and traced Volkov through Apple iCloud, cryptocurrency exchange records, and social media. He was arrested in Italy in January 2024, extradited to the U.S., and ordered to pay over $9.16 million in restitution and forfeit equipment used in the crimes.

🔒 Aleksei Volkov, a Russian initial access broker tied to dozens of ransomware incidents that produced more than $9m in documented victim losses, has been sentenced to 81 months in a US federal prison. He pleaded guilty to offenses including trafficking in access information, access device fraud and aggravated identity theft. Volkov was linked to Yanluowang and other cybercrime groups, and has agreed to pay at least $9.2m in restitution.

🔒 The U.S. Department of Justice has charged Angelo Martino, a former DigitalMint ransomware negotiator, with one count of conspiracy to interfere with interstate commerce by extortion after he surrendered on March 10. Unsealed court documents allege Martino shared confidential negotiation details with BlackCat operators and, between April 2023 and April 2025, participated in attacks alongside former colleagues Kevin Tyler Martin and Ryan Goldberg. Prosecutors say the group acted as BlackCat affiliates, paying administrators a 20% cut and extorting at least five U.S. organizations, including a Tampa medical device manufacturer that paid $1.27 million. DigitalMint said it terminated the employees and has cooperated with law enforcement.

🐛 A dormant self‑propagating JavaScript worm that hadn't been active since 2024 was accidentally reawakened by a Wikipedia security engineer, briefly vandalising pages with giant woodpecker images. In a separate case, a contractor entrusted with US Marshals' seized cryptocurrency is accused of stealing about $46 million and allegedly boasted on a recorded Telegram call. Host Graham Cluley and guest Tricia Howard discuss these incidents alongside wider cybercrime takedowns and industry security lessons.

🔒 A Ghanaian national, Derrick Van Yeboah, has pleaded guilty to conspiracy in a global fraud ring blamed for over $100 million in victim losses. Prosecutors say Van Yeboah impersonated romantic partners and corporate leaders to induce victims and orchestrated laundering of stolen funds, accounting for roughly 10% of the operation's take. He faces up to 20 years in prison and agreed to $10.1m in restitution and forfeiture; his plea follows extradition and indictment last year.

🔐 A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy for administering the Phobos ransomware operation that victimized hundreds worldwide. Extradited from South Korea in November 2024, prosecutors say the RaaS campaign — linked to the Crysis family — collected over $39 million from more than 1,000 victims and accounted for roughly 11% of ID Ransomware submissions in mid‑2024. Affiliates paid about $300 per deployment for decryption keys; Ptitsyn faces up to 20 years and is scheduled for sentencing on July 15. International law enforcement actions, including Operation Aether, have disrupted parts of the gang and warned over 400 companies.

🔒 Chainalysis reports that total ransomware cryptocurrency payments fell 8% year-on-year to $820m in 2025, even as the number of victims surged 50% to make 2025 the most active year on record. Payment rates dropped from 63% in 2024 to 29% in 2025, while the median ransom rose 368% to $59,556. The firm attributes these shifts to improved incident response, global disruption of infrastructure and laundering networks, cryptographic flaws in strains like VolkLocker, and fragmentation of ransomware-as-a-service into numerous smaller groups.

🧭 Europol's Project Compass has targeted The Com, a transnational online collective linked to extortion, ransomware and violent abuse. Over the past 12 months the operation resulted in 30 arrests and the full or partial identification of 179 alleged members, while several victims were identified and safeguarded. The initiative spans EU states, Norway, Switzerland and all Five Eyes partners and focuses on disrupting recruitment and account-takeover tactics such as phishing, vishing and SIM swapping, as well as the group's links to extremist and Russian cyber-criminal networks.

🔒 A Moscow resident has been accused of attempting to extort the notorious ransomware group Conti by impersonating an officer of Russia's Federal Security Service (FSB). Russian reports say Ruslan Satuchin contacted a Conti member in September 2022, demanding payment in exchange for influencing law-enforcement actions. Satuchin denies the allegations and is in pre-trial detention amid concerns about witness intimidation; if convicted he faces up to ten years and a fine of one million rubles. The case follows the 2022 leak that dismantled much of Conti and scattered its operators to other ransomware families.

🔒 Wynn Resorts confirmed an employee data breach after being listed on the ShinyHunters extortion group's leak site and said it activated incident response procedures. The company engaged external cybersecurity experts to investigate and reported that an unauthorized third party acquired certain employee data. Attackers claimed the stolen data had been deleted; Wynn said it has seen no evidence of publication or misuse to date and that guest operations remain unaffected. The company is offering complimentary credit monitoring and identity protection services to employees.

🛡️ Operation Red Card 2.0, led by INTERPOL and law enforcement from 16 African nations between December 8, 2025 and January 30, 2026, targeted infrastructure and actors behind high-yield investment scams, mobile money fraud, and fraudulent loan apps. Authorities arrested 651 suspects, recovered over $4.3 million, confiscated 2,341 devices and disrupted 1,442 malicious IPs, domains and servers. The operation linked scams to more than $45 million in losses and identified 1,247 victims, underscoring the value of multinational cooperation against transnational cybercrime.

⚖️ A Glendale man, 36-year-old Davit Avalyan, was sentenced to 57 months in federal prison after pleading guilty to one count of conspiracy to distribute narcotics for his role in a darknet trafficking operation that sold cocaine, methamphetamine, MDMA, and ketamine nationwide. Prosecutors say Avalyan and three co-conspirators operated multiple vendor storefronts — including JoyInc, PlanetHollywood, and LaFarmacia — from 2018 to 2025, shipping parcels via the U.S. Postal Service and accepting cryptocurrency. The FBI's JCODE task force led the investigation with support from USPS inspectors, the DEA, IRS-CI, and LAPD.

🛡️ Polish police have detained a 47-year-old suspect alleged to have ties to the Phobos ransomware group and seized computers and mobile phones containing credentials, credit card numbers, and server access data. The arrest in Małopolska was carried out by the Central Bureau of Cybercrime Control as part of Operation Aether, an international Europol-coordinated disruption. Authorities say the suspect used encrypted messaging to communicate with Phobos and now faces charges under Article 269b of Poland’s Criminal Code.

💸 Chainalysis reports that cryptocurrency inflows linked to human trafficking surged 85% year-on-year, generating hundreds of millions in revenue. The analysis identifies four crypto-driven trafficking types—international escort services, labor placement agents, prostitution networks and CSAM vendors—often coordinated via Telegram and Chinese-language money laundering (CMLN) networks. Key indicators include large stablecoin conversions, cross-border transfers and concentrated fund flows to trafficking hubs.

⚖️ A Taiwanese operator, Rui-Siang Lin (alias Pharaoh), ran the Incognito Market from October 2020 to March 2024, facilitating more than $105 million in illicit drug sales through a Tor-accessible marketplace that hosted over 1,800 vendors and served over 400,000 customers. Despite using an in-site crypto payment system called Incognito Bank, Lin made a critical OPSEC error by registering the domain with his real name, phone number and address. After a fentanyl-laced pill sold on the site was linked to a fatal 2022 overdose and Lin abruptly shut the market while stealing user deposits and attempting extortion, he was arrested at JFK in May 2024, pleaded guilty, and has been sentenced to 30 years in federal prison with forfeiture of roughly $105 million.

🔍 Group-IB researchers have linked dozens of servers to the ShadowSyndicate cybercrime cluster through reused OpenSSH fingerprints and recurring access keys, exposing a larger, consistently managed malicious infrastructure. The cluster, first documented in 2023, continues to deploy and transfer servers between internal clusters while retaining overlapping keys that enable attribution. Analysts identified at least 20 command-and-control nodes supporting commercial red-team frameworks and open-source post-exploitation tools and observed ties to multiple ransomware affiliates. Group-IB recommends ingesting indicators of compromise, monitoring repeated MFA failures and unusual login activity, and tracking activity in frequently used autonomous systems.

🗂️ Iron Mountain says a recent incident claimed by the Everest extortion group was limited primarily to marketing materials. Attackers used a compromised credential to access a single public-facing file-sharing folder containing vendor marketing files; no customer confidential data or other systems were affected. The company confirmed no ransomware or malware was deployed and the compromised credential has been deactivated.