Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury today for robbing fourteen convenience stores at gunpoint. He also faces charges for attempting to rob another convenience store and illegally possessing a firearm.
Marquise L. North, 31, of Kansas City, Mo., was charged in a thirty-one count indictment returned by a federal grand jury in Kansas City, Mo.
Today’s indictment charges North with fourteen counts of Hobbs Act robbery, one count of attempted Hobbs Act robbery, fourteen counts of brandishing a firearm in furtherance of a crime of violence, and one count of being a felon in possession of a firearm.
The federal indictment alleges North committed the robberies between July 26, 2024, and Sep. 21, 2024. North is alleged to have brandished a firearm during each of the robberies.
Under federal law, it is illegal for anyone who has been convicted of a felony to be in possession of any firearm or ammunition. North has a prior felony conviction for unlawful possession of a firearm.
The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.
Under federal statutes, North is subject to a sentence of up to life in federal prison without parole. Brandishing a firearm during a crime of violence carries a mandatory minimum sentence of seven years in federal prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Special Assistant U.S. Attorney Jessica L. Jennings. It was investigated by the FBI, Kansas City, Missouri Police Department, Raytown, Missouri Police Department, and Independence, Missouri Police Department.
Project Safe Neighborhoods
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
SPRINGFIELD, Mo. – Two men from Springfield, Mo., were sentenced in federal court for their roles in a conspiracy to distribute large quantities of methamphetamine in the Springfield area.
Erik C. Foster, 43, was sentenced by U.S. District Judge Brian C. Wimes, to 215 months in federal prison without parole, to be followed by 5 years of supervised release. Foster pleaded guilty on Dec. 16, 2024.
Tilton Chase Tate, 41, was sentenced by U.S. District Judge Brian C. Wimes, to 146 months in federal prison without parole, to be followed by 5 years of supervised release. Tate pleaded guilty on October 15, 2024.
Foster and Tate were charged, along with other individuals, in a 24-count superseding indictment on July 25, 2023, for their roles in a drug conspiracy that lasted from Dec. 2020 to Oct. 2022.
Foster admitted to purchasing and delivering methamphetamine for other conspirators to distribute in Southwest Missouri. During the course of the conspiracy, law enforcement seized well over 50 grams of methamphetamine from members of the conspiracy.
According to court records, on Sep. 10, 2022, officers with the Republic, Mo. Police Department located two plastic bags containing at least 844 grams of methamphetamine from inside a speaker during a traffic stop where Foster was the passenger. Foster told officers that he had picked up the methamphetamine in Joplin and was taking it to Springfield to deliver it to a co-conspirator for distribution.
On Oct. 12, 2022, deputies with the Greene County, Mo., Sheriff’s Office seized a small plastic bag of what appeared to be black tar heroin, a backpack containing 70 grams of methamphetamine, and over $11,960 in cash from Foster during a traffic stop. During a post-Miranda interview, Foster told officers that he was taking the backpack to a co-conspirator for distribution and that he had made six or seven similar trips to deliver methamphetamine.
Tate admitted to possessing and distributing methamphetamine to others as part of the conspiracy.
On Oct. 19, 2021, during a traffic stop, a Springfield, Mo. Police Department (SPD) detective seized over 440 grams of methamphetamine from Tate.
On April 14, 2022, while executing a search warrant for Tate’s residence, SPD officers located a Ruger LCP 380 handgun and a Stoeger Arms, STR 9C 9mm handgun, as well as miscellaneous pills and suspected methamphetamine.
Later in April, during a post-Miranda interview, Tate admitted to purchasing the methamphetamine seized during the Oct. traffic stop from a co-conspirator. He estimated that he was selling a pound of methamphetamine each week.
This case is being prosecuted by Assistant U.S. Attorney Stephanie L. Wan. It was investigated by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Federal Bureau of Investigation, the Greene County, Mo., Sheriff’s Office, the Missouri State Highway Patrol, the Republic, Mo., Police Department, and the Springfield, Mo., Police Department.
Organized Crime and Drug Enforcement Task Force
This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was sentenced in federal court today for his role in a conspiracy to distribute fentanyl, methamphetamine, and heroin and for possession of firearms in furtherance of that conspiracy.
Codi J. Monteer, 38, was sentenced by U.S. District Judge D. Greg Kays to 30 years in federal prison without parole.
On Oct. 8, 2024, Monteer pleaded guilty to one count of conspiracy to distribute fentanyl, methamphetamine, heroin, and marijuana; one count of maintaining a drug involved premises; one count of possession of firearms in furtherance of the drug conspiracy; and one count of being a felon in possession of firearms.
Monteer’s participation in the drug trafficking conspiracy lasted approximately one year and he was responsible for conspiring with others to distribute at least 124 kilograms of methamphetamine; 700 grams of fentanyl (powder and pills); and 1.58 kilograms of heroin. He was also in possession of several firearms used in furtherance of his drug trafficking.
On one occasion, in March 2021, Monteer led members of the Kansas Highway Patrol on a high-speed pursuit that reached speeds of approximately 145 miles per hour. The pursuit did not conclude until two of the tires came off Monteer’s vehicle. During the pursuit, drugs were thrown from the vehicle.
Monteer was an associate of Autumn Dicks, Ian Hazel, They Kelley, Marc Downs, and Jamison Hopson-Stephens. Those individuals have already been sentenced for their roles within the conspiracy. Monteer was also an associate of Davion Williams, Curtis Lewis, Daniel Anderson, and Aaron Dorsey in this conspiracy. Those individuals have all pleaded guilty and are awaiting sentencing.
This case is being prosecuted by Assistant U.S. Attorney Ashleigh A. Ragner. It was investigated by the Kansas City, Mo. Police Department, FBI, United States Postal Inspection Service, and the Kansas State Highway Patrol.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)
ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon after he allegedly stabbed a man multiple times during an altercation near Shiprock.
According to court documents, on the night of April 19, 2025, Navajo Police Department officers responded to a 911 call reporting a stabbing in Shiprock, New Mexico. Officers located the victim who had sustained three stab wounds to his upper and lower back. The victim was transported to the hospital for emergency treatment.
An investigation led by the FBI and Navajo Nation Criminal Investigators revealed that Matthew Charley, 29, an enrolled member of the Navajo Nation, approached the victim and two witnesses. After a brief verbal exchange, the witnesses left the area, leaving Charley and the victim alone. When the witnesses returned a short time later, they found the victim had been stabbed. The victim identified Charley as his assailant.
Law enforcement collected witness statements, obtained video evidence, and reviewed surveillance footage that corroborated the description and movements of the suspect.
Screenshot of video showing Charley
Charley is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Charley faces 10 years in prison.
U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.
The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.
A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)
BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Waleed Abughanem, 33, of Lackawanna, NY, who was convicted of misprision of felony, was sentenced to serve 36 months in prison by U.S. District Judge John L. Sinatra, Jr.
Assistant U.S. Attorneys Charles M. Kruly and Maeve E. Huggins, who handled the case, stated that Abughanem is the son of Khaled Abughanem and the brother of Adham Abughanem. On September 8, 2021, Khaled and Adham Abughanem flew from Buffalo, NY, to Guadalajara, Mexico to kidnap Victim 1, who is the daughter of Khaled and the sister of Adham and Waleed. Between September 10, 2021, and April 6, 2023, Waleed, Khaled and Adham Abughanem conspired to transport Victim 1 from the Western District of New York to Cairo, Egypt, and then to Sanaa, Yemen, where they confined Victim 1 for approximately 16 months with the purpose of marrying her to a man not of her choosing.
Waleed Abughanem knew Victim 1 was being held involuntarily, and during some of this period, he was present in Yemen. When he was not present in Yemen, Waleed Abughanem instructed his wife to monitor and supervise Victim 1. In December 2022, Waleed Abughanem traveled from Yemen to the United States. When questioned by U.S. Customs and Border Protection as to the whereabouts of his siblings, Waleed Abughanem told the CBP Officer that the Victim was in the United States. By making a false statement, Waleed Abughanem concealed that Victim 1 had been kidnapped and was being involuntarily held in Yemen.
Khaled and Adham Abughanem were previously convicted by a federal jury at trial and are awaiting sentencing.
Waleed Abughanem’s sentencing is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia, and the U.S. Department of State’s Diplomatic Security Service, under the direction of Diplomatic Security Director Carlos Matus and Deputy Assistant Secretary Paul Houston. Additional assistance was provided by the Lackawanna Police Department, under the direction of Chief Mark Packard, Customs and Border Protection, under the direction of Director of Field Operations Rose Brophy, and CPB in Boston, Massachusetts.
CONCORD – A Dover man plead guilty yesterday in federal court for stalking three women he was in romantic relationships with by using anonymous phone numbers and email accounts to create a fictious stalker, Acting U.S. Attorney Jay McCormack announces.
Jason Subirana, age 48, pleaded guilty in federal court in Concord to three counts of Stalking. U.S. District Court Judge Steven J. McAuliffe scheduled sentencing for August 27, 2025.
According to the charging documents and statements made in court, between November 2016 – December 2021, the defendant stalked three women he was in romantic relationships with. He used more than 50 anonymous phone numbers, provided by TextNow, and anonymous email accounts to send over 650 harassing messages to the three victims from a fictious stalker. He attempted to manipulate his victims, catch them in lies, and cause emotional distress. For example, he sent one victim a text message that read:
“How can you b*tch to everyone about your birthday? You should be grateful he’s put up with all your lies and shit for so long. Stop trying to make him look like a bad guy, he’s the best thing you have and lucky he hasn’t put you to the curb like the trash bag that you are. Own your shit and stop lying to everyone. You want more? Be honest to EVERYONE around you. Stop thinking you are smarter than everyone.”
In addition to sending harassing communications to the victims, the defendant also sent himself harassing messages from the fictious stalker using anonymous accounts. For example, the defendant texted himself from an anonymous TextNow number, “Do you really think you’re the only one she’s banging? You really should get yourself tested. Put something in the mail for you keep an eye out for it.” On February 10, 2021, the defendant texted himself from an anonymous TextNow number, “How many times do you think she’s going to take it this afternoon before coming to give you sloppy seconds?”
The defendant also collected compromising information about the victims and then sent the compromising information to himself under the guise that he received it from “the stalker”. For example, the defendant gained access to Victim 2’s email account and forwarded himself an email exchange from 2015 where Victim 2 mentioned a potential romance with an acquaintance of hers. The defendant orchestrated a series of email forwards through anonymous accounts before making its way back to Victim 2. This email controversy led to Victim 2 admitting to the defendant a prior romantic relationship with that acquaintance, with the defendant responding, “You’re only telling me this now because of the email you got. What else are you hiding from me?” and “What wlse [sic] is out there? Has this all been based on lies???”
The defendant actively distanced himself from “the stalker” by accusing innocent individuals of being his victim’s “stalker.” For example, the defendant sent numerous harassing messages to a male colleague of Victim 3. Between April 22, 2018, and August 15, 2018, the defendant sent 52 harassing text messages to the victim’s colleague from at least five anonymous TextNow numbers. The defendant also sent the victim’s colleague numerous explicit photos of a woman’s body that resembled Victim 3 but was not in fact Victim 3. When Victim 3 described this to the defendant in messages, he then sent himself multiple messages from “the stalker,” including two of the explicit photos that he had sent to the victim’s colleague and suggested to Victim 3 that her colleague was in fact her stalker.
The charging statute provides for a sentence of a maximum penalty of 5 years in prison. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
The Federal Bureau of Investigation led the investigation. Assistant U.S Attorney John Kennedy is prosecuting the case.
CHARLOTTE, N.C. – Dujuan Marquise McNeil, 39, of Charlotte, was sentenced yesterday to 10 years in prison followed by three years of supervised release for illegal possession of a firearm after he assaulted two U.S. Postal Service mail carriers on the same day, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina.
Rodney Hopkins, Inspector in Charge of the Atlanta Division of the U.S. Postal Inspection Service (USPIS), which oversees Charlotte, joins U.S. Attorney Ferguson in making today’s announcement.
“My office will continue to aggressively prosecute those that threaten or harm our postal workers,” said U.S. Attorney Ferguson. “Postal workers are hard-working Americans that are vital to our way of life and essential to our system of commerce.”
“A core mission of the U.S. Postal Inspection Service is to provide a safe environment for Postal employees and the American public. Illegal weapons threaten the safety of all our communities,” said Inspector in Charge Hopkins. “We extend our utmost appreciation to our law enforcement partners and the U.S. Attorney’s Office in the Western District of North Carolina for supporting our mission and bringing this investigation to a successful conclusion.”
According to court records, on June 1, 2023, McNeil, used firearms to threaten two U.S. Postal Service mail carriers. In both instances, McNeil used his vehicle to block a mail truck, before threatening the carrier inside with his guns. McNeil believed someone with the post office stole an unidentified item from his package. McNeil also went to a local post-office complain about the alleged theft. Clerks at that office reported that McNeil stated he would kill whichever carrier was responsible for the alleged theft.
During the investigation, law enforcement determined the McNeil had multiple prior criminal convictions, including Possession of a Firearm by a Felon, Discharge of a Weapon into Occupied Property, and Domestic Violence Protective Order Violation, and was prohibited from possessing firearms.
On June 14, 2023, a federal search warrant was executed at McNeil’s residence, where law enforcement found and seized multiple firearms, including: three 9mm semi-automatic pistols (one fitted with an extended magazine); a Polymer 80 9mm semi-automatic pistol (commonly referred to as a “ghost gun”) with an extended magazine; an AR15 semi-automatic rifle; multiple magazines; and nearly 300 rounds of ammunition.
On October 30, 2024, McNeil pleaded guilty to possession of a firearm by a convicted felon. He is currently in federal custody and will be transferred to the custody of the Federal Bureau of Prisons.
In making today’s announcement U.S. Attorney Ferguson commended USPIS for their work in this investigation and thanked the Bureau of Alcohol, Tobacco, Firearms and Explosives and the Charlotte Mecklenburg Police Department for their assistance.
The U.S. Attorney’s Office in Charlotte prosecuted the case.
Greenbelt, Maryland – Chase William Mulligan, 28, of Silver Spring, Maryland, pled guilty to two counts of producing child sexual abuse material in federal court. The charges are in connection with a scheme in which he met young girls through social media and internet chat rooms and eventually “sextorted” them.
Specifically, through the scheme, Mulligan coerced at least 108 girls — ranging from ages 5-17 — to send him sexually explicit photographs and videos of themselves. When the girls told him they no longer wanted to send him sexually graphic images, Mulligan threatened to post the images online or come to their house.
Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the guilty plea with Special Agent in Charge William J. DelBagno of the Federal Bureau of Investigation (FBI) – Baltimore Field Office.
“Mulligan used manipulation, fear, and intimidation to exploit over 100 young victims. Now we must ensure that we send a clear message to Mulligan, and others, that those who abuse the most vulnerable members of our communities will pay a steep price,” Hayes said. “We’re committed to working with our law-enforcement partners to relentlessly pursue, prosecute, and bring to justice those who engage in these deplorable acts.”
“Chase Mulligan is a depraved and dangerous predator. He used social media to target, viciously threaten, and horribly abuse more than 100 minor victims – one as young as five years old,” DelBagno said. “His abhorrent behavior is not diminished by the fact he was thousands of miles away and never met his victims, rather, it’s the opposite. Despite his distance, he presents a serious threat to any child he can access through the internet. The FBI works diligently every day to find and arrest predators like Mulligan so they can no longer prey on innocent children.”
As detailed in the plea agreement, between at least 2019 and December 2023, Mulligan used numerous Snapchat, Discord, Roblox, Skype, Omegle, and Instagram accounts to target young girls. He convinced minors living in the United States, Canada, Denmark, Spain, Philippines, Australia, and United Kingdom to produce and send him sexually explicit images.
Mulligan also directed minors to expose their genital areas and engage in sexual conduct. Additionally, Mulligan coerced multiple girls to urinate on camera, insert objects into their genitalia, and participate in sexual acts with dogs.
After some victims informed Mulligan that they no longer wished to send him sexually explicit images, he threatened to publicly post the images or come to their homes. Mulligan wanted the victims to send more images depicting increasingly graphic sexual conduct.
As part of his plea agreement, Mulligan must register as a sex offender in places where he resides, is an employee, and is a student, under the Sex Offender Registration and Notification Act.
Mulligan is facing a mandatory minimum of 15 years and a statutory maximum of 60 years in federal prison. U.S. District Judge Theodore C. Chuang scheduled sentencing for Wednesday, August 27, at 2:30 p.m.
This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorney’s Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, visit www.justice.gov/psc. Click the “Resources” tab on the left side of the page to learn about Internet safety education.
U.S. Attorney Hayes commended the FBI for its work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorneys Megan S. McKoy and Elizabeth Wright who are prosecuting the case.
Source: Federal Bureau of Investigation FBI Crime News (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury on charges related to child pornography.
According to an indictment returned this week, Jeffrey Lynn Petrie, 40, of Kansas City, Mo., was charged with one count of distributing child pornography over the internet in May 2024, and one count of receiving child pornography from Dec. 9, 2024, to Dec. 10, 2024.
The indictment replaces a complaint originally filed on Friday, April 25, 2025. According to an affidavit filed in support of the criminal complaint, law enforcement officers received a Cybertip reporting that a user, “kinkypopper69,” was uploading video files depicting child sexual abuse materials. Petrie was later identified as the user “kinkypopper69.”
On April 24, 2025, the FBI conducted a search at Petrie’s residence and seized a cell phone and other electronic devices.
Petrie is a registered sex offender in Missouri based on prior convictions for child molestation in the 2nd degree.
The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.
Under federal statutes, if convicted of distribution and receipt of child pornography, a prison sentence of not less than 15 years and not more than 40 years and a fine of up to $250,000 is authorized on each count. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Assistant U.S. Attorney Teresa A. Moore. This case was investigated by the Federal Bureau of Investigation, and the Franklin County, Missouri Sheriff’s Office.
Project Safe Childhood
This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.usdoj.gov/psc. For more information about Internet safety education, please visit www.usdoj.gov/psc and click on the tab “resources.”
Source: Federal Bureau of Investigation FBI Crime News (b)
ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon following a shooting incident outside a restaurant.
According to court documents, Navajo Nation Police responded to a 911 call reporting that an individual was shot in the hand in front of the Little Caesars Restaurant in Shiprock. Officers located the suspect, identified as TerroldTyler, 35, an enrolled member of the Navajo Nation, near the scene carrying a black backpack that contained a homemade firearm and five live shotgun shells. Tyler was detained without incident.
Investigators determined that Tyler and the victim were involved in an argument behind the restaurant prior to the shooting. Tyler allegedly produced the homemade shotgun and shot the victim in the left hand. Paramedics responded to the scene, but the victim declined medical treatment. A social media video depicting Tyler with the firearm was also recovered as evidence.
Tyler is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Tyler faces up to 10 years in prison.
U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.
The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.
A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
To gain initial access to targeted entities, unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:
C:Windowssystem32ntdsutil.exe "activate instance ntds" ifm "create full C:temp[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggest that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras
Country
Percentage of Total Attempts
Ukraine
81.0%
Romania
9.9%
Poland
4.0%
Hungary
2.8%
Slovakia
1.7%
Others
0.6%
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint, detection, and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
*.000[.]pe
*.1cooldns[.]com
*.42web[.]io
*.4cloud[.]click
*.accesscan[.]org
*.bumbleshrimp[.]com
*.camdvr[.]org
*.casacam[.]net
*.ddnsfree[.]com
*.ddnsgeek[.]com
*.ddnsguru[.]com
*.dynuddns[.]com
*.dynuddns[.]net
*.free[.]nf
*.freeddns[.]org
*.frge[.]io
*.glize[.]com
*.great-site[.]net
*.infinityfreeapp[.]com
*.kesug[.]com
*.loseyourip[.]com
*.lovestoblog[.]com
*.mockbin[.]io
*.mockbin[.]org
*.mocky[.]io
*.mybiolink[.]io
*.mysynology[.]net
*.mywire[.]org
*.ngrok[.]io
*.ooguy[.]com
*.pipedream[.]net
*.rf[.]gd
*.urlbae[.]com
*.webhook[.]site
*.webhookapp[.]com
*.webredirect[.]org
*.wuaze[.]com
Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when basing triaging logs or developing detection rules on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate window executable to view, edit, and backup Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe “-headless-new -disable-gpu”
ntdsutil.exe “activate instance ntds” ifm “create full C:temp[a-z]{3}” quit quit
Disclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
June 2024
July 2024
August 2024
192[.]162[.]174[.]94
207[.]244[.]71[.]84
31[.]135[.]199[.]145
79[.]184[.]25[.]198
91[.]149[.]253[.]204
103[.]97[.]203[.]29
162[.]210[.]194[.]2
31[.]42[.]4[.]138
79[.]185[.]5[.]142
91[.]149[.]254[.]75
209[.]14[.]71[.]127
46[.]112[.]70[.]252
83[.]10[.]46[.]174
91[.]149[.]255[.]122
109[.]95[.]151[.]207
46[.]248[.]185[.]236
83[.]168[.]66[.]145
91[.]149[.]255[.]19
64[.]176[.]67[.]117
83[.]168[.]78[.]27
91[.]149[.]255[.]195
64[.]176[.]69[.]196
83[.]168[.]78[.]31
91[.]221[.]88[.]76
64[.]176[.]70[.]18
83[.]168[.]78[.]55
93[.]105[.]185[.]139
64[.]176[.]70[.]238
83[.]23[.]130[.]49
95[.]215[.]76[.]209
64[.]176[.]71[.]201
83[.]29[.]138[.]115
138[.]199[.]59[.]43
70[.]34[.]242[.]220
89[.]64[.]70[.]69
147[.]135[.]209[.]245
70[.]34[.]243[.]226
90[.]156[.]4[.]204
178[.]235[.]191[.]182
70[.]34[.]244[.]100
91[.]149[.]202[.]215
178[.]37[.]97[.]243
70[.]34[.]245[.]215
91[.]149[.]203[.]73
185[.]234[.]235[.]69
70[.]34[.]252[.]168
91[.]149[.]219[.]158
192[.]162[.]174[.]67
70[.]34[.]252[.]186
91[.]149[.]219[.]23
194[.]187[.]180[.]20
70[.]34[.]252[.]222
91[.]149[.]223[.]130
212[.]127[.]78[.]170
70[.]34[.]253[.]13
91[.]149[.]253[.]118
213[.]134[.]184[.]167
70[.]34[.]253[.]247
91[.]149[.]253[.]198
70[.]34[.]254[.]245
91[.]149[.]253[.]20
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
meta:
description = "Detects NTLM listeners including APT28's custom one"
( any of ($sysinternals_*) and any of ($psexec_*) )
or
( 2 of ($network_*) and 2 of ($psexec_*))
)
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to reporting suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment user for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title
ID
Details
Network Isolation
Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation
Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering
Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis
Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering
Block NTLM/SMB requests to external infrastructure.
Platform Monitoring
Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation
Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation
Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis
Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis
Use services that provide enhanced browsing services and safe link checking.
Network Access Mediation
Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis
Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Multi-factor Authentication
Use MFA with strong factors and require regular re-authentication, especially for management accounts.
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions
Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication
Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Threshholding
Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.
Strong Password Policy
Use a service to check for compromised passwords before using them.
Credential Rotation
Change all default credentials.
Encrypted Tunnels
Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update
Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication
Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis
Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
WASHINGTON, May 21, 2025 (GLOBE NEWSWIRE) — Rhizome, the leading climate resilience planning platform for the power grid, today announced the close of a $6.5 million oversubscribed Seed funding round led by Base10 Partners. The company will use the funding to scale their AI platform and team as they continue to help utilities protect their grid and customers from the impacts of extreme weather events. Rhizome will focus on building out its existing platform, new product research and development, and expanding its geographic footprint domestically and internationally.
Rhizome, launched in 2023, supports utilities by helping them model the impacts of increasingly severe extreme weather events against their systems. By leveraging AI against climate risk data and digital representations of the physical grid, Rhizome’s platform identifies vulnerabilities and prioritizes resilience investments and upgrades. This fundraise will further fuel Rhizome’s mission to integrate climate intelligence into utility planning workflows at a time when grid resilience has never been more crucial.
Extreme weather events are rapidly increasing in frequency, intensity, and cost. In 2024 alone, the U.S. faced 27 billion-dollar climate and weather disasters, totaling over $182 billion in damages. For electric utilities, the stakes are particularly high. A McKinsey analysis found that major storms have cost individual utilities an average of $1.4 billion over a 20-year period, underscoring the urgent need for smarter, more resilient infrastructure planning in the face of growing climate volatility.
At the same time, electric utility capital expenditures hit a record $179 billion, with projections rising to $194 billion in 2025. In an environment where every dollar counts, utilities need advanced planning tools that can simulate a range of climate scenarios — removing the guesswork from resilience planning and helping every dollar go further.
“We set out to partner with investors who deeply understand the power sector and share our commitment to solving pressing climate resilience challenges,” said Mishal Thadani, Co-founder and CEO of Rhizome. “This funding allows us to scale our work and continue refining a suite of products that help utilities prepare the grid for an increasingly uncertain future.”
“Resilience is unquestionably one of the most important factors in ensuring a safe, reliable power grid,” said Rexhi Dollaku, General Partner at Base10 Partners. “Mish, Rahul, and the team bring the right mix of vision, urgency, and technical depth to solve this challenge, and we’re proud to support them.”
In just under two years, Rhizome has developed and commercialized a suite of mission-specific products used by electric utilities in diverse geographical regions. Its flagship product, gridADAPT, supports long-term infrastructure planning by helping utilities prioritize investments that improve reliability and resilience. This was followed by the launch of gridFIRM, a first-of-its-kind platform for wildfire risk mitigation, and most recently, gridCAVA –– an affordable climate vulnerability assessment tool designed specifically for municipal and cooperative utilities. Built on Rhizome’s scalable, cloud-based Aspen platform, these tools round out a powerful portfolio of climate resilience planning tools designed to model current and future climate risk against utility infrastructure, available to utilities across Rhizome’s expanding geographical footprint.
Rhizome is expanding its platform, growing its team, and partnering with more utilities to strengthen resilience in the face of climate-driven threats. Contact Rhizome or visit here to learn more about the company’s expanding portfolio of climate risk solutions.
About Rhizome Rhizome is an AI-powered software platform that helps utilities identify vulnerabilities from climate threats, quantify risk at high resolutions, and measure the economic and social benefits of grid-enhancing investments. Rhizome provides the highest standard of equitable climate risk mitigation to ensure that communities and businesses are protected against intensifying extreme weather events.
About Base10 Partners Founded by Adeyemi Ajao and TJ Nahigian, Base10 is a San Francisco-based venture capital fund investing in founders who believe purpose is key to profits and companies that are automating sectors of the Real Economy, including transportation, retail, logistics, and construction. Through its program, The Advancement Initiative, Base10 aims to donate 50% of profits to underfunded colleges and universities to support financial aid and other key initiatives. Portfolio companies include Notion, Figma, Nubank, Stripe, Motive, Chili Piper, and Popmenu. Connect via base10.vc.
Zug, Switzerland, May 21, 2025 (GLOBE NEWSWIRE) — – Panther Protocol has officially released its codebase as open-source software, following a successful security audit conducted by Veridise, a leader in blockchain auditing. This launch offers access to Panther’s industry-leading Zero-Knowledge technology to build DeFi solutions that meet customizable regulatory requirements and users’ on-chain data privacy needs.
The open-source code will enable developers, financial market participants, and blockchain innovators to integrate, utilize, and build upon Panther’s privacy-enhancing technology. Panther’s move to greater accessibility for development reflects its organizational shift towards more community-led development, as Panther’s IP has transitioned to the Panther Protocol Foundation.
Moving forward, the Foundation will oversee the protocol’s ongoing development and strategic growth, setting the stage for increased community engagement and a decentralized governance model through the Panther DAO.
Before being made publicly available, Panther’s code underwent a detailed review by Veridise. The audit included an analysis of Panther’s Zero-Knowledge circuits, and smart contracts. With the audit now complete, Panther’s codebase has been made publicly available under the LGPL3.0 and MIT License.
Dr. Anish Mohammed, Co-Founder of Panther Protocol, commented: “Open-sourcing Panther’s audited code represents a significant milestone in our journey toward transparency and decentralization. By making our technology accessible, we invite the broader decentralized finance and Web3 community to contribute, innovate, and verify our security, ensuring Panther’s continued growth as a trusted, privacy-preserving DeFi protocol. The goal of the project was always to build an infrastructure where compliance and confidentiality can coexist, and we would like to invite everyone to try out the solutions that have been built.”
A Platform for Builders
Panther’s open-source release supports the broader Web3 community. Web3 builders, licensed Zone Managers, and developers will be able to take advantage of Panther’s privacy-focused infrastructure and tooling to build DeFi applications that provide greater privacy and confidentiality to users. With Panther’s codebase now open-source, developers can adapt and build upon existing tools to create their own infrastructure that benefits from Panther.
With governance remaining in the hands of the Panther DAO, the protocol will continue to evolve in line with community values. This release furthers Panther’s mission of enabling confidential, compliant access to DeFi.
Panther’s codebase can be found on the Panther Protocol’s Foundation GitHub and GitLab. The licensing chosen supports the open-source ethos of the Web3 ecosystem, fostering a community-driven approach to Panther’s evolution.
ENDS
About Panther Protocol Foundation
The Panther Protocol Foundation is dedicated to supporting the adoption and sustainability of the Panther Protocol across the decentralized Web. The Foundation works to anchor the Panther Protocol for DeFi and blockchain ecosystems, thus empowering users, builders, and licensed operators to participate in tomorrow’s internet while remaining confidential. The Foundation also focuses on open-source code, research, and awareness of the Panther Protocol’s core technologies.
SAN ANTONIO — U.S. Immigration and Customs Enforcement arrested 275 illegal aliens, including 178 criminal aliens, during a seven-day operation focused on increasing public safety May 11-17.
“Criminal aliens have taken advantage of our immigration laws for long enough. We will continue to prioritize public safety,” said ICE Enforcement and Removal Operations San Antonio acting Field Office Director Sylvester M. Ortega. “Our mission to protect the American people is stronger than ever thanks to the hard work and dedication of ICE personnel out every day locating, arresting and removing criminal aliens illegally present in our country.”
Included among the criminal aliens arrested during the operation are the following:
A 34-year-old, twice-deported criminal alien from Mexico, arrested May 14 who has been convicted of felony — illegal reentry, and is facing charges for a second criminal charge for illegal reentry into the U.S. after deportation.
A 37-year-old criminal alien from Cuba, arrested May 15 who has been convicted of manufacturing and distributing heroin/methamphetamines and selling marijuana. This alien has also been arrested for forgery and drug possession.
A 49-year-old, twice-deported criminal alien from Mexico arrested May 15 who has been convicted of assault and battery, illegal reentry into the U.S., and disturbing the peace.
A 57-year-old alien from Costa Rica arrested May 16 who is wanted by Costa Rican authorities for fraud.
Criminal aliens arrested during this operation also had charges that included domestic violence, cocaine possession, larceny, driving under the influence, drug trafficking, weapon offenses, and assault.
Numerous law enforcement agencies assisted ICE during the operation, including the Texas Department of Public Safety, Drug Enforcement Administration, Bureau of Alcohol Tobacco Firearms and Explosives, Federal Bureau of Investigations, U.S. Border Patrol and the U.S. Marshals Service.
“These joint operations show the public what can be done when agencies work together toward a common goal of public safety,” added Ortega.
Members of the public can report crime and suspicious activity by calling 866-347-2423 or completing the online tip form. Follow us on X at @EROSanAntonio to learn more about ERO’s missions and operations.
A foreign national was sentenced today to 30 months in prison for his role in a scheme to defraud Medicare of more than $3.2 million through a sham durable medical equipment company.
According to court documents, Julian Lopez, 55, a citizen of Cuba who resides in Miami-Dade County, Florida, obtained Medicare beneficiary identification cards and sold Medicare beneficiaries’ personal information to a durable medical equipment company, One Medical Services. Lopez knew the Medicare identification cards he obtained would be used to submit fraudulent claims to Medicare. One Medical Services used the information from Lopez to bill Medicare for orthotic braces that were never provided to the Medicare beneficiaries. In connection with the scheme, One Medical Services submitted and caused the submission of over $3.2 million in false and fraudulent claims to Medicare for medically unnecessary DME.
Lopez pleaded guilty to two counts of health care fraud in February 2025. At sentencing, he was also ordered to pay $1,496,412 in restitution.
Matthew R. Galeotti, Head of the Justice Department’s Criminal Division; Acting Special Agent in Charge Jesus Barranco at the U.S. Department of Health and Human Services, Office of Inspector General (HHS-OIG) Miami Regional Office; and Acting Special Agent in Charge Brett Skiles of the FBI Miami Field Office made the announcement.
The FBI and HHS-OIG investigated the case.
Assistant Chief Emily Gurskis and Trial Attorney Owen Dunn of the Criminal Division’s Fraud Section prosecuted the case.
The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, currently comprised of nine strike forces operating in 27 federal districts, has charged more than 5,800 defendants who collectively have billed federal health care programs and private insurers more than $30 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with HHS-OIG, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at www.justice.gov/criminal-fraud/health-care-fraud-unit.
WASHINGTON – Kenneth Watts, 57, of Upper Marlboro, Md., and James Kinard, 47, of Temple Hills, Md., were found guilty by a federal jury today for their roles in a drug trafficking conspiracy that distributed large amounts of cocaine, fentanyl and PCP in the DMV. The conspiracy also used firearms to protect their narcotics and the proceeds from their trafficking operation.
The verdicts were announced by U.S. Attorney Jeanine Ferris Pirro, FBI Assistant Director in Charge Steven J. Jensen of the Washington Field Office, DEA Special Agent in Charge Ibrar A. Mian of the Drug Enforcement Administration Washington Division, and Chief Pamela Smith of the Metropolitan Police Department.
The jury found both defendants guilty of conspiracy to distribute and possess with intent to distribute one kilogram or more of PCP. The jury also found defendant Kinard guilty of conspiracy to distribute and possess with intent to distribute 40 grams or more of fentanyl. U.S. District Court Judge Jia M. Cobb scheduled sentencing for August 7, 2025. Watts and Kinard each face a minimum-mandatory sentence of 10 years in federal prison.
Watts has two prior felony drug convictions. Kinardhas a prior 1995 conviction for second-degree murder while armed and a prior 2016 conviction assault with intent to commit robbery while armed and related offenses. Kinard was on supervised release during the investigation in this case.
Three co-defendants pleaded guilty before the case went to trial on May 7.
Melvin Grayson, 51, of District Heights, Maryland, pleaded guilty to conspiracy to distribute a detectable amount of cocaine, more than 40 grams or more of fentanyl, and more than one kilogram or more of PCP. Grayson faces a minimum-mandatory sentence of ten years. He has two prior felony drug convictions from 1993.
Tyrone Ragland, 56, aka “Tech,” of the District, pleaded guilty to a charge of conspiracy to distribute one kilogram of PCP. Charles Cunningham, 58, of the District, pleaded guilty to unlawful possession of a firearm by a felon. According to their plea agreements, Ragland and Cunningham will be required to serve 15 years in prison. Cunningham has four prior felony drug convictions.
According to court documents and evidence presented at trial, officers with the Prince George’s County Police Department intercepted a package containing six kilos of PCP at a FedEx facility in Maryland. The officers set up a controlled delivery of the package and stopped defendant Kenneth Watts after he picked it up. In Watts’ cell phone, investigators found text messages linking Watts to the package and to co-defendant Melvin Grayson.
Through controlled purchases and wiretaps, evidence showed that Grayson distributed PCP, fentanyl, cocaine, and heroin, in the Washington, D.C. metropolitan area. The investigation also showed that defendants Ragland, Cunningham, Kinard and others conspired with Grayson to distribute the narcotics. In search warrants conducted at various residences, agents recovered four firearms, more than 2.5 kilos of PCP, more than 100 grams of fentanyl, and approximately $50,000 in cash.
This case is being investigated by the FBI’s Washington Field Office Cross Border Task Force and the DEA Washington Field Office, with assistance from MPD’s Violent Crime Suppression Division and the Prince George’s County Police Department. The Cross Border Task Force is a part of the FBI’S Safe Streets Initiative and targets the most egregious and violent street crews operating in the District of Columbia. Valuable assistance was provided by the U.S. Attorney’s Office for the District of Maryland and the Baltimore/Washington High Intensity Drug Trafficking Area (HIDTA) program.
This investigation was part of an Organized Crime Drug Enforcement Task Force (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at www.justice.gov/OCDETF.
The matter is being prosecuted by Assistant U.S. Attorneys Nihar R. Mohanty and Iris Y. McCranie of the U.S. Attorney’s Office for the District of Columbia.
ST. LOUIS – U.S. District Judge Sarah E. Pitlyk on Tuesday sentenced a purported auto mechanic from Arizona to 33 Months in Prison and ordered him to repay $1.37 million to his fraud victims.
Beginning in November 2019, Andres “Manny” Lopez, 37, defrauded customers of his Arizona company, All Performance Tuning and Diesel Repair LLC, by accepting money for vehicles, vehicle upgrades and parts with no intention of performing the work or turning over the vehicles. He also damaged some customer vehicles and loaned vehicles to others without the owners’ consent.
A Missouri victim who wanted to buy a vehicle for his mother wired Lopez $45,000 for a Toyota RAV4. Lopez falsely claimed that he’d bought the vehicle, and then provided a series of false excuses about why it was not being delivered. Lopez claimed delivery delays were due to product recalls and even impersonated the general manager of a Florida Toyota dealership in text messages to the client’s mother.
After Lopez was indicted in October of 2023, he defrauded another victim out of approximately $567,892.
Lopez used the money for personal expenses.
In a letter to the court, one victim spoke of Lopez’s pattern: “Promise… then a reason why I cannot meet that promise… then a new promise… then repeat the string (for years).”
Lopez pleaded guilty in February U.S. District Court in St. Louis to one count of wire fraud.
“For years, Andres Lopez lied to customers to line his own pockets. The lies and manipulation continued even after he had been charged for the crime and released on bond,” said Special Agent in Charge Chris Crocker of the FBI St. Louis Division. “Today, Lopez earned every day of his prison sentence for victimizing people with his fraudulent business practices.”
The FBI investigated the case. Assistant U.S. Attorney Derek Wiseman is prosecuting case.
OAKLAND – Adesola Kehinde was sentenced yesterday to 57 months in federal prison for unlawful possession of a firearm and ammunition as a felon. U.S. District Judge Araceli Martínez-Olguín handed down the sentence.
Kehinde, 38, of Alameda, was charged by complaint in January 2024 and by information in May 2024. On Dec. 16, 2024, Kehinde pleaded guilty to one count of being a felon in possession of a firearm and ammunition in violation of 18 U.S.C. § 922(g)(1). According to the plea agreement, Kehinde admitted that on Jan. 9, 2024, officers with the Alameda Police Department detained him while he was seated in the driver’s seat of his car, which was parked outside of his apartment building. At the time, Kehinde was on parole after serving a state prison sentence for human trafficking of a minor, threats with intent to terrorize, and robbery. Officers searched Kehinde’s car and located a loaded Glock pistol with one round in the chamber and six rounds inside the magazine inserted into the pistol.
Acting United States Attorney Patrick D. Robbins and FBI Special Agent in Charge Sanjay Virmani made the announcement.
In addition to the prison term, Judge Martínez-Olguín also sentenced Kehinde to a three-year period of supervised release and ordered him to forfeit the firearm and ammunition he possessed.
Assistant U.S. Attorney Jonah Ross is prosecuting the case with the assistance of Amala James. The prosecution is the result of an investigation by the FBI and the Alameda Police Department.
Gulfport, MS – An Ocean Springs, Mississippi man pleaded guilty today to extortion by official right and witness tampering.
According to court documents, Steven Wood, 64, used his position as a Mississippi Probation and Parole officer to extort drugs, sexual photos, and sexual services from multiples state probationers. The investigation was initiated when a probationer reported to the Federal Bureau of Investigation (“FBI”) that Wood was having her bring him methamphetamine. Subsequent investigation including additional witness interviews, and the forensic examination of Wood’s phone revealed that he solicited methamphetamine, sexual photos, and videos from multiple probationers. Wood took official action on those probationer’s behalf by not reporting their use, possession, or transfer of illegal drugs, not requiring them to report for their probation visits, not requiring some of them to pay their probation fees and writing at least one letter to be submitted by a probationer in a child custody dispute.
During the course of the investigation, Wood contacted multiple probationers, and he told one probationer to lie about her relationship with Wood and to hide evidence.
Wood pleaded guilty to one count of extortion by official right in violation of the Hobbs Act and one count of witness tampering. He is scheduled to be sentenced on September 17, 2025. He faces not more than 20 years of imprisonment for both the Hobbs Act and Witness Tampering offenses. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Acting U.S. Attorney Patrick A. Lemon of the Southern District of Mississippi and FBI Special Agent in Charge, Rob Eikhoff, made the announcement.
The FBI, with assistance of the Mississippi Department of Corrections and the Mississippi Bureau of Narcotics are investigating the case.
Assistant U.S. Attorney Jonathan Buckner is prosecuting the case.
Defendant allegedly embezzled hundreds of thousands of dollars from relatives with disabilities
BOSTON – A Lexington, Mass. attorney has been charged and agreed to plead guilty in connection with alleged schemes to defraud Massachusetts victims, including two of his own relatives.
David Smerling, 75, has agreed to plead guilty to a Superseding Information charging him with four counts of wire fraud, two counts of money laundering and one count of aggravated identity theft. Smerling was previously indicted in January 2025 on charges of embezzling from a business partner.
“The alleged multi-million-dollar embezzlement that Mr. Smerling was originally charged with was, unfortunately, just the tip of the iceberg. Today’s charges allege that Mr. Smerling also preyed on a family member with special needs and another with dementia, allegedly stealing money these victims needed for their own care,” said United States Attorney Leah B. Foley.
“For anyone with elderly and vulnerable loved ones, these are frightening allegations,” said Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “David Smerling allegedly betrayed the trust of his victims and took full advantage – embezzling from them to line his own pockets while trying to cover up his crimes. The FBI will never stop working to protect the public from criminals like this, and we’re gratified to see him brought to justice.”
According to court filings, between January 2016 and May 2020, Smerling embezzled more than $2.5 million from three Massachusetts companies for whom he worked as a bookkeeper. Specifically, it is alleged that Smerling transferred funds from the victim companies into a separate bank account that he controlled, before moving the money to bank accounts in his own name or directly from the companies’ accounts to bank accounts in his own name. Smerling allegedly concealed his scheme by changing the mailing address on victims’ bank statements to his home address and refusing to share the online banking password for the victims’ accounts.
Court filings further allege that, between May 2020 and August 2021, Smerling embezzled more than $470,000 from a trust established for the benefit of a relative with special needs for which Smerling served as the trustee. Smerling allegedly transferred trust funds to bank accounts he controlled before sending the funds to bank accounts in his wife’s name or using the funds to pay for personal expenses. It is alleged that Smerling concealed his scheme by making lulling payments to the beneficiary so he would not discover the trust had been depleted.
Court filings also allege that, between May 2023 and April 2025, Smerling embezzled more than $150,000 from a relative with dementia for whom Smerling served as the financial power of attorney. Specifically, Smerling allegedly transferred funds from the victim’s accounts to accounts he controlled, used a credit card in the victim’s name for personal purchases and took out a loan in the victim’s name. To conceal this scheme, Smerling allegedly misrepresented the purpose of the transfers to the financial institutions in which the victim’s accounts were held.
The charge of wire fraud provides for a sentence of up to 20 years in prison, three years of supervised release and a fine of up to $250,000 or twice the gross gain or loss, whichever is greater. The charge of money laundering provides for a sentence of up to 20 years in prison, three years of supervised release and a fine of up to $500,000 or twice the value of the property involved in the transaction, whichever is greater. The charge of aggravated identity theft provides for a mandatory sentence of two years in prison to be served consecutive to any sentence imposed on the wire fraud and money laundering charges. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
U.S. Attorney Leah B. Foley and FBI Acting SAC Milka made the announcement today. Assistant U.S. Attorney Kristen A. Kearney of the Securities, Financial & Cyber Fraud Unit is prosecuting the case.
The details contained in the charging documents are allegations. The defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Nicholas Mangione, 44, of Buffalo, NY, pleaded guilty before U.S. District Judge Lawrence J. Vilardo to possession of child pornography following a prior conviction, which carries a mandatory minimum penalty of 10 years in prison, a maximum of 20 years, and a fine of $250,000.
Assistant U.S. Attorney Aaron J. Mango, who handled the case, stated that in April 2013, Mangione was convicted of possession of child pornography and sentenced to serve 48 months in prison. On August 15, 2024, a federal search warrant was executed at Mangione’s residence after it was discovered he uploaded a file containing child pornography to the Snapchat server. During the search, Mangione’s cellular telephone was seized. An examination of the device uncovered approximately 20 images and 52 videos of child pornography. It was also determined that Mangione distributed child pornography to other individuals using the Telegram application in exchange for other child pornographic files.
On August 16, 2024, the defendant was arrested on New York State charges and was found to be in possession of an additional cell phone, which also contained images and videos of child pornography. Some of the child pornography possessed by Mangione depicted the sexual exploitation of an infant or toddler and depictions of violence against children.
The plea is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia, and the New York State Police, under the direction of Major Amie Feroleto.
Sentencing is scheduled for September 30, 2025, at 9:30 a.m. before Judge Vilardo.
Defendant staged armed robberies so that “victims” could apply for immigration benefits in exchange for thousands of dollars
BOSTON – An Indian national, residing in New York, pleaded guilty today in federal court in Boston to staging armed robberies in furtherance of a visa fraud conspiracy.
Rambhai Patel, 37, pleaded guilty to on one count of conspiracy to commit visa fraud. U.S. District Court Judge Myong J. Joun scheduled sentencing for Aug. 20, 2025. In December 2023, Patel was charged along with a co-conspirator.
Beginning in March 2023, Patel and his alleged co-conspirator set up and carried out staged armed robberies of at least nine convenience/liquor stores and fast-food restaurants across the United States – including at least five in Massachusetts. The purpose of the staged robberies was to allow the store clerks to claim that they were victims of a violent crime on an application for U nonimmigrant status (U Visa). A U Visa is available to victims of certain crimes who have suffered mental or physical abuse and who have been helpful to law enforcement in the investigation or prosecution of criminal activity.
During the staged robberies, the “robber” would threaten store clerks and/or owners with an apparent firearm before taking cash from the register and fleeing, while the interaction was captured on store surveillance video. The clerks and/or owners would then wait five or more minutes until the “robber” had escaped before calling police to report the “crime.” The “victims” paid Patel to participate in the scheme. One purported victim paid $20,000 to participate as a victim in one of the staged armed robberies. In turn, Patel paid the store owners for the use of their stores for the staged robbery.
At least two purported victim co-conspirators submitted U Visa applications based on being victims of the staged armed robberies.
Singh is scheduled to plead guilty on May 22, 2025.
The charge of conspiracy to commit visa fraud provides for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000. The defendant is subject to deportation upon completion of any sentence imposed. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
United States Attorney Leah B. Foley and Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division made the announcement. Valuable assistance in the investigation was provided by the U.S. Attorney’s Offices for the Eastern District of New York and the Western District of Washington; FBI’s New York and Seattle Field Offices; U.S. Citizenship and Immigration Services; Massachusetts State Police; Worcester County District Attorney’s Office; and the Hingham, Marshfield, Randolph, Weymouth, Worcester, Upper Darby, (Pa.), West Pittston (Pa.), Louisville, (Ky.) and Bean Station (Tenn.) Police Departments. Assistant U.S. Attorneys Elianna J. Nuzum and Jessica L. Soto of the Criminal Division are prosecuting the case.
The details contained in the charging documents are allegations. The remaining defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
ALBANY, NEW YORK – Joseph Mitchell, age 38, of Nelliston, New York, was sentenced today to 135 months in prison for conspiring to distribute methamphetamine and possession of a firearm as a previously convicted felon. United States Attorney John A. Sarcone III and Special Agent in Charge Frank A. Tarentino III of the U.S. Drug Enforcement Administration (DEA), New York Field Division, made the announcement.
United States Attorney Sarcone stated: “Montgomery County will be safer with this defendant off the streets. We will continue to aggressively investigate and prosecute drug dealers and felons who possess firearms.”
DEA Special Agent in Charge Frank A. Tarentino III stated: “As we often see, drugs and weapons go hand in hand. Today’s sentencing is a reminder that justice will be delivered to those who push illicit narcotics into our communities. The DEA remains committed to working with our law enforcement partners in protecting our communities and enhancing public safety.”
Mitchell admitted to working with another person to distribute more than 350 grams of methamphetamine throughout August 2024. A search warrant executed at Mitchell’s home on September 5, 2024, led to the recovery of two rifles and one shotgun. As a result of his prior felony convictions for attempted robbery and narcotics possession, Mitchell could not lawfully possess firearms.
United States District Judge Mae A. D’Agostino also ordered Mitchell to serve 5 years of supervised release and to forfeit the seized firearms.
The DEA investigated the case with assistance from the Federal Bureau of Investigation. Assistant U.S. Attorney Jonathan S. Reiner prosecuted the case.
ALBANY, NEW YORK – Zyjee Lind, a/k/a “Fredo,” age 30, of Troy, New York, was arraigned today on an indictment charging him with possession of firearms as a previously convicted felon, possession of controlled substances with intent to distribute, and possession of a firearm in furtherance of drug trafficking crimes. United States Attorney John A. Sarcone III and Craig L. Tremaroli, Special Agent in Charge of the Albany Field Office of the Federal Bureau of Investigation (FBI), made the announcement.
If convicted on all charges, Lind would face at least 5 years and up to life in prison, and a term of supervised release of at least 3 years and up to life. A defendant’s sentence is imposed by a judge based on the particular statutes the defendant is charged with violating, the U.S. Sentencing Guidelines, and other factors.
The charges in the indictment are merely accusations. The defendant is presumed innocent unless and until proven guilty.
The FBI is investigating the case, which Assistant U.S. Attorney Jonathan S. Reiner is prosecuting.
SALT LAKE CITY, Utah – Wicliff Yves Fleurizard, 27, of Leander, Texas, was sentenced today on a felony conviction to time-served (approximately six months’ imprisonment), after he unlawfully boarded a Delta Airlines flight in 2024 and hid in a lavatory for a flight to Austin, Texas, from Salt Lake City International Airport.
The sentence, imposed by U.S. District Court Judge David Barlow, comes after Fleurizard pleaded guilty on March 11, 2025, to being a stowaway on an aircraft. Fleurizard was also sentenced to three years’ supervised release and ordered to pay a $5,000 fine.
According to court documents and statements made at Fleurizard’s change of plea and sentencing hearings, on March 17, 2024, he intentionally boarded Delta Airlines flight #1683 at Gate 2 of the Salt Lake City International Airport, which was destined for Austin, Texas. Fleurizard intended to board the aircraft without purchasing a ticket and he hid in the lavatory to avoid getting caught, but was confronted by flight crew. Prior to boarding, Fleurizard was captured on surveillance footage in the boarding area taking photos of multiple passengers’ personal information on his cell phone. He then used that information to obtain electronic boarding passes in their names and successfully boarded airplanes in both Austin and Salt Lake City. See prior release: Texas Man Admits to Stowaway Charge Onboard a Delta Airlines Flight.
“Today’s sentence sends a clear message to would-be offenders that the District of Utah will not tolerate crimes committed in and around our vital airports,” said Acting U.S. Attorney Felice John Viti of the District of Utah. “Airport crimes will be prosecuted.”
“Mr. Fleurizard’s actions were not only disruptive to passengers, it also compromised the safety and security for all on board,” said Special Agent in Charge Mehtab Syed of the Salt Lake City FBI. “The sentence holds him accountable for trespassing, theft, and fraud.”
“This was a deliberate breach of security that put passengers and crew, at risk,” said Salt Lake City Police Chief Brian Redd. “The security measures we have in place are to keep everyone safe and this reminds us that we must regularly work to strengthen those aviation security measures. I want to thank our officers and FBI task force detectives who responded to investigate this incident alongside our federal partners, and the flight crew whose attentiveness on board helped protect the safety of our traveling community.”
The case was investigated jointly by an FBI Task Force Officer with the Salt Lake City Police Department.
Assistant United States Attorneys Bryan N. Reeves and Michael Kennedy of the U.S. Attorney’s Office for the District of Utah prosecuted the case.
SPRINGFIELD, Mo. – Two men from Springfield, Mo., were sentenced in federal court for their roles in a conspiracy to distribute large quantities of methamphetamine in the Springfield area.
Erik C. Foster, 43, was sentenced by U.S. District Judge Brian C. Wimes, to 215 months in federal prison without parole, to be followed by 5 years of supervised release. Foster pleaded guilty on Dec. 16, 2024.
Tilton Chase Tate, 41, was sentenced by U.S. District Judge Brian C. Wimes, to 146 months in federal prison without parole, to be followed by 5 years of supervised release. Tate pleaded guilty on October 15, 2024.
Foster and Tate were charged, along with other individuals, in a 24-count superseding indictment on July 25, 2023, for their roles in a drug conspiracy that lasted from Dec. 2020 to Oct. 2022.
Foster admitted to purchasing and delivering methamphetamine for other conspirators to distribute in Southwest Missouri. During the course of the conspiracy, law enforcement seized well over 50 grams of methamphetamine from members of the conspiracy.
According to court records, on Sep. 10, 2022, officers with the Republic, Mo. Police Department located two plastic bags containing at least 844 grams of methamphetamine from inside a speaker during a traffic stop where Foster was the passenger. Foster told officers that he had picked up the methamphetamine in Joplin and was taking it to Springfield to deliver it to a co-conspirator for distribution.
On Oct. 12, 2022, deputies with the Greene County, Mo., Sheriff’s Office seized a small plastic bag of what appeared to be black tar heroin, a backpack containing 70 grams of methamphetamine, and over $11,960 in cash from Foster during a traffic stop. During a post-Miranda interview, Foster told officers that he was taking the backpack to a co-conspirator for distribution and that he had made six or seven similar trips to deliver methamphetamine.
Tate admitted to possessing and distributing methamphetamine to others as part of the conspiracy.
On Oct. 19, 2021, during a traffic stop, a Springfield, Mo. Police Department (SPD) detective seized over 440 grams of methamphetamine from Tate.
On April 14, 2022, while executing a search warrant for Tate’s residence, SPD officers located a Ruger LCP 380 handgun and a Stoeger Arms, STR 9C 9mm handgun, as well as miscellaneous pills and suspected methamphetamine.
Later in April, during a post-Miranda interview, Tate admitted to purchasing the methamphetamine seized during the Oct. traffic stop from a co-conspirator. He estimated that he was selling a pound of methamphetamine each week.
This case is being prosecuted by Assistant U.S. Attorney Stephanie L. Wan. It was investigated by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Federal Bureau of Investigation, the Greene County, Mo., Sheriff’s Office, the Missouri State Highway Patrol, the Republic, Mo., Police Department, and the Springfield, Mo., Police Department.
Organized Crime and Drug Enforcement Task Force
This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
KANSAS CITY, Mo. – A Kansas City, Mo., man was sentenced in federal court today for his role in a conspiracy to distribute fentanyl, methamphetamine, and heroin and for possession of firearms in furtherance of that conspiracy.
Codi J. Monteer, 38, was sentenced by U.S. District Judge D. Greg Kays to 30 years in federal prison without parole.
On Oct. 8, 2024, Monteer pleaded guilty to one count of conspiracy to distribute fentanyl, methamphetamine, heroin, and marijuana; one count of maintaining a drug involved premises; one count of possession of firearms in furtherance of the drug conspiracy; and one count of being a felon in possession of firearms.
Monteer’s participation in the drug trafficking conspiracy lasted approximately one year and he was responsible for conspiring with others to distribute at least 124 kilograms of methamphetamine; 700 grams of fentanyl (powder and pills); and 1.58 kilograms of heroin. He was also in possession of several firearms used in furtherance of his drug trafficking.
On one occasion, in March 2021, Monteer led members of the Kansas Highway Patrol on a high-speed pursuit that reached speeds of approximately 145 miles per hour. The pursuit did not conclude until two of the tires came off Monteer’s vehicle. During the pursuit, drugs were thrown from the vehicle.
Monteer was an associate of Autumn Dicks, Ian Hazel, They Kelley, Marc Downs, and Jamison Hopson-Stephens. Those individuals have already been sentenced for their roles within the conspiracy. Monteer was also an associate of Davion Williams, Curtis Lewis, Daniel Anderson, and Aaron Dorsey in this conspiracy. Those individuals have all pleaded guilty and are awaiting sentencing.
This case is being prosecuted by Assistant U.S. Attorney Ashleigh A. Ragner. It was investigated by the Kansas City, Mo. Police Department, FBI, United States Postal Inspection Service, and the Kansas State Highway Patrol.
A foreign national was sentenced today to 30 months in prison for his role in a scheme to defraud Medicare of more than $3.2 million through a sham durable medical equipment company.
According to court documents, Julian Lopez, 55, a citizen of Cuba who resides in Miami-Dade County, Florida, obtained Medicare beneficiary identification cards and sold Medicare beneficiaries’ personal information to a durable medical equipment company, One Medical Services. Lopez knew the Medicare identification cards he obtained would be used to submit fraudulent claims to Medicare. One Medical Services used the information from Lopez to bill Medicare for orthotic braces that were never provided to the Medicare beneficiaries. In connection with the scheme, One Medical Services submitted and caused the submission of over $3.2 million in false and fraudulent claims to Medicare for medically unnecessary DME.
Lopez pleaded guilty to two counts of health care fraud in February 2025. At sentencing, he was also ordered to pay $1,496,412 in restitution.
Matthew R. Galeotti, Head of the Justice Department’s Criminal Division; Acting Special Agent in Charge Jesus Barranco at the U.S. Department of Health and Human Services, Office of Inspector General (HHS-OIG) Miami Regional Office; and Acting Special Agent in Charge Brett Skiles of the FBI Miami Field Office made the announcement.
The FBI and HHS-OIG investigated the case.
Assistant Chief Emily Gurskis and Trial Attorney Owen Dunn of the Criminal Division’s Fraud Section prosecuted the case.
The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, currently comprised of nine strike forces operating in 27 federal districts, has charged more than 5,800 defendants who collectively have billed federal health care programs and private insurers more than $30 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with HHS-OIG, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at www.justice.gov/criminal-fraud/health-care-fraud-unit.
ESET has released its latest advanced persistent threat (APT) report.
Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers.
China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors.
North Korea-aligned groups expanded their financially motivated campaigns using fake job listings and social engineering.
BRATISLAVA, Slovakia, May 20, 2025 (GLOBE NEWSWIRE) — ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country’s critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations.
Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. “The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,” says ESET Director of Threat Research Jean-Ian Boutin.
Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE 2024 9680) and Microsoft Windows (CVE 2024 49039).
In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups.
Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company.
Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment.
“The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,” adds Boutin.
Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page.
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.
PANAMA CITY, Fla. — U.S. Immigration and Customs Enforcement joined the Bay County Sheriff’s Office and other agencies held a joint press conference May 16 to announce the results of a two-day joint-agency operation that resulted in the arrest of 21 illegal aliens.
The operation with BCSO, ICE Homeland Security Investigations Panama City, ICE Enforcement and Removal Operations Miami-Tallahassee field office, the U.S. Department of Justice, the FBI, the Drug Enforcement Administration, the Bureau of Alcohol, Tobacco, Firearms and Explosives, U.S. Citizenship and Immigration Services, the Panama City Beach Police Department, the Florida Highway Patrol, the Panama City Police Department, and the Florida Department of Law Enforcement, mainly targeted those who overstayed a visa. During the operation, 18 were arrested in Bay County, and three in Leon County, Florida. Those arrested were from India, Venezuela, Nicaragua, Mexico, Guatemala, and Jamaica. Most illegal aliens arrested overstayed temporary visas for tourism and recreation.
“These people came on legit visas and abused that, which takes away from other people trying to obtain these visas. It’s also a federal crime to enter illegally, and a federal crime to overstay and set up residence when these visas expire,” said ICE Homeland Security Investigations Tallahassee Assistant Special Agent in Charge Nicholas Ingegno. “You can see a group of great people here that have gotten together to meet Sheriff Ford’s priorities, to meet the (Florida) governor’s priorities, and to meet the White House priorities.”
“Our partnership with ICE strengthens our efforts to keep Bay County safe,” said Sheriff Tommy Ford. “By working alongside federal, state, and local agencies, we’re better equipped to address illegal immigration tied to criminal activity. We look forward to expanding this cooperation through the 287(g) Task Force and Warrant Service Officer programs, giving us more tools to protect our community”
Four of the illegal aliens arrested entered the United States without inspection by a U.S. immigration official and one has been charged with felony illegal reentry after being previously removed. Sixteen of the illegal aliens arrested entered the county legally under a work, travel, or other visa program with a date assigned to leave the country, but they remained after the expiration date, violating the terms of their visa. Overstaying a visa is an abuse of the immigration system and a violation of federal law.
Ingegno pointed out the importance of removing people who abused the visa system by reminding everyone, “if you remember, a majority of the hijackers on 9/11 were visa overstays. This means the United States let them into the country and they did not leave when they were supposed to. Then they murdered 3,000 Americans.”
According to Ford, since Jan. 1, 2025, 178 illegal aliens have been arrested by Bay County law enforcement and had ICE detainers placed on them.
ICE officials have continually emphasized the agency’s continued focus to identifying public safety and national security threats. Individuals unlawfully present in the United States who are encountered during enforcement operations may be taken into custody and processed for removal in accordance with federal law.
Members of the public with information about suspected immigration violations or related criminal activity are encouraged to contact the ICE Tip Line at 866-DHS-2-ICE (866-347-2423) or submit information online via the ICE Tip Form.
For more information about ICE HSI Tampa and ICE ERO Miami and their efforts to enhance public safety in Florida, follow them on X at @HSITampa and ERO Miami.