
Suspected KimWolf Botnet Admin Arrested, Charged In The US

May 28, 2026

Read also: the VenomRAT malware author extradited to France; Dutch police go after bulletproof hosting providers linked to Russian hackers; and more.


Suspected operator of the KimWolf botnet arrested in Canada, charged in the US

US authorities have charged a 23-year-old Canadian man accused of developing and operating the KimWolf botnet, which infected over one million internet-connected devices, including webcams and digital photo frames. Jacob Butler, also known online as “Dort,” was arrested in Ottawa, Canada.

According to court documents, KimWolf was a “cybercrime-as-a-service” operation, allowing customers to rent access to infected devices and launch distributed denial-of-service (DDoS) attacks against targets around the globe. Authorities say the botnet generated more than 25,000 attack commands and was linked to cyber-attacks reaching nearly 30 terabits per second. Some victims reportedly suffered financial losses exceeding $1 million.

The charges against Butler were initially filed on April 10, 2026, but remained sealed until his arrest. Police allegedly linked him to the botnet using IP address records, online accounts, financial transactions, and messaging app data obtained through legal process. Butler faces one count of aiding and abetting computer intrusion. If convicted, he could face up to 10 years in prison.

The arrest follows a March 2026 international law enforcement operation that dismantled the infrastructure behind several major botnets, including KimWolf, Aisuru, JackSkid, and Mossad IoT. Authorities also seized online services connected to 45 DDoS-for-hire platforms believed to support cybercriminal activity.

Dutch police arrest two suspects, seize 800 servers in a probe linked to Russian hackers

Dutch authorities have arrested two suspects and seized more than 800 servers in an investigation into a web hosting company accused of supporting cyber-attacks, disinformation campaigns, and interference operations targeting the European Union.

The arrests were carried out by the Dutch financial crime agency, which said the suspects were linked to Russian and Belarusian entities currently under European Union sanctions. Authorities searched three business premises in the cities of Enschede and Almere, as well as two data centers located in Dronten and Schiphol-Rijk. During the raids, police officers confiscated administrative documents, laptops, mobile phones, and hundreds of servers.

According to authorities, the hosting company was founded on February 10, 2022, just two weeks before Russia launched its full-scale invasion of Ukraine. Officials allege that in the following years, the company became a key infrastructure provider for destabilizing activities directed at the EU.

Dutch authorities said the company facilitated cyber-attacks, interference operations, and the spread of disinformation aimed at undermining democratic institutions and disrupting public and economic systems across Europe. Officials also said that the hosting provider supported Russian efforts involving information manipulation and attacks on digital infrastructure.

Authorities didn’t disclose the names of the suspects or the companies under investigation. According to a report from Dutch newspaper De Volkskrant, the companies provided services to the pro-Russian hacktivist group NoName057(16), known for launching distributed denial-of-service (DDoS) attacks against critical organizations in Europe. In July 2025, an international law enforcement effort disrupted the NoName057(16) network, with authorities making two arrests and issuing seven arrest warrants.

In another case, a 24-year-old cargo worker from Amsterdam was arrested at Schiphol Airport on suspicion of hacking company systems and leaking confidential logistics information. Authorities say the suspect shared sensitive cargo data with drug trafficking networks, helping them move narcotics through the airport without detection.

Also, Dutch police apprehended a 35-year-old man for allegedly hacking AFC Ajax’s computer systems earlier this year. Authorities say he gained unauthorized access to the club’s systems multiple times, exposing personal data of hundreds of people. The breach also allowed changes to stadium bans for fewer than 20 fans and enabled ticket transfers between accounts.

Crime-as-a-service gang dismantled in a major European police action

An international cybercrime network responsible for large-scale banking fraud across Europe has been dismantled following a coordinated operation involving Spain’s National Police, Europol, German police, and French authorities.

The group created and distributed phishing and smishing tools that allowed criminals to steal sensitive banking information from victims. Operating under a “crime-as-a-service” model, the suspects offered ready-to-use cyber fraud platforms and services to other offenders in exchange for payment.

The criminal network operated in Spain, France, Germany, Austria, and the Netherlands, with connections to Morocco and the United States. Authorities believe the gang stole confidential banking data from thousands of victims, storing the information on hidden online platforms before selling it to other cybercriminals. According to police, the group directly targeted more than 2,000 customers of German banks through phishing campaigns and used the stolen credentials to carry out fraudulent bank transfers.

During coordinated raids in Barcelona, Sitges, Paris, and Nice, law enforcement officers arrested three suspected ringleaders of the operation. Authorities also seized cryptocurrency assets worth approximately €1.5 million and uncovered evidence of money laundering involving luxury goods and real estate purchases. Officials estimate confirmed financial losses at more than €4 million, though the actual amount could be significantly higher, as many victims may never have reported the crimes.


Albanian suspect behind the VenomRAT malware extradited to France

A 39-year-old Albanian national known online as “Venom” has been extradited to France following his arrest in Athens, Greece, last November as part of an international cybercrime investigation. The suspect was transferred to French authorities in mid-May after Greek cybercrime officers, accompanied by FBI representatives and French judicial police, raided his apartment in Athens’ Nikaia district on November 3, 2025.

Authorities allege the man developed and sold VenomRAT, a Remote Access Trojan (RAT) capable of remotely accessing infected computers and stealing sensitive data. Court documents claim he sold the malware at least 36 times between 2021 and 2025. The investigation began in 2022 when Australian authorities, targeting RAT malware developers, traced the suspect’s digital activity through social media accounts and two Greek mobile phone numbers.

In June 2023, FBI agents in Los Angeles reportedly purchased a monthly subscription to VenomRAT to analyze its capabilities. Police later used cryptocurrency transactions and an email from the Albanian embassy in Athens regarding a passport renewal request to confirm the suspect’s identity.

French authorities issued an arrest warrant on November 5, 2025, accusing the suspect of cyber-related offenses carried out in northern France.


Romanian hacker sentenced in the US for selling access to state network

A Romanian national has been sentenced to prison in the United States after he admitted to selling unauthorized access to an Oregon state government computer network on the Dark Web. Catalin Dragomir, 46, formerly of Constanta, Romania, pleaded guilty on February 19, 2026, to obtaining information from a protected computer and aggravated identity theft.

According to court documents, Dragomir gained unauthorized access to a computer connected to an Oregon state government office and later sold access to the system online. Prosecutors said he provided prospective buyers with samples of personal identifying information taken from the compromised computer.

Authorities said Dragomir also sold access to the networks of numerous other victims in the United States and worldwide, causing losses estimated at more than $250,000. He allegedly used multiple aliases on the Dark Web to hide his identity. Dragomir was arrested in Romania in November 2024 and extradited to the United States in January 2025.

Meanwhile, a 36-year-old man from Ohio was sentenced for computer fraud after causing more than $860,000 in damages to his former employer. After being fired from his IT contract position in May 2021, Maxwell Schultz illegally accessed the company’s network by impersonating another contractor and resetting about 2,500 employee passwords, locking thousands of workers out nationwide. He also attempted to cover his tracks by deleting logs and system records. The attack disrupted operations and customer service, leading to significant financial losses. Schultz admitted he carried out the attack because he was angry about losing his job.
