A Data Analyst Convicted In A $2.5M Extortion Case

March 26, 2026

Read also: Police dismantle Aisuru, KimWolf, JackSkid, and Mossad IoT botnets, an alleged RedLine developer extradited to the US, and more.

A former data analyst found guilty of trying to extort a tech company for $2.5M

A former data analyst contractor has been convicted for carrying out an extortion scheme targeting a US-based software-as-a-service provider.

While working as a contractor for the company, 27-year-old Cameron Curry (aka “Loot”) allegedly used his access to the firm’s systems containing sensitive payroll and corporate data to download confidential files. He stole the data after learning that his six-month contract would not be renewed.

According to the case, just one day after Curry’s contract ended on December 10, he sent over 60 threatening emails to the victim company’s employees using an Outlook account. He demanded $2.5 million in exchange for not releasing stolen data, which included employee names, birth dates, home addresses, and salary information.

In one message, he threatened to publicly release salary details and report the company to the US Securities and Exchange Commission for failing to disclose the breach. He also claimed there were financial inconsistencies within the company that could cause internal disruption.

Despite the threats, his former employer paid only $7,540 in Bitcoin, later traced to a cryptocurrency wallet controlled by Curry. The company reported the incident to the FBI, which searched his home on January 24, 2024, and seized devices containing evidence. Curry was arrested and later released on bond. He now faces up to 12 years in prison after being found guilty on six counts of interstate communications with intent to extort.

An international police op dismantles Aisuru, KimWolf, JackSkid, and Mossad IoT botnets

Authorities in the United States, Canada and Germany have disrupted four large-scale IoT botnets responsible for widespread cyber-attacks across the globe.

The botnets, known as Aisuru, KimWolf, JackSkid, and Mossad, had collectively infected over three million devices, including routers, web cameras, and digital video recorders. The compromised devices were used to launch massive distributed denial-of-service (DDoS) attacks, including several instances where the attacks exceeded 30 terabits per second.

The operators behind the botnets ran a “cybercrime-as-a-service” model, selling access to the hijacked devices to other criminals. The customers then used the networks to carry out attacks and extortion schemes, often demanding payments from victims in exchange for stopping the attacks.

Authorities seized multiple internet domains, virtual servers, and other infrastructure allegedly involved in cybercriminal activity. Officials didn’t mention any arrests in connection with the case.

Police shut down over 370K fake Dark Web sites promoting bogus CSAM and CaaS

German authorities in collaboration with Europol shut down more than 370,000 fake Dark Web sites that were advertising child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings.

The international investigation, dubbed “Operation Alice,” began in mid-2021 and focused on a platform known as “Alice with Violence CP.” Authorities believe the network was run by a 35-year-old suspect based in China, who is now wanted under an international arrest warrant.

Officials say the sites were part of a widespread scam promoting bogus CSAM “packages” along with other illegal services, including stolen credit card data and access to hacked systems. Victims were enticed with previews and descriptions of illicit material, then asked to provide email addresses and pay fees ranging from €17 to €250 in Bitcoin. In reality, no illegal content was ever delivered.

Authorities estimate that about 10,000 users were tricked into making payments, generating nearly $400,000 for the operator. It should also be noted that attempting to purchase such material is a criminal offense in many jurisdictions, regardless of whether the content is real. So far, 440 users in 23 countries have been identified, with around 100 currently under investigation.

The operation used over 280 servers, including 105 in Germany. All of the servers have now been seized as part of the crackdown.

IAB and phishing botnet operators get prison time for helping ransomware actors

Aleksei Volkov, a 26-year-old Russian national, was sentenced to 81 months in a US prison for his involvement with major cybercrime groups, including the Yanluowang ransomware operation. Acting as an initial access broker, he breached corporate networks and sold that access to other hackers, enabling dozens of ransomware attacks in the US that caused over $9 million in losses.

Volkov was arrested in Rome and later extradited to the US. He pleaded guilty in November 2025 to multiple cybercrime-related charges. He has been ordered to pay at least $9.17 million in restitution and forfeit equipment used in the crimes.

Another Russian national, Ilya Angelov (aka “milan” and “okart”), has been sentenced to two years in a US prison after pleading guilty to his role in a major cybercrime operation. Angelov co-managed a phishing botnet that was used to distribute malware and facilitate BitPaymer ransomware attacks against 72 US companies.

Angelov was one of the leaders of a cybercriminal group tracked by the FBI as “Mario Kart” and tracked by cybersecurity experts as TA551, Shathak, and GOLD CABIN. Together with another partner, he oversaw the group, recruited members, and managed their activities. Different members had specific roles, such as creating malware, sending phishing emails, and implementing evasion techniques.

From 2017 to 2021, the group used a botnet to infect computers via phishing campaigns. It then sold access to the infected systems to other criminals, including ransomware groups. Some of the attacks were linked to the BitPaymer ransomware between 2018 and 2019.

Furthermore, Angelov and his associates provided the IcedID cybercrime gang with access to the botnet, earning around $1 million. Angelov pleaded guilty in February 2022, following the arrest of his associate, Vyacheslav Penchukov (aka Tank), in Switzerland that same year. In July 2024, Penchukov was sentenced in the US to 9 years behind bars.

An alleged developer of the RedLine info-stealer extradited to the US

An Armenian man, Hambardzum Minasyan, appeared in a US federal court after being extradited for his alleged role in operating the RedLine infostealer malware. Prosecutors say he helped develop and run the malware designed for stealing sensitive data from victims’ computers.

The indictment claims Minasyan and his co-conspirators managed servers, domains, and payment systems to support the malware’s distribution to affiliates, who paid to use it. They also allegedly handled user support, stole financial information, and laundered proceeds through cryptocurrency.

Authorities say Minasyan helped host infrastructure, distribute the malware, and collect payments. He faces multiple conspiracy charges and could receive up to 20 years in prison if convicted.

In the meantime, Russian authorities arrested a man in the city of Taganrog for allegedly running the LeakBase cybercrime forum, which was recently dismantled by the FBI and Europol. Authorities say he had operated the site since 2021, enabling the trade of stolen personal and corporate data. The platform had over 147,000 users and hosted hundreds of millions of compromised records. Police also seized technical equipment during a search of his home.
