Defendant Misappropriated Millions of Dollars of Investors’ Funds for His Own Use Including to Purchase Real Estate and Luxury Vehicles
Earlier today, at the federal courthouse in Brooklyn, a federal jury convicted Braden John Karony on all counts of a three-count indictment charging him with conspiracy to commit securities fraud, wire fraud, and money laundering. The charges arose from the defendant’s and his co-conspirators’ roles in defrauding investors in a decentralized finance digital asset called “SafeMoon,” issued by their company SafeMoon LLC. As alleged, the defendant agreed with his co-conspirators to lie to SafeMoon investors about whether SafeMoon executives could access the liquidity pool and whether they were using the assets from the liquidity pool for their personal benefit. As SafeMoon’s market capitalization grew to more than $8 billion, the defendant fraudulently diverted and misappropriated millions of dollars’ worth of liquidity from the SafeMoon liquidity pool for their personal benefit. The verdict followed a 12-day trial before United States District Judge Eric R. Komitee. When sentenced, Karony faces up to 45 years in prison. The jury also issued a verdict to forfeit one residential property and the proceeds from the sale of another residential property, amounting to approximately $2 million.
Joseph Nocella, Jr., United States Attorney for the Eastern District of New York; Christopher G. Raia, Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI); Harry T. Chavis, Jr., Special Agent in Charge, Internal Revenue Service Criminal Investigation, New York (IRS-CI); and Darren B. McCormack, Acting Special Agent in Charge, Homeland Security Investigations, New York (HSI New York) announced the verdict.
“As proven at trial, the SafeMoon digital asset was anything but safe and turned out to be pie in the sky for investors who were deliberately misled by Karony, a man who sought to get rich quick by stealing and diverting millions of dollars,” stated United States Attorney Nocella. “Karony used his scheme to purchase multiple homes, sports cars, custom trucks, and other luxury goods. Today’s guilty verdict should serve as a warning to all would-be fraudsters that my Office will vigorously prosecute individuals like the defendant who victimize digital asset investors and undermine investor confidence in digital assets markets, thereby threatening the stability and growth of these emerging technologies.”
Mr. Nocella expressed his appreciation to the U.S. Securities and Exchange Commission for its work on the case.
“Braden Karony, the CEO of SafeMoon, exploited his company’s digital portfolio with fictional success stories and stole millions of dollars in crypto-assets to finance luxury purchases,” stated FBI Assistant Director in Charge Raia. “Along with his co-conspirators, Karony violated his clients’ trust and wallets while attempting to conceal his misconduct through discreet transactions. May today’s conviction emphasize the FBI’s commitment to securing all markets and protecting the American people from individuals who abuse their position to satisfy personal greed.”
“Braden Karony misled investors; intentionally diverted and misappropriated millions in cryptocurrency for his personal benefit; and lined the driveways of his million dollar homes with luxury cars. While the name of his company is SafeMoon, there was nothing safe about this investment that was just a front for theft. By following the money with complex cryptocurrency tracing, IRS-CI New York’s Cyber and J5 groups worked with our investigative partners to see that this conman is held accountable for his greedy acts,” stated IRS-CI New York Special Agent in Charge Chavis. “The Joint Chiefs of Global Tax Enforcement (J5) is a global partnership that works together to gather information, share intelligence, and conduct coordinated operations against transnational financial crimes. The J5 includes the Australian Taxation Office, the Canada Revenue Agency, the Dutch Fiscal Intelligence and Investigation Service, His Majesty’s Revenue and Customs from the U.K. and IRS-CI from the U.S.”
“Steered by his selfish desires and insatiable greed, Braden John Karony treated millions of dollars in investors’ funds as his own personal bank account,” stated HSI New York Acting Special Agent in Charge McCormack. “The defendant will soon be trading his sprawling real estate and luxury vehicles for a jail cell within the four walls of a federal penitentiary. As reflected by today’s conviction, whether it involves fiat or crypto, HSI New York’s El Dorado Task Force will relentlessly pursue individuals intent on exploiting investors and the American financial system for their own gain.”
Background on SafeMoon
As proven at trial, SafeMoon tokens were digital assets first issued in March 2021 by SafeMoon LLC on a public blockchain. Through the operation of SafeMoon’s smart contract, every transaction in SafeMoon was automatically subject to a 10% tax, meaning, for example, that if a holder of SafeMoon transferred 10 SafeMoon to another user, 1 SafeMoon would automatically be retained from the transfer as a tax and the remaining 9 SafeMoon would be received by the other party. As marketed to SafeMoon investors, the proceeds of SafeMoon’s 10% tax were split into two 5% tranches, the proceeds of which were supposed to benefit holders of SafeMoon in specific ways. The first 5% tranche of the tax proceeds would be “reflected” back to, and distributed among, all SafeMoon holders in proportion to their current SafeMoon holdings and thereby increase the total quantity of SafeMoon held by every SafeMoon investor automatically. The remaining 5% tranche of SafeMoon tax proceeds would be deposited into designated SafeMoon liquidity pools. The larger the SafeMoon liquidity pool, the greater the liquidity in the market for SafeMoon. In the months after its launch in March 2021, SafeMoon grew to have millions of holders and a market capitalization of more than $8 billion.
The Defendants’ Fraudulent Scheme
Karony and his co-conspirators misrepresented various material aspects of the SafeMoon offering to investors. Such misrepresentations included that SafeMoon relied on “locked” liquidity pools that would automatically increase in size due to a 10% tax imposed on every SafeMoon transaction; that the “locked” SafeMoon liquidity pool prevented the defendants and other insiders at SafeMoon from being able to “rug pull”—a type of crypto fraud— SafeMoon investors by removing liquidity from the SafeMoon liquidity pool; that tokens in the liquidity pool would only be used for limited pre-defined business purposes, not personal enrichment; that the defendants would manually add token pairs to the SafeMoon liquidity pool when transactions of SafeMoon occurred on specific centralized exchanges; and that the developers were not and had not been holding and trading SafeMoon for their benefit.
In reality, Karony and his co-conspirators retained access to the SafeMoon liquidity pools and used that access to intentionally divert and misappropriate millions of dollars’ worth of tokens for their personal benefit. In addition, although they publicly denied that they personally held or traded SafeMoon, they repeatedly bought and sold SafeMoon, sometimes at the height of SafeMoon market price, which generated millions of dollars in profits. Karony and his co-conspirators masked their movement of the fraudulent proceeds via numerous private un-hosted crypto wallet addresses, complex transaction routing, and pseudonymous centralized exchange accounts. Karony acquired over $9 million in crypto assets from the scheme and used some of the proceeds to purchase luxury vehicles and real estate, including a $2.2 million home in Utah, additional homes in Utah and Kansas, a $277,000 Audi R8 sports car, another Audi R8, a Tesla, and custom Ford F-550 and Jeep Gladiator pickup trucks.
Co-conspirator Thomas Smith previously pleaded guilty and is awaiting sentencing. Co-conspirator Kyle Nagy remains at large.
The government’s case is being handled by the Office’s Business and Securities Fraud Section. Assistant United States Attorneys Dana Rehnquist, Sara K. Winik, and Jessica K. Weigel are in charge of the prosecution, with assistance from Paralegal Specialists Asher Martin-Rosenthal and Madison Bates. Assistant United States Attorney Laura Mantell is handling forfeiture matters.
A Texas man was sentenced on Monday to 19 years in prison for unlawfully conspiring to distribute millions of opioid pills and aiding the falsification of tax records.
According to court documents, Christopher Obaze, 64, of Houston, Texas, was the owner and pharmacist-in-charge of Chrisco Pharmacy. Obaze and his co-conspirators operated Chrisco Pharmacy as an illegal “ghosting pharmacy,” purchasing pharmaceutical opioids and other commonly abused prescription drugs from wholesalers and then selling them in bulk to drug traffickers, without involving physicians, patients, or prescriptions. From January 2018 through October 2021, Obaze and his co-conspirators distributed at least 2,268,700 hydrocodone 10-325 mg and oxycodone 30 mg pills as part of the scheme.
The defendant and his pharmacy technician attempted to conceal their illegal activities by reporting no dispensing of the drugs to the Texas State Board of Pharmacy’s prescription monitoring program after July 2018, and by structuring cash deposits and submitting false documents to banks to maintain accounts to hold the proceeds of their unlawful distribution scheme. Obaze also aided and assisted in the preparation and presentation of false and fraudulent tax returns to the IRS by understating, among other things, the gross receipts of Chrisco Pharmacy.
Matthew R. Galeotti, Head of the Justice Department’s Criminal Division, U.S. Attorney Nicholas J. Ganjei for the Southern District of Texas, Special Agent in Charge William Kimbell of the Drug Enforcement Administration (DEA) Houston Division, and Special Agent in Charge Lucy Tan of the IRS Criminal Investigation (IRS-CI) Houston Field Office made the announcement.
The DEA and IRS-CI investigated the case.
Trial Attorney Drew Pennebaker of the Criminal Division’s Fraud Section prosecuted the case.
The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, currently comprised of 9 strike forces operating in 27 federal districts, has charged more than 5,800 defendants who collectively have billed federal health care programs and private insurers more than $30 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with the Office of the Inspector General for the Department of Health and Human Services, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at www.justice.gov/criminal/criminal-fraud/health-care-fraud-unit.
The IAEA team based at Ukraine’s Zaporizhzhya Nuclear Power Plant (ZNPP) heard bursts of gunfire this morning, coinciding with a purported drone attack on the site’s training centre, Director General Rafael Mariano Grossi said.
It was the third time this year that the training centre, located just outside the site perimeter, was reportedly targeted by such an unmanned aerial vehicle.
The ZNPP told the IAEA team that the drone hit the roof of the training centre, without causing any casualties or major damage. It was not immediately known whether the drone had directly struck the building or whether it crashed on the structure after being shot down, the ZNPP said.
The IAEA staff members heard the gunfire shortly before 10am local time, but it was not clear if this observation was connected to the drone.
The IAEA team requested to visit the training centre, as it was able to do following the previous such incident that occurred in April. However, on this occasion permission has not yet been granted.
“These reported drone incidents are very concerning, as they could pose a direct threat to nuclear safety and security. To put it simply: there are too many drones flying near nuclear sites, not just the Zaporizhzhya Nuclear Power Plant. It should stop immediately,” Director General Grossi said.
In February, a drone severely damaged the New Safe Confinement (NSC) at the Chornobyl plant in northern Ukraine, built to prevent any radioactive release from the reactor unit 4 destroyed in the 1986 accident and to protect it from external hazards.
In mid-April, a drone was reportedly shot down and crashed near the ZNPP’s training centre, just over three months after another reported drone attack on the same centre.
Ukraine’s operating nuclear power plants (NPPs) – Khmelnytskyy, Rivne and South Ukraine – also regularly report of drones being detected near the respective sites. Last Friday, the IAEA team at the South Ukraine NPP was informed that drones were observed as close as 2km from the site and the team reported hearing anti-aircraft fire from their hotel. The same night, drones were reported to have been observed transiting through the Chornobyl Exclusion Zone.
Source: United States Department of Justice (National Center for Disaster Fraud)
PHOENIX, Ariz. – Ronnie Lamar Strawberry, Jr., 39, of Los Angeles, California was sentenced on May 19, 2025, by Senior United States District Judge G. Murray Snow to 33 months in prison and ordered to pay $528,426 in restitution. Strawberry pleaded guilty to Conspiracy to Commit Wire Fraud. His sister, Raychelle Strawberry, who pleaded guilty to the same charge, was sentenced on the same day to 60 months of probation for her role in the offense.
According to the court documents and statements made in court, Ronnie Strawberry conspired with his sister and others to file false and fraudulent unemployment insurance claims under the Pandemic Unemployment Assistance program. Strawberry filed fraudulent claims in both California and Arizona using stolen identities. The scheme was sophisticated and used personal identifiable information — such as name, date of birth, and social security number — from more than 25 individuals to file online unemployment applications in Arizona and California.
“The defendant exploited a national crisis for personal gain,” said U.S. Attorney Timothy Courchaine. “He stole nearly $500,000 in pandemic relief funds that were meant to support struggling families and small businesses. This office will continue to investigate and prosecute those who stole from state and federal governments during the pandemic and intentionally depleted the public fisc for personal profit.”
“An important part of the mission of the U.S. Department of Labor, Office of Inspector General is to investigate allegations of fraud involving unemployment insurance (UI) programs. We will continue to work with our law enforcement partners to protect the integrity of the nation’s Unemployment Insurance system,” said Quentin Heiden, Special Agent-in-Charge, Western Region, U.S. Department of Labor, Office of Inspector General.
U.S. Department of Labor, Office of Inspector General (OIG), Arizona Department of Economic Security (DES) OIG, and Homeland Security, OIG conducted the investigation in this case. Assistant U.S. Attorney, Kevin M. Rapp, District of Arizona handled the prosecution.
CASE NUMBER: CR-24-00390- PHX-GMS RELEASE NUMBER: 2025-080_Strawberry
# # # For more information on the U.S. Attorney’s Office, District of Arizona, visit http://www.justice.gov/usao/az/ Follow the U.S. Attorney’s Office, District of Arizona, on Twitter @USAO_AZfor the latest news.
Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)
SIOUX FALLS—United States Attorney Alison J. Ramsdell announced today that Judge Charles B. Kornmann has sentenced a Watertown, South Dakota, man convicted of Possession of a Firearm by a Prohibited Person. The sentencing took place on May 19, 2025.
Anthony Thomas Lee Baker, 43, was sentenced to 15 years and 8 months in federal prison, followed by 5 years of supervised release, and ordered to pay a $100 special assessment to the Federal Crime Victims Fund. Forfeiture of the firearm was also ordered.
Baker was indicted for Felon in Possession of a Firearm by a federal grand jury in May 2024. He pleaded guilty on September 30, 2024.
The charges arose from an incident when Baker, driving a vehicle, was stopped by law enforcement in Watertown, South Dakota. He was found to be in possession of a .45 caliber semi-automatic pistol. Baker is prohibited from possessing any firearm based on a prior felony conviction. More specifically, Baker has at least three prior violent felony convictions, including one for possession of another firearm following his conviction for a crime of violence in Ramsey County, Minnesota, in 2017.
This case was investigated by the ATF and the Watertown Police Department. Assistant U.S. Attorney Paige Petersen prosecuted the case.
Baker was immediately remanded to the custody of the U.S. Marshals Service.
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
During the action day, authorities in both countries seized assets worth at least several millions euros, including apartments and companies, as well as various luxury vehicles. . Large amounts of cash and quantities of cocaine and heroin were also seized. A full and complete evaluation of the seizures will be carried out in the coming days.
No complete estimate of the total profits of the cooperation between the three OCGs is available. However, information obtained through the JIT shows that the criminal networks were involved in payments, often in cash, of close to EUR 5 million and the trafficking of at least 1 800 kilos of cocaine and heroin.
Investigations into the linked criminal organisations were initiated in 2016 by the Public Prosecutor’s Office of Bari and the Special Anti-Corruption and Organised Crime Prosecutor’s Office of Tirana and the Albanian Police. On the Albanian side, one OCG, which operated from Durres, was responsible for the transport and wholesale distribution of large quantities of cocaine, heroin and cannabis trafficked between the Balkans, Northern Europe, South America and Puglia in Italy.
Two Italian-led criminal gangs carried out the cutting and packaging of illicit drugs and supplied cocaine and heroin from Latin America and Turkey to local gangs in organisations in Bari, Brindisi and Lecce.
The arrests in Italy and Albania are the result of a long-term collaboration through the JIT. This involved the use of wiretaps, intensive video surveillance, the monitoring of suspects and the analysis of encrypted chats. These chats were decrypted following intensive cooperation through Eurojust.
Since 2020, Eurojust has supported the authorities in Italy and Albania with the JIT. Furthermore, the Agency provided assistance with the execution of requests for Mutual Legal Assistance during the action day and gave cross-border judicial support. Albania is one of the twelve countries outside the European Union with a Liaison Prosecutor at Eurojust. The investigations were also coordinated and supported by the office of the dedicated security expert at the Italian Embassy in Tirana.
The judicial cooperation between Italy and Albania has already proven effective in recent years. Between 2018 and 2021, the Anti-Mafia Investigation Directorate of Bari issued and executed 118 arrest warrants against alleged drug traffickers operating in both countries. As a result, various defendants were sentenced up to 20 years imprisonment.
This week’s operation was carried out at the request of and by the following authorities:
Italy: Public Prosecutor’s Office Bari – District Anti-Mafia Directorate; Anti-Mafia Investigation Directorate Bari, under the coordination of the National Anti-Mafia and Anti-Terrorism Directorate Rome, with support of the Office of the Security Expert at the Italian Embassy in Tirana
Albania: Special Anti-Corruption and Organised Crime Prosecutor’s Office (SPAK) of Tirana; Albanian Police
Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)
RICHMOND, Va. – A Richmond man was sentenced today to five years in prison for possession of a firearm by a convicted felon.
According to court documents, on March 16, 2023, Richmond Police detectives performed a traffic stop on a vehicle with no front license plate. James Marvin Smith, 43, was driving the vehicle. While speaking with Smith and a passenger, the detectives observed a crumpled lottery ticket near the cupholders and noticed that the passenger had white powder on his nose. The detectives asked Smith and the passenger to get out of the car.
While searching the vehicle for drug evidence, a detective found a firearm and a detached extended magazine. The firearm had one round of ammunition in the chamber and the magazine was loaded with 21 rounds of ammunition.
Prior to his arrest, Smith had been convicted of, among other crimes, possession of heroin, obstruction of justice, resisting arrest with force, possession of cocaine, breaking and entering, using a firearm in the commission of a felony, robbery, unlawful wounding, illegal possession of a firearm, assault and battery, possession of a firearm by a convicted violent felon, and grand larceny. As a previously convicted felon, Smith cannot legally possess a firearm or ammunition.
Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia; Anthony A. Spotswood, Special Agent in Charge of the Bureau of Alcohol, Tobacco, Firearms and Explosives Washington Field Division; Rick Edwards, Chief of Richmond Police; and Colette Wallace McEachin, Commonwealth’s Attorney for the City of Richmond, made the announcement after sentencing by Senior U.S. District Judge John A. Gibney Jr.
Special Assistant U.S. Attorney Katherine E. Groover, an Assistant Commonwealth’s Attorney with the Richmond Commonwealth’s Attorney Office, prosecuted the case.
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
A copy of this press release is located on the website of the U.S. Attorney’s Office for the Eastern District of Virginia. Related court documents and information are located on the website of the District Court for the Eastern District of Virginia or on PACER by searching for Case No. 3:24-cr-23.
Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)
CHARLOTTE, N.C. – A man who used a privately made and unregistered firearm, commonly known as a “ghost gun,” to carjack a vehicle on a college campus was sentenced yesterday to seven years in prison for a firearms offense, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina. Mark Jordan Williams, 37, was also ordered to serve three years of supervised release following the completion of his prison term.
Alicia Jones, Special Agent in Charge of the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), Charlotte Field Division, joins U.S. Attorney Ferguson in making today’s announcement.
According to court documents and court proceedings, on March 23, 2023, an individual identified as L.C. was sitting in a Jeep Wrangler, parked on the campus of the University of North Carolina-Charlotte. Court records show that Williams approached the vehicle, pointed a handgun at L.C. and ordered L.C. out of the car. Williams then took L.C.’s phone, got into the Jeep, and drove away. Williams was located and arrested later that evening while inside the Jeep. When Williams was arrested, a .40 caliber Polymer 80 handgun was recovered from inside the vehicle as well. During the investigation, law enforcement determined that Williams has multiple prior criminal convictions and he prohibited from possessing a firearm.
On January 9, 2025, Williams pleaded guilty to possession and brandishing of a firearm in furtherance of a crime of violence. He is in federal custody and will be transferred to the custody of the Federal Bureau of Prisons upon designation of a federal facility.
The ATF investigated the case and the U.S. Attorney’s Office in Charlotte handled the prosecution.
Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)
Jacksonville, Florida – U.S. District Judge Harvey Schlesinger has sentenced Alton Wayne Cope, III (64, St. Augustine) to four years and three months in federal prison for possessing a firearm as a convicted felon and conspiring to deal firearms without a license. Cope entered a guilty plea in October 2024.
According to court documents, agents began investigating Cope and a co-conspirator when agents learned that Cope may have been illegally selling firearms. During the summer of 2024, agents conducted multiple controlled purchase operations during which they purchased 11 firearms from Cope and a co-conspirator. Throughout the investigation, agents learned that Braden Hobbs was the original purchaser of multiple firearms purchased from Cope and a co-conspirator. Cellphone records later showed that the co-conspirator regularly purchased firearms from Hobbs. Additionally, at least two of the firearms sold by Cope and a co-conspirator had previously been reported stolen. In August 2024, agents executed a federal search warrant at Cope’s residence. During the search, agents found an additional firearm in his bedroom.
Although he engaged in the business of dealing firearms, Cope is not a federally licensed firearms dealer, as required by federal law. Additionally, Cope was previously convicted of multiple felonies, including two counts of possession of cocaine and possession of a firearm by a convicted felon. Therefore, he is prohibited from possessing firearms or ammunition under federal law.
In related court proceedings, co-conspirator Braden Hobbs has been charged by indictment and is scheduled for trial later this year. If convicted, Hobbs faces a minimum sentence of 5 years, up to 95 years, in federal prison. An indictment is merely a formal charge that a defendant has committed one or more violations of federal criminal law, and every defendant is presumed innocent unless, and until, proven guilty.
This case was investigated by the Bureau of Alcohol, Tobacco, Firearms and Explosives, the Internal Revenue Service – Criminal Investigation, the United States Secret Service, the North Florida HIDTA Tri-County Narcotics Task Force with the Florida Department of Law Enforcement, the St. Johns County Sheriff’s Office, and the Jacksonville Sheriff’s Office. It is being prosecuted by Assistant United States Attorney Elisibeth Adams.
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
WASHINGTON – The Department of Homeland Security today announced that Immigration and Customs Enforcement (ICE) lodged a detainer for a 24-year-old illegal alien from Venezuela who posed as a teenager to attend an Ohio high school.
On May 19, the Perrysburg Ohio Police Department arrested and charged Anthony Emmanuel Labrador-Sierra with forgery. On May 20, ICE issued a detainer.
Mug shot from Wood County Jail.
“Anthony Emmanuel Labrador-Sierra is a 24-year-old illegal alien from Venezuela who has been posing as teenager and attending Perrysburg High School in Ohio,” said Assistant Secretary Tricia McLaughlin. “Labrador was arrested and charged with forgery by the Perrysburg Ohio Police Department on May 19 for using fake documents to become enrolled in the high school. ICE lodged a detainer to ensure that this criminal illegal alien is removed from this community and no longer able to prey on the students of Perrysburg High School. It is disturbing that a grown man would impersonate a teenager and infiltrate the lives of underage girls and boys to fool them into doing God knows what.”
Labrador has illegally been in the U.S. since March 24, 2020.
RCMP Halifax Regional Detachment has arrested two people for assaulting fishers in Eastern Passage.
On May 4, at approximately 7 p.m., RCMP officers responded to a report of an assault in progress near Cow Bay Rd. in Eastern Passage. On arrival, officers found two people with serious injuries and arrested two other people – one youth and one man. Police also seized several items used as weapons in this assault, including fishing hooks and a metal pipe. The incident occurred while the victims were fishing for gaspereau.
The victims were transported to hospital by EHS, one with life-threatening injuries.
The youth had a first court appearance and remains in custody, facing four charges including aggravated assault.
The 39-year-old man, from Cow Bay, was later released on conditions. He will appear in Dartmouth Provincial Court on June 10, 2025, to face a charge of assault.
This incident is still under investigation. Police are aware of allegations that this was a hate-motivated crime or hate-motivated incident based on information provided by witnesses. The RCMP takes incidents of hate with utmost seriousness and condemns all hate-motivated incidents, and may follow up with further charges as is necessary based on the ongoing investigation.
Anyone with information about this incident and who has not yet spoken to police is asked to contact RCMP Halifax Regional Detachment at 902-490-5020. To remain anonymous, call Nova Scotia Crime Stoppers, toll-free, at 1-800-222-TIPS (8477), submit a secure web tip at www.crimestoppers.ns.ca, or use the P3 Tips app.
A Missouri man was sentenced yesterday to 111 months in prison by U.S. District Judge Matthew T. Schelp for the Eastern District of Missouri for burning down a Cape Girardeau, Missouri house of worship in 2021. He was also ordered to pay $6,968,223.36 in restitution for damages incurred by the church.
Christopher Scott Pritchard, 49, pleaded guilty in U.S. District Court for the Eastern District of Missouri in Cape Girardeau, on Dec. 19, 2024, to one count of arson and one count of violating the Church Arson Prevention Act. Pritchard admitted setting fire to the house of worship owned and used by the Church of Jesus Christ of Latter-Day Saints (LDS) in Cape Girardeau, Missouri, during the evening of April 28, 2021. Pritchard was spotted watching the fire and was arrested about 1.5 miles away by the Cape Girardeau County Sheriff’s Office. Pritchard smelled like smoke and had a backpack containing a laptop computer, a projector, speakers and 21 apples that he’d stolen from the church. Pritchard told deputies that he’d gotten into a verbal altercation with the Bishop of the church a few days before the fire and had threatened to assault the Bishop and burn the church down.
The fire destroyed the building and prevented the congregants in the free exercise of their religious beliefs. No one was injured.
“There is no place in America for criminal acts against houses of worship,” said Assistant Attorney General Harmeet K. Dhillon of the Justice Department’s Civil Rights Division. “The Civil Rights Division thanks its law enforcement partners for prosecuting this matter.”
Assistant Attorney General Harmeet K. Dhillon and U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri made the announcement.
The FBI St. Louis Field Office, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the Cape Girardeau County Sheriff’s Office and the Missouri State Fire Marshal’s Office investigated the case. Assistant U.S. Attorney Paul Hahn for the Eastern District of Missouri prosecuted the case, with assistance from the Civil Rights Division’s Criminal Section.
Over the May long weekend, Clarenville RCMP implemented educational and enforcement efforts towards road safety. A number of check points and traffic stops were conducted in various areas. Forty-seven tickets were issued for various violations of the Highway Traffic Act.
Officers remained focussed in the area of impaired driving. During one check stop, it is estimated that more than 150 vehicles and drivers were checked. Police were pleased to report that no incidents of impaired driving were detected over the weekend.
A breakdown of the 47 tickets issued is provided here:
Speeding – 31
No registration – 6
No insurance – 2
Driving while suspended – 2
Other moving violations – 6
Road safety is a priority for RCMP NL during Canada Road Safety Week and throughout the year. If you suspect a motorist is driving while impaired or in a dangerous manner, please contact your local police to make a report.
A man has been charged with a terrorism offence following an investigation by the Met’s Counter Terrorism Command.
Liam O’Hanna, 27, (16.10.97) of Belfast has been charged, via postal requisition, with displaying a flag in support of Hizballah, a proscribed organisation, namely:
On 21 November 2024, in a public place, namely the O2 Forum, Kentish Town, London, displayed an article, namely a flag, in such a way or in such circumstances as to arouse reasonable suspicion that he is a supporter of a proscribed organisation, namely Hizballah, contrary to section 13(1)(b) and (3) of the Terrorism Act 2000.
Officers from the Met’s Counter Terrorism Command were made aware on Tuesday, 22 April of an online video from the event. An investigation was carried out, which led to the Crown Prosecution Service authorising the above charge.
O’Hanna is due to appear at Westminster Magistrates’ Court on Wednesday, 18 June.
Today, the Department of Justice’s Civil Rights Division is beginning the process of dismissing lawsuits against the Louisville, Kentucky and Minneapolis, Minnesota police departments.
These lawsuits, which were filed at the last minute by the Biden administration after President Donald Trump’s reelection, accused Louisville and Minneapolis of widespread patterns of unconstitutional policing practices by wrongly equating statistical disparities with intentional discrimination and heavily relying on flawed methodologies and incomplete data. They also sought to subject the Louisville and Minneapolis police departments to sweeping consent decrees that went far beyond the Biden administration’s accusations of unconstitutional conduct; the decrees would have governed many aspects of those police departments, including their management, supervision, training, performance evaluations, discipline, staffing, recruitment, and hiring. In short, these sweeping consent decrees would have imposed years of micromanagement of local police departments by federal courts and expensive independent monitors, and potentially hundreds of millions of dollars of compliance costs, without a legally or factually adequate basis for doing so.
“Overbroad police consent decrees divest local control of policing from communities where it belongs, turning that power over to unelected and unaccountable bureaucrats, often with an anti-police agenda,” added Assistant Attorney General Harmeet K. Dhillon of the Justice Department’s Civil Rights Division. “Today, we are ending the Biden Civil Rights Division’s failed experiment of handcuffing local leaders and police departments with factually unjustified consent decrees.”
The Civil Rights Division will be taking all necessary steps to dismiss the Louisville and Minneapolis lawsuits with prejudice, to close the underlying investigations into the Louisville and Minneapolis police departments, and to retract the Biden administration’s findings of constitutional violations.
The Civil Rights Division will also be closing its investigations into, and retracting the Biden administration’s findings of constitutional violations on the part of, the following additional local police departments:
Phoenix, Arizona
Trenton, New Jersey
Memphis, Tennessee
Mount Vernon, New York
Oklahoma City, Oklahoma
Louisiana State Police
The Department of Justice will continue to offer its full support to police departments across the country, including through grants and technical assistance. The Department is confident that the vast majority of police officers across the Nation will continue to vigorously enforce the law and protect the public in full compliance with the Constitution and all applicable federal laws. When bad actors in uniform fail to do so, the Department stands ready to take all necessary action to address any resulting constitutional or civil-rights violations, including via criminal prosecution.
Coordinated Microsoft Actions and Court-Authorized Domain Seizures Disrupt LummaC2 Malware Infrastructure Used to Target Millions
The Justice Department announced today the unsealing of two warrants authorizing the seizure of five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service.
“The Department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber operations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security Division. “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country. We are grateful for their work and dedication.”
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets. The Department is also committed to working with and appreciates the efforts of the private sector to safeguard the public from cybercrime.”
“The FBI is committed to disrupting the key services that cyber criminals rely on,” said Assistant Director Bryan Vorndran of FBI’s Cyber Division. “That’s why, with our partners, we took action against the most popular infostealer service available in online criminal markets, which is responsible for millions of attacks against victims. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels. Together, we are making it harder, and more painful, for cyber criminals to operate.”
As alleged in the affidavits filed in support of the government’s seizure warrants, the administrators of LummaC2 used the seized websites to distributeLummaC2, an information-stealing malware, to their affiliates and other cyber criminals. According to court documents, common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.
The government’s affidavit further alleges that the seized domains, also referred to as user panels, served as login pages for the LummaC2 malware, allowing credentialed users and administrators to access and deploy LummaC2. On May 19, 2025, the government seized two domains. On May 20, 2025, as detailed in court documents, the LummaC2 administrators informed their users of three new domains that they had set up to host the user panel. The next day, the government then seized those three domains.
The seizure of these domains by the government will prevent the owners and cybercriminals from using the websites to access LummaC2 to compromise computers and steal victim information. Individuals who now visit the websites will see a message indicating that the site has been seized by the Justice Department, including the FBI.
Concurrent with today’s actions and consistent with the Department’s approach to public-private operational coordination, Microsoft announced an independent civil action to take down 2,300 internet domains also claimed to be used by the LummaC2 actors or their proxies.
FBI’s Dallas Field Office is investigating the case.
The U.S. Attorney’s Office for the Northern District of Texas, the National Security Division’s National Security Cyber Section, and the Criminal Division’s Computer Crime and Intellectual Property Section are handling the case.
The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, offers a reward of up to $10 million for information on foreign government-linked individuals participating in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.
Anyone with information on any other foreign government-linked malicious cyber actors or activity targeting U.S. critical infrastructure should contact Rewards for Justice via the RFJ Tor-based tip line at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). Learn more about Rewards for Justice and their reward offers at RewardsforJustice.net.
If you believe you have a compromised computer or device, please visit the FBI’s Internet Crime Complaint Center (IC3). You may also contact your local FBI field office directly.
A Virginia attorney pleaded guilty yesterday to filing a false tax return that concealed a significant portion of his income.
The following is according to court documents and statements made in court: Asim Ghafoor, of Ashburn, was an attorney who operated a law practice in Virginia. His law practice had clients in various states, including Michigan. Ghafoor reported income from his practice on individual income tax returns that he personally prepared and signed. For 2012 through 2016, Ghafoor prepared and filed false tax returns that underreported the income he earned from his business.
In total, Ghafoor caused a tax loss to the IRS of $354,634.
Ghafoor is scheduled to be sentenced on Sept. 23. He faces a maximum penalty of three years in prison for filing a false tax return. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Acting Deputy Assistant Attorney General Karen E. Kelly of the Justice Department’s Tax Division made the announcement.
IRS Criminal Investigation is investigating the case.
Trial Attorneys Richard J. Kelley and Jeffrey A. McLellan of the Tax Division are prosecuting the case.
The conference, which is open to media, will take place from 26 to 30 May at the IAEA in the M-Building of the Vienna International Centre (VIC). The conference will also be livestreamed.
A dialogue between IAEA Director General Rafael Mariano Grossi and Robert Stone, director of the documentary Pandora’s Promise, will open the conference on Monday, 26 May, at 10:00. Isabelle Boemeke, nuclear energy influencer, will moderate the session.
Over 500 participants from about 80 countries and 13 international organizations are registered to participate in the event.
Stakeholder engagement is an essential part of nuclear power programmes. It aims to enhance public confidence, strengthen communication and support informed decision making through strong, long-term relationships with stakeholders. The conference will cover development and implementation of stakeholder engagement strategies; managing changing landscapes; crisis communication and emergency preparedness; outreach and media relations. A series of side events will highlight the roles of private philanthropy, gender perceptions and art in shaping stakeholder engagement. See the full programme here.
Nuclear Communities and Mayors in Focus, a unique platform for open dialogue and the exchange of ideas among municipal leaders from around the world, will take place in the afternoon of Tuesday, 27 May. A family photo will be taken at 13:30.
All journalists – including those with permanent accreditation to the Vienna International Centre (VIC) – are requested to inform the IAEA Press Office of their plans to attend the conference in person. Journalists without permanent accreditation to the VIC must send copies of their passport and press ID to press@iaea.org by 12:00 CEST on Friday, 23 May.
Journalists who do not yet have permanent accreditation are encouraged to request it at UNIS Vienna.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.
The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.
Overview
LummaC2 malware first appeared for sale on multiple Russian-language speaking cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to then open the Windows Run window (Windows Button + R) and paste clipboard contents (“CTRL + V”). After users press “enter” a subsequent Base64-encoded PowerShell process is executed.
To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (i.e., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].
Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.
File Execution
Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).
Figure 1. LummaC2 Main Routine
The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).
Figure 2. Message Box
If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.
After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).
Figure 3.PostRequest
If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).
Figure 4. Code Saving Successful Callback Request
Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).
Figure 5. User and Computer Name Check
The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.
If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.
If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).
Figure 6. SecondPOSTRequest
The data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed by the LummaC2 malware. The C2 uses the JSON configuration to parse its browser extensions and target lists using the ex key, which contains an array of objects (see Figure 7).
Figure 7. Parsing ofexJSON Value
Parsing the c key contains an array of objects, which will give the implant its C2 (see Figure 8).
Figure 8. Parsing ofcJSON Value
C2 Instructions
Each array object that contains the JSON key value of t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.
1. Opcode0– Steal Data Generic
This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode O command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).
Table 2. Opcode1Options
Key
Value
p
Path to steal from
m
File extensions to read
z
Output directory to store stolen data
d
Depth of recursiveness
fs
Maximum file size
2. Opcode1– Steal Browser Data
This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).
Table 2. Opcode1Options
Key
Value
p
Path to steal from
z
Name of Browser – Output
3. Opcode2– Steal Browser Data (Mozilla)
This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).
Table 3. Opcode2Options
Key
Value
p
Path to steal from
z
Name of Browser – Output
4. Opcode3– Download a File
This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).
Table 4. Opcode3Options
Key
Value
u
URL for Download
ft
File Extension
e
Execution Type
The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).
Table 5. Execution Types
Key
Value
e=0
Execute with LoadLibraryW()
e=1
Executive with rund1132.exe
5. Take Screenshot
If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.
6. Delete Self
If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.
The command shown in Figure 9 will be decoded and executed for self-deletion.
Figure 9. Self-Deletion Command Line
Figure 10 depicts the above command line during execution.
Figure 10. Decoded Command Line in Memory
Host Modifications
Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.
Decrypted Strings
Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).
Figure 11. Decoded Strings
Indicators of Compromise
See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.
Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.
Table 6. LummaC2 Executable Hashes
Executables
Type
4AFDC05708B8B39C82E60ABE3ACE55DB (LummaC2.exe from November 2023)
MD5
E05DF8EE759E2C955ACC8D8A47A08F42 (LummaC2.exe from November 2023)
MD5
C7610AE28655D6C1BCE88B5D09624FEF
MD5
1239288A5876C09D9F0A67BCFD645735168A7C80 (LummaC2.exe from November 2023)
SHA1
B66DA4280C6D72ADCC68330F6BD793DF56A853CB (LummaC2.exe from November 2023)
The following are domains observed deploying LummaC2 malware.
Disclaimer: The domains below are historical in nature and may not currently be malicious.
Pinkipinevazzey[.]pw
Fragnantbui[.]shop
Medicinebuckerrysa[.]pw
Musicallyageop[.]pw
stogeneratmns[.]shop
wallkedsleeoi[.]shop
Tirechinecarpet[.]pw
reinforcenh[.]shop
reliabledmwqj[.]shop
Musclefarelongea[.]pw
Forbidstow[.]site
gutterydhowi[.]shop
Fanlumpactiras[.]pw
Computeryrati[.]site
Contemteny[.]site
Ownerbuffersuperw[.]pw
Seallysl[.]site
Dilemmadu[.]site
Freckletropsao[.]pw
Opposezmny[.]site
Faulteyotk[.]site
Hemispheredodnkkl[.]pw
Goalyfeastz[.]site
Authorizev[.]site
ghostreedmnu[.]shop
Servicedny[.]site
blast-hubs[.]com
offensivedzvju[.]shop
friendseforever[.]help
blastikcn[.]com
vozmeatillu[.]shop
shiningrstars[.]help
penetratebatt[.]pw
drawzhotdog[.]shop
mercharena[.]biz
pasteflawwed[.]world
generalmills[.]pro
citywand[.]live
hoyoverse[.]blog
nestlecompany[.]pro
esccapewz[.]run
dsfljsdfjewf[.]info
naturewsounds[.]help
travewlio[.]shop
decreaserid[.]world
stormlegue[.]com
touvrlane[.]bet
governoagoal[.]pw
paleboreei[.]biz
calmingtefxtures[.]run
foresctwhispers[.]top
tracnquilforest[.]life
sighbtseeing[.]shop
advennture[.]top
collapimga[.]fun
holidamyup[.]today
pepperiop[.]digital
seizedsentec[.]online
triplooqp[.]world
easyfwdr[.]digital
strawpeasaen[.]fun
xayfarer[.]live
jrxsafer[.]top
quietswtreams[.]life
oreheatq[.]live
plantainklj[.]run
starrynsightsky[.]icu
castmaxw[.]run
puerrogfh[.]live
earthsymphzony[.]today
weldorae[.]digital
quavabvc[.]top
citydisco[.]bet
steelixr[.]live
furthert[.]run
featureccus[.]shop
smeltingt[.]run
targett[.]top
mrodularmall[.]top
ferromny[.]digital
ywmedici[.]top
jowinjoinery[.]icu
rodformi[.]run
legenassedk[.]top
htardwarehu[.]icu
metalsyo[.]digital
ironloxp[.]live
cjlaspcorne[.]icu
navstarx[.]shop
bugildbett[.]top
latchclan[.]shop
spacedbv[.]world
starcloc[.]bet
rambutanvcx[.]run
galxnetb[.]today
pomelohgj[.]top
scenarisacri[.]top
jawdedmirror[.]run
changeaie[.]top
lonfgshadow[.]live
liftally[.]top
nighetwhisper[.]top
salaccgfa[.]top
zestmodp[.]top
owlflright[.]digital
clarmodq[.]top
piratetwrath[.]run
hemispherexz[.]top
quilltayle[.]live
equatorf[.]run
latitudert[.]live
longitudde[.]digital
climatologfy[.]top
starofliught[.]top
MITRE ATT&CK Tactics and Techniques
See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
Threat actors used LummaC2 malware to download files with native OS APIs.
Mitigations
The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.
Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
Monitor and detect suspicious behavior during exploitation [CPG 3.A].
Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
Monitor API calls that may attempt to retrieve system information.
Analyze behavior patterns from process activities to identify anomalies.
Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.
Secure network devices to restrict command line access.
Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
Monitor and detect API usage, looking for unusual or malicious behavior.
Validate Security Controls
In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Reporting
Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.
To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.
On Wednesday (21 May 2025), NATO Secretary General Mark Rutte welcomed the Prime Minister of the Netherlands, Dick Schoof to NATO Headquarters. The leaders held productive discussions on boosting defence spending, support for Ukraine and the upcoming NATO Summit in The Hague.
Mr Rutte thanked the Netherlands for its steadfast contributions to the Alliance’s collective defence, playing “a pivotal role in strengthening the Alliance” on the ground, in the sky and at sea. He also thanked the Prime Minister for the excellent cooperation in organising the upcoming NATO Summit in The Hague.
The Secretary General welcomed efforts to invest in modernised land forces and cutting-edge capabilities, including allocating over €1 billion to expand the Dutch defence industry. At the same time, he urged all Allies to invest even more, including in the defence industry and in defence-related areas such as infrastructure and resilience. “2% will not be nearly enough to meet the capability targets that Allies will soon agree,” Mr Rutte stated.
On Ukraine, Mr Rutte thanked the Netherlands for its impressive offer of 3.5 billion euros in support for Ukraine in 2026, including €100 million for NATO’s Comprehensive Assistance Package. “Your contributions clearly underscore your long-term commitment to Kyiv’s sovereignty and security. This is a priority we all share” he emphasised.
President Trump and Secretary Noem are working every day to get vicious criminals out of our country while activist judges are fighting to bring them back onto American soil
WASHINGTON – The Department of Homeland Security today hosted a press conference to set the record straight and to address the media’s misleading reporting on migrant flights to South Sudan. DHS conducted a deportation flight from Texas to remove some of the most barbaric, violent individuals illegally in the United States. Now a federal judge in Massachusetts is trying to force the United States to bring these criminals back.
“We are removing these convicted criminals from American soil so they can never hurt another American victim. It is absurd that an activist judge is trying to force the United States to bring back these uniquely barbaric monsters who present a clear and present threat to the safety of the American people,” said Assistant Secretary Tricia McLaughlin.“We have given the media the names of these monsters. I implore the media to stop doing the bidding of these criminals and to tell the stories of innocent Americans who have been victimized.”
Below are the individuals ICE removed from American communities.
Enrique ARIAS-Hierro, a Cuban national, was arrested by ICE on May 2, 2025. His criminal history includes convictions for homicide, armed robbery, false impersonation of official, kidnapping, robbery strong arm.
On April 30, 2025, ICE arrested Cuban national, Jose Manuel RODRIGUEZ-QUINONES. He has been convicted of attempted first-degree murder with a weapon, battery and larceny, canine possession and trafficking.
Thongxay NILAKOUT, a citizen of Laos, was arrested by ICE on January 26, 2025. NILAKOUT is Convicted of first-degree murder and robbery; sentenced to life confinement.
On May 12, 2025, ICE arrested Mexican national, Jesus MUNOZ-Gutierrez. He is Convicted of second-degree murder; sentenced to life confinement.
Dian Peter DOMACH, a citizen of South Sudan, was arrested by ICE on May 8, 2024. DOMACH is convicted of robbery and possession of a firearm, of possession of burglar’s tools and possession of defaced firearm and driving under the influence.
Kyaw MYA, a citizen of Burma was arrested by ICE on February 18, 2025. MYA is convicted of Lascivious Acts with a Child-Victim less than 12 years of age; sentenced to 10 years confinement, paroled after 4 years.
Nyo MYINT, a citizen of Burma was arrested by ICE on February 19, 2025. MYINT is convicted of first-degree sexual assault involving a victim mentally and physically incapable of resisting; sentenced to 12 years confinement. MYINT is also charged with aggravated assault-nonfamily strongarm.
On May 3, 2025, ICE arrested Tuan Thanh PHAN, a Vietnamese national. PHAN is Convicted of first-degree murder and second-degree assault; sentenced to 22 years confinement.
Source: Federal Bureau of Investigation FBI Crime News (b)
ST. LOUIS – U.S. District Henry E. Autrey on Tuesday sentenced a man who admitted transporting a minor across state lines for sex to 230 months in prison.
Scott M. Arnold-Micke, 48, of Rolla, Missouri met the 17-year-old victim in 2021 and took him to Chicago, where they used drugs and engaged in sexual acts. Arnold-Micke engaged in drug use with the victim on an almost daily basis after Arnold-Micke moved from Sullivan, Missouri to Rolla.
Arnold-Micke, 48, pleaded guilty in January to one count of transportation of a minor to engage in a criminal sex act.
The case was investigated by the FBI and the Rolla Police Department with assistance from the Phelps County Sheriff’s Department. Assistant U.S. Attorney Dianna Edwards prosecuted the case.
“The FBI is unrelenting when it comes to protecting children,” said Special Agent in Charge Chris Crocker of the FBI St. Louis Division. “I commend those who brought this crime to light in order to get this child predator off the streets and in prison where he belongs.”
This case was brought as part of Project Safe Childhood, a nationwide initiative to combat the growing epidemic of child sexual exploitation and abuse launched in May 2006 by the Department of Justice. Led by U.S. Attorneys’ Offices and the Department of Justice Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state and local resources to better locate, apprehend and prosecute individuals who exploit children via the Internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.
This joint operation targeted the sophisticated ecosystem that allowed criminals to exploit stolen information on a massive scale. Europol coordinated with law enforcement in Europe to ensure action was taken, leveraging intelligence provided by Microsoft.Between 16 March and 16 May 2025, Microsoft identified over 394 000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this…
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A member of the Pagan’s Motorcycle Club pleaded guilty today before U.S. District Judge Greg Kays for his involvement in an armed assault and an attempted armed assault against members of rival motorcycle clubs.
Jeremiah Z. Hahn, also known as “Pass Out,” 42, of Cameron, Mo., pleaded guilty today to one count of assault with a dangerous weapon in aid of racketeering, one count of attempting to commit assault with a dangerous weapon in aid of racketeering, and one count of felon in possession of a firearm.
On May 30, 2022, Hahn and other members of the Pagan’s and their support club, assaulted a lone rival motorcycle gang member at a business in Grain Valley, Mo. In addition to fists, Hahn used an axe handle during the assault, causing physical injury to the victim.
On Sep. 3, 2022, Hahn and other members of the Pagan’s and their support club, travelled to Topeka, Ks., to carry out a revenge attack against another rival motorcycle gang. The plan was to “catch a stray” and “smash on sight” any rival member they saw. The Pagan’s were aware that the rival motorcycle gang were having an event in Topeka that day, and the plan was to use either an axe handle or a gun on one of the rival gang members. After arriving in Topeka, a rival member was spotted in a hotel parking lot. As Hahn, who was armed with a gun, prepared to shoot the rival, a disagreement occurred among members, and the group returned to the Kansas City area.
Following both events, Hahn and others present were awarded patches for their participation.
On May 3, 2023, Hahn was stoppedby a Missouri State Highway Patrol Trooper on eastbound Highway 36 in Dekalb County, Mo., for speeding. Hahn, who was riding a black, 2012 Harley Davidson motorcycle, had passed the trooper, traveling 98 mph in a 65-mph zone. Initially,Hahn attempted to flee the trooper and reached speeds ranging from 100-102 mph before stopping. Following Hahn’s arrest, the trooper discovered a Smith and Wesson, model M&P Shield, .40 caliber semi-automatic handgun, in Hahn’s front pants’ pocket. Hahn, who had felony convictions out of Oklahoma, Kansas, and Missouri, stated that he had stolen the gun approximately a week and a half earlier from a member of a rival motorcycle club in St. Joseph, Mo.
Under federal statutes, Hahn is subject to a sentence of up to twenty years in prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Assistant U.S. Attorneys Bradley K. Kavanaugh and Robert Smith. It was investigated by the FBI, the Independence, Mo., Police Department, the Blue Springs, Mo., Police Department, Homeland Security Investigations, and the Kansas City, Mo., Police Department.
Organized Crime and Drug Enforcement Task Force
This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury today for robbing fourteen convenience stores at gunpoint. He also faces charges for attempting to rob another convenience store and illegally possessing a firearm.
Marquise L. North, 31, of Kansas City, Mo., was charged in a thirty-one count indictment returned by a federal grand jury in Kansas City, Mo.
Today’s indictment charges North with fourteen counts of Hobbs Act robbery, one count of attempted Hobbs Act robbery, fourteen counts of brandishing a firearm in furtherance of a crime of violence, and one count of being a felon in possession of a firearm.
The federal indictment alleges North committed the robberies between July 26, 2024, and Sep. 21, 2024. North is alleged to have brandished a firearm during each of the robberies.
Under federal law, it is illegal for anyone who has been convicted of a felony to be in possession of any firearm or ammunition. North has a prior felony conviction for unlawful possession of a firearm.
The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.
Under federal statutes, North is subject to a sentence of up to life in federal prison without parole. Brandishing a firearm during a crime of violence carries a mandatory minimum sentence of seven years in federal prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Special Assistant U.S. Attorney Jessica L. Jennings. It was investigated by the FBI, Kansas City, Missouri Police Department, Raytown, Missouri Police Department, and Independence, Missouri Police Department.
Project Safe Neighborhoods
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
SPRINGFIELD, Mo. – Two men from Springfield, Mo., were sentenced in federal court for their roles in a conspiracy to distribute large quantities of methamphetamine in the Springfield area.
Erik C. Foster, 43, was sentenced by U.S. District Judge Brian C. Wimes, to 215 months in federal prison without parole, to be followed by 5 years of supervised release. Foster pleaded guilty on Dec. 16, 2024.
Tilton Chase Tate, 41, was sentenced by U.S. District Judge Brian C. Wimes, to 146 months in federal prison without parole, to be followed by 5 years of supervised release. Tate pleaded guilty on October 15, 2024.
Foster and Tate were charged, along with other individuals, in a 24-count superseding indictment on July 25, 2023, for their roles in a drug conspiracy that lasted from Dec. 2020 to Oct. 2022.
Foster admitted to purchasing and delivering methamphetamine for other conspirators to distribute in Southwest Missouri. During the course of the conspiracy, law enforcement seized well over 50 grams of methamphetamine from members of the conspiracy.
According to court records, on Sep. 10, 2022, officers with the Republic, Mo. Police Department located two plastic bags containing at least 844 grams of methamphetamine from inside a speaker during a traffic stop where Foster was the passenger. Foster told officers that he had picked up the methamphetamine in Joplin and was taking it to Springfield to deliver it to a co-conspirator for distribution.
On Oct. 12, 2022, deputies with the Greene County, Mo., Sheriff’s Office seized a small plastic bag of what appeared to be black tar heroin, a backpack containing 70 grams of methamphetamine, and over $11,960 in cash from Foster during a traffic stop. During a post-Miranda interview, Foster told officers that he was taking the backpack to a co-conspirator for distribution and that he had made six or seven similar trips to deliver methamphetamine.
Tate admitted to possessing and distributing methamphetamine to others as part of the conspiracy.
On Oct. 19, 2021, during a traffic stop, a Springfield, Mo. Police Department (SPD) detective seized over 440 grams of methamphetamine from Tate.
On April 14, 2022, while executing a search warrant for Tate’s residence, SPD officers located a Ruger LCP 380 handgun and a Stoeger Arms, STR 9C 9mm handgun, as well as miscellaneous pills and suspected methamphetamine.
Later in April, during a post-Miranda interview, Tate admitted to purchasing the methamphetamine seized during the Oct. traffic stop from a co-conspirator. He estimated that he was selling a pound of methamphetamine each week.
This case is being prosecuted by Assistant U.S. Attorney Stephanie L. Wan. It was investigated by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Federal Bureau of Investigation, the Greene County, Mo., Sheriff’s Office, the Missouri State Highway Patrol, the Republic, Mo., Police Department, and the Springfield, Mo., Police Department.
Organized Crime and Drug Enforcement Task Force
This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was sentenced in federal court today for his role in a conspiracy to distribute fentanyl, methamphetamine, and heroin and for possession of firearms in furtherance of that conspiracy.
Codi J. Monteer, 38, was sentenced by U.S. District Judge D. Greg Kays to 30 years in federal prison without parole.
On Oct. 8, 2024, Monteer pleaded guilty to one count of conspiracy to distribute fentanyl, methamphetamine, heroin, and marijuana; one count of maintaining a drug involved premises; one count of possession of firearms in furtherance of the drug conspiracy; and one count of being a felon in possession of firearms.
Monteer’s participation in the drug trafficking conspiracy lasted approximately one year and he was responsible for conspiring with others to distribute at least 124 kilograms of methamphetamine; 700 grams of fentanyl (powder and pills); and 1.58 kilograms of heroin. He was also in possession of several firearms used in furtherance of his drug trafficking.
On one occasion, in March 2021, Monteer led members of the Kansas Highway Patrol on a high-speed pursuit that reached speeds of approximately 145 miles per hour. The pursuit did not conclude until two of the tires came off Monteer’s vehicle. During the pursuit, drugs were thrown from the vehicle.
Monteer was an associate of Autumn Dicks, Ian Hazel, They Kelley, Marc Downs, and Jamison Hopson-Stephens. Those individuals have already been sentenced for their roles within the conspiracy. Monteer was also an associate of Davion Williams, Curtis Lewis, Daniel Anderson, and Aaron Dorsey in this conspiracy. Those individuals have all pleaded guilty and are awaiting sentencing.
This case is being prosecuted by Assistant U.S. Attorney Ashleigh A. Ragner. It was investigated by the Kansas City, Mo. Police Department, FBI, United States Postal Inspection Service, and the Kansas State Highway Patrol.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)
ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon after he allegedly stabbed a man multiple times during an altercation near Shiprock.
According to court documents, on the night of April 19, 2025, Navajo Police Department officers responded to a 911 call reporting a stabbing in Shiprock, New Mexico. Officers located the victim who had sustained three stab wounds to his upper and lower back. The victim was transported to the hospital for emergency treatment.
An investigation led by the FBI and Navajo Nation Criminal Investigators revealed that Matthew Charley, 29, an enrolled member of the Navajo Nation, approached the victim and two witnesses. After a brief verbal exchange, the witnesses left the area, leaving Charley and the victim alone. When the witnesses returned a short time later, they found the victim had been stabbed. The victim identified Charley as his assailant.
Law enforcement collected witness statements, obtained video evidence, and reviewed surveillance footage that corroborated the description and movements of the suspect.
Screenshot of video showing Charley
Charley is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Charley faces 10 years in prison.
U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.
The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.
A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
U.S. Coast Guard 7th District PA Detachment Jacksonville Contact: Coast Guard PA Detachment Jacksonville Office: 904-714-7606/7607 After Hours: 786-393-4138 PA Detachment Jacksonville online newsroom
05/21/2025 10:21 AM EDT
JACKSONVILLE, Fla. — The Coast Guard is scheduled to provide boating safety tips and offer boat rides, Friday, during National Safe Boating Week and ahead of Memorial Day weekend at Coast Guard Station Mayport.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)
BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Waleed Abughanem, 33, of Lackawanna, NY, who was convicted of misprision of felony, was sentenced to serve 36 months in prison by U.S. District Judge John L. Sinatra, Jr.
Assistant U.S. Attorneys Charles M. Kruly and Maeve E. Huggins, who handled the case, stated that Abughanem is the son of Khaled Abughanem and the brother of Adham Abughanem. On September 8, 2021, Khaled and Adham Abughanem flew from Buffalo, NY, to Guadalajara, Mexico to kidnap Victim 1, who is the daughter of Khaled and the sister of Adham and Waleed. Between September 10, 2021, and April 6, 2023, Waleed, Khaled and Adham Abughanem conspired to transport Victim 1 from the Western District of New York to Cairo, Egypt, and then to Sanaa, Yemen, where they confined Victim 1 for approximately 16 months with the purpose of marrying her to a man not of her choosing.
Waleed Abughanem knew Victim 1 was being held involuntarily, and during some of this period, he was present in Yemen. When he was not present in Yemen, Waleed Abughanem instructed his wife to monitor and supervise Victim 1. In December 2022, Waleed Abughanem traveled from Yemen to the United States. When questioned by U.S. Customs and Border Protection as to the whereabouts of his siblings, Waleed Abughanem told the CBP Officer that the Victim was in the United States. By making a false statement, Waleed Abughanem concealed that Victim 1 had been kidnapped and was being involuntarily held in Yemen.
Khaled and Adham Abughanem were previously convicted by a federal jury at trial and are awaiting sentencing.
Waleed Abughanem’s sentencing is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia, and the U.S. Department of State’s Diplomatic Security Service, under the direction of Diplomatic Security Director Carlos Matus and Deputy Assistant Secretary Paul Houston. Additional assistance was provided by the Lackawanna Police Department, under the direction of Chief Mark Packard, Customs and Border Protection, under the direction of Director of Field Operations Rose Brophy, and CPB in Boston, Massachusetts.