Police Disrupt SocGholish, StealC, and Amadey Malware Networks
25 June 2026
Read also: the Market0Day admin arrested, the TfL hackers plead guilty, and more.

International operation disrupts Evil Corp-linked malware network
An international law enforcement operation has dismantled key parts of a malware network linked to the Russia-based cybercrime group known as Evil Corp.
Authorities from the Netherlands, Canada, the United States, and Germany have seized more than 100 servers and domain names used by the SocGholish botnet. Officials also disinfected nearly 15,000 compromised websites that had been used to distribute malware.
Dutch police said they removed malware and backdoors from thousands of infected WordPress sites and alerted website owners to the breaches. Also known as FakeUpdates, SocGholish has operated since 2018 and was distributed via fake browser or software update prompts on legitimate websites. Once downloaded, the malware allows attackers to install additional malicious tools on victims' devices.
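The cleanup described above, removing injected code from compromised WordPress sites, is the kind of task a site owner can partly automate. The following is an added example, not code from the article or from any of the agencies involved: a dependency-free Python scanner that extracts the `<script>` tags from .php/.html files and flags external script sources whose host is not on an allowlist, plus inline scripts showing common obfuscation patterns. The allowlist, the heuristic patterns and the two sample pages are assumptions constructed for illustration, not indicators published by the investigators.

```python
"""
Added example (not from the original article or any law-enforcement tooling):
flag injected <script> content in web pages of a WordPress install.
Allowlist, heuristics and sample pages are assumptions for illustration.
"""
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts the site owner expects to load scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "www.googletagmanager.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Inline patterns that are rare in legitimate theme code but common in injected
# loaders (assumed heuristics; tune them for your own site).
INLINE_HEURISTICS = {
    "eval-of-decoded-string": re.compile(r"eval\s*\(\s*(atob|unescape|decodeURIComponent)\s*\(", re.I),
    "document.write-with-encoded-payload": re.compile(r"document\.write\s*\(\s*(atob|unescape)\s*\(", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "fromCharCode-builder": re.compile(r"String\.fromCharCode\s*\((\s*\d+\s*,){20,}"),
}

# Constructed sample pages: one clean, one with an injected loader.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
</head><body><script>window.dataLayer = window.dataLayer || [];</script></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.example-injected.test/update.js"></script>
</head><body>
<script>document.write(unescape("%3Cdiv%20id%3D%22update%22%3E"))</script>
</body></html>"""


def scan_text(text: str, origin: str) -> list:
    """Return a list of findings (dicts) for one document's content."""
    findings = []
    for m in SCRIPT_TAG.finditer(text):
        attrs, body = m.group(1), m.group(2)
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1).strip()
            # urlparse gives hostname for "https://h/p" and "//h/p"; relative
            # paths such as "/wp-includes/..." yield None and are skipped.
            host = urlparse(url).hostname
            if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
                findings.append({"file": origin, "kind": "unexpected-external-script", "detail": url})
            continue
        for name, pattern in INLINE_HEURISTICS.items():
            if pattern.search(body):
                findings.append({"file": origin, "kind": name, "detail": body.strip()[:60]})
    return findings


def scan_directory(root: Path) -> list:
    """Scan every .php/.html/.htm file under root (e.g. a WordPress docroot)."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".html", ".htm"}:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings


if __name__ == "__main__":
    for name, page in (("clean.html", CLEAN_PAGE), ("injected.php", INJECTED_PAGE)):
        for f in scan_text(page, name):
            print(f"{f['file']}: {f['kind']}: {f['detail']}")
```

Findings from a real scan need triage: a theme or plugin may legitimately load from a host you forgot to allowlist, so the useful workflow is to diff the output against a known-good baseline taken right after a clean install or update.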
The botnet has reportedly been used to facilitate ransomware attacks, serving as an entry point for groups including DoppelPaymer, WastedLocker, Hades, LockBit, and RansomHub. The Evil Corp cybercrime group was sanctioned by the US in 2019 in connection to the Dridex banking malware, which authorities say caused more than $100 million in global financial losses.
According to Europol, the operation, codenamed “Operation Endgame,” has neutralized two information-stealing strains called StealC and Amadey, also used for dropping and loading malware.
At the same time, Canada’s intelligence agency, the Canadian Security Intelligence Service (CSIS), obtained a court warrant allowing it to access infected servers, home routers, and Internet of Things (IoT) devices located in Canada to disrupt two foreign-operated botnets.
The authorization permitted CSIS to modify, degrade, or delete botnet-related data and disconnect compromised devices from the malicious networks. Targets included Canadian servers, small office and home office (SOHO) routers, and consumer devices such as Ring doorbells, security cameras, smart TVs, and other Wi-Fi-connected appliances. It is not yet clear whether the court-authorized operation was related to the dismantling of the SocGholish botnet.
Spanish police arrest a suspect in a government database breach investigation
Spain’s National Police have arrested a young man in Madrid for allegedly accessing restricted government databases through an illegal software tool linked to an unnamed Spanish hacker.
The arrest is part of Operation Borraska, an ongoing investigation into the unauthorized theft of personal information from public administration databases. Authorities say the suspect was among a small group granted access to a specialized tool that enabled real-time searches of sensitive government records.
Police have made five arrests so far, including the alleged mastermind, a hacker previously convicted of cyber-attacks against major public and private organizations. Prosecutors accuse him of stealing and selling large volumes of sensitive data.
The Market0Day admin arrested and charged in the US
An Algerian national accused of operating online black-market platforms used to facilitate cybercrime and financial fraud has been arrested and extradited to the United States. Abdellah Belmili, 26, also known online as “Dila Belmili” and “SPOX,” has been charged with conspiracy to commit bank fraud, an offense carrying a maximum penalty of 30 years in prison.
Belmili was running the Market0Day marketplace that allegedly sold illicit goods and services, including stolen banking credentials, compromised account information, malware tools, and phishing-related services.
Authorities allege that Belmili promoted the marketplace and provided customer support through his Telegram channel. After customers complained in late 2020 about undelivered purchases, Belmili allegedly announced that he was no longer operating Market0Day and instead launched a new platform called ‘Spoxy[.]us,’ which he advertised as a service for “bulk SMS” messaging typically used in phishing campaigns.
Prosecutors claim the scheme targeted major financial institutions, including American Express, Bank of America, JPMorgan Chase, Wells Fargo, and several banks in the United Kingdom. Authorities estimate that approximately $900,000 was deposited into accounts controlled by Belmili between January 2020 and January 2023.
In an unrelated action, US authorities have seized infrastructure linked to what officials describe as one of the world’s largest criminal online marketplaces, allegedly used for cyber scams and other illegal activities. The seized cloud computing account hosted backend systems operated by subsidiaries of the Cambodia-based Huione Group, which authorities say played a key role in supporting the marketplace’s operations.
Alleged Scattered Spider members plead guilty over the £39M TfL cyber-attack
Two men have admitted their roles in a major cyber-attack against Transport for London (TfL), the public body that oversees most of London's transport network. The attack caused widespread disruption for several months and resulted in losses of approximately £39 million.
Thalha Jubair and Owen Flowers pleaded guilty to conspiring to carry out unauthorized actions against TfL in violation of the Computer Misuse Act. The 2024 cyber-attack disrupted TfL operations for roughly three months, affecting around 10 million customers. The attackers accessed sensitive personal data, including information stored within TfL’s Oyster refund system. The incident also forced TfL to suspend applications for Oyster photocards used by children and young people.
Flowers separately admitted attempting to compromise the computer systems of US healthcare providers Sutter Health and SSM Healthcare Corporation.
Both suspects were arrested in September 2024 during a joint investigation with the City of London Police. Authorities seized multiple electronic devices, including laptops and hard drives. Sentencing is scheduled to take place at a later date.
In a separate case, a man has been sentenced to four years in prison for helping criminals send fake text messages to people’s phones. The group used an SMS blaster device to send scam messages that appeared to come from HMRC. London police found that Di Li helped set up the operation and supported another man who operated the device.
A third hacker sentenced in DraftKings hacking case
A 21-year-old US national has been sentenced to 18 months in prison for his involvement in a cyber-attack that targeted DraftKings customer accounts in 2022. Nathan Austad, aka “Snoopy,” pleaded guilty in December 2025 to conspiracy to commit computer intrusion. He admitted to helping hack around 60,000 DraftKings accounts.
The attack on the DraftKings fantasy sports and sports betting platform took place in November 2022 and used credential stuffing, a technique that exploits weak or reused passwords by replaying username and password pairs leaked from other services. Hackers added payment methods to about 1,600 accounts and stole roughly $600,000.
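Credential stuffing has a recognizable shape in authentication logs: one source tries many distinct usernames in a short window, most attempts fail, and a small fraction succeed on accounts whose owners reused a leaked password. The following detector is an added example, not code from the article, DraftKings or the prosecutors: it runs a sliding window over constructed log lines, flags sources that hit an assumed distinct-user and failure-ratio threshold, and lists the accounts that logged in successfully from a flagged source for review. The log format, thresholds and sample lines are assumptions for illustration.

```python
"""
Added example (not from the original article): detect the credential-stuffing
pattern in authentication logs. Log format, thresholds and sample lines are
assumptions constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# Constructed sample: one source sprays ten usernames in five seconds (two succeed);
# a second source is a single user mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2022-11-18T03:00:01 203.0.113.7 alice LOGIN_FAIL
2022-11-18T03:00:02 203.0.113.7 bob LOGIN_FAIL
2022-11-18T03:00:02 203.0.113.7 carol LOGIN_OK
2022-11-18T03:00:03 203.0.113.7 dave LOGIN_FAIL
2022-11-18T03:00:03 203.0.113.7 erin LOGIN_FAIL
2022-11-18T03:00:04 203.0.113.7 frank LOGIN_FAIL
2022-11-18T03:00:04 203.0.113.7 grace LOGIN_OK
2022-11-18T03:00:05 203.0.113.7 heidi LOGIN_FAIL
2022-11-18T03:00:05 203.0.113.7 ivan LOGIN_FAIL
2022-11-18T03:00:06 203.0.113.7 judy LOGIN_FAIL
2022-11-18T03:05:00 198.51.100.20 alice LOGIN_FAIL
2022-11-18T03:05:10 198.51.100.20 alice LOGIN_FAIL
2022-11-18T03:05:20 198.51.100.20 alice LOGIN_OK
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
MIN_DISTINCT_USERS = 8           # assumed: distinct usernames per source per window
MIN_FAILURE_RATIO = 0.5          # assumed: stuffing mostly fails


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events: list) -> dict:
    """Return {ip: summary} for every source whose activity matched the pattern."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        users_in_window = Counter()   # username -> attempts inside the window
        failures = 0                  # failed attempts inside the window
        start = 0                     # index of the oldest event inside the window
        hits = set()                  # indices of events that fell in a flagged window
        for end, (ts, _, user, ok) in enumerate(evs):
            users_in_window[user] += 1
            failures += 0 if ok else 1
            # Slide the window forward, dropping events older than WINDOW.
            while ts - evs[start][0] > WINDOW:
                old_user, old_ok = evs[start][2], evs[start][3]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                failures -= 0 if old_ok else 1
                start += 1
            attempts = end - start + 1
            if len(users_in_window) >= MIN_DISTINCT_USERS and failures / attempts >= MIN_FAILURE_RATIO:
                hits.update(range(start, end + 1))
        if hits:
            flagged = [evs[i] for i in sorted(hits)]
            report[ip] = {
                "attempts": len(flagged),
                "distinct_users": len({e[2] for e in flagged}),
                "failures": sum(1 for e in flagged if not e[3]),
                # Successful logins from a stuffing source: reused passwords, review these.
                "accounts_to_review": sorted({e[2] for e in flagged if e[3]}),
            }
    return report


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The per-source view is the cheap first pass; at scale, stuffing is spread across many IPs, so the same window logic is usually also run keyed on other request attributes (user agent, TLS fingerprint, ASN) and paired with rate limits and multi-factor prompts on the accounts listed under `accounts_to_review`.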
Austad was one of several people charged in connection with the scheme. Prosecutors said he sold access to stolen accounts through online marketplaces and his own shop. In addition to his prison sentence, Austad received three years of supervised release. He was also ordered to pay more than $1.3 million in restitution and nearly $464,000 in forfeiture.
Other members of the group have also been sentenced, including Joseph Garrison, who received 18 months in prison, and Kamerin Stokes, who was sentenced to 30 months.