Another Ransomware Negotiator Pleads Guilty In The BlackCat/ALPHV Ransomware Case
April 23, 2026
Read also: Scattered Spider hacker pleads guilty to $8M crypto theft scheme; authorities target DDoS-for-hire networks; and more.

Third ransomware negotiator pleads guilty for helping the BlackCat/ALPHV ransomware scheme
A former cybersecurity negotiator has admitted guilt in connection with the BlackCat/ALPHV ransomware operation. Angelo Martino, who previously worked at incident response firm DigitalMint, was involved in multiple ransomware attacks targeting US companies in 2023, prosecutors said.
Martino was charged alongside fellow negotiators Ryan Clifford Goldberg and Kevin Tyler Martin, who previously worked for the cybersecurity companies Sygnia and DigitalMint. The three faced charges including conspiracy to commit extortion affecting interstate commerce and deliberate damage to protected computer systems. Goldberg and Martin have also pleaded guilty, and each could face a sentence of up to 20 years in prison.
Prosecutors allege that while acting as a negotiator for five victim organizations, Martino provided BlackCat operators with sensitive information, including negotiation tactics and insurance coverage limits. This allowed the attackers to demand and secure higher ransom payments.
Between April 2023 and April 2025, Martino and his co-defendants are said to have acted as affiliates of the ransomware group, issuing payment demands and threatening to leak stolen data. In return for access to BlackCat’s tools and infrastructure, they allegedly paid the group a 20% share of their earnings.
The attacks affected at least five US organizations. Among them were a financial services company that paid $25.66 million and a nonprofit that paid $26.79 million in ransom. Other victims included law firms, school districts, healthcare providers, and additional financial institutions.
Scattered Spider hacker pleads guilty to an $8M crypto theft scheme
A key member of the Scattered Spider cybercrime group has pleaded guilty in the US for his role in a large hacking and cryptocurrency theft scheme. Tyler Buchanan, a 24-year-old from Dundee, Scotland, admitted to conspiracy to commit wire fraud and aggravated identity theft. Prosecutors say he and his accomplices targeted at least a dozen companies across the US and stole over $8 million.
The group used SMS phishing (“smishing”) between September 2021 and April 2023, sending fake text messages to trick people into clicking malicious links and entering sensitive information like login details. They then used this access to break into company systems and steal data and digital assets.
Authorities say Buchanan helped organize the attacks, which focused on companies in entertainment, telecom, tech, and crypto sectors. Devices found at his home contained victims’ personal data, crypto seed phrases, and account logins.
Buchanan has been in US custody since April 2025 and is set to be sentenced on August 21, 2026. He could face up to 22 years in prison. Buchanan was first charged in November 2023 along with others, including Noah Michael Urban, who was sentenced in August 2025 to 10 years in prison and ordered to pay $13 million in restitution.
In a separate case, Kamerin Stokes, aka “TheMFNPlug,” was sentenced to 30 months in prison for helping hack accounts on a fantasy sports and betting website and selling access to them. He took part in a “credential stuffing” attack, where stolen usernames and passwords from other data breaches were used to break into about 60,000 accounts and steal money.
Stokes bought and resold the hacked accounts through his own online shop, making over $125,000 in listed value. Despite pleading guilty in April 2024, he reopened his shop and continued selling stolen accounts. In addition, Stokes must serve three years of supervised release and pay over $1.4 million in restitution and forfeiture.
Kazakhstani man arrested for ransomware attacks on South Korean orgs
A man from Kazakhstan in his 30s has been arrested in South Korea over a series of ransomware attacks on corporate servers, police said. The suspect, identified as “Mr. A,” is accused of spreading malware and trying to extort money. Police say he led a ransomware operation that broke into company systems, locked sensitive data, and demanded Bitcoin payments to unlock it.
Police believe that from 2022 to July last year, he either carried out the attacks himself or worked with others via foreign messaging apps. The attacks were first reported by companies in September 2022. By analyzing hacked systems, police traced an IP address in Kazakhstan linked to the crimes.
Working with authorities in Kazakhstan, investigators identified the suspect and raided his home in Almaty in July last year. During the raid, several ransomware attacks were still in progress. Police stopped the attacks and took computers and mobile devices as evidence. According to police, the suspect targeted companies with weak security, such as those using default logins or easy passwords. He repeatedly tried commonly used login credentials to breach systems and install ransomware.
International crackdown targets DDoS-for-hire networks in 21-country operation
Police from 21 countries have carried out a joint operation against more than 75,000 people using illegal DDoS-for-hire services, also known as “booter” services.
DDoS-for-hire services are easily accessible platforms that allow people to launch attacks that overload websites or servers, disrupting them.
During the action week, authorities sent over 75,000 warning emails and letters to users, made 4 arrests, carried out 25 search warrants, and shut down 53 websites linked to booter services. Law enforcement also shut down the infrastructure that kept the services running, including servers and databases. Police used data from seized systems to identify over 3 million user accounts involved in criminal activity and support actions around the world.
The US authorities took action against eight DDoS-related websites, including “Vac Stresser” and “Mythical Stress,” and searched backend servers in Alaska. In recent years, more than 100 related domains have been shut down, and several people have been charged in cases linked to illegal services.
In a separate action, Spanish National Police have shut down an illegal online manga distribution platform that had operated since 2014 and attracted millions of users worldwide. The site generated over €4 million in profits through advertising, including pop-up ads featuring adult content. Three suspects were arrested in Almería for alleged ongoing intellectual property crimes linked to running the platform.
HexDex hacker behind multiple data breaches arrested in France
French police have arrested a 20-year-old suspected hacker believed to be behind a wave of data breaches affecting public institutions, sports federations, and private organizations nationwide.
The suspect, known online as “HexDex,” has been linked to nearly 100 reported website breaches since late 2025. Among the victims were national sports federations, hotel chains, food banks, and the Philharmonie de Paris. He was also allegedly behind a breach of the Education Ministry’s “Compas” database, exposing personal data of about 243,000 employees, mostly teachers. Authorities further believe the suspect may have accessed a government weapons information system containing records of firearm owners.
Prosecutors say he admitted using his alias to claim responsibility and share stolen data on cybercrime forums, including BreachForum and Darkforum. Authorities have seized his accounts and equipment for analysis.
Meanwhile, in Australia, a New South Wales Treasury employee has been charged after allegedly downloading more than 5,600 sensitive government documents in a major data breach. The incident came to light when the Treasury detected suspicious data transfers to an external party. Police arrested the 45-year-old following a search of a Homebush West home, seizing electronic devices. The individual has been charged with accessing or modifying restricted data, granted conditional bail, and is scheduled to appear in court on June 3.