Four More Suspected Members of Scattered Spider Arrested in the UK
July 17, 2025

Read also: Ryuk ransomware dev extradited to the US, pro-Russian hacktivist group NoName057(16) dismantled in a major crackdown, and more.

Four more suspected members of Scattered Spider arrested in the UK
The UK’s National Crime Agency (NCA) announced the arrest of four individuals in connection with the notorious Scattered Spider cybercrime group. While the NCA did not publicly release the names, it confirmed that those detained include two 19-year-old males, a 17-year-old male, and a 20-year-old female. Scattered Spider, also known as UNC3944, is an English-speaking hacking group known for using social engineering tactics to gain access to corporate networks.
Cybersecurity blog KrebsOnSecurity reported that one of the arrested is Owen David Flowers, a UK national believed to be a mastermind behind the 2023 ransomware attack on American gaming and entertainment company MGM Resorts. Flowers is alleged to have operated under the aliases “bo764,” “Holy,” and “Nazi.” Sources say he was also the anonymous figure who gave interviews to the press in the aftermath of the MGM breach. The 20-year-old woman arrested is believed to be or to have recently been in a relationship with Flowers.
Also among the arrested individuals is 19-year-old Thalha Jubair, known online as “Earth2Star” and “Operator.” Jubair is accused of founding the now-defunct Telegram group Star Fraud Chat, linked to SIM-swapping activity that allegedly targeted T-Mobile over 100 times in late 2022. He is also suspected of being a core member of LAPSUS$, the cyber extortion group responsible for high-profile breaches at Microsoft, Nvidia, Rockstar Games, and other tech giants.
Jubair reportedly administered Doxbin, an online forum used for publishing personal information, until mid-2024. In May of that year, he drew widespread mockery in cybercrime circles after allegedly faking his own kidnapping in an attempt to mislead law enforcement.
Last November, US authorities charged five other individuals tied to Scattered Spider. The group is known to recruit minors from gaming communities such as Roblox and Minecraft, training them in social engineering and digital intrusion techniques.
NoName057(16) hacktivist group dismantled in a major crackdown
The notorious pro-Russian hacktivist group NoName057(16), responsible for a series of cyber-attacks on critical infrastructure across Europe, has been targeted in a major crackdown involving twelve countries.
Authorities disabled the group’s botnet infrastructure and executed searches in eight countries, including Germany, Spain, Italy, and Poland. The crackdown led to seven international arrest warrants, with two alleged ringleaders believed to be residing in Russia.
NoName057(16) gained notoriety for launching large-scale distributed denial-of-service (DDoS) attacks against public utilities, arms manufacturers, and government agencies, motivated by anti-NATO sentiment. In Germany alone, the group carried out 14 attacks affecting 230 organizations, some of which lasted for days. The targets also included major political events such as the 2024 Peace Summit for Ukraine in Switzerland and the NATO Summit in the Netherlands.
Authorities seized over 100 servers and formally warned 1,100 identified supporters and 17 administrators of their criminal liability. The group had recruited some 4,000 global sympathizers through encrypted messaging platforms, many of whom were duped into installing malware that turned their devices into botnet nodes.
In a separate action, Italian and Romanian law enforcement dismantled the Diskstation ransomware gang that encrypted hundreds of systems in Italy and beyond. Dubbed “Operation Elicius,” the investigation focused on ransomware variants “DiskStation Security” and “Umbrella Security,” which have targeted Synology NAS devices worldwide since 2021.
The ransomware group exploited unsecured internet-connected storage devices, demanding ransoms ranging from $10,000 to several hundred thousand dollars in cryptocurrency. Victims included creative industries, civil society organizations, and event firms. A 44-year-old Romanian man, believed to be the primary operator of the ransomware group, was arrested and is now in pre-trial detention on charges of unauthorized system access and extortion.
13 arrested in a major UK tax scam bust
Romanian authorities, in coordination with British officials, have arrested 13 individuals suspected of orchestrating a large-scale and complex tax fraud scheme that targeted the United Kingdom.
The suspects, aged between 23 and 53, were apprehended during a series of coordinated police raids across Romania, which involved more than 100 officers. Additionally, a 38-year-old man was arrested in Preston, in northern England, in connection with the same investigation.
According to the UK’s tax authority, HM Revenue and Customs (HMRC), the criminal network allegedly conducted sophisticated phishing campaigns to steal sensitive personal data from UK citizens. The stolen data was then used to file fraudulent claims for tax refunds under the Pay As You Earn (PAYE) system, value-added tax (VAT) refunds, and child benefit payments. The fraud operation is believed to have generated millions of pounds in illicit gains for the group.
During the raids, authorities seized high-value assets, including luxury vehicles, expensive jewelry, and substantial amounts of cash. The arrests come as part of a broader investigation into cross-border tax fraud and follow an earlier incident in Bucharest last November, where two men aged 27 and 36 were detained as part of a related probe.
Ukraine cyberpolice disrupt several major cybercrime ops
Ukrainian cyber police, in cooperation with law enforcement agencies from France and the US, have dismantled a large-scale cybercrime operation that had been operating from within Ukraine since 2022. The illegal enterprise operated as an unauthorized internet service provider run by a 33-year-old French national. The company’s servers were used to host a range of criminal activities, including the distribution of CSAM, illegal drug sales, trafficking of stolen data, malware deployment, and money laundering. One of the world’s most notorious illegal online marketplaces was also hosted on the servers. It is currently unclear which marketplace has been dismantled.
Ukrainian cyber police also took down a domestic cybercriminal group responsible for stealing millions of hryvnias from major industrial enterprises. The criminals used malware to access accounting systems and transfer company funds to individual entrepreneurs’ accounts under the guise of service payments, later withdrawing the money in cash.
In a separate operation, police have dismantled a criminal gang that was stealing money from citizens' bank accounts. The perpetrators called victims’ financial phone numbers and tricked them into transferring their mobile numbers to another SIM card. As a result, the victims’ original SIM cards were deactivated, and their phone numbers were transferred to SIM cards controlled by the criminals.
Authorities have also announced the completion of a major probe into a criminal network targeting EU citizens through phishing schemes. Fourteen suspects now face trial after allegedly stealing money from bank accounts across the Czech Republic, Poland, and other EU countries. Victims were tricked via fake payment links sent through local online marketplaces, with stolen data used to siphon funds into controlled bank cards and cryptocurrencies.
Armenian national extradited to US to face charges in Ryuk ransomware scheme
Karen Vardanyan, an Armenian national, has been extradited from Ukraine to the US to face federal charges for his role in the Ryuk ransomware operation that targeted companies across the US. Vardanyan faces charges of conspiracy, computer fraud, and extortion.
According to court documents, between March 2019 and September 2020, Vardanyan and his co-conspirators allegedly infiltrated corporate networks, infecting hundreds of systems and demanding payment to restore access. A seven-day jury trial is scheduled to begin on August 26, 2025. If convicted, Vardanyan faces up to five years in prison, three years of supervised release, and a fine of up to $250,000 per count.
In an unrelated case, a former US Army soldier pleaded guilty to participating in a cyber extortion ring targeting telecommunications companies. Cameron John Wagenius, aka “kiberphant0m,” and his associates used a hacking tool called ‘SSH Brute’ and shared stolen credentials via Telegram.
The stolen data was used for blackmail, fraud, and SIM-swapping schemes. Prosecutors say the group attempted to extort at least $1 million from victims and profited by selling data on Dark Web forums, including BreachForums and XSS.