The Good | Authorities Dismantle Global Fraud Ring and Crypto Laundering Network

Eurojust officials have dismantled a transnational fraud ring running call centers in Ukraine that scammed European victims out of more than €10 million.

In collaboration with authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, police arrested 12 suspects and conducted 72 searches across three Ukrainian cities, seizing vehicles, weapons, cash, computers, a polygraph machine, and forged IDs.

The network operated multiple call centers employing around 100 people and targeted more than 400 known victims. Scammers impersonated bank employees and police, claimed accounts were compromised, and coerced victims into transferring funds to “safe” accounts. Others used remote access software to steal credentials or collect cash in person.

Further seizures this week targeted the E-Note cryptocurrency exchange, dismantling its servers and domains after determining the service was used to launder more than $70 million in illicit funds. According to the DoJ, the proceeds stemmed largely from ransomware operations and account takeover attacks, routed through a global network of money mules.

The takedown was led by the FBI with support from German and Finnish authorities and Michigan State Police, with investigators confiscating multiple domains, mobile applications, backend servers, and customer databases containing transaction records.

Prosecutors have also unsealed an indictment against alleged operator Mykhalio Petrovich Chudnovets and are charging him with money laundering conspiracy. While no arrests have been made, Chudnovets faces up to 20 years in prison. Authorities say seized records may support further identifications and follow-on enforcement actions.

The Bad | North Korean Hackers Drive Record $2B Crypto Theft Surge in 2025

Democratic People’s Republic of Korea (DPRK)-linked threat actors drove a record surge in global cryptocurrency theft this year, claiming at least $2.02 billion of the $3.4 billion+ stolen worldwide between January and early December.

A new report delves into the 51% year-over-year increase, which marks the most severe year on record for DPRK-linked crypto crime while accounting for roughly 76% of all service compromises. Cumulatively, North Korean actors are now estimated to have stolen at least $6.75 billion in cryptocurrency.

A single incident, attributed to the TraderTraitor cluster, dominated the year: the February breach of Bybit that resulted in losses of approximately $1.5 billion. Beyond Bybit, DPRK-linked actors are also suspected in the theft of $36 million from South Korea’s most popular cryptocurrency exchange, Upbit.

These operations roll up into what is widely referred to as the Lazarus Group, a long-running threat actor tied to Pyongyang’s Reconnaissance General Bureau (RBG), which has historically blended large-scale crypto heists with espionage campaigns such as Contagious Interview, a campaign using fake recruitment-themed lures to deliver malware and harvest job applicant’s data.

In recent years, these state-backed actors have expanded tactics to include covert IT worker infiltration, sometimes via front companies, to gain privileged access at exchanges and Web3 firms – all to fund the regime despite international sanctions.

The growing scale of DPRK-linked crypto theft shows the profitability of high-value, state-backed operations, also incentivizing other actors to adopt similar tactics, including advanced laundering schemes, affiliate-based attacks, and cross-border exploitation.

For the broader ecosystem, North Korean threat operations continue to both normalize large-scale crypto heists and accelerate the professionalization of illicit networks, complicating attribution and straining global law enforcement resources.

The Ugly | Threat Actors Upscaling Abilities with Widespread Adoption of LLMs

Ransomware operations are undergoing a rapid, dangerous transformation not through novel “super-hacks” but via the industrialized efficiency of Large Language Models (LLMs). A new report by SentinelLABS assesses that LLMs have become a critical operational accelerator, compressing the ransomware lifecycle and dramatically lowering the barrier to entry for novice cybercriminals.

The researchers say that threat actors are now automating reconnaissance, generating localized phishing lures, and triaging massive datasets across language barriers with unprecedented speed and accuracy with the help of LLMs. Ransomware-as-a-Service operators are already claiming to offer AI-assisted tools to affiliates to increase attack productivity.

SentinelLABS says attackers are successfully evading commercial guardrails through “prompt smuggling”, a process by which malicious requests are broken down into innocent-looking pieces across multiple chats. The outputs are then stitched together offline to build working attack tools.

The researchers predict that top-tier actors will go further, likely migrating to self-hosted, open-source models like Ollama to entirely avoid provider guardrails. This evolution would allow criminals to operate without telemetry or censorship, effectively weaponizing unrestricted AI.

Real-world campaigns already illustrate this escalation. Anthropic has reported on tools like Claude Code being used to automate entire extortion chains, from technical reconnaissance to calculating optimal ransom demands. In other instances, malware such as QUIETVAULT has been seen hijacking a victim’s own locally installed LLMs to intelligently hunt for crypto-wallets and sensitive files.

While the report adds to the general industry concern around the use of AI by threat actors, it also debunks one of the wider myths in common circulation. The risk from today’s LLMs, the researchers say, isn’t superintelligent malware or novel attack vectors, it’s the more mundane industrialization of extortion with smarter target selection, tailored demands, and faster operational tempo, factors that increasingly complicate attribution and challenge defenders to adapt to a significantly higher-volume threat landscape.