Last updated: July 5, 2026 at 9:01 AM UTC
Tag: law-enforcement (8 articles)

Italian Guardia di Finanza dismantles CINEMAGOAL piracy app that harvested fresh auth codes from legit Netflix, Disney+, Spotify subscriptions every 3 minutes

Italian Guardia di Finanza has dismantled CINEMAGOAL, an unusual piracy operation whose customers installed an app on their devices that authenticated directly to legitimate Netflix, Disney+, Spotify, Sky, and DAZN accounts. A network of virtual machines in Italy captured fresh authentication and decryption codes from real subscriptions (opened under false identities) every three minutes and redistributed them to subscribers, who streamed at full quality with their real IPs masked. Operation 'Tutto Chiaro' executed 100 searches across Italy, seized servers in France and Germany, and identified about 70 resellers. The first 1,000 subscribers have been fined between €154 and €5,000.

Check
If you run an enterprise streaming or subscription product: search for accounts authenticating from Italian VM ranges with abnormally short session intervals (every 3 minutes) tied to suspicious billing details.
Affected
Streaming and content platforms (Netflix, Disney+, Spotify, Sky, DAZN are named victims). Subscribers signing up under fake identities, then sharing rotating auth tokens, is the core abuse pattern.
Fix
Add device-binding to subscription sessions so a captured token does not work elsewhere. Throttle simultaneous-stream limits at the network level. Strengthen identity verification at subscription signup.
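The check above asks for accounts that re-authenticate on a fixed, very short cadence from hosting ranges. The following is an added example, not code from the original article or from any of the named platforms: it walks a constructed token-issuance log, computes the median and spread of the gaps between issuances per account, and flags accounts whose cadence is both short and regular and whose source addresses fall in a watch-listed range. The CIDR ranges, account names and log format are placeholders.

```python
"""Detect subscription accounts re-authenticating on an abnormally short,
regular cadence (e.g. every ~3 minutes) from a suspect address range.
Added example for this page; the log format and address ranges below are
constructed for illustration, not real platform data."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder VM hosting ranges to scrutinise (constructed, not real IoCs).
SUSPECT_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]

# Constructed auth log: ISO timestamp,account,source_ip,event
SAMPLE_LOG = """\
2026-06-01T10:00:00Z,acct-1001,203.0.113.10,token_issued
2026-06-01T10:03:01Z,acct-1001,203.0.113.10,token_issued
2026-06-01T10:06:00Z,acct-1001,203.0.113.11,token_issued
2026-06-01T10:09:02Z,acct-1001,203.0.113.10,token_issued
2026-06-01T10:12:00Z,acct-1001,203.0.113.10,token_issued
2026-06-01T09:00:00Z,acct-2002,192.0.2.44,token_issued
2026-06-01T21:30:00Z,acct-2002,192.0.2.44,token_issued
2026-06-02T08:15:00Z,acct-2002,192.0.2.44,token_issued
2026-06-01T10:00:00Z,acct-3003,198.51.100.7,token_issued
2026-06-01T10:02:58Z,acct-3003,198.51.100.7,token_issued
2026-06-01T10:06:00Z,acct-3003,198.51.100.7,token_issued
2026-06-01T10:09:01Z,acct-3003,198.51.100.7,token_issued
2026-06-01T10:00:00Z,acct-4004,192.0.2.9,token_issued
2026-06-01T10:03:00Z,acct-4004,192.0.2.9,token_issued
2026-06-01T10:06:00Z,acct-4004,192.0.2.9,token_issued
2026-06-01T10:09:00Z,acct-4004,192.0.2.9,token_issued
"""

def parse_log(text):
    """Parse the constructed CSV log into (timestamp, account, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, event = line.split(",")
        if event != "token_issued":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, account, ipaddress.ip_address(ip)))
    return events

def in_suspect_range(ip):
    return any(ip in net for net in SUSPECT_RANGES)

def find_token_harvesters(events, max_median_secs=200, min_events=4, jitter_secs=30):
    """Return {account: summary} for accounts whose token issuance is
    short-interval, regular (low spread) and sourced from a suspect range."""
    by_account = defaultdict(list)
    for when, account, ip in events:
        by_account[account].append((when, ip))
    flagged = {}
    for account, rows in by_account.items():
        if len(rows) < min_events:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        median = statistics.median(gaps)
        spread = max(gaps) - min(gaps)
        suspect_ips = {str(ip) for _, ip in rows if in_suspect_range(ip)}
        if median <= max_median_secs and spread <= jitter_secs and suspect_ips:
            flagged[account] = {"median_interval_s": median,
                                "events": len(rows),
                                "suspect_ips": sorted(suspect_ips)}
    return flagged

if __name__ == "__main__":
    for account, summary in find_token_harvesters(parse_log(SAMPLE_LOG)).items():
        print(account, summary)
```

Requiring low spread as well as a short median is deliberate: a household that simply opens the app often produces irregular gaps, whereas a scripted harvester ticks on a timer. acct-4004 shows the other guard: a perfectly regular cadence from an address outside the watch list is reported nowhere, which keeps the rule from paging on every well-behaved client with aggressive token refresh.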

Netherlands seizes 800 servers of Stark Industries successor WorkTitans/THE.Hosting - links to NoName057(16) Russian hacktivists

The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.

Check
Search egress logs for connections to Stark Industries or THE.Hosting / WorkTitans IP ranges since 2022. Cross-reference with NoName057(16) DDoS infrastructure published by national CERTs.
Affected
Targets of pro-Russian disinformation, DDoS, and influence operations - particularly EU government, banking, and critical-infrastructure sectors. NoName057(16) frequently targets Ukrainian allies.
Fix
Block known Stark Industries / WorkTitans / Mirhosting IP ranges at the perimeter where there is no legitimate business need. Refresh DDoS protection runbooks for NoName057(16) campaigns.

First VPN service taken offline by Europol - 33 servers in 27 countries seized, Ukrainian operator questioned, used in ransomware

A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.

Check
Search VPN allowlists and detection alerts for users connecting from First VPN exit IPs in the last two years. Check 1vpns.com / 1vpns.net / 1vpns.org references in firewall and proxy logs.
Affected
Investigators or threat hunters whose historical IoC sets included First VPN exit IPs. 506 specific users have been internationally referred; affected parties should expect law-enforcement contact.
Fix
Refresh detection rules with seized First VPN exit IPs once Europol shares them. If your historical attacker IoCs included First VPN nodes, re-correlate against the freshly identified users.

Alleged Kimwolf IoT botmaster 'Dort' arrested in Ottawa, charged in US and Canada - swatting attacks against researchers cited

Krebs on Security reports that Jacob Butler, the 18-year-old Ottawa resident allegedly known online as 'Dort,' has been arrested and charged in both the US and Canada with running the Kimwolf IoT botnet. KrebsOnSecurity unmasked Butler as the operator on February 28 by tying together his email addresses, forum registrations, and public Telegram and Discord posts. Dort later threatened and swatted researchers including Synthient's Ben Brundage. Ontario Provincial Police executed a search warrant in Ottawa on March 19 and seized devices. Kimwolf competed with Aisuru, JackSkid, and Mossad for the same vulnerable-IoT population. Butler faces up to 10 years if extradited and convicted in the US.

Check
Search EDR and netflow telemetry for outbound connections from IoT devices to known Kimwolf, Aisuru, JackSkid, and Mossad C2 sets. Inventory unpatched IoT devices on residential and SMB networks.
Affected
IoT devices - mostly routers, NVRs, and consumer IP cameras - vulnerable to the unpatched flaws Kimwolf was using to spread. Synthient helped patch the underlying weakness earlier this year.
Fix
Update firmware on all IoT and network-edge devices and disable WAN-side admin interfaces. Block known Kimwolf C2 ranges. Monitor for the lateral spread patterns documented by Synthient.
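The Stark Industries / THE.Hosting, First VPN and Kimwolf entries above all reduce to the same retrospective check: sweep egress or netflow telemetry for destinations in a published address range or under a published domain. The block below is an added example, not code from any of the articles or the agencies involved; it parses two constructed log shapes (a proxy line with a host header and a netflow-style line with only a destination address) and matches both IPv4/IPv6 ranges and domain suffixes. The CIDR ranges and log lines are placeholders; only the 1vpns.com / 1vpns.net / 1vpns.org names come from the page.

```python
"""Match egress (proxy/firewall/netflow) log lines against address ranges and
domains associated with a takedown, so the check can run over historical
telemetry. Added example for this page; the CIDR ranges and log lines are
constructed placeholders, only the 1vpns.* domain names come from the page."""
import ipaddress
import re

# Placeholder ranges: substitute the ranges published by CERTs / Europol.
WATCH_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]
WATCH_DOMAINS = {"1vpns.com", "1vpns.net", "1vpns.org"}

# Constructed log lines in two shapes.
SAMPLE_LOG = """\
2026-05-02T11:02:13Z proxy src=10.1.4.22 dst=198.51.100.4 host=cdn.example.com action=allow
2026-05-02T11:05:40Z proxy src=10.1.4.22 dst=203.0.113.77 host=1vpns.com action=allow
2026-05-02T11:09:08Z proxy src=10.1.9.3 dst=192.0.2.18 host=www.1vpns.org action=allow
2026-05-03T02:17:55Z netflow src=10.2.0.14 dst=203.0.113.9 bytes=48211
2026-05-03T02:18:10Z netflow src=10.2.0.15 dst=[2001:db8:1::5] bytes=1200
2026-05-03T02:20:00Z netflow src=10.2.0.16 dst=192.0.2.99 bytes=800
"""

# key=value pairs; bracketed values keep IPv6 literals intact.
KV = re.compile(r"(\w+)=(\[[^\]]+\]|\S+)")

def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into a dict; brackets around IPv6 are removed."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.strip("[]") for k, v in KV.findall(rest)}
    fields.update(ts=ts, kind=kind)
    return fields

def domain_matches(host):
    """True for the watched domain itself or any subdomain of it (not 'not1vpns.com')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)

def ip_matches(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in WATCH_RANGES)

def find_hits(text):
    """Return one record per log line that touched a watched range or domain."""
    hits = []
    for line in text.strip().splitlines():
        f = parse_line(line)
        reasons = []
        if ip_matches(f.get("dst", "")):
            reasons.append(f"dst in watched range ({f['dst']})")
        if "host" in f and domain_matches(f["host"]):
            reasons.append(f"host matches watched domain ({f['host']})")
        if reasons:
            hits.append({"ts": f["ts"], "src": f["src"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

Matching on both the destination address and the host header matters for the VPN case: a proxy log may record the domain while the address rotates, whereas netflow has only the address. Suffix matching is anchored on a leading dot so that look-alike names outside the watched zone are not reported.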

Ukraine cyber-police identifies 18-year-old Odesa infostealer operator linked to 28,000 stolen accounts and $721K California fraud

Ukrainian cyberpolice working with US law enforcement have identified an 18-year-old man from Odesa as the suspected operator of an infostealer operation that ran from 2024 through 2025 against customers of a California online retailer. The malware harvested 28,000 customer accounts; the operators used about 5,800 of them to make $721,000 in unauthorized purchases, leaving the retailer with around $250,000 in direct losses including chargebacks. The suspect ran the back-end infrastructure for processing and selling stolen session tokens. Police searched two residences and seized computers, phones, and bank cards. No arrest has been announced yet.

Check
Search HIBP and stealer-log marketplaces for your domain. If you run e-commerce, audit accounts with card-not-present orders that didn't match the legitimate user's device fingerprint in 2024-2025.
Affected
Customers of an unnamed California online retailer; 28,000 accounts harvested, 5,800 used in $721K of unauthorized purchases. Operation linked to a single 18-year-old in Odesa, Ukraine.
Fix
For affected users: rotate passwords, revoke active sessions, check card statements. For retailers: deploy session-binding device fingerprinting and require re-authentication for high-value card-not-present orders.

Microsoft dismantles Fox Tempest 'malware-signing-as-a-service' that abused Azure Artifact Signing for 1,000+ certificates

Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Operators created more than 1,000 certificates and hundreds of Azure tenants using stolen US and Canadian identities, all valid for 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.

Check
Search EDR and Defender SmartScreen logs for binaries signed by Microsoft Azure Artifact Signing certificates between 2025 and 2026-05-19. Cross-reference Microsoft's revoked certificate list.
Affected
Endpoints that trust Microsoft Azure Artifact Signing certificates without additional publisher verification. Especially relevant if previously targeted by Vanilla Tempest, Storm-0501, Storm-2561, or Storm-0249.
Fix
Tighten Defender SmartScreen and AppLocker rules so a publisher signature alone is not sufficient trust. Verify the named publisher of any Microsoft Artifact Signing-signed binary matches the expected software vendor.
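The fix above says a signature from the Artifact Signing CA should not by itself confer trust; the named publisher has to match the vendor expected for that binary, and anything on the revoked list is blocked regardless. The following added example (not Microsoft's tooling and not code from the article) expresses that as a small policy evaluator over constructed signature records. The issuer name, thumbprints, file hashes and publisher policy are placeholders; in particular, recognising the issuing CA by a substring of its CN is an assumption to be replaced with the real CA names from vendor documentation.

```python
"""Evaluate code-signing evidence so that a valid Microsoft-issued certificate
alone is not sufficient trust: the named publisher must match the vendor
expected for that binary, and revoked certificates are blocked outright.
Added example for this page; records, thumbprints, issuer names and policy
are constructed placeholders, not real certificate data."""
from dataclasses import dataclass

@dataclass
class SigRecord:
    path: str         # file that carried the Authenticode signature
    sha256: str       # hash of the file (constructed)
    signer_cn: str    # subject CN of the leaf signing certificate
    issuer_cn: str    # CN of the issuing CA
    thumbprint: str   # SHA-256 thumbprint of the leaf certificate, hex

# Which publisher CN is expected for which binary (constructed policy).
EXPECTED_PUBLISHER = {
    "vpnclient.exe": {"Example Networks Ltd"},
    "updater.exe": {"Example Software Inc"},
}
# Placeholder for the vendor's revoked-certificate list (constructed value).
REVOKED_THUMBPRINTS = {"aa11" * 16}
# Assumption: the Artifact Signing issuing CA is recognised by a substring of
# its CN; replace with the real CA names from the vendor's documentation.
ARTIFACT_SIGNING_MARKER = "artifact signing"

def evaluate(rec, expected=EXPECTED_PUBLISHER, revoked=REVOKED_THUMBPRINTS):
    """Return (verdict, reason) with verdict in {'block', 'review', 'allow'}."""
    if rec.thumbprint.lower() in revoked:
        return "block", "leaf certificate is on the revoked list"
    name = rec.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    allowed = expected.get(name)
    if ARTIFACT_SIGNING_MARKER in rec.issuer_cn.lower():
        if allowed is None:
            return "review", "Artifact Signing-signed binary with no publisher policy"
        if rec.signer_cn not in allowed:
            return "block", f"publisher '{rec.signer_cn}' is not expected for {name}"
        return "allow", "publisher matches the expected vendor"
    if allowed is not None and rec.signer_cn not in allowed:
        return "block", f"publisher '{rec.signer_cn}' is not expected for {name}"
    return "review", "not Artifact Signing-issued; apply the standard publisher rules"

SAMPLE_RECORDS = [  # constructed
    SigRecord("C:/Program Files/VPN/vpnclient.exe", "f1" * 32, "Example Networks Ltd",
              "Example Artifact Signing Issuing CA", "bb22" * 16),
    SigRecord("C:/Users/Public/vpnclient.exe", "f2" * 32, "Unrelated Publisher LLC",
              "Example Artifact Signing Issuing CA", "cc33" * 16),
    SigRecord("C:/Temp/updater.exe", "f3" * 32, "Example Software Inc",
              "Example Artifact Signing Issuing CA", "AA11" * 16),
    SigRecord("C:/Temp/tool.exe", "f4" * 32, "Someone",
              "Example Artifact Signing Issuing CA", "dd44" * 16),
]

def triage(records=SAMPLE_RECORDS):
    """Map each file hash to its verdict so the result can feed an allow/block list."""
    return {r.sha256: evaluate(r)[0] for r in records}

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.path, *evaluate(rec))
```

The order of the checks is the point: revocation is tested first so that a matching publisher name cannot rescue a certificate the issuer has already withdrawn (the third record), and a binary with no publisher policy at all lands in "review" rather than being silently trusted because its chain validates.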

INTERPOL Operation Ramz disrupts MENA cybercrime: 201 arrests, 53 servers seized, 3,867 victims identified

INTERPOL says a coordinated operation called Ramz, run across 13 Middle East and North Africa countries, has produced 201 arrests, seized 53 servers, and identified 3,867 victims. Algerian authorities took down a phishing-as-a-service operation; Moroccan officials seized hard drives loaded with banking data and phishing kits; and Jordanian police uncovered 15 people running a fraudulent trading platform who turned out to be trafficking victims forced into the work. Group-IB and Team Cymru contributed intelligence on over 5,000 compromised accounts, including some tied to government systems. Participating countries included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE.

Check
Review phishing and credential-theft alerts for matches against the IP ranges in INTERPOL's advisory, especially for users with MENA business or travel ties.
Affected
Organizations with users, customers, or business operations in the 13 named MENA countries. Roughly 5,000 compromised accounts (including some tied to government infrastructure) were identified.
Fix
Force credential rotation for users matching the IoCs Group-IB shared. Coordinate with your local CSIRT for country-specific victim lists. Reinforce phishing-awareness training in MENA-facing teams.

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

Check
Review your Microsoft 365 security configuration. W3LL's kit was specifically designed to bypass standard MFA on M365 - organizations relying solely on push notification or SMS-based MFA for M365 were the primary targets.
Affected
Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix
Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.
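The fix above names suspicious mailbox rules as the first post-compromise action to watch for. The block below is an added example, not code from the article or from Group-IB or Microsoft: it scores a constructed inbox-rule export for the traits that recur in BEC cases (external auto-forward, silent delete, mail parked in a low-visibility folder, finance keywords, a blank or one-character rule name). The rule export and its field names are an assumption for illustration, not the schema of any real cmdlet output.

```python
"""Flag inbox rules typical of post-compromise BEC activity: auto-forwarding to
external addresses, silent deletion, hiding mail in low-visibility folders and
matching on finance keywords. Added example for this page; the rule export is
constructed and its field names are an assumption, not a real export schema."""
INTERNAL_DOMAINS = {"example.com"}
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                          "conversation history", "junk email", "deleted items"}
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "urgent"}

SAMPLE_RULES = [  # constructed export, one dict per rule
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": ["drop@mail-example.net"], "delete": False,
     "move_to": None, "subject_contains": []},
    {"mailbox": "ap@example.com", "name": "cleanup", "enabled": True,
     "forward_to": [], "delete": True,
     "move_to": None, "subject_contains": ["Invoice", "payment"]},
    {"mailbox": "alice@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "delete": False,
     "move_to": "Newsletters", "subject_contains": ["weekly digest"]},
    {"mailbox": "bob@example.com", "name": "to assistant", "enabled": True,
     "forward_to": ["assistant@example.com"], "delete": False,
     "move_to": None, "subject_contains": []},
    {"mailbox": "ap@example.com", "name": "old", "enabled": False,
     "forward_to": ["x@attacker-example.org"], "delete": False,
     "move_to": None, "subject_contains": []},
    {"mailbox": "carol@example.com", "name": "bank", "enabled": True,
     "forward_to": [], "delete": False,
     "move_to": "RSS Feeds", "subject_contains": ["wire"]},
]

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def rule_indicators(rule):
    """Return the list of suspicious traits found on one rule (empty = benign)."""
    reasons = []
    if any(is_external(a) for a in rule["forward_to"]):
        reasons.append("forwards to an external address")
    if rule["delete"]:
        reasons.append("deletes matching messages")
    folder = (rule["move_to"] or "").lower()
    if folder in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves mail into low-visibility folder '{rule['move_to']}'")
    if {k.lower() for k in rule["subject_contains"]} & FINANCE_KEYWORDS:
        reasons.append("filters on finance keywords")
    if len(rule["name"].strip(" .-_")) <= 1:
        reasons.append("empty or single-character rule name")
    return reasons

def find_suspicious_rules(rules=SAMPLE_RULES):
    """Enabled rules with at least one indicator, most indicators first."""
    hits = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        reasons = rule_indicators(rule)
        if reasons:
            hits.append({"mailbox": rule["mailbox"], "name": rule["name"],
                         "reasons": reasons})
    hits.sort(key=lambda h: -len(h["reasons"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules():
        print(hit["mailbox"], repr(hit["name"]), "; ".join(hit["reasons"]))
```

Internal forwards and ordinary folder-sorting rules produce no indicators, so the output is a short list an analyst can review rather than every rule in the tenant. Disabled rules are skipped here, but a historical sweep may want them as well: a rule an attacker disabled after use is still evidence.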