February 26, 2025
In 2024, threat actors continued to be extremely active. Major cyber-attacks occurred across multiple industries and ransomware attacks increased year over year. These attacks had huge financial and reputational implications for all those targeted. Internationally, however, law enforcement continued to fight back against cyber actors, making several high-profile and important arrests.
In this blog we explore some of the more notable law enforcement activities and arrests.
Operation CRONOS
Led by the UK’s National Crime Agency (NCA), this international operation targeted the LockBit ransomware cartel. The operation dismantled key infrastructure and exposed the identity of the group’s leader, Dmitry Yuryevich Khoroshev, undermining the gang’s operations. The group’s dark web site was taken offline for a period of time. Highlighting a new technique by law enforcement, the NCA “hijacked” the leak site in order to post updates on the actions of Op CRONOS.

Figure 1: LockBit leak site taken by NCA
Rui-Siang Lin (aka “Pharoah”)

In May 2024, Rui-Siang Lin was arrested at JFK Airport for operating “Incognito Market,” a dark web narcotics marketplace that facilitated over $100 million in illegal drug sales worldwide. The Taiwanese national went by the alias “Pharoah” on the dark web drug site. According to the indictment, as “the leader of Incognito market — Lin supervised all of its operations, including its employees, vendors, and customers, and had ultimate decision-making authority over every aspect of the multimillion-dollar operation.”
In a strange twist to the story, it emerged that Lin had actually trained law enforcement officers in St Lucia on cybercrime and cryptocurrency on the dark web, in training that had been organized by the Taiwanese embassy.
Snowflake Data Breach
In June 2024, at least 100 Snowflake customers were affected by a cyber-attack. Threat actors used exposed credentials to log in to Snowflake portals and target their customers for data exfiltration. They then sold this information on the dark web for financial gain. High-profile targets included Ticketmaster, AT&T and Santander.
In November 2024, Canadian authorities, at the behest of US law enforcement, arrested Alexander Connor Moucka, who is accused of compromising multiple Snowflake cloud storage accounts. Additionally, the U.S. charged John Binns in connection with these breaches, highlighting the international collaboration in combating cyber threats.

Figure 3: Ticketmaster data advertised on the dark web
Tenzin Orgil
In May 2024, Tenzin Orgil was sentenced to 168 months in federal prison for participating in a drug trafficking enterprise that included the sale of methamphetamine and fentanyl on the dark web, as well as the manufacture of ecstasy and methamphetamine in clandestine laboratories. Orgil had operated on several dark web markets under several aliases selling the drugs he produced in underground laboratories. The Orange County resident pled guilty to the charges in 2023.

Figure 4: Source: DarkOwl Vision
Mikhail Pavlovich Matveev (aka Wazawaka)
A prominent figure in the ransomware community, Mikhail Pavlovich Matveev was arrested in Russia for his involvement in cybercrimes against Russian entities. This arrest signaled a potential shift in Russia’s stance toward domestic cybercriminals.

According to the FBI, Matveev is linked to several ransomware variants, including LockBit, Hive and Babuk. He had previously been charged by the US government for computer crimes in 2022 but remained in Russia.
He has allegedly conducted significant attacks against both United States and worldwide businesses, including critical infrastructure. Matveev was identified as one of the alleged developers/administrators behind the Babuk ransomware variant. Matveev has been charged with multiple LockBit attacks which included a police department located within New Jersey. He has also been charged with multiple Babuk attacks including the attack against the Washington D.C. Metropolitan Police Department. In addition, Matveev has been charged with Hive-related counts of conspiracy and intentional damage to a protected computer, including an attack against a New Jersey-based company.
Scattered Spider Group
Following high-profile attacks on companies like Okta, MGM, and Caesars by a group known as Scattered Spider, authorities arrested several members of the group.
The individuals, including Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, Joel Martin Evans, and Tyler Robert Buchanan, faced charges related to wire fraud and identity theft. Officials said the suspects’ illegal activity spanned from September 2021 to April 2023.
Scattered Spider is a loosely affiliated group of young individuals, assessed to be based in the US and UK, who have conducted multiple cyber and ransomware attacks. They are known to conduct sophisticated phishing attacks and social engineering attacks on call centers in order to gain access. They are also affiliated with several ransomware groups. According to security researchers, “The group has been blamed for unusually aggressive cybercrime sprees, targeting major multinational companies as well as individual cryptocurrency investors.”
Operation Endgame
Europol coordinated an extensive operation against botnets, leading to multiple arrests and the seizure of hundreds of servers. The crackdown targeted platforms facilitating ransomware deployment, significantly disrupting the cybercrime ecosystem.

According to Europol, between 27 and 29 May 2024 Operation Endgame targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The agency focused on arresting high-value individuals, taking down infrastructure, and tracking and seizing cryptocurrency payments. The operation drew on input from several different countries as well as private companies, highlighting the need for coordinated efforts to stop these cyber activities, which have no borders.
Conclusion
Although law enforcement has been very successful in targeting a number of high-profile threat actors and criminal groups in 2024, many groups continue to operate in slightly different forms. The nature of criminal cyber operations means that they are very difficult to combat. Actors are spread throughout the globe, usually in countries which will not cooperate with US and European law enforcement agencies. However, it is important that law enforcement continues to send a message that these activities can be combatted and that there are consequences to these actions.
As we move into 2025, we expect law enforcement activities to continue to combat the increase in ransomware attacks and disrupt markets and other areas where criminals operate. However, the pardon of Silk Road owner Ross Ulbricht by President Trump appears to send a message that leniency will be shown to some of those who profit from criminal activities.
The post Notable Cyber Arrests: 2024 appeared first on DarkOwl, LLC.