The TrickBot botnet and other malware droppers have been targeted by international law enforcement in Operation Endgame.

The post TrickBot and Other Malware Droppers Disrupted by Law Enforcement appeared first on SecurityWeek.

The US announced that the 911 S5 (Cloud Router) botnet, likely the world’s largest, has been dismantled and its administrator arrested.

The post Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested appeared first on SecurityWeek.

In a joint international law enforcement action dubbed “Operation Endgame,” the agencies and judicial authorities dismantled major botnet infrastructure, targeting notorious malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and TrickBot. In a Thursday announcement Europol said that between May 27 and 29, Operation Endgame led to four arrests and the takedown of over 100 servers worldwide.

“This is the largest ever operation against botnets, which play a major role in the deployment of ransomware,” Europol said.

Botnets are used for different types of cybercrime including ransomware, identity theft, credit card scams, and several other financial crimes. “The dismantled botnets consisted of millions of infected computer systems,” a joint press statement from the Operation Endgame team said. Led by France, Germany, and the Netherlands, and supported by Eurojust, the operation involved countries including Denmark, the United Kingdom, the United States, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Operation Endgame resulted in:

• 4 arrests - 1 in Armenia and 3 in Ukraine.
• 16 location searches - 1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine.
• Over 100 servers dismantled or disrupted in countries such as Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine.
• Over 2,000 domains seized and brought under law enforcement control.
• 8 summons were also served against other suspects.

Targeting the Cybercrime Infrastructure

Operation Endgame focused on high-value targets, their criminal infrastructure behind various malware and the freezing of illicit proceeds. “The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software,” according to Europol. One primary suspect, the Europol said, earned at least €69 million in cryptocurrency by renting out sites for ransomware deployment. Authorities are closely monitoring these transactions and have secured permissions to seize the assets. The infrastructure and financial seizures had a global impact on the dropper ecosystem, the authorities believe.

Key Dropper Malware Dismantled in Operation Endgame

- SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers. - Bumblebee: Delivered via phishing campaigns or compromised websites, enabling further payload execution. - Smokeloader: Used primarily to download and install additional malicious software. - IcedID (BokBot): Evolved from a banking trojan to a multi-purpose tool for various cybercrimes. - Pikabot: Enabled ransomware deployment, remote takeovers, and data theft through initial system access.

“All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said.

[caption id="attachment_72953" align="aligncenter" width="1920"] Operation Endgame seizure notice (Credit: Europol)[/caption]

The Role of Dropper Malware in Cyberattacks

Droppers are essential tools in cyberattacks, acting as the initial vector to bypass security and install harmful software such as ransomware and spyware. They facilitate further malicious activities by enabling the deployment of additional malware on compromised systems.

How Droppers Operate

1. Infiltration: Enter systems through email attachments, compromised websites, or bundled with legitimate software.
2. Execution: Install additional malware on the victim's computer without the user's knowledge.
3. Evasion: Avoid detection by security software through methods like code obfuscation and running in memory.
4. Payload Delivery: Deploy additional malware, potentially becoming inactive or removing itself to evade detection.

The success of the operation was bolstered by private partners such as Bitdefender, Sekoia, Shadowserver, Proofpoint, and Fox-IT, among others. Their support was crucial in disrupting the criminal networks and infrastructure, the authorities said.

Wait for Operation Endgame Season 2

Operation Endgame signifies a major victory, but this is not really the end of it. Taking cue from the Marvel cinematic movie ‘Avengers – Endgame,’ the law enforcement is set to to release a part two of this operation in a few hours from now as they said their efforts continue.

“This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the authorities said.

“Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.” Future actions will be announced on the Operation Endgame website, possibly targeting suspects and users, and ensuring accountability. The news of this massive botnet takedown operation comes a day after the announcement of the dismantling of “likely the world’s largest botnet ever” – the 911 S5 botnet. The botnet’s alleged administrator Yunhe Wang, was arrested last week and a subsequent seizure of infrastructure and assets was announced by the FBI. The recent law enforcement actions represent a historic milestone in combating cybercrime, dealing a significant blow to the dropper malware ecosystem that supports ransomware and other malicious activities. The operation's success underscores the importance of international cooperation and the need for robust cybersecurity measures to tackle evolving threats.

The US government has announced sanctions against three Chinese nationals accused of creating and operating the 911 S5 proxy botnet.

The post US Sanctions Three Chinese Men for Operating 911 S5 Botnet appeared first on SecurityWeek.

The U.S. law enforcement has arrested an alleged operator of "Incognito Market," a major online dark web narcotics marketplace that facilitated more than $100 million in illegal narcotics sales globally. Rui-Siang Lin, a 23-year-old from Taiwan, was arrested at John F. Kennedy Airport on May 18 for allegedly operating the Incognito Market using the pseudonym "Pharoah." Lin oversaw all aspects of the site, including managing employees, vendors and customers, revealed an unsealed indictment filed with the federal court at the U.S. Southern District of New York. Since its inception in October 2020 until its closure in March, Incognito Market sold vast quantities of illegal narcotics, including hundreds of kilograms of cocaine and methamphetamines, globally via the dark web site that could be reached through Tor web browser. The underground marketplace facilitated an overall sale of more than $100 million of narcotics in its 41 months of operation. The popularity of this marketplace can be gauged from the fact that by June 2023 it was generating sales of $5 million per month. [caption id="attachment_69369" align="aligncenter" width="2560"] Credit: Justice Department[/caption]

Features and Transactions of Incognito Market

Incognito Market mimicked legitimate e-commerce sites with features like branding, advertising and customer service. Users could search listings for various narcotics after logging in with unique credentials. [caption id="attachment_69367" align="aligncenter" width="624"] Credit: Justice Department[/caption] The site offered illegal narcotics and misbranded prescription drugs, including heroin, cocaine, LSD, MDMA, oxycodone, methamphetamines, ketamine, and alprazolam. [caption id="attachment_69368" align="aligncenter" width="624"] Credit: Justice Department[/caption] “For example, in November 2023, an undercover law enforcement agent received several tablets that purported to be oxycodone, which were purchased on Incognito Market. Testing on those tablets revealed that they were not authentic oxycodone at all and were, in fact, fentanyl pills,” the Justice Department said. Vendors paid a non-refundable admission fee of $750 and a 5% commission on each sale to Incognito Market, according to the indictment. This fee funded market operations, including salaries and server costs. Incognito Market also operated its own “bank,” to facilitate the illicit transactions. This bank allowed users to deposit cryptocurrency, which facilitated anonymous transactions between buyers and sellers while deducting the site’s commission, again of 5%. [caption id="attachment_69376" align="aligncenter" width="398"] Credit: Justice Department[/caption] This banking service obscured the locations and identities of vendors and customers from each other and from law enforcement. It kept the financial information of vendors and buyers separate, making it more difficult for any one actor on the marketplace to learn any other actor’s true identity, a complaint filed against Lin said. The bank also offered an “escrow” service enabling both buyers and customers to have additional security concerning their narcotics transactions. The escrow service was set in such a way that a buyer’s money would be released to a seller only after specified actions, for example, the shipment of narcotics is made. “With the escrow service, sellers know they will be paid for their illegal narcotics and buyers know their payments will be released to sellers after specified events occur,” the complaint said.

The Exit Scam

As Lin suddenly shuttered the Incognito Market in March 2024, he tried pulling an exit scam stealing the users’ funds stored in its escrow system and also tried to ransom the market’s drug vendors. Lin demanded ransom in the range of $100 to $2,000 from them in exchange of not turning their data over to the law enforcement.

Lin’s Technical Prowess

Lin seems like a knowledgeable person in the field of security and cryptocurrency, as per social media accounts listed in the complaint against him. Lin’s GitHub account describes him as a “Backend and Blockchain Engineer, Monero Enthusiast.” This GitHub account has approximately 35 publicly available software coding projects. “Collectively, these coding projects indicate that LIN has significant technical computing knowledge, including knowledge necessary to administer a site like (“Incognito Marketplace”),” the complaint said. The coding projects include operation of cryptocurrency servers and web applications like PoW Shield, a tool to mitigate DDoS attacks; Monero Merchant, a software tool that allows online merchants to accept XMR for payment; and Koa-typescript-framework, a webframe software program used as a foundation for web applications. Lin also did a YouTube interview explaining how his anti-DDoS tool “PoW Shield” worked for Pentester Academy TV in October 2021, displaying his technical prowess. The final evidence that law enforcement found linking Lin to the administrator “Pharoah” of Incognito Market was a “simple” hand-drawn workflow diagram of a darknet marketplace that was mailed from Lin’s personal email address. [caption id="attachment_69380" align="aligncenter" width="1690"] Workflow of Darknet Marketplace sent from Lin's personal email account. Credit: Justice Department[/caption] “This diagram appears to be a plan for a darknet market. Notably, the diagram indicated “vendor,” “listing,” “pgp key,” and “admin review,” all of which are features of (Incognito Market),” the complaint said.

Charges and Potential Sentences

Lin faces the following potential sentencing, if convicted:

• Continuing Criminal Enterprise: Mandatory minimum penalty of life in prison.
• Narcotics Conspiracy: Maximum penalty of life in prison.
• Money Laundering: Maximum penalty of 20 years in prison.
• Conspiracy to Sell Adulterated and Misbranded Medication: Maximum penalty of five years in prison.

A federal district court judge will determine Lin's sentence after reviewing the U.S. Sentencing Guidelines and other statutory factors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The US government has announced charges, seizures, arrests and rewards as part of an effort to disrupt a scheme that generates revenue for North Korea.

The post Woman Accused of Helping North Korean IT Workers Infiltrate Hundreds of US Firms appeared first on SecurityWeek.

The hacking forum BreachForums is displaying a notice claiming that the website is under the control of the FBI.

The post BreachForums Shut Down in Apparent Law Enforcement Operation appeared first on SecurityWeek.

The notorious BreachForums seized for the second time in a year. The U.S. law enforcement today seized the clear web domain of the second version of BreachForums - popularly known as a Breached hacking forum in the underground market - that helped sell stolen data and credentials. Hosted at BreachForums[.]st, the domain now shows a seizure banner saying the website was taken down by the FBI and the U.S. Department of Justice with assistance from international partners. Other law enforcement authorities worldwide were also part of this action, including the Australian Federal Police, the U.K. National Crime Agency, New Zealand Police, police department of the canton of Zürich in Switzerland and Icelandic Police, among others. As is common with domain seizure messages, law enforcement displayed the logo for the site. It however took an unconventional approach by also featuring two avatar's - likely of BreachForums' administrators "Baphomet" and "ShinyHunters" - behind bars in the seizure banner.

BreachForums Seized

The message on the banner reads: "We are reviewing this site's backend data. If you have information to report about cybercriminal activity on BreachForums, please contact us." The law enforcement has also shared a link to a form hosted on the Internet Crime Complaint Center. The FBI has put out a questionnaire for victims or individuals that have information to assist in any of the investigations against BreachForums v2, BreachForums v1, or Raidforums. A summary of the takedown of BreachForums on this portal says, "The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums. "From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services." Earlier a separate version of BreachForums hosted at breached.vc/.to/.co and run by pompompurin between March 2022 to 2023 was seized by the U.S. law enforcement in June 2023. Raidforums, hosted at raidforums.com and run by an admin under the moniker "Omnipotent" was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022. *The Telegram channel of "Baphomet," one of the administrators behind the BreachForums, has also been seized, according to a pinned message from the law enforcement on his channel. [caption id="attachment_68571" align="aligncenter" width="446"] Credit: Dark Web Intelligence[/caption]

ShinyHunters Confirms Baphomets Arrest

*Shiny Hunters, one of the administrators of the BreachForums, allegedly confirmed on a Telegram channel called "BF Announcements" the arrest of Baphomet and said that the law enforcement did not get to anyone from the ShinyHunters gang. [caption id="attachment_68843" align="aligncenter" width="300"] Message on BF Announcements Telegram channel[/caption] Later in the same channel the administrator claimed that the domain was recovered back from the law enforcement's control, as was the case during the BreachForums v1 takedown where the cat and mouse game went on for a while between the two. The Cyber Express tried to verify this claim and saw that the domain is now redirecting to a Telegram chat group called "Jacuzzi 2.0" The FBI and Justice Department spokespersons were not immediately available for comment when contacted by The Cyber Express for details on the latest claims. This is a developing story. The article will be updated with the latest information as it becomes available. Update 1*: Added Telegram account seizure details along with screenshot. Update 2* May 16 - 9:40 AM (UTC) : Added details from Shiny Hunters' BF Announcements Telegram channel that allegedly confirmed details of one of the administrators of BreachForums - Baphomets - arrest. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Apple and Google have rolled out a new mobile feature that warns users of unwanted trackers moving with them.

The post Unwanted Tracking Alerts Rolling Out to iOS, Android appeared first on SecurityWeek.

The recent crackdown on the crypto mixer money laundering, Samourai, has unveiled a sophisticated operation allegedly involved in facilitating illegal transactions and laundering criminal proceeds. The cryptocurrency community was shocked by the sudden Samourai Wallet shutdown. The U.S Department of Justice (DoJ) revealed the arrest of two co-founders, shedding light on the intricacies of their […]

The post Crypto Mixer Money Laundering: Samourai Founders Arrested appeared first on TuxCare.

The post Crypto Mixer Money Laundering: Samourai Founders Arrested appeared first on Security Boulevard.

A coordinated multi-nation law enforcement action has led to a takedown of an Austria-based crypto scam where half a dozen suspects were arrested and assets worth hundreds of thousands of Euros were seized. This followed a separate investigation in the United Kingdom, which led to the sentencing of two Brits involved in an international crypto scam worth millions.

Takedown of Austria-based Crypto Scam

The law enforcement agencies from Austria, Cyprus and Czechia have arrested six Austrians responsible for an online cryptocurrency scam that was launched in December 2017. Between 2017 and February 2018, the scammers assured and convinced its victims of having set up a legitimate online trading company that had launched a new cryptocurrency coin. The scammers offered an initial coin offering of 10 million tokens or respective rights to the new currency for sale. Considering the returns on investment from Bitcoin at the time, which was up nearly 39% in Dec. 2017, investors likely saw the opportunity in the new crypto coin and paid them in regular crypto values such as Bitcoin and Ethereum. To gain investors’ confidence and credibility, the Austrian fraudsters also claimed of having developed their own software and algorithm for the sale of the tokens.

“Traditionally, an ICO will build upon transparency and communicate clearly about each team member responsible for it. In this instance, there was a lack of transparency regarding both the team members involved and the algorithm underpinning the cryptocurrency,” said Europol, who coordinated the multi-nation operation.

Two months into the scheme, the perpetrators in February 2018 shuttered all their social media accounts and took offline the fake company’s homepage. Following this, it became obvious to the investors that they were defrauded in an exit scam. Not all victims of this crypto scam have been identified yet, but it is estimated that they lost around EUR 6 million, in totality. The law enforcement agencies raided six houses and seized over EUR 500,000 (approximately $537,120) in cryptocurrencies, EUR 250,000 (approximately $268,560) in fiat currency and froze dozens of bank accounts linked to the perpetrators and their fraudulent crypto scams. Two cars and a luxury property worth EUR 1.4 million was also seized.

Two Brits Jailed for International Crypto Scam

Law enforcement in Europe is further tightening screws against crypto scammers as is evident in another instance where two men who stole more than 5.7 million pounds (approximately $7.1 million) worth of cryptocurrency from victims worldwide were sentenced following an investigation of the South West Regional Organized Crime Unit (SWROCU). [caption id="attachment_67275" align="aligncenter" width="243"] James Heppel (credit: SWROCU)[/caption]   Jake Lee, aged 38, and James Heppel, aged 42, admitted guilt to three counts of conspiracy to commit fraud. Bristol Crown Court sentenced Lee to four years and Heppel to 15 months on May 3. [caption id="attachment_67274" align="aligncenter" width="227"] Jake Lee (Credit: SWROCU)[/caption]   The duo conducted the fraud by spoofing the domain of the online cryptocurrency exchange Blockchain[.]com to pilfer victims’ Bitcoin wallets, stealing their money and login credentials. They together targeted 55 victims across 26 countries, amassing £835,000 in cash, including £551,000 handed over by Lee in January, along with £64,000 in cryptocurrency, a Banksy print valued at £60,000 and three vehicles. [caption id="attachment_67271" align="aligncenter" width="1024"] £551k in cash voluntarily handed over by Lee (Credit: SWROCU)[/caption] A confiscation order of nearly £1 million was issued against Lee to compensate the victims. DS Matt Brain from SWROCU’s Regional Cyber Crime Unit stated, “Our investigation started back in 2018 after colleagues at Avon and Somerset Police arrested Lee on suspicion of money laundering.” “Officers from the force seized digital devices and three laminated Bitcoin wallet recovery seeds. At the same time, our unit had started an investigation into a cryptocurrency scam reported by a Wiltshire victim who had £11k worth of Bitcoin from his Blockchain wallet.”

“We took on the investigation into Lee and when we analyzed his devices, we established he was a central figure involved in a sophisticated domain spoofing fraud and worked to identify numerous victims.”

Brain added that the fact they both pleaded guilty to all counts also showed the strength of evidence that the police secured against them.” Pamela Jain, a prosecutor with the Crown Prosecution Service, noted, “Jake Lee and James Heppel defrauded people in 26 countries, including 11 victims in the UK, by diverting Bitcoin into wallets over which they had control. This was a complex and time-consuming prosecution which involved enquiries with numerous victims and prosecuting authorities all over the world.” Lee has already been served a confiscation order but “confiscation proceedings against James Heppel are ongoing,” Jain said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Charges and sanctions announced against Dimitry Yuryevich Khoroshev, the alleged developer and operator of LockBit ransomware.

The post LockBit Ransomware Mastermind Unmasked, Charged appeared first on SecurityWeek.

In February 2023, French police arrested well-known Finnish hacker Aleksanteri Kivimäki, who was living under a false identity near Paris. He was deported to Finland. His trial ended last month.

The post Finnish Hacker Gets Prison for Accessing Thousands of Psychotherapy Records and Demanding Ransoms appeared first on SecurityWeek.