INTERPOL-led operation takes down prolific cybercrime ring

5 November 2021
Major gang members in handcuffs, assets seized

SEOUL, Korea - A 30-month transcontinental investigation and operation has resulted in arrests and Red Notices for suspects believed to be behind a global malware crime network.

Two Red Notices, which are internationally wanted persons alerts, have been circulated to INTERPOL’s 194 member countries following a request by Korea’s cybercrime investigation division via INTERPOL’s National Central Bureau in Seoul.

The Notices follow the Ukraine arrest of six members of a notorious ransomware family during a global operation coordinated by INTERPOL with Korean, Ukrainian and US law enforcement authorities in June.

The global strike – codenamed Operation Cyclone – follows global police investigations into attacks against Korean companies and US academic institutions by the Cl0p ransomware threat group.

Cl0p malware operators in Ukraine allegedly attacked private and business targets in Korea and the US by blocking access to their computer files and networks, and then demanded extortionate ransoms for restoring access.

The suspects are thought to have facilitated the transfer and cash-out of assets on behalf of the ransomware group whilst also threatening to make sensitive data public if additional payments were not made.

Intelligence-led operation

Operation Cyclone was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

The resulting intelligence enabled Ukrainian police to search more than 20 houses, businesses and vehicles, confiscate property and computers, and seize USD 185,000 in cash assets, as well as to make the six arrests.

“Despite spiralling global ransomware attacks, this police-private sector coalition saw one of global law enforcement’s first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly,” said INTERPOL’s Director of Cybercrime Craig Jones.

INTERPOL deployed Operation Cyclone with the assistance of information provided by its private partners Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB through INTERPOL’s Gateway project.

Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Further illustrating the power of private sector cooperation in cybercrime investigations, two Korea-based cyber threat companies – S2W LAB and KFSI – also provided INTERPOL with valuable dark web data analysis throughout the operation.

Operation Cyclone continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency.

Significant security threat

The six suspects are believed to be tightly linked to a Russian-language cybercriminal gang known for naming-and-shaming its victims on a Tor leak site, and for moving more than USD 500 million in funds linked to multiple ransomware activities.

Their attacks target key infrastructure, such as transportation and logistics, education, manufacturing, energy, financial, aerospace, telecommunications, healthcare and high-tech sectors worldwide.

If convicted, the six suspects face up to eight years in prison.