< ciso brief />

All news with #ransomware gang tag

113 articles · page 2 of 6

Glendale Man Sentenced 57 Months for Darknet Drug Ring

⚖️ A Glendale man, 36-year-old Davit Avalyan, was sentenced to 57 months in federal prison after pleading guilty to one count of conspiracy to distribute narcotics for his role in a darknet trafficking operation that sold cocaine, methamphetamine, MDMA, and ketamine nationwide. Prosecutors say Avalyan and three co-conspirators operated multiple vendor storefronts — including JoyInc, PlanetHollywood, and LaFarmacia — from 2018 to 2025, shipping parcels via the U.S. Postal Service and accepting cryptocurrency. The FBI's JCODE task force led the investigation with support from USPS inspectors, the DEA, IRS-CI, and LAPD.

Poland Arrests Suspect Linked to Phobos Ransomware

🛡️ Polish police have detained a 47-year-old suspect alleged to have ties to the Phobos ransomware group and seized computers and mobile phones containing credentials, credit card numbers, and server access data. The arrest in Małopolska was carried out by the Central Bureau of Cybercrime Control as part of Operation Aether, an international Europol-coordinated disruption. Authorities say the suspect used encrypted messaging to communicate with Phobos and now faces charges under Article 269b of Poland’s Criminal Code.

Crypto Payments Fueling Human Trafficking Networks

💸 Chainalysis reports that cryptocurrency inflows linked to human trafficking surged 85% year-on-year, generating hundreds of millions in revenue. The analysis identifies four crypto-driven trafficking types—international escort services, labor placement agents, prostitution networks and CSAM vendors—often coordinated via Telegram and Chinese-language money laundering (CMLN) networks. Key indicators include large stablecoin conversions, cross-border transfers and concentrated fund flows to trafficking hubs.

Incognito Market Admin Sentenced to 30 Years, $105M

⚖️ A Taiwanese operator, Rui-Siang Lin (alias Pharaoh), ran the Incognito Market from October 2020 to March 2024, facilitating more than $105 million in illicit drug sales through a Tor-accessible marketplace that hosted over 1,800 vendors and served over 400,000 customers. Despite using an in-site crypto payment system called Incognito Bank, Lin made a critical OPSEC error by registering the domain with his real name, phone number and address. After a fentanyl-laced pill sold on the site was linked to a fatal 2022 overdose and Lin abruptly shut the market while stealing user deposits and attempting extortion, he was arrested at JFK in May 2024, pleaded guilty, and has been sentenced to 30 years in federal prison with forfeiture of roughly $105 million.

New Technical Markers Expose Expanded ShadowSyndicate

🔍 Group-IB researchers have linked dozens of servers to the ShadowSyndicate cybercrime cluster through reused OpenSSH fingerprints and recurring access keys, exposing a larger, consistently managed malicious infrastructure. The cluster, first documented in 2023, continues to deploy and transfer servers between internal clusters while retaining overlapping keys that enable attribution. Analysts identified at least 20 command-and-control nodes supporting commercial red-team frameworks and open-source post-exploitation tools and observed ties to multiple ransomware affiliates. Group-IB recommends ingesting indicators of compromise, monitoring repeated MFA failures and unusual login activity, and tracking activity in frequently used autonomous systems.

Iron Mountain Breach Limited Mainly to Marketing Files

🗂️ Iron Mountain says a recent incident claimed by the Everest extortion group was limited primarily to marketing materials. Attackers used a compromised credential to access a single public-facing file-sharing folder containing vendor marketing files; no customer confidential data or other systems were affected. The company confirmed no ransomware or malware was deployed and the compromised credential has been deactivated.

New ‘Vect’ RaaS Variant Targets Windows, Linux, ESXi

🔒 Security researchers have identified a new ransomware-as-a-service operation named Vect that began recruiting affiliates in December 2025. According to Halcyon, Vect uses C++-built malware with ChaCha20-Poly1305 AEAD and intermittent (block) encryption to speed disruption, and advertises cross-platform targeting for Windows, Linux and VMware ESXi. Red Piranha notes strong OPSEC including Monero payments, Tox communications and Tor-only infrastructure.

Scattered Lapsus Shiny Hunters: Extortion Tactics Exposed

🔒 A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment — swatting, DDoS, and call- and email-flooding — to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.

Panera Bread breach affects 5.1M accounts, not 14M customers

🔒 Have I Been Pwned reports that a January 2026 data breach at Panera Bread exposed roughly 5.1 million unique email addresses and associated contact information, rather than 14 million distinct customers as initially claimed. The files, totaling about 760 MB, were published by the ShinyHunters extortion group after an alleged failed ransom attempt. ShinyHunters says it gained access via a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO providers. Panera has confirmed the incident to authorities and said the exposed data consists of contact information.

Match Group Breach Exposes Data from Multiple Dating Apps

🔒 Match Group confirmed a security incident after the ShinyHunters group leaked 1.7 GB of compressed files allegedly containing about 10 million records from Hinge, Match, and OkCupid, along with internal documents. The company says it terminated unauthorized access, is working with external experts, and believes a limited amount of user data was exposed with no indication that login credentials, financial information, or private communications were accessed. Match Group is notifying affected individuals as appropriate and continuing its investigation.

FBI Seizes RAMP Ransomware Forum, Disrupting Market

🚨 The FBI has seized the dark-web forum RAMP, replacing its clear- and dark-web sites with law-enforcement seizure banners and redirecting domains to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The banner, attributed to the FBI, DOJ and the US Attorney’s Office for the Southern District of Florida, mocked the forum’s “ransomware allowed” stance. Forum administrator “Stallman” confirmed the takedown and said he will not rebuild. Analysts say the action disrupts low-tier actors, may yield valuable intelligence and will have limited impact on top-tier groups.

Ransomware Data Leaks Surge in Q4 2025 Despite Fewer Groups

🔐 ReliaQuest analysis shows ransomware data leaks rose sharply in Q4 2025, with posts on leak sites up 50% quarter-on-quarter and 40% year-on-year. The researchers found fewer active ransomware groups overall, but top-tier RaaS operators increased their output and speed of execution. Qilin, Akira and Sinobi were the most prolific, with Qilin claiming 450+ victims. ReliaQuest urges stronger controls such as MFA and improved data-exfiltration monitoring to reduce impact.

TA584 Adopts Tsundere Bot to Enable Ransomware Access

🔐 Proofpoint researchers report that prolific initial access broker TA584 has begun using Tsundere Bot alongside the XWorm RAT to gain footholds that could lead to ransomware. The group ramped up activity in late 2025, expanding beyond North America and the UK to target Germany, other European countries and Australia. Their emails leverage aged compromised accounts delivered via SendGrid and Amazon SES, unique geofenced URLs, redirect chains and obfuscated PowerShell that loads payloads in memory to evade static detection.

FBI Seizes RAMP Cybercrime Forum Linked to Ransomware

🔒 The FBI has seized the RAMP cybercrime forum, replacing both its Tor and clearnet sites with an official seizure notice and switching DNS to FBI-controlled name servers. The action potentially grants investigators access to forum records — email addresses, IP logs, private messages and other data — that could identify and lead to arrests of negligent threat actors. RAMP, launched in July 2021 by the actor known as Orange, became a prominent hub for ransomware groups to advertise operations, recruit affiliates, and trade network access.

Cybercrime Inc. 2026: Industrialized Threats for CISOs

🔒 Cybercriminals now operate like businesses—highly specialized, service-oriented, and ROI-driven—using models such as RaaS and initial access brokers to scale attacks. This industrialization, amplified by AI and automation, forces a shift from reactive detection to proactive prevention and identity-first controls. CISOs must prioritize governance, supply-chain resilience, defensive automation, and strategic partnerships to manage risk amid talent and budget shortfalls.

Tudou Guarantee Telegram Operations Shut After Sanctions

🛑 Elliptic reports that Tudou Guarantee, a major marketplace in the Southeast Asia scam economy, is shutting down its Telegram groups after US and UK sanctions tied to the Prince Group. Launched in 2023, the platform is linked to roughly $12bn in crypto transactions and absorbed merchants migrating from Huione Guarantee. While gambling and other non-fraud arms appear to continue, Elliptic notes a sharp drop in central wallet activity after the January 2026 arrest of Prince Group chairman Chen Zhi, and warns displaced actors will likely disperse across other marketplaces.

Ukraine, Germany Seize Evidence in Black Basta Probe

🔎 Ukrainian and German law enforcement raided residences in Lviv and Ivano-Frankivsk on 15 January, seizing digital storage devices and cryptocurrency assets linked to two suspected members of the Black Basta ransomware group. Investigators say the men acted as 'hash crackers,' extracting passwords to escalate access, steal data and deploy ransomware across corporate networks. The operation involved the Ukrainian National Police and Germany's BKA and formed part of a wider international probe coordinated by Europol. Authorities also identified alleged founder Oleg Evgenievich Nefedov, who has been placed on Europol’s EU Most Wanted and Interpol Red Notice lists.

German Authorities Seek Alleged Head of Black Basta Gang

🔎 German federal and Frankfurt internet-crime authorities have issued an arrest warrant for the alleged leader of the Black Basta ransomware group after searching residences in Ukraine and seizing evidence. The gang is accused of compromising networks, stealing sensitive data, encrypting systems and extorting payments from over 100 German victims between March 2022 and February 2025. Authorities say the group obtained more than €20 million in Germany and targeted companies, hospitals and public bodies.

Authorities Identify Black Basta Members, Leader Listed

🚨 Ukrainian and German authorities have identified two Ukrainians allegedly working for the Russia-linked ransomware-as-a-service group Black Basta, while the group's suspected leader, 35-year-old Russian national Oleg Evgenievich Nefedov, has been added to the EU Most Wanted and INTERPOL Red Notice lists. Investigators say the suspects acted as "hash crackers," extracting credentials used to breach corporate networks and deploy ransomware. Searches in Ivano-Frankivsk and Lviv yielded digital storage devices and cryptocurrency assets. Black Basta emerged in April 2022 and is linked to attacks on more than 500 organizations and hundreds of millions in illicit cryptocurrency profits.

Black Basta leader added to Europol and Interpol lists

🚨 German and Ukrainian authorities have identified Oleg Evgenievich Nefedov as the leader of the Black Basta ransomware group and added him to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Raids in the Ivano-Frankivsk and Lviv regions targeted two alleged members who specialized in initial access, hash cracking and privilege escalation, and yielded seized digital storage and cryptocurrency assets. Black Basta, linked to the defunct Conti syndicate, has been tied to more than 600 incidents worldwide affecting major organizations.