Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the Phobos ransomware-as-a-service ecosystem as part of Europol-coordinated Operation Aether, seizing materials such as stolen credentials and access information; and Operation Red Card 2.0 (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams.
Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an FBI warning about a surge in ATM jackpotting losses and reporting on Operation Red Card 2.0. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed Lotus Blossom espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
Timeline
Feb 22, 2026
Security Affairs roundup highlights KEV additions and active threat activity
A February 22, 2026 Security Affairs newsletter summarized multiple newly highlighted KEV entries, active exploitation cases, enforcement actions, and data exposure incidents. It served as a roundup rather than a single new incident, consolidating developments already reported elsewhere.
Feb 20, 2026
Researchers detail infostealer attacks against OpenClaw AI assistant
Researchers observed infostealer malware exfiltrating sensitive configuration and memory files from a locally running OpenClaw agentic AI assistant. The findings showed attackers could potentially hijack the assistant's capabilities without exploiting a vulnerability in OpenClaw itself.
Feb 20, 2026
Researchers disclose CRESCENTHARVEST espionage campaign
Security researchers reported a new campaign dubbed CRESCENTHARVEST targeting Farsi-speaking supporters of Iran's anti-government protests. The operation used protest-themed lures and a multi-stage Windows infection chain to deploy an undocumented RAT and infostealer.
Feb 20, 2026
INTERPOL reports 651 arrests from Operation Red Card 2.0
INTERPOL announced that Operation Red Card 2.0 resulted in 651 arrests and substantial seizures tied to investment fraud and mobile money and loan scams. The results were reported in February 2026 and reflected a large multinational enforcement action.
Feb 20, 2026
Polish authorities detain suspect tied to Phobos ransomware
As part of Europol-coordinated Operation Aether, Polish authorities detained a suspect linked to the Phobos ransomware ecosystem. The arrest was reported in February 2026 as a significant disruption of ransomware-related activity.
Feb 20, 2026
Dutch police arrest suspect in extortion over misdirected documents
Authorities in the Netherlands arrested a man accused of extorting officials after he received confidential documents that had been sent to him by mistake. The case was cited as a notable law-enforcement action in February 2026 cybersecurity reporting.
Feb 1, 2026
Google patches first exploited Chrome zero-day of 2026
Google released a fix for CVE-2026-2441, described as the first actively exploited Chrome zero-day of 2026. The patch was noted in February 2026 roundup coverage of major security developments.
Dec 31, 2025
FBI warns ATM jackpotting caused $20 million in losses in 2025
The FBI issued a warning about increased ATM jackpotting activity, stating that losses reached $20 million during 2025. The alert underscored growing criminal use of malware and physical access techniques against cash machines.
Nov 1, 2025
INTERPOL launches Operation Red Card 2.0 across 16 African countries
INTERPOL, through its African Joint Operation against Cybercrime (AFJOC), coordinated Operation Red Card 2.0 across 16 countries to target cyber-enabled financial crime, including investment fraud and mobile money and loan scams. The operation ultimately led to hundreds of arrests and major seizures.
Jan 1, 2024
China-linked APT began exploiting Dell RecoverPoint zero-day
A China-linked advanced persistent threat reportedly started weaponizing a zero-day in Dell RecoverPoint in 2024. The activity was later highlighted in February 2026 reporting as part of broader vulnerability and exploitation coverage.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Malware
Organizations
Sources
Related Stories
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
2 weeks ago
Year-End Cybersecurity Review: Major Law Enforcement Actions and Notable Incidents
Law enforcement agencies worldwide achieved significant victories against cybercriminals in 2025, including the takedown of Ukrainian call centers defrauding Europeans of €10 million, the seizure of servers from the E-Note crypto exchange laundering $70 million, and the arrest of individuals aiding state-backed hacking groups. Authorities also dismantled infrastructure supporting ransomware and account takeover operations, with notable convictions such as the prison sentence for the "evil twin" WiFi hacker and the seizure of the Cryptomixer crypto mixer, which laundered €1.3 billion since 2016. These actions reflect a growing trend of international cooperation, combining legal, operational, and financial measures to disrupt cybercrime and hold perpetrators accountable. In addition to law enforcement successes, 2025 saw a range of high-profile cyber incidents and campaigns. Notable events included a massive cyberattack on Venezuela’s oil and gas infrastructure, suspected to be linked to U.S. operations, and targeted phishing campaigns against Russian military personnel using malicious Excel files. Iranian hackers exploited known vulnerabilities to breach Israeli institutions outside the country’s critical infrastructure sector, exposing gaps in cybersecurity mandates for hospitals, universities, and government ministries. These incidents underscore the evolving tactics of both state and non-state actors and the persistent vulnerabilities in global cyber defenses.
1 months ago
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
1 months ago