The cybercriminal underground historically has been shaped by global law enforcement operations that target key actors and infrastructure, and this was never more apparent than in 2024. A consistent cadence of operations throughout the year impacted some of the most maligned cyber threats, including ransomware and the proliferation of malware. The scale of the operations was grand, with the targeting of the biggest name in ransomware — LockBit. Also disrupted were some of the most mature botnet operations active in the underground, including IcedID and SmokeLoader, and infrastructure behind information-stealing (infostealer) malware of RedLine and Meta. The impressive impact law enforcement agencies were able to effectuate was in part due to the adoption of aggressive media campaigns where they implemented baiting techniques that were picked up and amplified in open source and the underground. Furthermore, a steady flow of sanctions and indictments against cybercriminals — past and present — demonstrated the possible ramifications of a life of crime and thrust those impacted into the limelight. This post will summarize some of the most significant actions and examine their effects.
Operation Cronos
On Feb. 20, 2024, the U.K.’s National Crime Agency (NCA) and the U.S. FBI announced the disruption of the LockBit ransomware-as-a-service (RaaS) as a result of Operation Cronos, a coordinated effort involving law enforcement agencies from 10 countries. Investigators deeply compromised LockBit’s infrastructure, gaining information about affiliates, internal data and critical operational details, such as the fact the group didn’t delete data despite promising it would to victims who paid. Investigators also used one of the group’s data leak sites to reveal more information they collected. Authorities obtained more than 1,000 LockBit ransomware decryption keys, numerous individuals linked to LockBit were indicted or arrested across the globe and more than 200 cryptocurrency accounts linked to the group were frozen. The operation resulted in the identification, indictment and sanctioning of Dmitry Yuryevich Khoroshev for allegedly running the group under the persona LockBitSupp. The operation continued after the initial announcement of the disruption, demonstrating the action was not a one-off.
Effects: After the first action, LockBit stood up new infrastructure and continued to post victims. However, U.K. authorities said most of those entities were not actually victims and others could not be verified. In the fourth quarter of 2024, LockBit posted only four victims. The sustained suppression and pressure on LockBit suggests it is an effective method that degrades the operations of ransomware groups over time. The drawback of this approach, however, is that it is resource intensive and potentially takes away from efforts against other groups that may fill the void.
Operation Endgame
In late May 2024, the European Union Agency for Law Enforcement Cooperation (Europol) and law enforcement agencies from several countries targeted multiple malware droppers including IcedID aka Bokbot, SystemBC, Pikabot, SmokeLoader and Bumblebee in the “largest ever operation against botnets.” The action resulted in the disruption of infrastructure used by the botnets, as well as arrests, server takedowns and domain seizures. The operation was initiated and led by officers in France, Germany and the Netherlands and supported by the European Union Agency for Criminal Justice Cooperation (Eurojust) and several other countries. It led to four arrests — one in Armenia and three in Ukraine — 16 location searches, the takedown of more than 100 servers and law enforcement taking control of more than 2,000 domains. Additionally, Europol added eight additional fugitives linked to this criminal activity to Europe’s Most Wanted list. Similar to the LockBit action, authorities sought to maximize psychological impacts on the cybercriminal community. From near when the operation started through early August 2024, Europol officials released eight stylized videos dedicated to Operation Endgame where they revealed actor names and provided cryptic clues regarding their operations. These videos, some of which mimicked graphic novel illustrations, depicted shocked threat actors as their systems were being disrupted.
Effects: This operation had an immediate effect because authorities were able to shut down or dismantle the infrastructure of these botnets and malware families. However, the longer-term results are mixed, as threat actors developing these tools often rebounded their efforts. This is because there is strong market demand for compromised computers that can be exploited for credential and data extraction and other schemes such as ransomware.
- Bokbot aka IcedID is a malware family that emerged in early 2017 and started by stealing banking information but can also download and execute other malware. The developers have redeveloped it from scratch at least three times and a version of it continues to circulate as of January 2025.
- SystemBC, which leverages socket secure internet protocol (SOCKS5) to hide malicious traffic from other malware families to evade detection, was updated in August 2024 by the threat actor psevdo, one of its developers. The malware continues to be used.
- Pikabot is a backdoor and malware loader observed in early February 2023 as part of campaigns that simultaneously distributed QBot aka Qakbot, which was targeted by law enforcement in October 2023. Pikabot appeared to be poised to replace Qakbot but faded.
- SmokeLoader’s prevalence as a payload fell dramatically after the law enforcement action but rose again in the months afterwards. It still ranks as one of the top malware families seen circulating as a payload. It also ranks as one of the most seen downloaders, or malware used to download other payloads. Authorities also added a Russian man, Airat Rustemovich Gruber — SmokeLoader’s alleged operator — to Europe’s Most Wanted list.
- Bumblebee, which is malware that is used to load other malware onto compromised devices similar to SmokeLoader, was quiet after the disruption. In October 2024, Intel 471 Malware Intelligence systems identified a new sample of the Bumblebee malware family after several months of inactivity. The newly analyzed malware samples revealed a configuration update, indicating ongoing development efforts.
Operation Magnus
On Oct. 29, 2024, Dutch and U.S. authorities confirmed a disruption operation against the RedLine and Meta information-stealing malware dubbed Operation Magnus. The coordinated law enforcement action reportedly resulted in the seizure of two domains and three command-and-control (C2) servers supporting the stealers. Multiple associated Telegram channels were taken offline and millions of compromised victim credentials were recovered. Additionally, U.S. authorities unsealed charges against Maxim Rudometov, an alleged developer of RedLine.
Effects: RedLine’s popularity peaked in 2023 when Intel 471’s malware emulation systems tracked it as the most downloaded malware and the most downloaded infostealer. The law enforcement operation struck at its core infrastructure, but RedLine’s activity continued. A variety of vendors who sold RedLine’s code and administration panel software were unaffected by the enforcement action, and pirated versions of RedLine still circulated. Meta aka MetaStealer is a fork of RedLine. We observed one threat actor in November 2024 seeking partners to distribute MetaStealer and samples of the malware still circulate but on a small scale.
TheCom charges, arrests
TheCom is a broad online ecosystem composed of diverse individuals with a significant number of youths operating mostly from Canada, the U.S. and the U.K. that engage in cybercriminal activities such as subscriber identity module (SIM) card-swapping, cryptocurrency theft, online harassment, swatting, bricking and corporate intrusions. This online ecosystem is assessed as the origin of high-profile threat groups over the years including LAPSUS$, Roasting 0ktapus and the Scattered Spider, UNC3944, Octo Tempest and Muddled Libra intrusion clusters.
Several individuals were charged or arrested in law enforcement operations targeting cybercriminals linked to TheCom this year that included:
- In January 2024, the U.S. Department of Justice (DOJ) announced details of an indictment with a series of charges against the individual Noah Michael Urban aka Sosa, Elijah, King Bob, Anthony Ramirez, linked with the Roasting 0ktapus group.
- In June 2024, the Spanish National Police and the U.S. FBI announced a U.K. national allegedly involved in a spree of corporate intrusions was arrested in a joint operation. The individual was identified as Tyler Buchanan aka tylerb, another member of the Roasting 0ktapus group.
- In October 2024, an FBI special agent filed a criminal complaint charging the individual Remington Goy Ogletree aka remi with wire fraud in relation to alleged crimes linked to the Scattered Spider intrusion cluster.
- In October 2024, Alexander “Connor” Moucka aka judische was taken into custody on a provisional arrest warrant, according to Canada’s Department of Justice. The actor was linked to the large-scale supply chain attack impacting the U.S.-based cloud storage provider Snowflake.
In November 2024, the FBI unsealed criminal charges against five defendants in connection with a phishing campaign — Ahmed Hossam Eldin Elbadawy aka AD, Noah Michael Urban aka Sosa, Evans Onyeaka Osiebo, Joel Martin Evans aka joeleoli and Tyler Robert Buchanan aka tylerb. We previously linked joeleoli and Sosa to the Roasting 0ktapus group.
A screenshot of a video Spain’s National Police released June 14, 2024, of a man believed to be Tyler Buchanan of the U.K.
Effects: TheCom is not one singular, monolithic group but rather many individuals and small groups of people that often unite for specific fraud jobs, disband and then reform with other individuals. The FBI estimated there are more than 1,000 threat actors in the sphere, which means reining it in may be a multiyear process. These individuals often prioritize displaying their ill-gotten gains to their peer group at the expense of their own operational security (OPSEC) by publishing photos and videos on social media. This has proven advantageous for investigators. Threat actors do indeed take note when their peers are charged or arrested but it’s unclear if it dissuades future offending.
Operation Passionflower
On Dec. 3, 2024, Europol announced the results of an international law enforcement operation named Operation Passionflower that targeted the Matrix aka Mactrix, Totalsec, X-quantum, Q-safe encrypted messaging platform. The platform's infrastructure consisted of more than 40 servers and was taken down by Dutch and French authorities with follow-up actions carried out by law enforcement agencies in Italy, Lithuania and Spain. Europol's statement revealed the authorities were monitoring the platform and intercepting communications for three months prior to the takedown. The operation came hot off the heels of Telegram updating its terms of services and privacy policy confirming the intent to comply with information sharing requests from authorities, including IP addresses and phone numbers.
Effects: For more than a decade, technology providers have emerged that specialized in providing secure, encryption communication for criminals via messaging apps and custom phones. The idea was to provide surveillance-proof security. The platforms have included Sky Global, EncroChat, Phantom Secure, Ghost and Anom. However, law enforcement often undermined the platforms, covertly gaining access to messages. In the case of Anom, law enforcement ran an operation for three years that distributed Anom devices to the criminal underworld. This happened to Matrix as well, where investigators read messages in real time for three months. Matrix was a smaller, technically complex operation that was invitation-only for users, indicating that those developing these services are seeking to implement better security and avoid attracting attention. However, this line of business — particularly ones in which hardware is distributed that could be seized during arrests — will involve a certain degree of exposure.
Conclusion
The cybercriminal ecosystem is a resilient one. As cybercrime continues to expand its reach and profits, the demand for certain services — whether it be ransomware infrastructure, malware code, access and access credentials or leaked data — continues to rise. The impact of law enforcement actions is often immediate but groups and threat actors tend to reconstitute. For example, LockBit as a RaaS has been irreparably damaged by continued law enforcement pressure, but the RansomHub group has risen as a result. Threat actors responsible for malware infrastructure such as the Bumblebee loader continue to experiment with new variations and infrastructure. And despite the arrests of several individuals associated with TheCom, this community of threat actors remains highly active on messaging services and forums, displaying the usual swagger and propensity toward real-world violence. These statements are not meant to diminish the incredible and intensive work by law enforcement but more to highlight how cybercrime’s low-risk, high-reward dynamic means it remains alluring.
This information comes from Intel 471’s Annual Report, which contains summaries of trends seen in the threat landscape throughout 2024. For more information, please reach out.
