US Authorities Seize 145 Domains Linked To BidenCash Dark Web marketplace
Read also: the malware testing service AVCheck dismantled, a hacker behind a $4.5M crypto mining scheme arrested, and more.
US authorities seize 145 domains linked to the BidenCash underground marketplace
US law enforcement agencies have seized around 145 internet domains and cryptocurrency assets associated with the BidenCash Dark Web marketplace, known for selling stolen credit card data and personal information.
BidenCash, which began operations in March 2022, facilitated the sale of over 15 million stolen payment card numbers and associated personal data.
The marketplace had more than 117,000 users and generated over $17 million in revenue by charging a fee on every illegal sale. The platform also sold compromised login credentials used to gain unauthorized access to victims’ computers.
According to the Department of Justice, the seized domains will now redirect to law enforcement-controlled servers. US authorities have also obtained authorization to seize cryptocurrency wallets used to store proceeds from BidenCash’s illegal activities.
Malware testing service AVCheck dismantled in global police op
European and American law enforcement agencies dismantled AVCheck, a counter antivirus (CAV) service used by cybercriminals to test malware against commercial antivirus products. The law enforcement action involved authorities from the United States, Netherlands, Finland, France, Germany, and Denmark, with operational assistance from Ukraine and Portugal.
AVCheck functioned as an underground tool for malware developers. It enabled them to test whether their malicious payloads could evade detection by antivirus engines before deploying malware in real-world attacks.
The AVCheck takedown is part of a broader international effort codenamed ‘Operation Endgame’, launched in May 2024, that targeted the infrastructure supporting initial-access malware loaders, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.
The crackdown included the seizure of four domains linked to AVCheck, along with associated server infrastructure. The seized platforms offered counter antivirus (CAV) testing tools and crypting services (used to obfuscate malware so that it evades detection). Authorities also traced usage data to email addresses and digital identifiers linked to known ransomware gangs active in the US and Europe.
A major cross-border lottery fraud ring dismantled after decade-long scam
A major international fraud ring that deceived tens of thousands of victims with fake lottery winnings has been dismantled at the request of German authorities.
During a coordinated action day across Austria, Czechia, Greece, and Slovakia, three suspects were arrested in connection with the long-running scheme, which is believed to have defrauded German citizens of at least EUR 8 million over the past ten years.
The main suspect, who ran a network of fraudulent call centers, orchestrated the scam by targeting unsuspecting individuals with claims of lottery wins or contest prizes. Victims were told their prize payments were pending due to unpaid fees or contract obligations. In many cases, they were coerced into paying money or subscribing to magazines under false pretenses. Some victims were even misled by scammers impersonating bank officials or police officers.
Authorities estimate that over 30,000 cases of fraud were committed. The joint operation, coordinated by Eurojust, involved the search of more than 35 properties linked to 39 suspects. Mobile phones and data storage devices were confiscated as part of the crackdown.
Hacker pleads guilty to running swatting ring targeting US officials
Thomasz Szabo, a Romanian national, has pleaded guilty to running a criminal ring that targeted US government officials, members of Congress, and religious institutions with bomb threats and swatting hoaxes.
Szabo, known online as ‘Plank,’ ‘Jonah,’ and ‘Cypher,’ was the founder and leader of an online group that carried out coordinated threats against high-profile individuals and locations across the United States. Szabo pleaded guilty to one count of conspiracy, which carries a maximum sentence of five years, and one count of making threats involving explosives, which carries up to ten years in prison. He was extradited from Romania in November 2024 and is scheduled to be sentenced on October 23.
In a separate case, another Romanian man, Mario Demarco, was sentenced to 33 months in a US prison for conspiracy to commit bank fraud. Described by the authorities as an “undeterred serial scammer,” Demarco used ATM skimming devices to steal personal banking data from at least 952 victims. He used the stolen information to create fake debit cards for unauthorized transactions. Demarco was also ordered to pay over $16,000 in restitution to 15 banks and will face deportation following his prison term.
Separately, two members of the ViLE cybercriminal group were sentenced this week for hacking a US law enforcement web portal as part of an extortion scheme. ViLE is known for so-called ‘doxing’, in which victims are harassed and extorted using their stolen personal information. One of the defendants, Sagar Steven Singh, was sentenced to 27 months in prison, while the other, Nicholas Ceraolo, received a 25-month sentence. Both were convicted of aggravated identity theft and conspiracy to commit computer intrusion.
Ukrainian police arrest a hacker behind a $4.5M crypto mining scheme
Ukrainian law enforcement has arrested a 35-year-old man accused of orchestrating a massive cybercrime operation that compromised over 5,000 accounts at an international hosting company and caused an estimated $4.5 million in damages.
According to officials, the suspect gained unauthorized access to customer accounts belonging to an unnamed global hosting provider that offers server rental services for websites and online platforms. Once inside, he deployed virtual machines to exploit server resources for cryptocurrency mining.
The hacker had been operating since 2018, using open-source intelligence (OSINT) techniques to identify and breach vulnerable systems of international organizations. During a search of the suspect’s residence, authorities seized computer hardware, mobile phones, bank cards, and other physical evidence.
Separately, US authorities have announced a reward of up to $10 million for any information on the suspected creator of the RedLine malware, identified as Maxim Alexandrovich Rudometov, who has managed RedLine’s technical infrastructure, maintained possession of the malware, and is linked to cryptocurrency accounts used to receive and launder payments.