Gang Leader Behind Zeppelin Ransomware Faces Up To 25 Years In Prison
January 29, 2026
Read also: Major global residential proxy network linked to cybercrime disrupted, The RAMP cybercrime forum seized by feds, and more.

Gang leader behind Zeppelin ransomware faces up to 25 years in prison
Ianis Aleksandrovich Antropenko, a Russian national living in the United States, has pleaded guilty to leading a ransomware conspiracy that targeted dozens of victims over a four-year period, causing at least $1.5 million in losses.
Antropenko admitted to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in prison and fines of up to $750,000. He has also been ordered to pay restitution and forfeit property.
According to court records, Antropenko engaged in ransomware attacks before moving to the United States and continued his activities while living in Florida and California. Despite the serious charges, he was granted bail at the time of his arrest in 2024. His sentencing date has not yet been scheduled.
Federal investigators traced Antropenko’s activities through accounts linked to Proton Mail, PayPal, Bank of America, Binance, and Apple. Authorities also identified his ex-wife, Valeriia Bednarchik, as an alleged co-conspirator involved in laundering ransomware proceeds, although she has yet to be charged.
Antropenko used multiple ransomware variants, including Zeppelin and GlobeImposter, and admitted to working with several co-conspirators, some of whom were based outside the United States. In August 2025, US authorities seized more than $2.8 million in cryptocurrency linked to Antropenko.
Google disrupts the IPIDEA proxy network
Google, in collaboration with industry partners, has disrupted what it describes as one of the largest residential proxy networks in the world, known as ‘IPIDEA.’ The company said it took legal action to take down domains used to control compromised devices and route proxy traffic through them.
Residential proxy networks sell access to IP addresses assigned by internet service providers (ISPs) to real residential and small business customers. While some are marketed as legitimate services, such networks are frequently abused by cybercriminals. By routing traffic through thousands of consumer devices worldwide, attackers can hide the origin of malicious activity and evade detection.
According to Google, IPIDEA has become notorious for enabling large-scale botnet operations. Its software development kits were used to infect devices and ensnare them in botnets, while its proxy infrastructure allowed threat actors to manage and monetize them. IPIDEA has been linked to multiple botnets, including BadBox 2.0, as well as the more recent Aisuru and Kimwolf botnets.
Google’s Threat Intelligence Group (GTIG) also observed IPIDEA being widely used by espionage, cybercrime, and information operations actors, including threat actors associated with China, North Korea, Iran, and Russia, with operations ranging from accessing victim SaaS environments and on-premises infrastructure to conducting large-scale password spray attacks.
In an unrelated action, US law enforcement has seized both the Dark Web and clearnet domains of the well-known RAMP (Russian Anonymous Marketplace) cybercrime forum. The platform was used by ransomware-as-a-service groups, extortionists, and initial access brokers. DNS records show federal authorities now control the domains. The takedown was also confirmed by an alleged RAMP operator known as “Stallman,” who said in a post on the XSS hacking forum that law enforcement had taken over the site.
Hungarian and Romanian police arrest 4 men linked to suspected swatting ring
Hungarian police, in cooperation with Romanian authorities, have taken action against four hackers suspected of making false and intimidating phone calls.
The investigation began in mid-July last year after police units received a series of reports about alleged serious crimes. Callers threatened bomb attacks on schools, religious institutions, and residential buildings, as well as killings and attacks on police units. The incidents involved so-called swatting (false reports intended to trigger emergency responses) and doxing, in which personal data is exposed online to intimidate victims.
Police found that the suspects contacted victims via the Discord platform. After obtaining personal data and phone numbers, the perpetrators allegedly used the information to file false reports with authorities.
Police arrested a 17-year-old Romanian citizen from Bihor County, a 16-year-old boy from Kisvárda, an 18-year-old man from Nyíregyháza, and a 20-year-old man from Budapest.
During the raids in Hungary and Romania, authorities seized electronic devices and data storage equipment. The 16-year-old suspect in Kisvárda has been charged with making threats endangering public safety. The Romanian suspect faces charges including terrorism, making threats, false accusation, and misuse of personal data. Both suspects currently remain free. The legal status of the remaining two men has yet to be clarified as investigators continue to analyze seized data.
Over 30 suspects charged in connection to the Ploutus ATM jackpotting scheme
The US Department of Justice announced federal charges against 31 additional people accused of participating in a large-scale ATM jackpotting scheme that allegedly netted millions of dollars using the Ploutus malware.
Prosecutors say that between February 2024 and December 2025, the group stole at least $5.4 million from a minimum of 63 ATMs, most of them operated by credit unions. The unsealed indictment follows charges brought last month against 56 other alleged perpetrators in the scheme.
According to the DoJ, the operation involved careful surveillance of target ATMs. Gang members would open ATM cabinets to test whether alarms or law enforcement responses were triggered. If no response occurred, they allegedly removed the machines’ hard drives and replaced them with malware-infected versions or connected thumb drives to deploy Ploutus.
Once installed, the malware allowed attackers to bypass ATM security systems and remotely command the machines to dispense cash. Federal officials said some of the defendants are undocumented immigrants with alleged ties to the Venezuelan gang Tren de Aragua (TdA). Charges include conspiracy to commit bank fraud and bank burglary, computer fraud, damage to protected computers, and related offenses.
Ploutus is a well-known ATM malware family that cybersecurity experts and US agencies have warned about for nearly a decade. The first major Ploutus-based jackpotting attacks were reported in Mexico in 2013.
Administrator of the Kingdom Market marketplace pleads guilty
A 33-year-old Slovakian man has admitted his role in operating Kingdom Market, a Dark Web marketplace that specialized in trading narcotics and stolen personal data.
Alan Bill of Bratislava has pleaded guilty in US District Court in St. Louis to one count of conspiracy to distribute controlled substances. Kingdom Market operated from March 2021 until its takedown in December 2023, allowing users to buy and sell illicit goods using cryptocurrency. Authorities also seized the domains Kingdommarket[.]live and Kingdommarket[.]so during the December 2023 takedown.
According to court records, Bill admitted to providing web administration services for the marketplace, receiving cryptocurrency payments from Kingdom-associated wallets, and managing its online presence on platforms such as Reddit and Dread.
Bill was arrested on December 15, 2023, at Newark Liberty International Airport, where customs officers seized electronic devices and a hardware cryptocurrency wallet containing evidence linking him to the operation.
As part of his plea agreement, Bill agreed to forfeit cryptocurrency holdings across five different digital coins. Sentencing is scheduled for May 5. The charge carries a mandatory minimum sentence of five years in prison and a maximum of 40 years, along with potential fines of up to $5 million.
In a separate case, the co-owner of Empire Market, one of the largest underground markets, has pleaded guilty to a federal drug conspiracy charge in Chicago. Raheim Hamilton, 30, admitted that he and co-owner Thomas Pavey ran the site from 2018 to 2020, facilitating more than $430 million in illegal transactions, mostly drug sales, while using cryptocurrency to evade law enforcement. Hamilton faces a mandatory minimum of 10 years in prison and has agreed to forfeit 1,230 bitcoin and 24.4 ether, as well as three properties in Virginia. His sentencing is set for June 17, 2026.