Category: Federal Bureau of Investigation

  • MIL-OSI Security: Emporia man sentenced to over five years in prison for armed robbery

    Source: Office of United States Attorneys

    RICHMOND, Va. – An Emporia man was sentenced yesterday to five years and five months in prison for a Hobbs Act Robbery.

    According to court documents, on Aug. 19, 2023, David Earl Gay, 60, entered a Walmart in Emporia, approached a clerk, and told her that he had a gun in his pocket, that if she did anything he would shoot her, and to hand him all the money. The clerk complied, handing him money from the service desk. Gay fled the Walmart in a rusted white van.

    Law enforcement responded to the address where the van was registered and located the van. Investigators executed a search warrant on the trailer located at that address and found Gay inside. Gay had some of the money from the robbery in his pants pocket. Investigators then found additional money from the robbery in a metal shed on the property.

    Gay was previously convicted of, among other crimes, breaking and entering, uttering forged paper or instrument, common law forgery, uttering forged check, statutory burglary, larceny, possession of stolen goods or property, forgery of instrument, abuse of a child – neglect, contributing to the delinquency of a minor, and armed bank robbery. At the time he robbed the Emporia Walmart, Gay was on supervised release for his armed bank robbery conviction.

    Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia, and Stanley M. Meador, Special Agent in Charge of the FBI’s Richmond Field Office, made the announcement after sentencing by U.S. District Judge M. Hannah Lauck.

    Assistant U.S. Attorneys Patrick J. McGorman, Stephen E. Anthony, and Vetan Kapoor prosecuted the case.

    A copy of this press release is located on the website of the U.S. Attorney’s Office for the Eastern District of Virginia. Related court documents and information are located on the website of the District Court for the Eastern District of Virginia or on PACER by searching for Case No. 3:24-cr-23.

    MIL Security OSI

  • MIL-OSI Security: Southern Utah Man Arrested and Charged after Allegedly Damaging an ICE Transit Van

    Source: Office of United States Attorneys

    ST. GEORGE, Utah – A Southern Utah man accused of damaging government property, specifically a Department of Homeland Security Transit Van, appeared in court today.  The indictment charging Ryan Michael Gaines, 32, of Santa Clara, Utah, was unsealed on Tuesday.

    According to court documents, on the morning of April 21, 2025, it was discovered that an ICE Transit Van had been damaged over the weekend at the U.S. Immigration and Customs Enforcement and Removal Operations (ICE ERO) office in St. George. The St. George Police Department was called, and responding officers located surveillance footage that showed a light-colored Jeep pull into camera view in the ICE office parking lot. Shortly thereafter, an adult male wearing a black balaclava and ski goggles activated a motion sensor and was caught on surveillance camera. The suspect approached the ICE Transit Van, ripped pieces from the passenger side mirror, and inflicted the same type of damage on the driver’s side mirror. City-wide surveillance captured a matching Jeep – owned by and registered to Gaines at a Santa Clara address – in the area just a few minutes before and then after the incident.

    As alleged in court documents, on the same day the damage was discovered, officers contacted Gaines near his place of employment and arrested him for the incident. Officers found Gaines’ Jeep at his residence and were able to match it with the Jeep seen in the surveillance footage. Also at Gaines’ residence, officers located a pair of ski goggles and a balaclava that matched the ones worn by the individual who damaged the ICE Transit Van. The estimated cost to repair the damage is over $2,900.

    Gaines’ initial appearance on the indictment took place before a U.S. Magistrate Judge at the courthouse located at 206 West Tabernacle Street, St. George, Utah 84470.

    The case is being investigated jointly by the St. George Police Department and the FBI Salt Lake City Field Office, St. George Resident Agency.

    Assistant United States Attorney Brady Wilson of the U.S. Attorney’s Office for the District of Utah is prosecuting the case.

    An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

  • MIL-OSI Security: Former Monroe County District Court Judge Sentenced to Two Years in Federal Prison

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

          HELENA-WEST HELENA—A man who has served as local judge, prosecutor, and criminal defense attorney was sentenced to 24 months in federal prison for making false statements to the FBI. Jonathan D. Ross, United States Attorney for the Eastern District of Arkansas, announced the sentence, which was handed down on May 19, 2025, by United States District Court Judge D. Price Marshall Jr. There is no parole in the federal system.

          According to court documents and evidence presented at trial, Thomas David Carruth, 64, of Clarendon, served as an elected Monroe County district court judge. In that role, Carruth presided over criminal and civil matters. In April 2022, Carruth met with the girlfriend of a defendant in a criminal case pending before him. The girlfriend sought Carruth’s assistance in getting her boyfriend’s case dismissed. During the meeting, which the girlfriend recorded, Carruth solicited sex and a lingerie show from her in exchange for assisting her boyfriend.

          Carruth asked the girlfriend, “How do you feel about sex?” and “The next step back from that is, do you have any nice lingerie? …Do you mind letting me see you in it?” He also asked the girlfriend, “So, if you change your mind about giving me a lingerie show…well, you got a body that can do it and if you have an attitude where you like to wear lingerie, I’d love to look – to see it on you…If you change your mind about seeing what an old man can do, you know…”

          The jury found that, when questioned by the FBI, Carruth lied to agents about the incident, including by falsely stating that he did not “request,” “ask,” “offer”, make “overture[s] about”, “insinuate,” or “even [think] about,” sex with the girlfriend.

          The jury convicted Carruth of one count of making false statements. Carruth was acquitted of charges of bribery, honest services fraud, and violations of the Travel Act.

          “When judges exploit their positions for personal gain, they pervert justice which erodes public trust in the judiciary,” said Ross. “The sentence underscores that no one, including a debauched judge, is above the law.”

          “Officials who violate the public’s trust for their own personal gain have no place in our Arkansas communities,” said Alicia D. Corder, Special Agent in Charge, FBI Little Rock Field Office. “FBI Little Rock will continue to work with members of the ArkTrust Public Corruption Task Force to protect Arkansans from corruption and hold perpetrators accountable for their actions.”

          This case was investigated by the FBI. This case was prosecuted by Senior Litigation Counsel Nicholas W. Cannon and Trial Attorney Madison H. Mumma of the U.S. Department of Justice’s Criminal Division’s Public Integrity Section. They received substantial assistance from Assistant United States Attorney Julie Peters.

    # # #

    Additional information about the office of the United States Attorney for the Eastern District of Arkansas is available online at https://www.justice.gov/edar and on X (formerly known as Twitter): @USAO_EDAR

  • MIL-OSI Security: Former President of Palmetto Railways Sentenced for Role in Conspiracy to Commit Honest Services Fraud

    Source: Office of United States Attorneys

    CHARLESTON, S.C. — Jeffrey McWhorter, 63, of Mount Pleasant, has been sentenced to five years of probation with 12 months of home confinement for conspiracy to commit honest services fraud.

    Evidence obtained in the investigation revealed that McWhorter and Kevin Newkirk agreed to accept a payment from Tony Berenyi of Berenyi Construction if Berenyi was awarded a construction bid by the Texas-based logistics company that employed Newkirk (the “Texas Company”). The Texas Company went to McWhorter for contractor recommendations, and McWhorter facilitated an introduction to Berenyi. During the bidding process, McWhorter, Newkirk, and Berenyi discussed the payment, and once the Texas Company awarded the contract to Berenyi Construction, Berenyi began making payments. Over the course of the conspiracy, Berenyi paid a total of $420,000, wired to a bank account in the name of Newkirk’s wife. Newkirk agreed to pay McWhorter his portion in cash, and the evidence revealed that McWhorter received $136,500 in total payments. McWhorter did not disclose these payments on the required filings for public officials.

    United States District Judge David C. Norton sentenced McWhorter to five years of probation with 12 months of home confinement and electronic monitoring. There is no parole in the federal system. McWhorter was ordered to pay restitution in the amount of $75,198.02 and was fined $4,000. He must also complete 300 hours of community service. Kevin Newkirk was also charged and was sentenced in April to five years of probation by United States District Judge David C. Norton.

    This case was investigated by the FBI Columbia field office and Internal Revenue Service Criminal Investigation. Assistant U.S. Attorney Amy Bower is prosecuting the case.

    ###

  • MIL-OSI Security: 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

    Source: Office of United States Attorneys

    LOS ANGELES – A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware, which a Russia-based cybercrime organization controlled and used to infect more than 300,000 victim computers around the world, facilitate fraud and ransomware, and cause at least $50 million in damage.

    The defendants include Aleksandr Stepanov, 39, a.k.a. “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” both of Novosibirsk, Russia. Stepanov was charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication.

    Kalinkin was charged with conspiracy to gain unauthorized access to a computer to obtain information, to gain unauthorized access to a computer to defraud, and to commit unauthorized impairment of a protected computer. Both defendants are believed to be in Russia and are not in custody.

    According to the indictment and complaint, DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks. Victim computers infected with DanaBot malware became part of a botnet (a network of compromised computers), enabling the operators and users of the botnet to remotely control the infected computers in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.

    The DanaBot malware allegedly operated on a malware-as-a-service model, with the administrators leasing access to the botnet and support tools to client coconspirators for a fee that was typically several thousand dollars a month. The DanaBot malware was multi-featured and had extensive capabilities to exploit victim computers. It could be used to steal data from victim computers, and to hijack banking sessions, steal device information, user browsing histories, stored account credentials, and virtual currency wallet information.

    DanaBot also had the capability to provide full remote access to victim computers, to record keystrokes, and record videos showing the activity of users on victim computers. DanaBot has further been used as an initial means of infection for other forms of malware, including ransomware. The DanaBot malware has infected over 300,000 computers around the world, and caused damage estimated to exceed $50 million.

    DanaBot administrators operated a second version of the botnet that was used to target victim computers in military, diplomatic, government, and related entities. This version of the botnet recorded all interactions with the computer and sent stolen data to a different server than the fraud-oriented version of DanaBot. This variant was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America and Europe.

    “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said United States Attorney Bill Essayli for the Central District of California. “The charges and actions announced today demonstrate our commitment to eradicating the largest threats to global cybersecurity and pursuing the most malicious cyber actors, wherever they are located.”   

    “The enforcement actions announced today, made possible by enduring law enforcement and industry partnerships across the globe, disrupted a significant cyber threat group, who were profiting from the theft of victim data and the targeting of sensitive networks,” said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Cyber Field Office. “The DanaBot malware was a clear threat to the Department of Defense and our partners. DCIS will vigorously defend our infrastructure, personnel, and intellectual property.”

    “Today’s announcement represents a significant step forward in the FBI’s ongoing efforts to disrupt and dismantle the cyber-criminal ecosystem that wreaks havoc on global digital security,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. “We are grateful for the coordinated efforts of our domestic and international law enforcement partners in holding cyber criminals accountable, no matter where they operate.”

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    If convicted, Kalinkin would face a statutory maximum sentence of 72 years in federal prison, and Stepanov would face a statutory maximum sentence of five years in federal prison.

    As part of today’s operation, Defense Criminal Investigative Service (DCIS) agents effected seizures and takedowns of DanaBot command and control servers, including dozens of virtual servers hosted in the United States. The U.S. government is now working with partners including the Shadowserver Foundation to notify DanaBot victims and help remediate infections.

    These law enforcement actions were taken in conjunction with Operation Endgame, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling and prosecuting cybercriminal organizations around the world.

    Amazon, Crowdstrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team CYMRU, and ZScaler provided valuable assistance.

    The investigation into DanaBot was led by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service, working closely with Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police. The Justice Department’s Office of International Affairs provided significant assistance.

    Assistant United States Attorney Aaron Frumkin of the Cyber and Intellectual Property Crimes Section is prosecuting these cases. Assistant United States Attorney James E. Dochterman of the Asset Forfeiture and Recovery Section is handling the forfeiture case.

  • MIL-OSI Security: One Hundred Eighty-Nine Arrested in Immigration Crackdown Under the ‘Make D.C. Safe and Beautiful’ Initiative

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    Authorities Made Arrests as Part of Coordinated Effort to Restore Order and Uphold Immigration Laws.

    WASHINGTON – U.S. Attorney Ed Martin Jr. joined other federal law enforcement leaders today to announce that authorities arrested 189 individuals in a joint federal immigration-related enforcement operation in the District of Columbia over the past week.

    As part of the operation, authorities apprehended 189 illegal aliens during an enhanced targeted immigration enforcement operation focusing on egregious criminal alien offenders operating in and around Washington, D.C., May 6–9.

    “Thanks to President Trump’s leadership and this administration’s focus on law and order, these arrests represent a major step forward in making Washington, D.C., safer for legal citizens and their families,” said U.S. Attorney Martin. “These arrests make clear that violating our nation’s immigration laws will not be ignored.”

    “The District of Columbia is exponentially safer today because of countless hours of investigative work and dedication to duty displayed by ICE Washington, D.C., and our law enforcement partners,” said ICE Enforcement and Removal Operations Washington, D.C., Field Office Director Russell Hott. “Working with our partner agencies, ICE officers and agents arrested 189 illegal aliens and removed them from the streets of our Nation’s Capital. Throughout this enhanced enforcement operation, we targeted the most dangerous alien offenders in some of the most crime-infested neighborhoods in the city of Washington, D.C. Evil is powerless if the good are unafraid. I commend the efforts of everyone involved, as all were truly committed to the success of this operation. ICE Washington, D.C., remains dedicated to our mission of prioritizing public safety by arresting and removing criminal offenders from our Nation’s Capital and surrounding communities.”

    Those arrested during the enhanced targeted operation include the following:

    • A 47-year-old illegally present Guatemalan alien whose criminal history includes drug possession, illegal reentry, aggravated assault, trespassing, disorderly conduct, and sexual assault. His current criminal charges include unlawful reentry of a previously deported alien, disorderly conduct, lewd acts, possession of a controlled substance, sex abuse, assault with a dangerous weapon, and possessing an open container. Additionally, he has numerous gang-affiliated tattoos on his arms, legs, and chest.

    • A 25-year-old illegally present Guatemalan alien whose criminal history includes threat to kidnap, attempted possession of a prohibited weapon, threats to bodily harm, and simple assault. He is currently charged with alien present without admission or parole.

    • A 30-year-old illegally present Salvadoran alien whose criminal history includes simple assault, driving while intoxicated, brandishing a machete, and unauthorized use of a vehicle. He is currently charged with alien present without admission or parole.

    • A 36-year-old illegally present Mexican alien whose criminal history includes misdemeanor larceny, misdemeanor indecent exposure, possession of an open container, simple assault, theft, unlawful entry, and possession of a prohibited weapon (knife). He is currently charged with alien present without admission or parole.

    This law enforcement activity is part of President Donald Trump’s Make D.C. Safe and Beautiful Executive Order. The Executive Order directs a coordinated federal effort to reduce crime, enhance public safety, and restore pride in the nation’s capital through targeted enforcement, improved policing, and strategic partnerships. It also calls for the beautification of public spaces, stricter enforcement of quality-of-life laws, and the removal of graffiti and encampments on federal lands to ensure D.C. remains clean, secure, and reflective of America’s strength and heritage.

    Participating agencies include U.S. Immigration and Customs Enforcement; Virginia Department of Corrections; the Federal Bureau of Investigation, Washington Field Office; Bureau of Alcohol, Tobacco, Firearms and Explosives; Drug Enforcement Administration; U.S. Marshals Service; and U.S. State Department Diplomatic Security Service.

    Members of the public can report crimes and suspicious activity by dialing 866-DHS-2-ICE (866-347-2423) or completing the online tip form.

    All charges are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

  • MIL-OSI Security: Waterbury Man Sentenced to Nearly 8 Years in Federal Prison for Role in Violent Carjacking

    Source: Office of United States Attorneys

    David X. Sullivan, United States Attorney for the District of Connecticut, announced that MICHAEL McCANN-ORTIZ, also known as “Bando,” 24, of Waterbury, was sentenced today by U.S. District Judge Kari A. Dooley in Bridgeport to 95 months of imprisonment, followed by three years of supervised release, for his participation in a violent carjacking.

    According to court documents and statements made in court, in the early morning hours of June 18, 2023, two all-terrain vehicles (“ATVs”) were stolen from a Waterbury residence. After the theft, McCann-Ortiz and others mistakenly identified an individual (“Victim 1”) as having been involved in the theft. Later that night, Victim 1’s friend (“Victim 2”) picked up Victim 1 from work and drove him home. As they arrived at Victim 1’s residence, three vehicles followed them and surrounded the victims. McCann-Ortiz and his associates, one of whom carried an assault-style rifle, exited the vehicles and approached the victims. McCann-Ortiz and his associates demanded the return of the stolen ATVs, threatened to harm both victims, and physically assaulted them.

    Specifically, McCann-Ortiz repeatedly threatened to kill the victims, and punched and kicked one victim, causing serious bodily injury.

    McCann-Ortiz and his associates then stole Victim 2’s vehicle, which was owned by Victim 2’s relative, and other items and cash belonging to the victims.  McCann-Ortiz and his associates continued to harass the victims in the following days.

    McCann-Ortiz has been detained since his arrest on unrelated state charges on July 10, 2023.  On February 27, 2025, he pleaded guilty in federal court to carjacking resulting in serious bodily injury.

    This investigation is being conducted by the FBI’s Northern Connecticut Gang Task Force and the Waterbury Police Department.  The case is being prosecuted by Assistant U.S. Attorneys Nathan J. Guevremont and David T. Huang.

  • MIL-OSI Security: Largo Man Charged With Bomb Hoax At FBI Tampa Field Office

    Source: Office of United States Attorneys

    Tampa, Florida – United States Attorney Gregory W. Kehoe announces a criminal complaint charging Nicki Wayne Goodman (49, Largo) with conveying false information to perpetuate a hoax. If convicted on all counts, Goodman faces a maximum penalty of five years in federal prison. Goodman made his initial appearance in federal court today, in Tampa, and was ordered detained.

    According to the criminal complaint, in the early morning of May 20, 2025, the FBI Tampa Field Office discovered a suspicious black backpack placed outside the main security gate, along with a cardboard sign that identified federal agents by name and a YouTube account belonging to Goodman. The sign also stated, among other things, “My name is Nicki Goodman” and “ABolish Government,” and displayed racial epithets. Agents also discovered several other cardboard signs with messages placed near the main entrance gate. Surveillance footage from the previous night revealed that Goodman had placed the bag and signs outside the security gate.

    Once the backpack was discovered, a large law enforcement response for public safety was initiated, including the deployment of the Tampa Police Department’s bomb squad and patrol units, and Tampa Fire Rescue engines and ambulances. The public safety response resulted in the closure of the public roadways near the incident, denied access to public businesses, and the shutdown of FBI’s Tampa Field Office for approximately five hours. No explosive materials were found in the backpack.

    While first responders were on scene, Goodman posted a short video from nearby, depicting multiple emergency vehicles and personnel in the background. In the video Goodman stated: “see all the way down that street right there? Guess that’s cause of me. (inaudible) I uh the FBI office right down the road there. Look at that shit. That’s crazy huh? Wrote a few notes. Found a bag..” and “they got the SWAT team. They got the look like they got a bomb squad or something going on there.”

    A criminal complaint is merely a formal charge that a defendant has committed one or more violations of federal criminal law, and every defendant is presumed innocent unless, and until, proven guilty.

    This case was investigated by the Federal Bureau of Investigation, with valuable assistance provided by the Tampa Police Department and Tampa Fire Rescue. It will be prosecuted by Assistant United States Attorney Risha Asokan.

  • MIL-OSI Security: Santa Barbara County Investment Advisor Sentenced to Over 10 Years in Prison for Stealing Nearly $2.3 Million From Elderly Clients

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    LOS ANGELES – A Santa Barbara County investment advisor was sentenced today to 121 months in federal prison for stealing approximately $2.25 million from elderly clients of her investment advisory business, including clients who were receiving end-of-life care.

    Julie Anne Darrah, 52, of Santa Maria, was sentenced by United States District Judge Otis D. Wright II, who will schedule a restitution hearing at a later date.

    Darrah pleaded guilty on March 4 to one count of wire fraud.

    During the scheme, Darrah stole approximately $2.25 million from her firm’s clients. She did so by obtaining control of her victims’ assets and then – without the victims’ knowledge or consent – liquidating their securities holdings and transferring the proceeds to accounts she controlled. To gain that control, she convinced victims to sign documents making her the trustee of their trusts or a signatory on their bank accounts, or giving her power of attorney over their brokerage accounts and allowing her – as their investment advisor – to transfer funds from their accounts to other bank accounts, including her own.

    Darrah took advantage of trust victims placed in her – often convincing them she would take care of them in their older years like a daughter, and she used this trust to convince them to sign the documents that she then used to steal money from them. In this way, Darrah stole money from victims from approximately November 2016 to July 2023. She used stolen funds to buy properties for herself, pay other personal expenses, buy luxury vehicles, and operate other business ventures. Some victims were left in desperate circumstances, without the money to pay for end-of-life care, when the fraud was discovered.

    Darrah also convinced a company identified in the plea agreement as “Business Victim 1,” a Minnesota-based investment advisor firm, to acquire VFM based on false and misleading statements and the concealment of material facts, including concealing from that firm her theft of individual client funds. After the fraud was discovered, Business Victim 1 incurred approximately $5.4 million in losses.

    In October 2023, the SEC filed a civil complaint against Darrah in connection with this scheme. In December 2024, United States District Judge Dale S. Fischer found Darrah liable to pay $2,416,511, including interest.

    The FBI and the Federal Deposit Insurance Corporation Office of Inspector General investigated this matter.

    Assistant United States Attorney Kerry L. Quinn of the Major Frauds Section prosecuted this case.

    If you or someone you know is age 60 or older and has been a victim of financial fraud, help is available at the National Elder Fraud Hotline: 1-833-FRAUD-11 (1-833-372-8311). This Department of Justice hotline, managed by the Office for Victims of Crime, is staffed by experienced professionals who provide personalized support to callers by assessing the needs of the victim and identifying relevant next steps. Reporting can help authorities identify those who commit fraud and reporting certain financial losses due to fraud as soon as possible can increase the likelihood of recovering losses. English, Spanish and other languages are available.

  • MIL-OSI Security: Vacaville Man Charged with Producing Child Sexual Abuse Material

    Source: Federal Bureau of Investigation (FBI) State Crime News

    A federal grand jury returned a one-count indictment today against Michael Keith Rubino, 39, of Vacaville, charging him with producing child sexual abuse material, Acting U.S. Attorney Michele Beckwith announced.

    According to court documents, in October and November of 2024, Rubino engaged in multiple sex acts with a 17-year-old female victim. Rubino exploited his minor victim at a residence in Vacaville where Rubino lived. Rubino recorded numerous instances of his sexual abuse of his minor victim using his iPhone.

    This case is the product of an investigation by the Federal Bureau of Investigation, with assistance from the Vacaville Police Department. Assistant U.S. Attorney Sam Stefanki is prosecuting the case.

    If convicted, Rubino faces a mandatory minimum sentence of 15 years in prison and a maximum statutory penalty of 30 years in prison and a $250,000 fine. Any sentence, however, would be determined at the discretion of the court after consideration of any applicable statutory factors and the Federal Sentencing Guidelines, which take into account a number of variables. The charges are only allegations; the defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt.

    This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute those who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.usdoj.gov/psc.

  • MIL-OSI Security: Former Delivery Driver Pleads Guilty to Defrauding San Francisco Food Delivery Company of More Than $2.5 Million

    Source: Federal Bureau of Investigation (FBI) State Crime News

    SAN JOSE – Sayee Chaitanya Reddy Devagiri pleaded guilty in federal court today to conspiring to steal more than $2.5 million from DoorDash, Inc., a San Francisco-based delivery company.

    Devagiri, 30, of Newport Beach, Calif., and three other defendants were indicted by a federal grand jury in August 2024.  Devagiri was charged with a single count of conspiracy to commit wire fraud in violation of 18 U.S.C. § 1349.  He pleaded guilty to that count today.

    In pleading guilty, Devagiri admitted to working with others in 2020 and 2021 to cause DoorDash to pay for deliveries that never occurred. At the time, Devagiri was a DoorDash delivery driver. Under the scheme, Devagiri used customer accounts to place high-value orders and then, using an employee’s credentials to gain access to DoorDash’s internal software, manually reassigned those orders to driver accounts that he and others controlled. He then caused the fraudulent driver accounts to report the orders as delivered when they had not been, which prompted DoorDash’s systems to pay those accounts for the non-existent deliveries. Devagiri would then use the same software to change the orders from “delivered” status back to “in process” status and reassign them again to driver accounts he and others controlled, starting the cycle over. Each cycle usually took less than five minutes and was repeated hundreds of times for many of the orders.
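    The recycling loop described above leaves a distinctive trail in an order event stream: the same order is paid out more than once, each repeat payout is preceded by a status reversion from delivered back to in process, and the reversions are performed by an account that is not the assigned driver. The following is an added detection example written for this page; it is not DoorDash’s code or anything from the court record. The event format, account names, statuses and timestamps are constructed for illustration.

```python
"""Replay an order event stream and flag orders that were paid out repeatedly
through delivered -> in-process reversions (the order-recycling pattern).

Added example; the event schema and sample log below are constructed, not
taken from any real platform."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one tuple per event:
#   (timestamp, order_id, actor_account, event_type, detail)
#   ASSIGN  -> detail is the driver account the order is assigned to
#   STATUS  -> detail is the new order status
#   PAYOUT  -> detail is the driver account paid for the delivery
SAMPLE_EVENTS = [
    # a normal delivery: one assignment, one delivered status, one payout
    ("2021-03-01T18:00:00", "O-1001", "dispatch-auto", "ASSIGN", "D-9"),
    ("2021-03-01T18:35:00", "O-1001", "D-9",           "STATUS", "delivered"),
    ("2021-03-01T18:35:05", "O-1001", "payments-svc",  "PAYOUT", "D-9"),
    # one order recycled three times through two controlled driver accounts,
    # with an operations login performing every reversion and reassignment
    ("2021-03-01T19:00:00", "O-2002", "ops-user-17",   "ASSIGN", "D-41"),
    ("2021-03-01T19:01:10", "O-2002", "D-41",          "STATUS", "delivered"),
    ("2021-03-01T19:01:15", "O-2002", "payments-svc",  "PAYOUT", "D-41"),
    ("2021-03-01T19:02:00", "O-2002", "ops-user-17",   "STATUS", "in process"),
    ("2021-03-01T19:02:30", "O-2002", "ops-user-17",   "ASSIGN", "D-42"),
    ("2021-03-01T19:04:00", "O-2002", "D-42",          "STATUS", "delivered"),
    ("2021-03-01T19:04:05", "O-2002", "payments-svc",  "PAYOUT", "D-42"),
    ("2021-03-01T19:05:00", "O-2002", "ops-user-17",   "STATUS", "in process"),
    ("2021-03-01T19:05:20", "O-2002", "ops-user-17",   "ASSIGN", "D-41"),
    ("2021-03-01T19:07:00", "O-2002", "D-41",          "STATUS", "delivered"),
    ("2021-03-01T19:07:05", "O-2002", "payments-svc",  "PAYOUT", "D-41"),
]


def analyze_orders(events):
    """Replay events per order and collect the signals that separate the
    recycling loop from a normal delivery: payout count, delivered -> other
    reversions and who performed them, distinct drivers, and the shortest gap
    between consecutive payouts (in minutes)."""
    by_order = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_order[ev[1]].append(ev)

    report = {}
    for order_id, evs in by_order.items():
        status = None
        payouts = []                      # datetimes of PAYOUT events
        reversion_actors = defaultdict(int)
        drivers = set()
        for ts, _, actor, kind, detail in evs:
            if kind == "ASSIGN":
                drivers.add(detail)
            elif kind == "STATUS":
                # a delivered order should never move back to an open state
                if status == "delivered" and detail != "delivered":
                    reversion_actors[actor] += 1
                status = detail
            elif kind == "PAYOUT":
                payouts.append(datetime.fromisoformat(ts))
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(payouts, payouts[1:])]
        report[order_id] = {
            "payouts": len(payouts),
            "reversions": sum(reversion_actors.values()),
            "reversion_actors": dict(reversion_actors),
            "distinct_drivers": len(drivers),
            "min_payout_gap_min": min(gaps) if gaps else None,
        }
    return report


def flag_recycled_orders(events, max_gap_min=15):
    """Order ids paid out more than once with at least one reversion and a
    repeat payout arriving within max_gap_min minutes of the previous one."""
    flagged = []
    for order_id, r in analyze_orders(events).items():
        if (r["payouts"] > 1 and r["reversions"] >= 1
                and r["min_payout_gap_min"] is not None
                and r["min_payout_gap_min"] <= max_gap_min):
            flagged.append(order_id)
    return sorted(flagged)


def reversion_actors(events):
    """Total delivered -> open reversions per acting account across all orders;
    one operations login doing this repeatedly is the credential to pull."""
    counts = defaultdict(int)
    for r in analyze_orders(events).values():
        for actor, n in r["reversion_actors"].items():
            counts[actor] += n
    return dict(counts)


if __name__ == "__main__":
    print("flagged orders:", flag_recycled_orders(SAMPLE_EVENTS))
    print("reversions by actor:", reversion_actors(SAMPLE_EVENTS))
```

    The two cheap controls this points at are a state-machine check that refuses the delivered-to-open transition outside a documented dispute flow, and a payout rule that pays an order at most once unless a human approves the repeat.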

    The scheme resulted in fraudulent payments exceeding $2.5 million.

    Acting United States Attorney Patrick D. Robbins and Federal Bureau of Investigation (FBI) Special Agent in Charge Sanjay Virmani made the announcement.

    Devagiri is the third defendant to be convicted for his role in this conspiracy.  Co-defendant Manaswi Mandadapu pleaded guilty to conspiracy to commit wire fraud on May 6, 2025.  Tyler Thomas Bottenhorn, who was separately charged, pleaded guilty on Nov. 7, 2023.

    Devagiri is next scheduled to appear before U.S. District Judge Beth Labson Freeman for a status hearing on Sept. 16, 2025.  He faces a maximum statutory penalty of 20 years in prison and a fine of $250,000.  Any sentence will be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

    Assistant U.S. Attorney Michael G. Pitman is prosecuting the case with the assistance of Sahib Kaur.  The prosecution is the result of an investigation by the FBI. 

  • MIL-OSI Security: Man Sentenced To Over Three Years In Federal Prison For Stealing More Than $1.3 Million From San Francisco Law Firms

    Source: Office of United States Attorneys

    SAN FRANCISCO – Tony Archuleta-Perkins, 49, of Palm Springs, was sentenced today to 37 months in federal prison.  U.S. District Judge Jacqueline Scott Corley handed down the sentence.

    Archuleta-Perkins, who was indicted in June 2024, pleaded guilty in December 2024 to one count of bank fraud in violation of 18 U.S.C. § 1344(2) and one count of engaging in monetary transactions in property derived from specified unlawful activity (money laundering) in violation of 18 U.S.C. § 1957.  

    Archuleta-Perkins was hired in 2017 by a San Francisco law firm and eventually became the Chief Financial Officer (CFO) of that firm as well as a related law firm.  As the CFO, Archuleta-Perkins was in a position of trust and had access to the law firms’ payroll systems and end-to-end payments automation platforms.  He used his position to embezzle more than $1 million while he worked at the firms.  From 2017 through 2023, Archuleta-Perkins stole more than $1.3 million and used that money for, among other things, improvements to and mortgages on three houses he owned.

    Acting United States Attorney Patrick D. Robbins and Federal Bureau of Investigation (FBI) Special Agent in Charge Sanjay Virmani made the announcement.  

    In addition to the prison term, Judge Corley also sentenced Archuleta-Perkins to a three-year period of supervised release and ordered him to pay restitution in the amount of $1,321,752.72.

    Assistant U.S. Attorney Nikhil Bhagat is prosecuting the case. The prosecution is the result of an investigation by the FBI. 

  • MIL-OSI Security: Anchorage attorney arrested, charged with drug trafficking, firearm offenses

    Source: Office of United States Attorneys

    The FBI is seeking additional information.

    ANCHORAGE, Alaska – A suspended member of the Alaska Bar was arrested today after a federal grand jury in Alaska returned an indictment charging him with maintaining a drug-involved premise for the purpose of distributing and using controlled substances, and with possessing firearms as a prohibited person and in furtherance of drug trafficking.

    According to court documents, in June 2023, law enforcement became aware of Justin Facey, 44, and his alleged facilitation of a drug trafficking organization run by a California prisoner, Heraclio Sanchez-Rodriguez.

    Sanchez-Rodriguez was indicted on federal drug trafficking and murder charges in October 2023, and to date, over 60 other defendants have been charged in connection with the Sanchez-Rodriguez drug trafficking organization.

    Facey allegedly continued his own drug trafficking operations after the indictment of Sanchez-Rodriguez and other co-conspirators. The indictment against Facey alleges that between April 2024 and 2025, he utilized his residence in Anchorage to distribute and use controlled substances, namely fentanyl and methamphetamine. It also alleges that on April 30, 2025, Facey possessed four firearms in furtherance of drug trafficking crimes.

    The indictment further alleges that Facey unlawfully possessed firearms knowing that he was addicted to methamphetamine, a Schedule II controlled substance.

    Court documents explain that Facey was suspended from practicing law on Feb. 24, 2025, following numerous bar complaints.

    Facey is charged with one count of maintaining a drug-involved premises, one count of possession of firearms in furtherance of a drug trafficking crime and one count of possession of firearms by a prohibited person. The defendant is scheduled to make his initial court appearance on May 22, 2025, before U.S. Magistrate Judge Kyle F. Reardon of the U.S. District Court for the District of Alaska. If convicted, he faces from five years to life in prison. A federal district judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

    Acting U.S. Attorney William Narus of the District of Oregon, Special Agent in Charge David Reames of the Drug Enforcement Administration (DEA) Seattle Field Division and Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office made the announcement.

    The U.S. Attorney’s Office for the District of Alaska has been recused from this case with the exception of certain personnel. Assistant U.S. Attorney Steven D. Clymer from the U.S. Attorney’s Office for the Northern District of New York has been appointed as Special Attorney to the United States Attorney General to assist with this and other recused cases.  He reports to and acts under the direction of the Deputy Attorney General, or his delegee, or Acting U.S. Attorney Narus in these cases. Special Attorney Clymer supervises personnel from the District of Alaska who have been exempted from the recusal.

    The DEA Anchorage District Office and FBI Anchorage Field Office, with assistance from the Anchorage Police Department, are investigating the case. If anyone has information concerning Facey’s alleged actions, please contact the FBI Anchorage Field Office at (907) 276-4441 or anonymously at tips.fbi.gov.

    Assistant U.S. Attorneys Adam Alexander and Jennifer Ivers are prosecuting the case.

    An indictment is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI USA: Klobuchar Opening Remarks and Questions at Antitrust Subcommittee Hearing on AI-Generated Deepfakes

    US Senate News:

    Source: United States Senator for Minnesota Amy Klobuchar
    WASHINGTON – U.S. Senator Amy Klobuchar (D-MN), Ranking Member of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law, held a hearing titled “The Good, the Bad, and the Ugly: AI-Generated Deepfakes in 2025.” 
    Testifying at the hearing were Country Music Singer-Songwriter Martina McBride; CEO of the Recording Industry Association of America Mitch Glazier; Senior Legal Counsel at the National Center on Sexual Exploitation (NCOSE) Christen Price; Director of Technology Policy at Consumer Reports Justin Brookman; and Head of Music Policy at YouTube Suzana Carlos.
    “AI-enabled scams have become far too common. We know that it takes only a few seconds of audio to clone a voice. Criminals can pull the audio sample and personal back story from public sources,” said Klobuchar at the hearing. “We also need rules of the road to ensure that AI technologies empower artists and creators and not undermine them. Art just doesn’t entertain us. It’s something that uplifts us and brings us together.”
    “That’s why this NO FAKES Act is so important. It protects people from having their voice and likeness replicated using AI without their permission, all within the framework of the Constitution, and it protects everybody, because everyone should have a right to privacy.” 
    A rough transcript of Klobuchar’s opening remarks and questions is available below.
    Senator Klobuchar: Thank you very much, Senator Blackburn, I’m very excited about this subcommittee and the work we’ve already done together for years on this issue and similar issues when it comes to tech.
    I share your hopes for AI and see that we’re on this cusp of amazing advancements if this is harnessed in the right way, but I’m also concerned if things go the wrong way. I think it was David Brooks, a columnist, that said he has trouble writing about it because he doesn’t know if it will take us to Heaven or Hell. So it’s our job to head to heaven, and it’s our job to put some rules in place, and this is certainly one of them. 
    We want this to work for children, for consumers, for artists, and not against them. And you brought up the example Chair, of Randy Travis who was at the event that we recently had with you, and Senator Coons and myself about the bill and how he used AI in such a positive way. But then we know there are these risks. 
    And one of the things that I think is really exciting about this week is that, in fact, on Monday, the President signed my bill with Senator Cruz, the TAKE IT DOWN Act, into law. This was a bill I discussed with him and the First Lady at the inaugural lunch. 
    It’s an example of “use-every-moment-you-have” to advance a cause. And then she supported the bill and helped to get it passed in the House. Senator Cruz and I had already passed it in the Senate, and we were having some trouble getting it done over in the House. So we’re really pleased, because it actually does set some track moving forward, even though this bill, that bill, is about nonconsensual porn, both AI created and non AI created, it’s had huge harmful effects, about 20 some suicides a year of young kids who think they’re sending a picture innocently to a girlfriend or a potential boyfriend, and then it gets sent out on their school internet. It gets sent out to people they know, and basically, they believe their life is in ruins, and don’t have any other context, and take their own lives. And that’s just the most obvious and frightful part of this, but there’s others as well. So I’m hoping this is going to be a first step to some of the work that we can do, including with the bill that we’re going to be discussing today. 
    AI-enabled scams have become far too common. We know that it takes only a few seconds of audio to clone a voice. Criminals can pull the audio sample and personal back story from public sources. 
    Just last week, the FBI was forced to put out an alert about scams using AI-cloned voices of FBI agents and officials asking people for sensitive payment information.
    Jamie Lee Curtis was forced to make a public appeal to Mark Zuckerberg to take down an unauthorized, deepfake ad that included her digital replica endorsing a dental product. While Meta removed the ad after her direct outreach, most people don’t have that kind of influence. 
    We also need rules of the road to ensure that AI technologies empower artists and creators and not undermine them. Art just doesn’t entertain us. It’s something that uplifts us and brings us together. 
    When I recently met with Cory Wong, a Grammy-nominated artist from Minnesota, he talked about how unauthorized digital replicas threaten artists’ livelihoods and undermine their ability to create art. 
    So this is not just a personal issue. It’s also an economic issue. One of the reasons our country, one of our best exports to the world, is music and movies. When you look at the numbers and how we’ve been able to captivate people around the world, that’s going to go away if people can just copy everything that we do. 
    And one of the keys to our success as a nation in innovation has been the fact, and Senator Coons does a lot of work in this area, [that] we’ve been able to respect copyrights and patents and people’s own right to their own products. 
    So that’s why this NO FAKES Act is so important. It protects people from having their voice and likeness replicated using AI without their permission, all within the framework of the Constitution, and it protects everybody, because everyone should have a right to privacy. 
    I also am working in the space on AI to put some base rules in place in my role on the Commerce Committee. Senator Thune and I have a bill that we’re reintroducing on this to set some rules for NIST to be able to put out there for companies that are using AI. And then I’m always concerned about its effect on democracy, but that is for a different day and in a different committee. 
    But I do want to thank Senator Blackburn for her willingness to come out on doing something about tech, including the work she does with Senator Blumenthal, the work that we’ve done together on commerce. And if Monday is any sign with the first bill getting through and there in that Rose Garden signing ceremony, there’s more to come, and so thank you and look forward to hearing from the witnesses.

    Klobuchar: All right. Thank you very much. I guess I’ll start with Mr. Brookman, the non-Grammy winner. I want to talk to you just a little bit about this consumer angle here, which I think is interesting to people. And I think at its core, all of us involved in this legislation have made it really clear that’s not just people who are well known that will be hurt by this eventually, and that getting this bill passed as soon as possible is just as important for everyone, but I do so appreciate Ms. McBride being willing to come forward, because those stories and the stories that we’ve heard from, like I mentioned, Jamie Lee Curtis, or the stories that we’ve heard from many celebrities, are very important to getting this done. So you just did a report on AI-generated voice cloning scams, including that, AI voice cloning applications, in the words of the report, presents a clear opportunity for scammers, and we need to make sure our consumer protection enforcers are prepared to respond to the growing threat of these scams. I had this happen to my state director’s husband, who their kid is in the Marines, and they got a call. They figured out that it wasn’t really him asking for stuff and money. They knew he couldn’t call from where he was deployed to. This is just going to be happening all over the place, and the next call will be to a grandma who thinks it’s real, and she sends her life savings in. So I have called on the FTC and the FCC to step up their efforts to prevent these voice cloning scams. And what are some of the tools that agencies need to crack down on these scams, even outside of this bill?
    Justin Brookman: Yeah, absolutely, so I think the first thing the Federal Trade Commission probably needed is more resources. They only have like 1200 people right now for the entire economy. That’s down from like seven, that’s down from like 100 just in the past couple of months.
    Klobuchar: Down from way down from even during like, the Nixon Era.
    Brookman: Yeah, like 1700 it used to be and the economy has grown like three or four times. Chairman Ferguson has, Chairman Ferguson has said more cuts are coming, which I think is the wrong direction. I worked for the Federal Trade Commission for a couple of years. We could not do, like, a fraction of all the things that we wanted to do to protect consumers, so more people, more capacity, more technologists. Like, there’s just not enough technology capacity in government. I was in the office of technology research and investigation there, that was like five people. That’s just not enough, obviously, with all these very sophisticated, I mean, just deep fakes alone, let alone the rest of the tech economy, the ability to get penalties and even injunctive relief, right if someone, if someone gets caught stealing something, the FTC often doesn’t have the ability to make them give the money back. I know this, under this committee has tried to restore that authority, but that would be important. And also, like again, maybe the FTC could have rule-making authority. But also this, I would like to see Congress consider legislative authority to address tools like again, if you are offering a tool that can be used only for harm, voice impersonation, deepfake pornographic images, maybe there should, there should be responsibilities to make sure it’s not being used for harm.
    Klobuchar: Okay, thank you. Ms. Carlos, can you talk about what YouTube is doing to ensure it’s not facilitating these scams?
    Suzana Carlos: Sure, and thank you for the question, Senator.
    Klobuchar: And thanks for your support for the bill
    Carlos: Of course. So, just to primarily consider, we obviously see great and tremendous opportunity coming from AI, but we also acknowledge that there are risks, and it is our utmost responsibility to ensure that it is deployed responsibly. So we’ve taken a number of efforts to protect against unharmful contact on our platform. Primarily, we have uploaded, we have updated our privacy policies last year to ensure that all individuals can now submit a notice to YouTube when their unauthorized voice or likeness has been used on our platform, and once reviewed, if it is applicable, and we’ve confirmed that that content should be removed, we will take it down. We’ve additionally implemented watermarks on our AI products. We originally began with both image and watermarks using our SynthID technology, and we’ve recently expanded it to also be applied to text generated from our Gemini app and web experience. And most recently, as part of our VO video tool. We’ve also taken the additional step to become a member of C2PA, the Coalition for Content Provenance and Authenticity, and there, we’re serving as a steering member to work with the organization to create indicators and markings that will allow the content provenance that was created off platforms to additionally be recognized, and we’re deploying those technologies across our platform.
    Klobuchar: Okay, thank you. We mentioned the TAKE IT DOWN Act, and thank you for the support for that. Mr. Glazier, you talked about how this is the first federal law related to generative AI, and that it’s a good first step. And could you talk about how, if we don’t move on from there and we just stop and don’t do anything for years, which seems to be what’s been going on, what’s going to happen here, and why it’s so important to do this.
    Mitch Glazier: I think there’s a very small window, and an unusual window, for Congress to get ahead of what is happening before it becomes irreparable. The TAKE IT DOWN Act was an incredible model. It was done for criminal activity, you know, …
    Klobuchar: Yeah, I know. 
    Glazier:  Yeah, right. You know, you wrote it, but it was a great model, but it only goes so far. But we need to use that model now, and we need to expand it carefully in a balanced way to lots of other situations, which is exactly what the NO FAKES Act does. And I think, you know, we have a very limited amount of time in order to allow people and platforms to act before this gets to a point where it’s so far out of the barn that instead of encouraging responsible AI development, instead, we allow investment and capital to go into AI development that hurts…
    Klobuchar: Stealing things…
    Glazier: So let’s encourage investment the right way to boost great AI development and be first. Let’s not be the folks that encourage investment in AI technologies that really harm us.
    Klobuchar: And Ms. Price, you’ve expressed concerns about this 10-year moratorium on state rules. I’m very concerned, having spent years trying to pass some of these things, and I think that one of the ways we pass things quickly, like Mr. Glazier was talking about, is if people actually see a reason that they don’t want to patch work, they want to get it done. But if you just put a moratorium, and you look at, like, the Elvis law coming out of Tennessee, Ms. McBride, and some of the other things that would stop all of that. Could you, my last question here before we go to another round, could you talk about why you’re concerned about what is right in front of us now, which is this 10-year moratorium?
    Christen Price: Yes, thank you for the question, Senator. We’re concerned about the moratorium because it’s basically signaling to the AI companies that they can kind of do whatever they want in the meantime, and it inhibits States’ ability to adapt their laws to this form of technology that’s changing very quickly and then has this potential to cause great harm. 
    Klobuchar: Thank you.

    MIL OSI USA News

  • MIL-OSI Security: City of Miami Police Officer Pleads Guilty to COVID-19 Relief Fraud

    Source: Office of United States Attorneys

    MIAMI – Yesterday, Tramaine Liptrot, 43, a police officer with the City of Miami Police Department (MPD) who has been relieved of duty, pleaded guilty to wire fraud in connection with fraudulent applications for two Paycheck Protection Program (PPP) loans totaling over $200,000. Liptrot entered his guilty plea in Miami before U.S. District Judge Beth Bloom.

    According to the facts admitted at the change of plea hearing, Liptrot, along with being an MPD Police Officer, was the owner and President of Liptrots Tax Services L.L.C (Liptrots Tax). With the assistance of an associate, Liptrot fraudulently obtained two PPP loans in the name of Liptrots Tax.

    On June 22, 2020, working with the associate, Liptrot caused the submission of a false and fraudulent PPP loan application on behalf of Liptrots Tax, falsely claiming that Liptrots Tax had an average monthly payroll of $36,700 for four employees, and a fraudulent IRS Form 944 in support thereof, falsely claiming that Liptrots Tax paid its employees $440,397 during 2019. As a result of this fraudulent PPP application, Liptrots Tax obtained approximately $91,750 in PPP loan proceeds from an SBA approved PPP lender.

    On March 3, 2021, again working with the associate, Liptrot caused the submission of a false and fraudulent second-draw PPP loan application on behalf of Liptrots Tax, falsely claiming that Liptrots Tax had an average monthly payroll of $43,369, and including as part of the application process, a fraudulent IRS Form 944, falsely claiming that Liptrots Tax paid $496,428 in wages and other compensation in 2020. As a result of this fraudulent second-draw PPP application, Liptrots Tax obtained approximately $108,422 in PPP loan proceeds from a different SBA approved PPP lender. 

    Liptrot is scheduled for sentencing on August 6, 2025, at 10:30 a.m., where he faces a possible maximum sentence of up to 20 years in prison.

    U.S. Attorney Hayden P. O’Byrne for the Southern District of Florida, acting Special Agent in Charge Brett D. Skiles of FBI Miami and Special Agent in Charge Amaleka McCall-Brathwaite, U.S. Small Business Administration Office of Inspector General (SBA-OIG), Eastern Region, announced the guilty plea.

    FBI Miami’s Area Corruption Task Force, which includes task force officers from the City of Miami Police Department’s Internal Affairs Section, and SBA-OIG investigated the case. Assistant U.S. Attorney Edward N. Stamm is prosecuting the case and Assistant U.S. Attorney Gabrielle Raemy Charest-Turken is handling asset forfeiture.

    In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted. It was designed to provide emergency financial assistance to the millions of Americans suffering the economic effects caused by the COVID-19 pandemic. Among other sources of relief, the CARES Act authorized and provided funding to the SBA to provide Economic Injury Disaster Loans (EIDLs) to eligible small businesses, including sole proprietorships and independent contractors, experiencing substantial financial disruptions due to the COVID-19 pandemic to allow them to meet financial obligations and operating expenses that could otherwise have been met had the disaster not occurred.  EIDL applications were submitted directly to the SBA via the SBA’s on-line application website, and the applications were processed and the loans funded for qualifying applicants directly by the SBA.

    On May 17, 2021, the Attorney General established the COVID-19 Fraud Enforcement Task Force to marshal the resources of the Department of Justice in partnership with agencies across government to enhance efforts to combat and prevent pandemic-related fraud. The Task Force bolsters efforts to investigate and prosecute the most culpable domestic and international criminal actors and assists agencies tasked with administering relief programs to prevent fraud by, among other methods, augmenting and incorporating existing coordination mechanisms, identifying resources and techniques to uncover fraudulent actors and their schemes, and sharing and harnessing information and insights gained from prior enforcement efforts. For more information on the Department’s response to the pandemic, please visit https://www.justice.gov/coronavirus.

    On September 15, 2022, the Attorney General selected the Southern District of Florida’s U.S. Attorney’s Office to head one of three national COVID-19 Fraud Strike Force Teams. The Department of Justice established the Strike Force to enhance existing efforts to combat and prevent COVID-19 related financial fraud.

    Anyone with information about allegations of attempted fraud involving COVID-19 can report it by calling the Department of Justice’s National Center for Disaster Fraud (NCDF) Hotline at 866-720-5721 or via the NCDF Web Complaint Form at: https://www.justice.gov/disaster-fraud/ncdf-disaster-complaint-form.

    Related court documents and information may be found on the website of the District Court for the Southern District of Florida at www.flsd.uscourts.gov or at http://pacer.flsd.uscourts.gov, under case number 23-cr-20155.


  • MIL-OSI Security: Three-time convicted federal felon sentenced for wire fraud

    Source: Office of United States Attorneys

    BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Steven D. Blumhagen, 74, of Buffalo, NY, who was convicted of wire fraud, was sentenced to serve five years in prison by U.S. District Judge John L. Sinatra, Jr.

    Assistant U.S. Attorney Paul E. Bonanno, who handled the case, stated that between April 2016 and January 2020, Blumhagen defrauded three investors out of $400,000 by soliciting the victims to purchase interests in entities he claimed to own, manage, or control. Blumhagen told victims that their investments would enable those entities to finance legal marijuana operations, real estate developments, and an investment technology, and that they could expect significant returns on their investments. Instead of using the money as promised, Blumhagen used some or all of the money for personal expenses. He also used the investment of one victim to pay back previous victims. Part of the scheme involved a limited liability company allegedly owned by Blumhagen’s children, who knew nothing about it.

    As a result of the scheme, at least one victim experienced a substantial financial hardship, withdrawing funds from a retirement account, resulting in substantial penalties.

    Blumhagen has two prior federal convictions in the Western District of New York. In 2006, he pleaded guilty to conspiracy to commit mail fraud for bilking investors out of more than $10,000,000 related to his sale of shares in the golf course project Tee-to-Green, and was sentenced to serve 57 months in prison and ordered to pay more than $10,000,000 in restitution. In 2018, Blumhagen pleaded guilty to bank theft for his involvement in a bond scheme, which raised more than $1,400,000 from potential investors. Blumhagen was sentenced to time served and ordered to pay more than $1,200,000 in restitution. Blumhagen was on pre-trial release for the bank theft charge when he committed the wire fraud.

    The sentencing is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia.


  • MIL-OSI Security: Texas Doctor Who Falsely Diagnosed Patients Sentenced to 10 Years’ Imprisonment in Connection with $118M in Fraudulent Health Care Claims

    Source: Office of United States Attorneys

    A Texas rheumatologist was sentenced to 10 years in prison and three years of supervised release for perpetrating a health care fraud scheme involving over $118 million in false claims and the payment of over $28 million by insurers as a result of him falsely diagnosing patients with chronic illnesses to bill for tests and treatments that the patients did not need. Jorge Zamora-Quezada M.D., 68, of Mission, also falsified patient records to support the false diagnoses after receiving a federal grand jury subpoena. Following a 25-day trial, Zamora-Quezada was convicted of one count of conspiracy to commit health care fraud, seven counts of health care fraud, and one count of conspiracy to obstruct justice. In addition to his prison term, Zamora-Quezada was ordered to forfeit $28,245,454, including 13 real estate properties, a jet, and a Maserati GranTurismo.

    According to the evidence presented at trial, Zamora-Quezada falsely diagnosed his patients with rheumatoid arthritis and administered toxic medications in order to defraud Medicare, Medicaid, TRICARE, and Blue Cross Blue Shield. The fraudulent diagnoses made the defendant’s patients believe that they had a life-long, incurable condition that required regular treatment at his offices. After falsely diagnosing his patients, Zamora-Quezada administered unnecessary treatments and ordered unnecessary testing on them, including a variety of injections, infusions, x-rays, MRIs, and other procedures—all with potentially harmful and even deadly side effects. To receive payment for these expensive services, Zamora-Quezada fabricated medical records and lied about the patients’ condition to insurers.

    “Dr. Zamora-Quezada funded his luxurious lifestyle for two decades by traumatizing his patients, abusing his employees, lying to insurers, and stealing taxpayer money,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “His depraved conduct represents a profound betrayal of trust toward vulnerable patients who depend on care and integrity from their doctors. Today’s sentence is not just a punishment—it’s a warning. Medical professionals who harm Americans for personal enrichment will be aggressively pursued and held accountable to protect our citizens and the public fisc.”

    “Through the false diagnoses and excessive false billing, Dr. Zamora-Quezada abused both patient trust and public resources,” said Special Agent in Charge Jason E. Meadows of the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG). “It is imperative to investigate and address this form of fraud — not only to protect vulnerable individuals from harm but to uphold the integrity of the federal health care system and safeguard the use of public funds.”

    “The FBI is dedicated to working with all of our partners to address health care fraud,” said Special Agent in Charge Aaron Tapp of the FBI’s San Antonio Field Office. “This case was not only a concern to us because of the financial loss — the physical and emotional harm suffered by the patients and their families was alarming and profound. We hope this significant sentence will help bring closure to the many victims in this case.”

    Evidence at trial established that Dr. Zamora-Quezada falsely diagnosed patients in order to defraud insurers and enrich himself. Other rheumatologists in the Rio Grande Valley testified at trial that they saw hundreds of patients previously diagnosed with rheumatoid arthritis by Zamora-Quezada who did not have the condition, prompting one physician to explain that for “most” it was “obvious that the patient did not have rheumatoid arthritis.” Zamora-Quezada’s false diagnoses and powerful medications caused debilitating side effects on his patients, including strokes, necrosis of the jawbone, hair loss, liver damage, and pain so severe that basic tasks of everyday life, such as bathing, cooking, and driving, became difficult. As one patient testified, “Constantly being in bed and being unable to get up from bed alone, and being pumped with medication, I didn’t feel like my life had any meaning.” One mother described how she felt that her child served as a “lab rat,” and others described abandoning plans for college or feeling like they were “living a life in the body of an elderly person.”

    Former employees detailed how Zamora-Quezada imposed strict quotas for procedures, leading to a climate of fear. Zamora-Quezada referred to himself as the “eminencia” (eminence), threw a paperweight at an employee who failed to generate enough unnecessary procedures, hired employees he could manipulate because they were on J-1 visas and their immigration status could be jeopardized if they lost their jobs, and fired those who challenged him. Testimony also revealed Zamora-Quezada’s obstruction of insurer audits by fabricating missing patient files, including by taking ultrasounds of employees and using those images as documentation in the patient records. Testimony at trial established that Zamora-Quezada told employees to “aparecer” the missing records — “to make them appear.” Former employees also recounted being sent to a dilapidated barn to attempt to retrieve records. There, files were saturated with feces and urine, and rodents and termites infested not only the records but also the structure.

    Zamora-Quezada’s patient file storage facility

    Zamora-Quezada used proceeds from his crimes to fund a lavish lifestyle, replete with real estate properties across the country and in Mexico, a jet, and a Maserati.

    One of Zamora-Quezada’s luxury properties

    Zamora-Quezada’s jet

    FBI, HHS-OIG, Texas HHS-OIG, and the Texas Medicaid Fraud Control Unit investigated the case, with assistance from the Defense Criminal Investigative Service.

    Principal Assistant Chief Jacob Foster and Assistant Chiefs Rebecca Yuan and Emily Gurskis of the Criminal Division’s Fraud Section and Assistant U.S. Attorney Laura Garcia for the Southern District of Texas prosecuted the case. Assistant U.S. Attorney Kristine Rollinson handled asset forfeiture. Fraud Section Assistant Chief Kevin Lowell initially handled the prosecution. The prosecution team thanks the Fraud Section’s Data Analytics Team, whose work initiated the investigation, Victim Witness Specialist Olga De La Rosa of the U.S. Attorney’s Office for the Southern District of Texas, and the Texas Department of Insurance.

    The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, currently comprised of nine strike forces operating in 27 federal districts, has charged more than 5,800 defendants who collectively have billed federal health care programs and private insurers more than $30 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with HHS-OIG, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at www.justice.gov/criminal-fraud/health-care-fraud-unit.

    MIL Security OSI

  • MIL-OSI Security: Jury convicts home health agency owner in Medicare fraud and identity theft scheme

    Source: Office of United States Attorneys

    HOUSTON – A 64-year-old man has been convicted of all counts as charged for leading a Medicare fraud scheme involving the submission of falsified medical records, announced U.S. Attorney Nicholas J. Ganjei.  

    The jury deliberated for less than two hours before convicting Paul Njoku following a three-day trial. 

    Njoku was the owner and CEO of a home health care agency called Opnet Health Care Services Inc., doing business as P & P Health Care Services.

    The jury heard testimony from witnesses that Njoku, or others working at his direction, forged signatures of doctors and nurses. Specifically, Njoku and others cut out old signatures and taped them onto newly created doctors’ orders, nursing notes and nursing assessments. Medicare required home health agencies to maintain these documents to obtain payment for providing home health services. Njoku then submitted the falsified records in response to a request for records from Medicare. 

    The jury also heard about a registered nurse who had departed Opnet in 2017. Njoku continued using her signature on nursing notes and assessments in 2018 and 2019 without her knowledge or consent. 

    A witness also testified that Njoku bribed a doctor in exchange for approving home health services. 

    From 2015 to 2019, Opnet billed Medicare over $400,000 in claims for home health services and received over $360,000. Opnet did not maintain the required documentation for many of them and later falsified records to support the claims.

    During the trial, a representative testified that Medicare would not have paid these claims had Medicare known there was no documentation or that they were based on falsified records. 

    “It is absolutely paramount that Americans—both as patients and as taxpayers—have confidence in the integrity of medical providers that receive Medicare funds. Here, the defendant unrepentantly abused that trust by engaging in bribery and stealing from Medicare,” said Ganjei. “With today’s guilty verdict, the Southern District of Texas aims to restore some of that lost trust. I thank the jury for their time and attention to this important case.”

    The defense attempted to blame another person for the fraud. The jury did not believe those claims and found him guilty as charged.

    U.S. District Judge Alfred H. Bennett presided over the trial and will set sentencing at a later date. At that time, Njoku will face a maximum of 10 years for conspiracy to commit health care fraud, five years for two counts of false statements relating to health care matters as well as another two years for the identity theft which must be served consecutively to any other prison term imposed. The convictions also carry a possible $250,000 fine for each count.

    He was permitted to remain on bond pending sentencing.

    The FBI, Department of Health and Human Services-Office of the Inspector General and Texas Attorney General’s Medicaid Fraud Control Unit conducted the investigation. Assistant U.S. Attorneys Christian Latham and Kathryn Olson are prosecuting the case.


  • MIL-OSI Security: Chief Executive Officer of Digital Asset Company Found Guilty in Multi-Million Dollar Crypto-Fraud Scheme

    Source: Office of United States Attorneys

    Defendant Misappropriated Millions of Dollars of Investors’ Funds for His Own Use Including to Purchase Real Estate and Luxury Vehicles

    Earlier today, at the federal courthouse in Brooklyn, a federal jury convicted Braden John Karony on all counts of a three-count indictment charging him with conspiracy to commit securities fraud, wire fraud, and money laundering.  The charges arose from the defendant’s and his co-conspirators’ roles in defrauding investors in a decentralized finance digital asset called “SafeMoon,” issued by their company SafeMoon LLC.  As alleged, the defendant agreed with his co-conspirators to lie to SafeMoon investors about whether SafeMoon executives could access the liquidity pool and whether they were using the assets from the liquidity pool for their personal benefit.  As SafeMoon’s market capitalization grew to more than $8 billion, the defendant fraudulently diverted and misappropriated millions of dollars’ worth of  liquidity from the SafeMoon liquidity pool for their personal benefit.  The verdict followed a 12-day trial before United States District Judge Eric R. Komitee.  When sentenced, Karony faces up to 45 years in prison.  The jury also issued a verdict to forfeit one residential property and the proceeds from the sale of another residential property, amounting to approximately $2 million.

    Joseph Nocella, Jr., United States Attorney for the Eastern District of New York;   Christopher G. Raia, Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI); Harry T. Chavis, Jr., Special Agent in Charge, Internal Revenue Service Criminal Investigation, New York (IRS-CI); and Darren B. McCormack, Acting Special Agent in Charge, Homeland Security Investigations, New York (HSI New York) announced the verdict. 

    “As proven at trial, the SafeMoon digital asset was anything but safe and turned out to be pie in the sky for investors who were deliberately misled by Karony, a man who sought to get rich quick by stealing and diverting millions of dollars,” stated United States Attorney Nocella.  “Karony used his scheme to purchase multiple homes, sports cars, custom trucks, and other luxury goods.  Today’s guilty verdict should serve as a warning to all would-be fraudsters that my Office will vigorously prosecute individuals like the defendant who victimize digital asset investors and undermine investor confidence in digital assets markets, thereby threatening the stability and growth of these emerging technologies.”

    Mr. Nocella expressed his appreciation to the U.S. Securities and Exchange Commission for its work on the case. 

    “Braden Karony, the CEO of SafeMoon, exploited his company’s digital portfolio with fictional success stories and stole millions of dollars in crypto-assets to finance luxury purchases,” stated FBI Assistant Director in Charge Raia.  “Along with his co-conspirators, Karony violated his clients’ trust and wallets while attempting to conceal his misconduct through discreet transactions.  May today’s conviction emphasize the FBI’s commitment to securing all markets and protecting the American people from individuals who abuse their position to satisfy personal greed.”

    “Braden Karony misled investors; intentionally diverted and misappropriated millions in cryptocurrency for his personal benefit; and lined the driveways of his million dollar homes with luxury cars.  While the name of his company is SafeMoon, there was nothing safe about this investment that was just a front for theft.  By following the money with complex cryptocurrency tracing, IRS-CI New York’s Cyber and J5 groups worked with our investigative partners to see that this conman is held accountable for his greedy acts,” stated IRS-CI New York Special Agent in Charge Chavis.  “The Joint Chiefs of Global Tax Enforcement (J5) is a global partnership that works together to gather information, share intelligence, and conduct coordinated operations against transnational financial crimes.  The J5 includes the Australian Taxation Office, the Canada Revenue Agency, the Dutch Fiscal Intelligence and Investigation Service, His Majesty’s Revenue and Customs from the U.K. and IRS-CI from the U.S.”

    “Steered by his selfish desires and insatiable greed, Braden John Karony treated millions of dollars in investors’ funds as his own personal bank account,” stated HSI New York Acting Special Agent in Charge McCormack.  “The defendant will soon be trading his sprawling real estate and luxury vehicles for a jail cell within the four walls of a federal penitentiary.  As reflected by today’s conviction, whether it involves fiat or crypto, HSI New York’s El Dorado Task Force will relentlessly pursue individuals intent on exploiting investors and the American financial system for their own gain.”

    Background on SafeMoon

    As proven at trial, SafeMoon tokens were digital assets first issued in March 2021 by SafeMoon LLC on a public blockchain.  Through the operation of SafeMoon’s smart contract, every transaction in SafeMoon was automatically subject to a 10% tax, meaning, for example, that if a holder of SafeMoon transferred 10 SafeMoon to another user, 1 SafeMoon would automatically be retained from the transfer as a tax and the remaining 9 SafeMoon would be received by the other party.  As marketed to SafeMoon investors, the proceeds of SafeMoon’s 10% tax were split into two 5% tranches, the proceeds of which were supposed to benefit holders of SafeMoon in specific ways.  The first 5% tranche of the tax proceeds would be “reflected” back to, and distributed among, all SafeMoon holders in proportion to their current SafeMoon holdings and thereby increase the total quantity of SafeMoon held by every SafeMoon investor automatically.  The remaining 5% tranche of SafeMoon tax proceeds would be deposited into designated SafeMoon liquidity pools.  The larger the SafeMoon liquidity pool, the greater the liquidity in the market for SafeMoon.  In the months after its launch in March 2021, SafeMoon grew to have millions of holders and a market capitalization of more than $8 billion.
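    A toy model of the tax mechanics as marketed, added here as an illustration and not SafeMoon’s actual contract code. It assumes the reflected tranche is split pro rata on post-transfer balances and uses constructed holders; the only thing the model can do with the liquidity pool is deposit into it, which is what "locked" liquidity promised.

```python
from fractions import Fraction

# Tax parameters as marketed: 10% on every transfer, split into two 5% tranches.
TAX_RATE = Fraction(10, 100)
REFLECT_SHARE = Fraction(1, 2)   # half of the tax is reflected to holders, half goes to the pool


class TaxedTokenLedger:
    """Toy ledger for a transfer-taxed token with reflection and a liquidity pool."""

    def __init__(self, balances):
        # Exact arithmetic so that supply conservation can be checked to the unit.
        self.balances = {h: Fraction(v) for h, v in balances.items()}
        self.liquidity_pool = Fraction(0)
        # Deliberately no method withdraws from liquidity_pool: that absence is
        # the "locked" property investors were told about. The case turned on
        # insiders retaining an off-model path into the pool.

    def total_supply(self):
        return sum(self.balances.values()) + self.liquidity_pool

    def transfer(self, sender, recipient, amount):
        amount = Fraction(amount)
        if amount <= 0 or self.balances.get(sender, Fraction(0)) < amount:
            raise ValueError("insufficient balance")
        tax = amount * TAX_RATE                      # 10 sent -> 1 retained
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, Fraction(0)) + (amount - tax)
        reflected = tax * REFLECT_SHARE              # first 5% tranche
        to_pool = tax - reflected                    # second 5% tranche
        # Assumption: reflection is distributed pro rata on post-transfer balances,
        # so every holder, including ones who did not transact, gains a little.
        circulating = sum(self.balances.values())
        shares = {h: reflected * b / circulating for h, b in self.balances.items()}
        for holder, share in shares.items():
            self.balances[holder] += share
        self.liquidity_pool += to_pool
        return {"received": amount - tax, "reflected": reflected, "to_pool": to_pool}


def demo():
    """Constructed scenario: alice sends 10 tokens to bob; carol only holds."""
    ledger = TaxedTokenLedger({"alice": 100, "bob": 50, "carol": 50})
    result = ledger.transfer("alice", "bob", 10)
    return ledger, result


if __name__ == "__main__":
    ledger, result = demo()
    print(result)
    print({h: float(b) for h, b in ledger.balances.items()}, float(ledger.liquidity_pool))
```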

    The Defendants’ Fraudulent Scheme

    Karony and his co-conspirators misrepresented various material aspects of the SafeMoon offering to investors.  Such misrepresentations included that SafeMoon relied on “locked” liquidity pools that would automatically increase in size due to a 10% tax imposed on every SafeMoon transaction; that the “locked” SafeMoon liquidity pool prevented the defendants and other insiders at SafeMoon from being able to “rug pull”—a type of crypto fraud— SafeMoon investors by removing liquidity from the SafeMoon liquidity pool; that tokens in the liquidity pool would only be used for limited pre-defined business purposes, not personal enrichment; that the defendants would manually add token pairs to the SafeMoon liquidity pool when transactions of SafeMoon occurred on specific centralized exchanges; and that the developers were not and had not been holding and trading SafeMoon for their benefit.

    In reality, Karony and his co-conspirators retained access to the SafeMoon liquidity pools and used that access to intentionally divert and misappropriate millions of dollars’ worth of tokens for their personal benefit.  In addition, although they publicly denied that they personally held or traded SafeMoon, they repeatedly bought and sold SafeMoon, sometimes at the height of SafeMoon market price, which generated millions of dollars in profits.  Karony and his co-conspirators masked their movement of the fraudulent proceeds via numerous private un-hosted crypto wallet addresses, complex transaction routing, and pseudonymous centralized exchange accounts.  Karony acquired over $9 million in crypto assets from the scheme and used some of the proceeds to purchase luxury vehicles and real estate, including a $2.2 million home in Utah, additional homes in Utah and Kansas, a $277,000 Audi R8 sports car, another Audi R8, a Tesla, and custom Ford F-550 and Jeep Gladiator pickup trucks.

    Co-conspirator Thomas Smith previously pleaded guilty and is awaiting sentencing. Co-conspirator Kyle Nagy remains at large. 

    The government’s case is being handled by the Office’s Business and Securities Fraud Section.  Assistant United States  Attorneys Dana Rehnquist, Sara K. Winik, and Jessica K. Weigel are in charge of the prosecution, with assistance from Paralegal Specialists Asher Martin-Rosenthal and Madison Bates. Assistant United States Attorney Laura Mantell is handling forfeiture matters.

    The Defendant:

    BRADEN JOHN KARONY
    29
    Provo, Utah

    E.D.N.Y. Docket No. 23-CR-433 (EK)


  • MIL-OSI Security: Convicted Felon Sentenced To Prison For Carjacking On College Campus Using A “Ghost Gun”

    Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)

    CHARLOTTE, N.C. – A man who used a privately made and unregistered firearm, commonly known as a “ghost gun,” to carjack a vehicle on a college campus was sentenced yesterday to seven years in prison for a firearms offense, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina. Mark Jordan Williams, 37, was also ordered to serve three years of supervised release following the completion of his prison term.

    Alicia Jones, Special Agent in Charge of the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), Charlotte Field Division, joins U.S. Attorney Ferguson in making today’s announcement.

    According to court documents and court proceedings, on March 23, 2023, an individual identified as L.C. was sitting in a Jeep Wrangler, parked on the campus of the University of North Carolina-Charlotte. Court records show that Williams approached the vehicle, pointed a handgun at L.C. and ordered L.C. out of the car. Williams then took L.C.’s phone, got into the Jeep, and drove away. Williams was located and arrested later that evening while inside the Jeep. When Williams was arrested, a .40 caliber Polymer 80 handgun was recovered from inside the vehicle as well. During the investigation, law enforcement determined that Williams has multiple prior criminal convictions and was prohibited from possessing a firearm.

    On January 9, 2025, Williams pleaded guilty to possession and brandishing of a firearm in furtherance of a crime of violence. He is in federal custody and will be transferred to the custody of the Federal Bureau of Prisons upon designation of a federal facility. 

    The ATF investigated the case and the U.S. Attorney’s Office in Charlotte handled the prosecution.


  • MIL-OSI USA: Russian GRU Targeting Western Logistics Entities and Technology Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.

    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States

    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to) the techniques described below.

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
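    A detection pass over process-creation telemetry for the Figure 2 ntdsutil IFM dump, the wevtutil log clearing, and the Get-GPPPassword.py execution described above. This is an added example, not code from the advisory; the event records are constructed in the shape of Windows Security 4688 / Sysmon Event ID 1 fields, and the host, user and path values are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record: host, user, image path, full command line."""
    host: str
    user: str
    image: str
    command_line: str


# Each rule: (finding name, regex on the image path, regex on the command line).
# ATT&CK IDs follow the advisory's own mapping of these behaviours.
RULES: List[Tuple[str, str, str]] = [
    ("ntdsutil IFM dump of NTDS.dit (T1003.003)",
     r"\\ntdsutil(\.exe)?$", r"\bifm\b.*\bcreate\s+full\b"),
    ("wevtutil event log clearing (T1070.001)",
     r"\\wevtutil(\.exe)?$", r"\s(cl|clear-log)\s"),
    ("Get-GPPPassword.py run via Python (T1552.006)",
     r"\\python(\d+)?(\.exe)?$", r"Get-GPPPassword\.py"),
]


def match_rules(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event satisfies (image AND command line)."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if (re.search(image_re, ev.image, re.IGNORECASE)
                and re.search(cmd_re, ev.command_line, re.IGNORECASE)):
            hits.append(name)
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Run all rules over a batch; one (host, user, finding) tuple per match."""
    return [(ev.host, ev.user, name) for ev in events for name in match_rules(ev)]


# Constructed sample telemetry. The first three should fire; the last two are
# benign look-alikes (an ntdsutil query, an event log query) that must not.
SAMPLE_EVENTS = [
    # The Figure 2 command, with a constructed directory name standing in for [a-z]{3}.
    ProcEvent("DC01", r"CORP\svc_backup", r"C:\Windows\system32\ntdsutil.exe",
              r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\qxz" quit quit'),
    ProcEvent("WS07", r"CORP\jdoe", r"C:\Windows\system32\wevtutil.exe",
              "wevtutil cl Security"),
    ProcEvent("FS02", r"CORP\jdoe",
              r"C:\Users\jdoe\AppData\Local\Programs\Python\Python311\python.exe",
              "python.exe Get-GPPPassword.py corp.example/jdoe@dc01.corp.example"),
    ProcEvent("DC01", r"CORP\admin", r"C:\Windows\system32\ntdsutil.exe",
              'ntdsutil.exe "activate instance ntds" "list instances" quit'),
    ProcEvent("WS07", r"CORP\jdoe", r"C:\Windows\system32\wevtutil.exe",
              "wevtutil qe Security /c:5"),
]


if __name__ == "__main__":
    for host, user, finding in scan(SAMPLE_EVENTS):
        print(f"{host} {user}: {finding}")
```

    A 1102 "audit log cleared" event and an unexpected IFM directory on a domain controller are the corroborating artefacts to look for once a rule fires.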

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
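    The following Python triage helper is an added example and is not part of the advisory. It parses RTSP DESCRIBE requests in the shape of Figure 3, as a defender would collect them from a packet capture or a honeypot log, and flags the traits described above: the generic WebClient user-agent, Basic credentials sent in the clear (only the user name is reported), Digest attempts against the default admin account, and the Hikvision backdoor string listed in the IOC section of this advisory. The sample capture, its addresses, realm, nonce and response values are constructed placeholders.

```python
import base64
import re

# Constructed sample in the shape of Figure 3, as a defender would see it in a
# packet capture or honeypot log. Addresses, realm, nonce and response values
# are placeholders, not values from the advisory.
SAMPLE_CAPTURE = """DESCRIBE rtsp://192.0.2.10/ RTSP/1.0
CSeq: 1
Authorization: Basic YWRtaW46MTEK
User-Agent: WebClient
Accept: application/sdp

DESCRIBE rtsp://192.0.2.10/ RTSP/1.0
CSeq: 2
Authorization: Digest username="admin", realm="0123456789ab", algorithm="MD5", nonce="00000000000000000000000000000000", uri="", response="11111111111111111111111111111111"
User-Agent: WebClient
Accept: application/sdp

DESCRIBE rtsp://192.0.2.11/stream1 RTSP/1.0
CSeq: 7
User-Agent: VLC media player
Accept: application/sdp
"""

# Base64 value listed in this advisory's IOC section (Hikvision backdoor string).
KNOWN_BACKDOOR_TOKENS = {"YWRtaW46MTEK"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<url>\S+) RTSP/\d\.\d$")
DIGEST_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_rtsp_request(block):
    """Parse one RTSP request (request line plus headers) into a dict, or None."""
    lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "url": m["url"], "headers": headers}


def triage_request(req):
    """Return a list of human-readable findings for one parsed request."""
    findings = []
    hdr = req["headers"]
    if req["method"] == "DESCRIBE" and hdr.get("user-agent") == "WebClient":
        findings.append("generic 'WebClient' user-agent on DESCRIBE (as in Figure 3)")
    scheme, _, param = hdr.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        token = param.strip()
        if token in KNOWN_BACKDOOR_TOKENS:
            findings.append("Basic token matches a known backdoor credential string")
        try:
            # Basic auth is base64(user:password); only the user name is reported.
            user = base64.b64decode(token, validate=True).decode("latin-1").partition(":")[0]
            findings.append(f"Basic auth as user {user!r} (credential sent in the clear)")
        except (ValueError, UnicodeDecodeError):
            findings.append("Basic auth with an undecodable token")
    elif scheme.lower() == "digest":
        params = dict(DIGEST_PARAM.findall(param))
        if params.get("username") == "admin":
            findings.append("Digest auth as the default 'admin' account")
        if params.get("uri", "") == "":
            findings.append("Digest 'uri' parameter is empty (scanner-style request)")
    return findings


def triage_capture(text):
    """Split a capture into requests and triage each; returns [(CSeq, findings)]."""
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):
        req = parse_rtsp_request(block)
        if req is not None:
            results.append((req["headers"].get("cseq"), triage_request(req)))
    return results


if __name__ == "__main__":
    for cseq, findings in triage_capture(SAMPLE_CAPTURE):
        print(f"CSeq {cseq}: {findings or ['nothing notable']}")
```

    The third request in the sample (a normal media player with no Authorization header) produces no findings, which is the point of the check: alert on the combination of a generic client string, default or backdoor credentials and an empty Digest uri, not on every DESCRIBE.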

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras
    Country Percentage of Total Attempts
    Ukraine 81.0%
    Romania 9.9%
    Poland 4.0%
    Hungary 2.8%
    Slovakia 1.7%
    Others 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].

    • *.000[.]pe
    • *.1cooldns[.]com
    • *.42web[.]io
    • *.4cloud[.]click
    • *.accesscan[.]org
    • *.bumbleshrimp[.]com
    • *.camdvr[.]org
    • *.casacam[.]net
    • *.ddnsfree[.]com
    • *.ddnsgeek[.]com
    • *.ddnsguru[.]com
    • *.dynuddns[.]com
    • *.dynuddns[.]net
    • *.free[.]nf
    • *.freeddns[.]org
    • *.frge[.]io
    • *.glize[.]com
    • *.great-site[.]net
    • *.infinityfreeapp[.]com
    • *.kesug[.]com
    • *.loseyourip[.]com
    • *.lovestoblog[.]com
    • *.mockbin[.]io
    • *.mockbin[.]org
    • *.mocky[.]io
    • *.mybiolink[.]io
    • *.mysynology[.]net
    • *.mywire[.]org
    • *.ngrok[.]io
    • *.ooguy[.]com
    • *.pipedream[.]net
    • *.rf[.]gd
    • *.urlbae[.]com
    • *.webhook[.]site
    • *.webhookapp[.]com
    • *.webredirect[.]org
    • *.wuaze[.]com

    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
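    As an added example that is not part of the advisory, the Python below de-fangs a few of the provider suffixes listed above, matches DNS query names against them on label boundaries (so notmocky.io does not match mocky.io), and raises an alert the first time a new sub-domain of a watched provider is requested, which is the heuristic described in the preceding paragraph. The sample log lines and their space-separated layout are constructed assumptions; adapt LOG_RE to the resolver or firewall log format in use.

```python
import re

# A few of the provider suffixes listed above, in the advisory's de-fanged form;
# extend this list with the remaining entries.
WATCHED = [
    "*.000[.]pe", "*.mockbin[.]io", "*.mocky[.]io", "*.ngrok[.]io",
    "*.pipedream[.]net", "*.webhook[.]site", "*.dynuddns[.]com",
    "*.freeddns[.]org", "*.infinityfreeapp[.]com",
]


def refang(indicator):
    """'*.mocky[.]io' -> 'mocky.io' (lower-case, leading wildcard removed)."""
    return indicator.lstrip("*.").replace("[.]", ".").lower()


SUFFIXES = [refang(i) for i in WATCHED]


def matches_watched_suffix(qname, suffixes=SUFFIXES):
    """Return the matching provider suffix, or None. Matching is done on label
    boundaries, so 'notmocky.io' does not match 'mocky.io'."""
    q = qname.lower().rstrip(".")
    for s in suffixes:
        if q == s or q.endswith("." + s):
            return s
    return None


# Constructed DNS query log lines; the '<ts> <client> query <type> <qname>'
# layout is an assumption of this example.
SAMPLE_DNS_LOG = """2025-05-01T09:12:03Z 10.0.0.15 query A update.windows.com
2025-05-01T09:12:09Z 10.0.0.15 query A abcd1234.mocky.io
2025-05-01T09:13:41Z 10.0.0.22 query A login.corp.example
2025-05-01T09:14:02Z 10.0.0.15 query A abcd1234.mocky.io
2025-05-01T09:20:55Z 10.0.0.31 query A x9y8z7.webhook.site
2025-05-01T10:01:10Z 10.0.0.22 query A notmocky.io
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query \S+ (?P<qname>\S+)$")


def scan_dns_log(log_text, suffixes=SUFFIXES):
    """Return (alerts, seen): alerts lists each watched sub-domain in order of
    first sight; seen maps it to first-seen time, first client and hit count."""
    seen, alerts = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        provider = matches_watched_suffix(m["qname"], suffixes)
        if provider is None:
            continue
        key = m["qname"].lower().rstrip(".")
        if key not in seen:
            seen[key] = {"first_seen": m["ts"], "client": m["client"],
                         "provider": provider, "count": 0}
            alerts.append(key)  # first contact with a new sub-domain is the alert
        seen[key]["count"] += 1
    return alerts, seen


if __name__ == "__main__":
    alerts, seen = scan_dns_log(SAMPLE_DNS_LOG)
    for name in alerts:
        print(name, seen[name])
```

    Persist the seen map between runs so that only genuinely new sub-domains alert; the first client to resolve one is usually the first victim to triage.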

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
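    The following Python scanner is an added example for the Group Policy Preferences bullet above; it is not the advisory's own tooling. It walks a SYSVOL copy (or the share itself) for the preference XML files that can carry a cpassword attribute, reports the affected accounts, and lists those whose password must be rotated once the attribute is removed. The sample Groups.xml and its cpassword, uid and clsid values are constructed placeholders; the file names and account attribute names are the standard GPP ones, stated here as the example's assumption.

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry a 'cpassword' attribute, found under
# SYSVOL\<domain>\Policies\<GUID>\{Machine,User}\Preferences\... (assumed
# standard names), and the attributes that name the affected account.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

# Constructed Groups.xml; cpassword, uid and clsid values are placeholders.
SAMPLE_GROUPS_XML = """<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="svc_backup" changed="2023-01-10 08:00:00" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER_CIPHERTEXT" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
  <User clsid="{PLACEHOLDER-CLSID}" name="helpdesk" changed="2023-01-10 08:00:00" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" newName="" fullName="" description="" cpassword="" userName="helpdesk"/>
  </User>
</Groups>
"""


def find_cpassword(xml_text, source="Groups.xml"):
    """Return one finding per element carrying a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)),
                       "<unknown>")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            # An empty cpassword stores no secret; a non-empty one is readable by
            # anyone with SYSVOL read access, since the encryption key is public.
            "stored_password": bool(elem.attrib["cpassword"]),
        })
    return findings


def accounts_to_rotate(findings):
    """Accounts whose password must be changed after the attribute is removed."""
    return sorted({f["account"] for f in findings if f["stored_password"]})


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (or the share) and scan every GPP preference file."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword(fh.read(), source=path))
            except (OSError, ET.ParseError) as exc:
                findings.append({"source": path, "element": None, "account": None,
                                 "stored_password": None, "error": str(exc)})
    return findings


if __name__ == "__main__":
    hits = find_cpassword(SAMPLE_GROUPS_XML)
    for h in hits:
        print(h)
    print("rotate:", accounts_to_rotate(hits))
```

    Run scan_sysvol against an offline copy of SYSVOL taken from a domain controller; the output is the list of accounts to remove from GPP and rotate, and it doubles as a detection baseline, since any file that gains a cpassword attribute after cleanup is worth an alert.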

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable used to view, edit, and back up Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source Python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source Python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe "-headless-new -disable-gpu"
    • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    • ssh -Nf
    • schtasks /create /xml
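    As an added example that is not part of the advisory, the Python below turns the four command lines above into regular-expression detections and runs them over process-creation records of the kind an EDR or Sysmon event 1 produces. The sample records and their pipe-separated layout are constructed; the regular expressions are this example's own interpretation (single or double dashes, optional .exe, path prefixes) and should be tuned to the environment, together with the heuristics noted above for living off the land binaries.

```python
import re

# Constructed process-creation records: '<ts>|<host>|<user>|<parent>|<command line>'.
# The pipe layout is an assumption; map your EDR or Sysmon event 1 fields onto it.
SAMPLE_PROCESS_LOG = r"""2025-05-01T11:02:13Z|WS-0142|CORP\jdoe|explorer.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-gpu file:///C:/ProgramData/x.html
2025-05-01T11:05:40Z|DC-01|CORP\svc_backup|cmd.exe|ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit
2025-05-01T11:06:02Z|DC-01|CORP\svc_backup|cmd.exe|ssh.exe -Nf user@203.0.113.5
2025-05-01T11:07:15Z|WS-0142|CORP\jdoe|powershell.exe|schtasks /create /xml C:\ProgramData\task.xml /tn Updater
2025-05-01T11:10:00Z|WS-0200|CORP\asmith|explorer.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
2025-05-01T11:12:30Z|WS-0200|CORP\asmith|cmd.exe|ssh -nf host
2025-05-01T11:15:00Z|DC-01|CORP\admin|cmd.exe|ntdsutil.exe "activate instance ntds" "list instance" quit quit
"""

# Detection patterns derived from the four command lines listed above. The
# regexes are this example's own interpretation; tune them to your environment.
RULES = {
    # Edge launched headless: the HEADLACE shortcut runs its payload this way.
    "edge_headless": re.compile(r'(?:^|\\)(?:ms)?edge\.exe"?\s.*--?headless', re.I),
    # ntdsutil IFM export: produces an offline copy of the AD database.
    "ntdsutil_ifm_full": re.compile(
        r"ntdsutil(?:\.exe)?\s.*activate instance ntds.*\bifm\b.*create full", re.I),
    # OpenSSH -N (no command) -f (background): a tunnel, not an interactive login.
    # Case-sensitive on purpose: lower-case -nf means something else to OpenSSH.
    "ssh_background_tunnel": re.compile(r"(?:^|[\\\s])ssh(?:\.exe)?\s.*(?<![\w-])-Nf\b"),
    # Scheduled task created from an XML definition (persistence, T1053.005).
    "schtasks_create_xml": re.compile(r"schtasks(?:\.exe)?\s.*/create\b.*/xml\b", re.I),
}


def parse_record(line):
    """Split one pipe-separated record; the command line may itself contain '|'."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the names of all rules the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_process_log(text):
    """Return [(rule, host, user, cmdline)] for every matching record."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for rule in classify(rec["cmdline"]):
            hits.append((rule, rec["host"], rec["user"], rec["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, host, user, cmdline in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{rule:22} {host:8} {user:16} {cmdline}")
```

    The three negative records in the sample (Edge with a normal profile switch, lower-case ssh -nf, and an ntdsutil invocation that only lists instances) show where the patterns stop; the ntdsutil IFM export from a domain controller in particular should be rare enough to alert on outright.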

    Outlook CVE Exploitation IOCs

    • md-shoeb@alfathdoor[.]com[.]sa
    • jayam@wizzsolutions[.]com
    • accounts@regencyservice[.]in
    • m.salim@tsc-me[.]com
    • vikram.anand@4ginfosource[.]com
    • mdelafuente@ukwwfze[.]com
    • sarah@cosmicgold469[.]co[.]za
    • franch1.lanka@bplanka[.]com
    • commerical@vanadrink[.]com
    • maint@goldenloaduae[.]com
    • karina@bhpcapital[.]com
    • tv@coastalareabank[.]com
    • ashoke.kumar@hbclife[.]in
    • 213[.]32[.]252[.]221
    • 124[.]168[.]91[.]178
    • 194[.]126[.]178[.]8
    • 159[.]196[.]128[.]120

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    June 2024
    • 192[.]162[.]174[.]94
    • 103[.]97[.]203[.]29
    • 209[.]14[.]71[.]127
    • 109[.]95[.]151[.]207

    July 2024
    • 207[.]244[.]71[.]84
    • 162[.]210[.]194[.]2

    August 2024
    • 31[.]135[.]199[.]145
    • 31[.]42[.]4[.]138
    • 46[.]112[.]70[.]252
    • 46[.]248[.]185[.]236
    • 64[.]176[.]67[.]117
    • 64[.]176[.]69[.]196
    • 64[.]176[.]70[.]18
    • 64[.]176[.]70[.]238
    • 64[.]176[.]71[.]201
    • 70[.]34[.]242[.]220
    • 70[.]34[.]243[.]226
    • 70[.]34[.]244[.]100
    • 70[.]34[.]245[.]215
    • 70[.]34[.]252[.]168
    • 70[.]34[.]252[.]186
    • 70[.]34[.]252[.]222
    • 70[.]34[.]253[.]13
    • 70[.]34[.]253[.]247
    • 70[.]34[.]254[.]245
    • 79[.]184[.]25[.]198
    • 79[.]185[.]5[.]142
    • 83[.]10[.]46[.]174
    • 83[.]168[.]66[.]145
    • 83[.]168[.]78[.]27
    • 83[.]168[.]78[.]31
    • 83[.]168[.]78[.]55
    • 83[.]23[.]130[.]49
    • 83[.]29[.]138[.]115
    • 89[.]64[.]70[.]69
    • 90[.]156[.]4[.]204
    • 91[.]149[.]202[.]215
    • 91[.]149[.]203[.]73
    • 91[.]149[.]219[.]158
    • 91[.]149[.]219[.]23
    • 91[.]149[.]223[.]130
    • 91[.]149[.]253[.]118
    • 91[.]149[.]253[.]198
    • 91[.]149[.]253[.]20
    • 91[.]149[.]253[.]204
    • 91[.]149[.]254[.]75
    • 91[.]149[.]255[.]122
    • 91[.]149[.]255[.]19
    • 91[.]149[.]255[.]195
    • 91[.]221[.]88[.]76
    • 93[.]105[.]185[.]139
    • 95[.]215[.]76[.]209
    • 138[.]199[.]59[.]43
    • 147[.]135[.]209[.]245
    • 178[.]235[.]191[.]182
    • 178[.]37[.]97[.]243
    • 185[.]234[.]235[.]69
    • 192[.]162[.]174[.]67
    • 194[.]187[.]180[.]20
    • 212[.]127[.]78[.]170
    • 213[.]134[.]184[.]167

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%\\" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%\\" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%\\" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            ($chcp and $headless)
            and
            (
                1 of ($non_generic_del_*)
                or
                $generic_del
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            (
                ( uint16( 0x0 ) == 0x5a4d )
                and
                ( uint16( uint32( 0x3c ) ) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names tracked under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/   
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF 

    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian  
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf  

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    German organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18.

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed python on infected machines to enable the execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions T1098.002 Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication T1556.006 Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs through the wevtutil utility.
    Table 8: Credential access 
    Tactic/Technique Title ID Use
    Brute Force Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
    Brute Force: Password Guessing T1110.001 Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying T1110.003 Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS T1003.003 Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences T1552.006 Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.

    Table 9: Discovery
    Tactic/Technique Title ID Use
    Account Discovery: Domain Account T1087.002 Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title ID Use
    Hide Infrastructure T1665 Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
    Proxy: External Proxy T1090.002 Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy T1090.003 Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel T1573 Connected to victim infrastructure using encrypted TLS.
    Multi-Stage Channels T1104 Used multi-stage redirectors for campaigns.

    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title ID Use
    Execution Guardrails Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing T1627.001 Used multi-stage redirectors to verify IP-geolocation in some campaigns.

    Table 12: Lateral movement
    Tactic/Technique Title ID Use
    Lateral Movement Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol T1021.001 Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title ID Use
    Email Collection Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection T1114.002 Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection Used periodic EWS queries to collect new emails.
    Video Capture Attempted to gain access to the cameras’ feeds.
    Archive Collected Data Accessed files were archived in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility T1560.001 Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title ID Use
    Exfiltration Over Alternative Protocol Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.
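    The brute-force rows of Table 8 describe two behaviours that look alike in raw logon failures but need different detection logic: password spraying (T1110.003), where one source tries a few passwords across many accounts so that per-account lockout never fires, and password guessing (T1110.001), where one source hammers a single account. The following is an added example, not code from the advisory or its authoring agencies: it runs both detections over constructed Windows logon-failure records (Security Event ID 4625). The record layout, thresholds and windows are this example's own assumptions and should be mapped onto your SIEM schema and tuned to your environment.

```python
"""Added example (not from the advisory): separating a password spray
(T1110.003) from single-account password guessing (T1110.001) in
Windows logon-failure records.

Spray signal: one source failing against MANY distinct accounts inside a
short window. Guessing signal: one source, one account, many failures.
The tuple layout below is an assumption standing in for a parsed
Security 4625 event from a domain controller.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625   # "An account failed to log on"
EVENT_LOGON_OK = 4624       # "An account was successfully logged on"


def constructed_sample():
    """Constructed records: (timestamp, event_id, target_user, source_ip)."""
    base = datetime(2025, 5, 20, 8, 0, 0)
    rows = []
    # Spray: six distinct accounts, one failure each, 30 s apart.
    for i, user in enumerate(["a.smith", "b.jones", "c.lee",
                              "d.kim", "e.diaz", "f.wong"]):
        rows.append((base + timedelta(seconds=30 * i),
                     EVENT_LOGON_FAILED, user, "10.0.0.5"))
    # Guessing: one service account, twelve failures 5 s apart.
    for i in range(12):
        rows.append((base + timedelta(seconds=5 * i),
                     EVENT_LOGON_FAILED, "svc_backup", "10.0.0.9"))
    # Benign noise: a user mistypes twice, then logs on.
    rows.append((base + timedelta(minutes=1), EVENT_LOGON_FAILED, "g.park", "10.0.0.7"))
    rows.append((base + timedelta(minutes=2), EVENT_LOGON_FAILED, "g.park", "10.0.0.7"))
    rows.append((base + timedelta(minutes=3), EVENT_LOGON_OK, "g.park", "10.0.0.7"))
    return rows


def _failures_by(events, key):
    """Group logon failures by key(record), each group sorted by time."""
    groups = defaultdict(list)
    for rec in sorted(events, key=lambda r: r[0]):
        if rec[1] == EVENT_LOGON_FAILED:
            groups[key(rec)].append(rec)
    return groups


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed against >= min_accounts DISTINCT accounts within
    any `window`. Returns {source_ip: sorted list of targeted accounts}."""
    hits = {}
    for ip, attempts in _failures_by(events, key=lambda r: r[3]).items():
        best, start = set(), 0
        for end in range(len(attempts)):
            # Slide the window's left edge forward until the span fits.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {r[2].lower() for r in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            hits[ip] = sorted(best)
    return hits


def detect_password_guessing(events, window=timedelta(minutes=10), min_attempts=10):
    """(source_ip, account) pairs with >= min_attempts failures inside any
    `window`. Returns {(source_ip, account): peak failures in one window}."""
    hits = {}
    grouped = _failures_by(events, key=lambda r: (r[3], r[2].lower()))
    for key, attempts in grouped.items():
        best, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            hits[key] = best
    return hits


if __name__ == "__main__":
    sample = constructed_sample()
    print("spray sources:", detect_password_spray(sample))
    print("guessing pairs:", detect_password_guessing(sample))
```

    The distinct-account count is the part that matters: the spraying source above fails only once per account, which is below any sane lockout threshold, yet it stands out immediately once failures are grouped by source rather than by account. For the LDAP spray the advisory mentions, the same logic applies to bind failures logged on the domain controllers.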

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE  Vendor/Product  Details
    CVE-2023-38831 RARLAB WinRAR Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397 Microsoft Outlook External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026 Roundcube Webmail Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    CVE-2020-35730 Roundcube Webmail An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641 Roundcube Webmail Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title  ID  Details 
    Network Isolation Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
    System File Analysis Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
    Application Hardening Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
    Execution Isolation Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis Use services that provide enhanced browsing services and safe link checking.
    Network Access Mediation Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting D3-DNSDL Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis D3-JFAPA Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
    Token-based Authentication Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.
    Strong Password Policy Use a service to check for compromised passwords before using them.
    Credential Rotation Change all default credentials.
    Encrypted Tunnels Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
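    Table 7 records that the actors deleted event logs with the wevtutil utility (T1070.001), and two Table 16 countermeasures answer it: "System File Analysis" (watch for events indicating a log was cleared) and "Process Spawn Analysis" (alert on suspicious command parameters). The following is an added example, not code from the advisory or its authoring agencies, showing both signals in one detector over constructed event records. The two signals are deliberately independent: an actor who clears the Security log also removes the process-creation record of doing so, but Windows writes the "log cleared" event (Security 1102, System 104) after the clear, so it survives. The dictionary schema stands in for a parsed EVTX or SIEM record and is this example's own assumption.

```python
"""Added example (not from the advisory): detection logic for Windows event
log clearing (T1070.001), covering the "System File Analysis" and
"Process Spawn Analysis" countermeasures.

Signal 1: the log-cleared events Windows emits after a clear
          (Security 1102 "The audit log was cleared", System 104).
Signal 2: process creation (Security 4688) whose command line is a clear,
          via wevtutil cl / clear-log or PowerShell Clear-EventLog.
The record layout is an assumption standing in for a parsed EVTX record.
"""

# (channel, event id) pairs Windows writes when a log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
EVENT_PROCESS_CREATE = ("Security", 4688)


def _image_name(command_line):
    """Bare executable name of the first token, without path or quotes."""
    tokens = command_line.strip().split()
    if not tokens:
        return ""
    return tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(rec):
    """Return a human-readable alert reason for rec, or None if benign."""
    key = (rec.get("channel"), rec.get("event_id"))
    if key in LOG_CLEARED:
        return "%s log cleared by %s (Event ID %d)" % (
            key[0], rec.get("subject", "<unknown>"), key[1])
    if key == EVENT_PROCESS_CREATE:
        cmd = rec.get("command_line", "")
        tokens = cmd.lower().split()
        # Only the clear verbs are suspicious; querying (qe) is routine admin use.
        if (_image_name(cmd) in ("wevtutil", "wevtutil.exe")
                and len(tokens) > 1 and tokens[1] in ("cl", "clear-log")):
            return "wevtutil log clear: " + cmd
        # The PowerShell equivalent of the same action.
        if "clear-eventlog" in cmd.lower():
            return "PowerShell Clear-EventLog: " + cmd
    return None


def scan(records):
    """Alerts as (timestamp, reason), in timestamp order."""
    out = []
    for rec in sorted(records, key=lambda r: r["time"]):
        reason = classify(rec)
        if reason:
            out.append((rec["time"], reason))
    return out


# Constructed sample records (not real telemetry).
SAMPLE = [
    {"time": "2025-05-20T09:00:00", "channel": "Security", "event_id": 4688,
     "command_line": "wevtutil qe Security /c:5", "subject": "analyst"},
    {"time": "2025-05-20T09:01:10", "channel": "Security", "event_id": 4688,
     "command_line": r"C:\Windows\System32\wevtutil.exe cl Security",
     "subject": "svc_backup"},
    {"time": "2025-05-20T09:01:11", "channel": "Security", "event_id": 1102,
     "subject": "svc_backup"},
    {"time": "2025-05-20T09:01:30", "channel": "Security", "event_id": 4688,
     "command_line": "powershell.exe -nop -c Clear-EventLog -LogName System",
     "subject": "svc_backup"},
    {"time": "2025-05-20T09:01:31", "channel": "System", "event_id": 104,
     "subject": "svc_backup"},
    {"time": "2025-05-20T09:05:00", "channel": "Security", "event_id": 4624,
     "subject": "g.park"},
]

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE):
        print(ts, reason)
```

    Forwarding event logs to a collector before they can be cleared is what makes signal 2 useful at all; on the host alone, the 4688 record is gone with the rest of the log. Signal 1 is the one to keep even where process auditing is not enabled, since 1102 and 104 are written regardless of audit policy.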

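    The "Authentication Event Thresholding" row above describes two mechanisms, progressive throttling and account lockout after 5 to 10 attempts, without showing how they fit together. The following is an added example, not code from the advisory or its authoring agencies: a per-account throttle that doubles the wait after each consecutive failure and locks the account out once max_attempts is reached (8 by default, inside the advisory's range). The class and parameter names are this example's own; time is passed in explicitly so the policy is deterministic and testable.

```python
"""Added example (not from the advisory): the "Authentication Event
Thresholding" countermeasure as a per-account throttle with lockout.

Each consecutive failure pushes the next permitted attempt further out
(base_delay * factor^(n-1), capped at max_delay); reaching max_attempts
locks the account for lockout_seconds. A successful login resets it.
Pass `now` as a monotonic float (e.g. time.monotonic()).
"""
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0        # consecutive failures since the last success
    not_before: float = 0.0  # earliest time another attempt is accepted
    locked: bool = False     # True once max_attempts has been reached


class LoginThrottle:
    def __init__(self, max_attempts=8, base_delay=1.0, factor=2.0,
                 max_delay=60.0, lockout_seconds=900.0):
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        self.lockout_seconds = lockout_seconds
        self._states = {}

    def check(self, account, now):
        """(allowed, seconds_to_wait). Call this BEFORE verifying the password
        so a throttled request is rejected without touching the credential store."""
        st = self._states.get(account)
        if st is None or now >= st.not_before:
            return True, 0.0
        return False, st.not_before - now

    def record_failure(self, account, now):
        st = self._states.setdefault(account, _AccountState())
        if st.locked and now >= st.not_before:
            # A previous lockout has expired: start a fresh count.
            st = self._states[account] = _AccountState()
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked = True
            st.not_before = now + self.lockout_seconds
        else:
            # Progressive delay: base * factor^(n-1), capped at max_delay.
            delay = min(self.max_delay,
                        self.base_delay * self.factor ** (st.failures - 1))
            st.not_before = now + delay

    def record_success(self, account):
        """A good login clears the counter and any pending delay."""
        self._states.pop(account, None)

    def failures(self, account):
        st = self._states.get(account)
        return st.failures if st else 0

    def is_locked(self, account, now):
        st = self._states.get(account)
        return bool(st and st.locked and now < st.not_before)


if __name__ == "__main__":
    t = LoginThrottle(max_attempts=5, lockout_seconds=600.0)
    for i in range(5):
        t.record_failure("alice", float(i * 10))
    print(t.check("alice", 45.0))   # locked: (False, seconds remaining)
```

    Two caveats a practitioner would want alongside this: lockout is keyed by account, so it does nothing against the password spray in Table 8 (one attempt per account, well under any threshold), which needs source-based detection instead; and because anyone who knows a username can trigger the lockout, the lockout window should be short enough that the mechanism cannot be turned into a denial of service against administrators.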
    MIL OSI USA News -

  • MIL-OSI USA: Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners released a joint Cybersecurity Advisory, Russian GRU Targeting Western Logistics Entities and Technology Companies.  

    This advisory details a Russian state-sponsored cyber espionage-oriented campaign targeting technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.

    Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165 cyber actors are using a mix of previously disclosed tactics, techniques, and procedures (TTPs) and are likely connected to these actors’ widescale targeting of IP cameras in Ukraine and bordering NATO nations.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting. For more information on Russian state-sponsored threat actor activity, see CISA’s Russia Cyber Threat Overview and Advisories page.

    MIL OSI USA News

  • MIL-OSI Video: Ahead of the Threat Podcast: Episode 10 – Hugh Thompson

    Source: Federal Bureau of Investigation (FBI) (video statements)

    The show is on the road! Filming on location at the annual RSAC Conference in San Francisco, hosts Bryan Vorndran and Jamil Farshchi welcome Dr. Hugh Thompson, the executive chairman of RSAC and the program coordinator of the RSAC Conference. The annual conference gathers thousands of cybersecurity officials from the private and public sector to discuss ways to thwart attacks and institute best practices. In this episode, Dr. Thompson highlights the importance of government participation, how to keep the relationships and knowledge-sharing going throughout the year, and the importance of being community-oriented to ensure effective cybersecurity postures against criminal adversaries.

    More at: https://www.fbi.gov/video-repository/e10a_video.mp4/view
    —————————————————
    Subscribe to Inside the FBI wherever you get your podcasts:
    Spotify: https://open.spotify.com/show/4H2d3cg…
    Apple Podcasts: https://podcasts.apple.com/us/podcast…
    Google Podcasts: https://podcasts.google.com/feed/aHR0…
    More ways to follow us: https://inside-the-fbi.transistor.fm/…

    Follow us on social media:
    X: https://twitter.com/fbi
    Facebook: https://facebook.com/FBI
    Instagram: https://instagram.com/fbi
    YouTube: youtube.com/user/fbi

    https://www.youtube.com/watch?v=vMNIHF4A-sk

    MIL OSI Video

  • MIL-OSI USA: ICE New York City, partners arrest illegal alien wanted in home country for homicide

    Source: US Immigration and Customs Enforcement

    NEW YORK — On May 19, U.S. Immigration and Customs Enforcement New York City arrested Marlon Josuel Cruz Fernandez, an illegal alien from the Dominican Republic wanted in his home country for homicide.  

    ICE officers and special agents assigned to ICE’s Newburgh office, along with special agents from the Federal Bureau of Investigation, the Drug Enforcement Administration and Homeland Security Investigations arrested Cruz without incident in New Rochelle pursuant to a warrant of arrest.

    “This foreign fugitive mistakenly thought he could exploit our immigration laws to evade arrest in his home country,” said ICE Enforcement and Removal Operations New York City acting Field Office Director Judith Almodovar. “Let his futile attempt highlight to other criminal aliens we will always collaborate with our domestic and international law enforcement partners to ensure these fugitives are returned to their home countries to face justice.”

    The U.S. Border Patrol encountered and arrested Cruz Dec. 11, 2015, in the Rio Grande Valley in Texas after he illegally entered the U.S. Border Patrol officials served him with a notice to appear for violation of the Immigration and Nationality Act and turned him over to ICE for detention placement. ICE Harlingen granted Cruz bond Feb. 1, 2016, which he posted three days later. Cruz failed to appear for his immigration proceedings Jan. 5, 2017, so the immigration judge ordered him removed in absentia from the U.S. to the Dominican Republic.

    On Feb. 2, 2018, authorities in Santo Domingo, Dominican Republic, issued a warrant for Cruz’s arrest for the offense of homicide, which went international six weeks later. ICE New York City received notification March 16 this year.

    The New Rochelle Police Department arrested Cruz for having improper plates and impounded his vehicle May 17. The New Rochelle Police Department released Cruz on his own recognizance prior to realizing that he was an international fugitive wanted for homicide. Upon receiving this information, the police department immediately notified ICE New York City, which — along with federal partners — arrested Cruz.

    Cruz is currently detained in ICE custody pending removal to the Dominican Republic.

    Learn more about ERO New York City’s mission to increase public safety in our New York City communities on X at @ERONewYork.

    MIL OSI USA News

  • MIL-OSI Security: Missouri Man Sentenced to Over Nine Years in Prison for Church Arson

    Source: United States Attorneys General 1

    A Missouri man was sentenced yesterday to 111 months in prison by U.S. District Judge Matthew T. Schelp for the Eastern District of Missouri for burning down a Cape Girardeau, Missouri house of worship in 2021. He was also ordered to pay $6,968,223.36 in restitution for damages incurred by the church.

    Christopher Scott Pritchard, 49, pleaded guilty in U.S. District Court for the Eastern District of Missouri in Cape Girardeau, on Dec. 19, 2024, to one count of arson and one count of violating the Church Arson Prevention Act. Pritchard admitted setting fire to the house of worship owned and used by the Church of Jesus Christ of Latter-Day Saints (LDS) in Cape Girardeau, Missouri, during the evening of April 28, 2021. Pritchard was spotted watching the fire and was arrested about 1.5 miles away by the Cape Girardeau County Sheriff’s Office. Pritchard smelled like smoke and had a backpack containing a laptop computer, a projector, speakers and 21 apples that he’d stolen from the church. Pritchard told deputies that he’d gotten into a verbal altercation with the Bishop of the church a few days before the fire and had threatened to assault the Bishop and burn the church down.

    The fire destroyed the building and prevented the congregants in the free exercise of their religious beliefs. No one was injured.

    “There is no place in America for criminal acts against houses of worship,” said Assistant Attorney General Harmeet K. Dhillon of the Justice Department’s Civil Rights Division. “The Civil Rights Division thanks its law enforcement partners for prosecuting this matter.”

    Assistant Attorney General Harmeet K. Dhillon and U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri made the announcement.

    The FBI St. Louis Field Office, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the Cape Girardeau County Sheriff’s Office and the Missouri State Fire Marshal’s Office investigated the case. Assistant U.S. Attorney Paul Hahn for the Eastern District of Missouri prosecuted the case, with assistance from the Civil Rights Division’s Criminal Section.

    MIL Security OSI

  • MIL-OSI USA: Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation

    Source: US State of North Dakota

    Coordinated Microsoft Actions and Court-Authorized Domain Seizures Disrupt LummaC2 Malware Infrastructure Used to Target Millions

    The Justice Department announced today the unsealing of two warrants authorizing the seizure of five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service.

    “The Department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber operations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security Division. “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country. We are grateful for their work and dedication.”

    “Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets. The Department is also committed to working with and appreciates the efforts of the private sector to safeguard the public from cybercrime.”

    “The FBI is committed to disrupting the key services that cyber criminals rely on,” said Assistant Director Bryan Vorndran of FBI’s Cyber Division. “That’s why, with our partners, we took action against the most popular infostealer service available in online criminal markets, which is responsible for millions of attacks against victims. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels. Together, we are making it harder, and more painful, for cyber criminals to operate.”

    As alleged in the affidavits filed in support of the government’s seizure warrants, the administrators of LummaC2 used the seized websites to distribute LummaC2, an information-stealing malware, to their affiliates and other cyber criminals. According to court documents, common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.

    The government’s affidavit further alleges that the seized domains, also referred to as user panels, served as login pages for the LummaC2 malware, allowing credentialed users and administrators to access and deploy LummaC2. On May 19, 2025, the government seized two domains. On May 20, 2025, as detailed in court documents, the LummaC2 administrators informed their users of three new domains that they had set up to host the user panel. The next day, the government then seized those three domains.

    The seizure of these domains by the government will prevent the owners and cybercriminals from using the websites to access LummaC2 to compromise computers and steal victim information. Individuals who now visit the websites will see a message indicating that the site has been seized by the Justice Department, including the FBI.

    Concurrent with today’s actions and consistent with the Department’s approach to public-private operational coordination, Microsoft announced an independent civil action to take down 2,300 internet domains also claimed to be used by the LummaC2 actors or their proxies.

    FBI’s Dallas Field Office is investigating the case.

    The U.S. Attorney’s Office for the Northern District of Texas, the National Security Division’s National Security Cyber Section, and the Criminal Division’s Computer Crime and Intellectual Property Section are handling the case.

    The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, offers a reward of up to $10 million for information on foreign government-linked individuals participating in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

    Anyone with information on any other foreign government-linked malicious cyber actors or activity targeting U.S. critical infrastructure should contact Rewards for Justice via the RFJ Tor-based tip line at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). Learn more about Rewards for Justice and their reward offers at RewardsforJustice.net.

    If you believe you have a compromised computer or device, please visit the FBI’s Internet Crime Complaint Center (IC3). You may also contact your local FBI field office directly.

    MIL OSI USA News

  • MIL-OSI Security: Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation

    Source: United States Attorneys General 13

    Coordinated Microsoft Actions and Court-Authorized Domain Seizures Disrupt LummaC2 Malware Infrastructure Used to Target Millions

    The Justice Department announced today the unsealing of two warrants authorizing the seizure of five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service.

    “The Department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber operations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security Division. “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country. We are grateful for their work and dedication.”

    “Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets. The Department is also committed to working with and appreciates the efforts of the private sector to safeguard the public from cybercrime.”

    “The FBI is committed to disrupting the key services that cyber criminals rely on,” said Assistant Director Bryan Vorndran of FBI’s Cyber Division. “That’s why, with our partners, we took action against the most popular infostealer service available in online criminal markets, which is responsible for millions of attacks against victims. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels. Together, we are making it harder, and more painful, for cyber criminals to operate.”

    As alleged in the affidavits filed in support of the government’s seizure warrants, the administrators of LummaC2 used the seized websites to distribute LummaC2, an information-stealing malware, to their affiliates and other cyber criminals. According to court documents, common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.

    The government’s affidavit further alleges that the seized domains, also referred to as user panels, served as login pages for the LummaC2 malware, allowing credentialed users and administrators to access and deploy LummaC2. On May 19, 2025, the government seized two domains. On May 20, 2025, as detailed in court documents, the LummaC2 administrators informed their users of three new domains that they had set up to host the user panel. The next day, the government then seized those three domains.

    The seizure of these domains by the government will prevent the owners and cybercriminals from using the websites to access LummaC2 to compromise computers and steal victim information. Individuals who now visit the websites will see a message indicating that the site has been seized by the Justice Department, including the FBI.

    Concurrent with today’s actions and consistent with the Department’s approach to public-private operational coordination, Microsoft announced an independent civil action to take down 2,300 internet domains also claimed to be used by the LummaC2 actors or their proxies.

    FBI’s Dallas Field Office is investigating the case.

    The U.S. Attorney’s Office for the Northern District of Texas, the National Security Division’s National Security Cyber Section, and the Criminal Division’s Computer Crime and Intellectual Property Section are handling the case.

    The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, offers a reward of up to $10 million for information on foreign government-linked individuals participating in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

    Anyone with information on any other foreign government-linked malicious cyber actors or activity targeting U.S. critical infrastructure should contact Rewards for Justice via the RFJ Tor-based tip line at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). Learn more about Rewards for Justice and their reward offers at RewardsforJustice.net.

    If you believe you have a compromised computer or device, please visit the FBI’s Internet Crime Complaint Center (IC3). You may also contact your local FBI field office directly.

    MIL Security OSI

  • MIL-OSI Security: Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

    Source: US Department of Homeland Security

    Summary

    The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

    The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

    Technical Details

    Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

    Overview

    LummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to open the Windows Run window (Windows Button + R) and paste the clipboard contents (“CTRL + V”). After users press “enter,” a Base64-encoded PowerShell process is executed.
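    The paste-into-Run lure described above leaves a distinctive trace in process-creation telemetry: a PowerShell process whose command line carries an -EncodedCommand payload and whose parent is the desktop shell (explorer.exe), because the Run dialog is what launched it. The following detector is an added example, not code from the advisory or from any vendor; it decodes the payload the way PowerShell does (Base64 over UTF-16LE) and flags the parent relationship. The event records and the encoded script are constructed for the example; real Sysmon Event ID 1 or Security 4688 exports carry the same three fields under other names.

```python
import base64
import binascii
import ntpath

# Constructed sample payload, encoded exactly the way PowerShell expects for
# -EncodedCommand: UTF-16LE text, then Base64. Not taken from the advisory.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample'"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style),
# reduced to the three fields the check needs.
SAMPLE_EVENTS = [
    {   # what a Win+R paste looks like: PowerShell launched by the desktop shell
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": f"powershell.exe -w hidden -enc {SAMPLE_ENC}",
    },
    {   # routine scheduled task: runs a script file, no encoded command
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
]


def _is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand or any unambiguous prefix PowerShell accepts (-e, -ec, -enc, ...)."""
    if not token or token[0] not in "-/":
        return False
    t = token.lower().lstrip("-/")
    return len(t) >= 1 and "encodedcommand".startswith(t)


def extract_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not _is_encoded_flag(flag):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def classify_event(event: dict):
    """Return (decoded_script_or_None, findings) for one process-creation event."""
    findings = []
    if ntpath.basename(event["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
        return None, findings
    decoded = extract_encoded_command(event["cmdline"])
    if decoded is None:
        return None, findings
    findings.append("encoded-powershell")
    # The Run-dialog lure makes explorer.exe the parent; scripted or
    # scheduled launches of PowerShell normally have a different parent.
    if ntpath.basename(event["parent"]).lower() == "explorer.exe":
        findings.append("spawned-from-explorer")
    return decoded, findings


def scan_events(events):
    """Return (index, decoded_script, findings) for every event that produced findings."""
    hits = []
    for i, ev in enumerate(events):
        decoded, findings = classify_event(ev)
        if findings:
            hits.append((i, decoded, findings))
    return hits


if __name__ == "__main__":
    for idx, script, why in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(why)}")
        print("  decoded:", script)
```

    The prefix check matters in practice: PowerShell accepts any unambiguous abbreviation of -EncodedCommand, so a rule that only matches the full switch name misses `-enc` and `-e`. The decoded script, not the Base64 blob, is what should be inspected and retained in the alert.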

    To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake versions of popular software (e.g., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].

    Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

    File Execution

    Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).

    Figure 1. LummaC2 Main Routine

    The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

    Figure 2. Message Box

    If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.

    After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).

    Figure 3. Post Request

    If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).

    Figure 4. Code Saving Successful Callback Request

    Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

    Figure 5. User and Computer Name Check

    The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.

    If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.

    If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).

    Figure 6. Second POST Request

    The data returned from the C2 server is encrypted. Once decoded, the C2 data is in JSON format and is parsed by the LummaC2 malware. The malware reads its browser extension and target lists from the ex key of the JSON configuration, which contains an array of objects (see Figure 7).

    Figure 7. Parsing of ex JSON Value

    The c key also contains an array of objects; parsing it gives the implant its C2 instructions (see Figure 8).

    Figure 8. Parsing of c JSON Value

    C2 Instructions

    Each array object that contains the JSON key value of t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.

    1. Opcode 0 – Steal Data Generic

    This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode 0 command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).

    Table 1. Opcode 0 Options
    Key Value
    p Path to steal from
    m File extensions to read
    z Output directory to store stolen data
    d Depth of recursiveness
    fs Maximum file size

    2. Opcode 1 – Steal Browser Data

    This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).

    Table 2. Opcode 1 Options
    Key Value
    p Path to steal from
    z Name of Browser – Output

    3. Opcode 2 – Steal Browser Data (Mozilla)

    This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).

    Table 3. Opcode 2 Options
    Key Value
    p Path to steal from
    z Name of Browser – Output

    4. Opcode 3 – Download a File

    This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).

    Table 4. Opcode 3 Options
    Key Value
    u URL for Download
    ft File Extension
    e Execution Type

    The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).

    Table 5. Execution Types
    Key Value
    e=0 Execute with LoadLibraryW()
    e=1 Execute with rundll32.exe

    5. Take Screenshot

    If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.

    6. Delete Self

    If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.

    The command shown in Figure 9 will be decoded and executed for self-deletion.

    Figure 9. Self-Deletion Command Line

    Figure 10 depicts the above command line during execution.

    Figure 10. Decoded Command Line in Memory
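    For an analyst who has already recovered a decoded C2 configuration, the useful step is to turn the opcode and key letters from the tables above into a readable statement of what the implant was told to do: which paths and extensions are collected, whether a file is fetched and how it is run (LoadLibraryW versus rundll32.exe), and whether the screenshot and self-delete flags are set. The summarizer below is an added example and not the advisory’s or any project’s code. It takes the key meanings from Tables 1 through 5 and the se/ad flags from the text; the exact wire layout (ex and c as top-level arrays, se and ad as top-level string flags) and every value in the sample configuration are assumptions constructed for the example.

```python
import json

# Opcode meanings and per-opcode option keys as given in the advisory's
# Tables 1 through 5. Opcodes outside this map are reported as unknown.
OPCODE_NAMES = {
    0: "steal data (generic)",
    1: "steal browser data",
    2: "steal browser data (Mozilla)",
    3: "download a file",
}
OPCODE_KEYS = {
    0: {"p": "path", "m": "extensions", "z": "output dir", "d": "depth", "fs": "max file size"},
    1: {"p": "path", "z": "browser/output"},
    2: {"p": "path", "z": "browser/output"},
    3: {"u": "url", "ft": "extension"},
}
EXEC_TYPES = {0: "LoadLibraryW()", 1: "rundll32.exe"}

# Constructed configuration in the shape the advisory describes. The inner
# keys of the ex objects and all values are made up for this example.
SAMPLE_CONFIG = json.dumps({
    "ex": [{"n": "constructed-extension-1"}],
    "c": [
        {"t": 0, "p": "%USERPROFILE%\\Documents", "m": "*.txt,*.pdf", "z": "Docs", "d": 2, "fs": 2000000},
        {"t": 1, "p": "%LOCALAPPDATA%\\Google\\Chrome\\User Data", "z": "Chrome"},
        {"t": 2, "p": "%APPDATA%\\Mozilla\\Firefox\\Profiles", "z": "Firefox"},
        {"t": 3, "u": "http://c2-placeholder.invalid/stage2.bin", "ft": "dll", "e": 1},
        {"t": 99, "x": "not described in the advisory"},
    ],
    "se": "true",
    "ad": "false",
})


def _is_true(value) -> bool:
    """The advisory describes the flags as the value "true"; accept JSON true or the string."""
    return value is True or str(value).lower() == "true"


def describe_command(obj: dict) -> dict:
    """Translate one c-array object (keyed by its t opcode) into labelled options."""
    t = obj.get("t")
    entry = {"opcode": t, "action": OPCODE_NAMES.get(t, "unknown opcode"), "options": {}}
    for key, label in OPCODE_KEYS.get(t, {}).items():
        if key in obj:
            entry["options"][label] = obj[key]
    if t == 3 and "e" in obj:
        # Table 5: e=0 loads the file with LoadLibraryW(), e=1 runs it via rundll32.exe
        entry["options"]["execution"] = EXEC_TYPES.get(obj["e"], f"unexpected e={obj['e']}")
    return entry


def summarize_config(raw_json: str) -> dict:
    """Produce a triage summary of a decoded LummaC2-style JSON configuration."""
    cfg = json.loads(raw_json)
    commands = [describe_command(o) for o in cfg.get("c", []) if isinstance(o, dict) and "t" in o]
    return {
        "extension_targets": len(cfg.get("ex", [])),
        "commands": commands,
        "screenshot": _is_true(cfg.get("se")),      # se=true: BMP screenshot uploaded to C2
        "self_delete": _is_true(cfg.get("ad")),     # ad=true: self-deletion routine runs
        # Opcode 3 is the only command that writes a new file to disk, which is
        # the C2-driven host modification the advisory warns about.
        "drops_files": any(c["opcode"] == 3 for c in commands),
        "unknown_opcodes": sorted({c["opcode"] for c in commands if c["opcode"] not in OPCODE_NAMES}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_config(SAMPLE_CONFIG), indent=2))
```

    Unknown opcodes are surfaced rather than dropped so that a configuration using a command the advisory does not describe is visible during triage; the drops_files flag is the quick answer to whether the in-memory-only behaviour described under Host Modifications still holds for a given infection.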

    Host Modifications

    Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.

    Decrypted Strings

    Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

    Figure 11. Decoded Strings

    Indicators of Compromise

    See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.

    Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

    Table 6. LummaC2 Executable Hashes
    Executables Type
    4AFDC05708B8B39C82E60ABE3ACE55DB (LummaC2.exe from November 2023) MD5
    E05DF8EE759E2C955ACC8D8A47A08F42 (LummaC2.exe from November 2023) MD5
    C7610AE28655D6C1BCE88B5D09624FEF MD5
    1239288A5876C09D9F0A67BCFD645735168A7C80 (LummaC2.exe from November 2023) SHA1
    B66DA4280C6D72ADCC68330F6BD793DF56A853CB (LummaC2.exe from November 2023) SHA1
    3B267FA5E1D1B18411C22E97B367258986E871E5 TLSH
    19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB (November 2023) SHA256
    2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F (LummaC2.exe from November 2023) SHA256
    4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D SHA256
    325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a SHA256
    76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c SHA256
    7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70 SHA256
    a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab SHA256
    b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 SHA256
    ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b SHA256
    Table 7. LummaC2 DLL Binaries
    DLL Binaries Type
    iphlpapi.dll IP Helper API
    winhttp.dll Windows HTTP Services

    The following are domains observed deploying LummaC2 malware.

    Disclaimer: The domains below are historical in nature and may not currently be malicious.

    • Pinkipinevazzey[.]pw
    • Fragnantbui[.]shop
    • Medicinebuckerrysa[.]pw
    • Musicallyageop[.]pw
    • stogeneratmns[.]shop
    • wallkedsleeoi[.]shop
    • Tirechinecarpet[.]pw
    • reinforcenh[.]shop
    • reliabledmwqj[.]shop
    • Musclefarelongea[.]pw
    • Forbidstow[.]site
    • gutterydhowi[.]shop
    • Fanlumpactiras[.]pw
    • Computeryrati[.]site
    • Contemteny[.]site
    • Ownerbuffersuperw[.]pw
    • Seallysl[.]site
    • Dilemmadu[.]site
    • Freckletropsao[.]pw
    • Opposezmny[.]site
    • Faulteyotk[.]site
    • Hemispheredodnkkl[.]pw
    • Goalyfeastz[.]site
    • Authorizev[.]site
    • ghostreedmnu[.]shop
    • Servicedny[.]site
    • blast-hubs[.]com
    • offensivedzvju[.]shop
    • friendseforever[.]help
    • blastikcn[.]com
    • vozmeatillu[.]shop
    • shiningrstars[.]help
    • penetratebatt[.]pw
    • drawzhotdog[.]shop
    • mercharena[.]biz
    • pasteflawwed[.]world
    • generalmills[.]pro
    • citywand[.]live
    • hoyoverse[.]blog
    • nestlecompany[.]pro
    • esccapewz[.]run
    • dsfljsdfjewf[.]info
    • naturewsounds[.]help
    • travewlio[.]shop
    • decreaserid[.]world
    • stormlegue[.]com
    • touvrlane[.]bet
    • governoagoal[.]pw
    • paleboreei[.]biz
    • calmingtefxtures[.]run
    • foresctwhispers[.]top
    • tracnquilforest[.]life
    • sighbtseeing[.]shop
    • advennture[.]top
    • collapimga[.]fun
    • holidamyup[.]today
    • pepperiop[.]digital
    • seizedsentec[.]online
    • triplooqp[.]world
    • easyfwdr[.]digital
    • strawpeasaen[.]fun
    • xayfarer[.]live
    • jrxsafer[.]top
    • quietswtreams[.]life
    • oreheatq[.]live
    • plantainklj[.]run
    • starrynsightsky[.]icu
    • castmaxw[.]run
    • puerrogfh[.]live
    • earthsymphzony[.]today
    • weldorae[.]digital
    • quavabvc[.]top
    • citydisco[.]bet
    • steelixr[.]live
    • furthert[.]run
    • featureccus[.]shop
    • smeltingt[.]run
    • targett[.]top
    • mrodularmall[.]top
    • ferromny[.]digital
    • ywmedici[.]top
    • jowinjoinery[.]icu
    • rodformi[.]run
    • legenassedk[.]top
    • htardwarehu[.]icu
    • metalsyo[.]digital
    • ironloxp[.]live
    • cjlaspcorne[.]icu
    • navstarx[.]shop
    • bugildbett[.]top
    • latchclan[.]shop
    • spacedbv[.]world
    • starcloc[.]bet
    • rambutanvcx[.]run
    • galxnetb[.]today
    • pomelohgj[.]top
    • scenarisacri[.]top
    • jawdedmirror[.]run
    • changeaie[.]top
    • lonfgshadow[.]live
    • liftally[.]top
    • nighetwhisper[.]top
    • salaccgfa[.]top
    • zestmodp[.]top
    • owlflright[.]digital
    • clarmodq[.]top
    • piratetwrath[.]run
    • hemispherexz[.]top
    • quilltayle[.]live
    • equatorf[.]run
    • latitudert[.]live
    • longitudde[.]digital
    • climatologfy[.]top
    • starofliught[.]top

    MITRE ATT&CK Tactics and Techniques

    See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Table 8. Initial Access
    Technique Title ID Use
    Phishing T1566 Threat actors delivered LummaC2 malware through phishing emails.
    Phishing: Spearphishing Attachment T1566.001 Threat actors used spearphishing attachments to deploy LummaC2 malware payloads.
    Phishing: Spearphishing Link T1566.002 Threat actors used spearphishing hyperlinks to deploy LummaC2 malware payloads.
    Table 9. Defense Evasion
    Technique Title ID Use
    Obfuscated Files or Information T1027 Threat actors obfuscated the malware to bypass standard cybersecurity measures designed to flag common phishing attempts or drive-by downloads.
    Masquerading T1036 Threat actors delivered LummaC2 malware via spoofed software.
    Deobfuscate/Decode Files or Information T1140 Threat actors used LummaC2 malware to decrypt its callback C2 domains.
    Table 10. Discovery
    Technique Title ID Use
    Query Registry T1012 Threat actors used LummaC2 malware to query the user’s name and computer name utilizing the APIs GetUserNameW and GetComputerNameW.
    Browser Information Discovery T1217 Threat actors used LummaC2 malware to steal browser data.
    Table 11. Collection
    Technique Title ID Use
    Automated Collection T1119 LummaC2 malware has automated collection of various information including cryptocurrency wallet details.
    Table 12. Command and Control
    Technique Title ID Use
    Application Layer Protocol: Web Protocols T1071.001 Threat actors used LummaC2 malware to attempt POST requests.
    Ingress Tool Transfer T1105 Threat actors used LummaC2 malware to transfer a remote file to compromised systems.
    Table 13. Exfiltration
    Technique Title ID Use
    Exfiltration TA0010 Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
    Native API T1106 Threat actors used LummaC2 malware to download files with native OS APIs.

    Mitigations

    The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.

    • Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
    • Monitor and detect suspicious behavior during exploitation [CPG 3.A].
      • Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
      • Monitor API calls that may attempt to retrieve system information.
      • Analyze behavior patterns from process activities to identify anomalies.
      • For more information, visit CISA’s guidance on: Enhanced Visibility and Hardening Guidance for Communications Infrastructure.
    • Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Protect against threat actor phishing campaigns by implementing CISA’s Phishing Guidance and phishing-resistant multifactor authentication [CPG 2.H].
    • Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
    • Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
    • Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
    • Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.
    • Secure network devices to restrict command line access.
    • Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
    • Monitor and detect API usage, looking for unusual or malicious behavior.

    Validate Security Controls

    In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.

    To get started:

    1. Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
    2. Align your security technologies against the technique.
    3. Test your technologies against the technique.
    4. Analyze your detection and prevention technologies’ performance.
    5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
    6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

    The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

    Reporting

    Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

    The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.

    To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.

    Acknowledgements

    ReliaQuest contributed to this advisory.

    Version History

    May 21, 2025: Initial version.


  • MIL-OSI Security: Missouri Man Sentenced to Over 19 Years in Prison for Transporting Minor for Sex

    Source: Federal Bureau of Investigation FBI Crime News (b)

    ST. LOUIS – U.S. District Judge Henry E. Autrey on Tuesday sentenced a man who admitted transporting a minor across state lines for sex to 230 months in prison.

    Scott M. Arnold-Micke, 48, of Rolla, Missouri, met the 17-year-old victim in 2021 and took him to Chicago, where they used drugs and engaged in sexual acts. Arnold-Micke engaged in drug use with the victim on an almost daily basis after Arnold-Micke moved from Sullivan, Missouri, to Rolla.

    Arnold-Micke, 48, pleaded guilty in January to one count of transportation of a minor to engage in a criminal sex act.

    The case was investigated by the FBI and the Rolla Police Department with assistance from the Phelps County Sheriff’s Department.  Assistant U.S. Attorney Dianna Edwards prosecuted the case.

    “The FBI is unrelenting when it comes to protecting children,” said Special Agent in Charge Chris Crocker of the FBI St. Louis Division. “I commend those who brought this crime to light in order to get this child predator off the streets and in prison where he belongs.”

    This case was brought as part of Project Safe Childhood, a nationwide initiative to combat the growing epidemic of child sexual exploitation and abuse launched in May 2006 by the Department of Justice. Led by U.S. Attorneys’ Offices and the Department of Justice Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state and local resources to better locate, apprehend and prosecute individuals who exploit children via the Internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.


  • MIL-OSI Security: Pagan’s Motorcycle Club Member Pleads Guilty for Armed Assault and Attempted Assault Against Rivals

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    KANSAS CITY, Mo. – A member of the Pagan’s Motorcycle Club pleaded guilty today before U.S. District Judge Greg Kays for his involvement in an armed assault and an attempted armed assault against members of rival motorcycle clubs.

    Jeremiah Z. Hahn, also known as “Pass Out,” 42, of Cameron, Mo., pleaded guilty today to one count of assault with a dangerous weapon in aid of racketeering, one count of attempting to commit assault with a dangerous weapon in aid of racketeering, and one count of felon in possession of a firearm.

    On May 30, 2022, Hahn and other members of the Pagan’s and their support club, assaulted a lone rival motorcycle gang member at a business in Grain Valley, Mo.  In addition to fists, Hahn used an axe handle during the assault, causing physical injury to the victim.

    On Sep. 3, 2022, Hahn and other members of the Pagan’s and their support club, travelled to Topeka, Ks., to carry out a revenge attack against another rival motorcycle gang.  The plan was to “catch a stray” and “smash on sight” any rival member they saw.  The Pagan’s were aware that the rival motorcycle gang were having an event in Topeka that day, and the plan was to use either an axe handle or a gun on one of the rival gang members.  After arriving in Topeka, a rival member was spotted in a hotel parking lot.  As Hahn, who was armed with a gun, prepared to shoot the rival, a disagreement occurred among members, and the group returned to the Kansas City area.

    Following both events, Hahn and others present were awarded patches for their participation.

    On May 3, 2023, Hahn was stopped by a Missouri State Highway Patrol Trooper on eastbound Highway 36 in Dekalb County, Mo., for speeding.  Hahn, who was riding a black, 2012 Harley Davidson motorcycle, had passed the trooper, traveling 98 mph in a 65-mph zone. Initially, Hahn attempted to flee the trooper and reached speeds ranging from 100-102 mph before stopping.  Following Hahn’s arrest, the trooper discovered a Smith and Wesson, model M&P Shield, .40 caliber semi-automatic handgun, in Hahn’s front pants’ pocket.  Hahn, who had felony convictions out of Oklahoma, Kansas, and Missouri, stated that he had stolen the gun approximately a week and a half earlier from a member of a rival motorcycle club in St. Joseph, Mo.

    Under federal statutes, Hahn is subject to a sentence of up to twenty years in prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.

    This case is being prosecuted by Assistant U.S. Attorneys Bradley K. Kavanaugh and Robert Smith. It was investigated by the FBI, the Independence, Mo., Police Department, the Blue Springs, Mo., Police Department, Homeland Security Investigations, and the Kansas City, Mo., Police Department.

    Organized Crime and Drug Enforcement Task Force

    This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
