Media Coverage

The U.S. Justice Department today announced court-authorized actions taken to disrupt some of the world’s leading Distributed Denial of Service (DDoS) Internet of Things (IoT) botnet services. DDoS services, such as those named in this action, allegedly attacked a wide array of victims in the United States and abroad, including schools, government agencies, gaming platforms, critical infrastructure, including Department of War resources, and millions of people.

This law enforcement action was taken in conjunction with Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructures worldwide, and holding accountable the administrators and users of these illegal services. Principal partners in Operation PowerOFF include EUROPOL; the U.S. Attorney’s Offices for the District of Alaska and Central District of California; DCIS; FBI’s Anchorage Field Office; HSI’s Columbus Field Office; the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and International Computer Hacking and Intellectual Property (ICHIP) attorney advisor, who is based at Eurojust in The Hague; Germany’s Bundeskriminalamt (BKA); Netherlands Police; Polish Central Cybercrime Bureau; Japan’s National Police Agency, France’s Police Nationale, and many others.

Assistance was provided by Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Epieos, Google, Hydrolix, PayPal, Registrar of Last Resort and The ShadowServer Foundation, The University of Cambridge and Unit 221B.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. Internet security watchdog group Shadowserver currently tracks nearly 2,000 FortiClient EMS instances exposed online, with more than 1,400 IPs in the United States and in Europe. However, there are no details on how many have already been patched or have vulnerable configurations.

Over 14,000 F5 BIG-IP APM instances remain exposed online, with attackers actively exploiting the critical remote code execution vulnerability CVE-2025-53521 (CVSS ver. 3.1 score of 9.8), the nonprofit security organization Shadowserver warns. Shadowserver now reports tracking over 14,100 IPs with F5 BIG-IP APM fingerprints exposed online, most of them are in the US (5138), Europe (4750), and Asia (2689).

Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution. Researchers from watchTowr said there were about 30,000 instances visible on the internet, while more targeted analysis from Shadowserver Foundation showed 784 unique IPs were exposed.  The U.S. and Germany are the most widely exposed geographic locations, according to Shadowserver data.

Security researchers at The Shadowserver Foundation have identified a massive internet-facing attack surface, discovering more than 511,000 End-of-Life Microsoft Internet Information Services (IIS) instances currently active online. Shadowserver has made this telemetry available to network owners and national Computer Emergency Response Teams to facilitate targeted remediation efforts. Security professionals can track this data through Shadowserver’s live dashboard maps. The dashboards provide a stark visual representation of both the standard EOL servers and the more critically exposed EOS instances that have exceeded their extended lifecycle

The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.

The operation was conducted simultaneously to law enforcement actions conducted in Canada (Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP) and Sûreté du Québec (SQ)) and Germany (Bundeskriminalamt (BKA) Cyber and Public Prosecutor’s Office in Cologne (ZAC NRW)) which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.

DoDIG DCIS is investigating the case, with assistance from the FBI Anchorage Field Office. Additionally, the U.S. Justice Department thanks Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Epieos, Google, Hydrolix, Lumen, Nokia, Okta, Oracle, PayPal, Registrar of Last Resort, The Shadowserver Foundation, Sony Interactive Entertainment, SpyCloud, Synthient, Team Cymru, Unit 221B, XLAB and Netherlands Politie and EUROPOL’s PowerOFF team for their assistance provided during this investigation and operation.

The Cyber Security Agency (CSA) has organised a capacity-building workshop for members of Vice-Chancellors’ Ghana (VCG) in Accra to strengthen cybersecurity leadership and resilience within Ghana’s tertiary education sector. It was organised in partnership with the Shadowserver Foundation and the Forum of Incident Response and Security Teams (FIRST) to enhance understanding of the evolving cybersecurity landscape affecting higher education institutions.

Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office are investigating the case. Investigators and prosecutors from several jurisdictions provided assistance, including Europol, Eurojust, and authorities in the following countries: Austria, Bulgaria, France, Germany, Hungary, Netherlands and Romania.

Additionally, the Department of Justice offers its thanks to Lumen’s Black Lotus Labs and the Shadowserver Foundation for the assistance provided by each during the investigation and the operation.

A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.

The action was carried out by law enforcement partners and private sector stakeholders working hand in hand, coordinated by Europol’s European Cybercrime Centre (EC3). Law enforcement authorities: Latvia: State Police, Lithuania: Criminal Police Bureau, Portugal: Judicial Police, Poland: Central Cybercrime Bureau, Spain: National Police and Guardia Civil, United Kingdom: National Crime Agency. Private partners engaged through Europol: Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud, Trend Micro.

The Cyber Intelligence Extension Programme (CIEP) strengthens public-private cooperation in tackling cybercrime by enabling private-sector partners to contribute actionable intelligence to support operational outcomes. This Europol programme – a first of its kind – brings together experts from the private sector to work temporarily side by side in The Hague on specific projects with EC3 analysts and investigators.