FACT SHEET: CCIPS Enforcement Actions to Combat Cybercrime
The Criminal Division’s Computer Crime & Intellectual Property Section (CCIPS) is a leader in the Department’s efforts to fight cybercrime, including criminal schemes involving ransomware, other malware, online criminal marketplaces, and cryptocurrency offenses. Since 2021, CCIPS, working with U.S. Attorney’s Offices, the Federal Bureau of Investigation, and other domestic and international law enforcement partners, has:
- disrupted seven of the most prolific ransomware variants, including by seizing their infrastructure and distributing their decryption keys to victims—thereby saving victims from having to pay hundreds of millions of dollars in ransom payments;
- ended the operation of a malicious proxy service, three criminal cryptocurrency money laundering or transmitting services, two major hacker forums, and two online criminal marketplaces—thereby disrupting criminals who were using those services for narcotics trafficking, computer crimes, identity theft, and child exploitation;
- liberated more than 20 million computers from botnets or other forms of malicious software; and
- publicly announced the conviction of over 100 defendants in connection with schemes involving ransomware, malware, criminal marketplaces, and cryptocurrency.
Details are below:
Key Actions Against Ransomware Groups
- LockBit (D.N.J.): In 2024, the Department significantly degraded LockBit’s capacity to cause harm by seizing control of the group’s infrastructure, charging LockBit actors, including its alleged creator and administrator, Dmitry Yuryevich Khoroshev, and securing convictions of LockBit affiliates. LockBit, the most prolific ransomware group in the world at certain times, targeted over 2,000 victims and stole more than $100 million.
- Sodinokibi/REvil (N.D. Tex.): In May 2024, a member of the REvil group, Yaroslav Vasinskyi, was sentenced to more than 13 years in prison for his role in a scheme to launch thousands of Sodinokibi/REvil ransomware attacks, demanding over $700 million in ransom payments. Previously, the Department also charged another co-conspirator and seized millions in funds traceable to alleged ransom payments.
- AlphV/Blackcat (S.D. Fla.): In December 2023, the Department announced a disruption campaign against the Blackcat ransomware group—also known as AlphV or Noberus—and developed a decryption tool that saved multiple victims from ransom demands totaling approximately $68 million. At the time of the disruption operation, AlphV/Blackcat was the second most prolific group providing ransomware-as-a-service—that is, providing ransomware code and technical support for use by criminals.
- Conti (M.D. Tenn.): In September 2023, the Department announced charges against four Russian cybercrime actors involved in the Conti ransomware group. Conti was used to attack more than 900 victims worldwide, including critical infrastructure victims.
- Hive (M.D. Fla.): In January 2023, the Department announced a months-long disruption campaign against the Hive ransomware group that targeted more than 1,500 victims, including hospitals, school districts, financial firms, and critical infrastructure. The operation, which involved penetrating Hive’s computer networks and capturing its decryption keys, prevented victims from having to pay $130 million in ransom demanded.
- NetWalker (M.D. Fla.): In October 2022, a member of the NetWalker ransomware group, Sebastian Vachon-Desjardins, was sentenced to 20 years in prison and ordered to forfeit $21.5 million. The prosecution followed the Department’s coordinated disruption of NetWalker’s criminal online infrastructure during the prior year.
- DarkSide (N.D. Cal.): In June 2021, the Department seized 63.7 bitcoins, then valued at approximately $2.3 million, representing the proceeds of the DarkSide ransomware attack targeting Colonial Pipeline, which had caused the disruption of critical infrastructure.
Key Actions Involving Malware, Darknet Marketplaces, and Cryptocurrency Offenses
Malware
- 911 S5 Botnet (E.D. Tex.): In May 2024, the Department announced the disruption of the 911 S5 botnet and arrest of its founder and administrator, YunHe Wang. The botnet had infected over 19 million IP addresses, enabled billions of dollars in fraud, and facilitated cyber-attacks, access to child exploitation materials, bomb threats, and export violations.
- Zeus (D. Neb.) and IcedID (E.D.N.C.): In February 2024, the Department secured the conviction of Vyacheslav Igorevich Penchukov, a leader of schemes involving the Zeus and IcedID malware that caused tens of millions of dollars of losses. Both Zeus and IcedID enabled the theft of bank account information from compromised devices, and IcedID provided access to infected computers for ransomware, among other malware.
- IPStorm Botnet (D.P.R.): In November 2023, the Department secured the guilty plea of Sergei Makinin, who developed and controlled the IPStorm botnet, which infected tens of thousands of computers and networked devices around the world, including Asia, Europe, North America, and South America. The Department simultaneously announced its dismantlement of the botnet.
- Qakbot (C.D. Cal.): In August 2023, the Department announced the coordinated disruption of a botnet and malware known as Qakbot that had infected more than 700,000 computers, facilitated ransomware, and caused hundreds of millions of dollars in damage.
- TrickBot (N.D. Ohio): In January 2024, Vladimir Dunaev was sentenced for providing specialized services and technical abilities in furtherance of the Trickbot malware scheme. Trickbot, which was taken down in 2022, was a suite of malware tools designed to steal money and facilitate the installation of ransomware, including Conti. Nine other Russian nationals have also been charged for their roles in the Trickbot scheme.
Online Criminal Marketplaces
- BreachForums (E.D. Va.): In July 2023, the Department secured the conviction of Conor Brian Fitzpatrick for creating and administering BreachForums, a data breach forum with 340,000 members that offered billions of stolen records. The conviction followed an international disruption operation that caused BreachForums to go offline in March 2023.
- Genesis Market (E.D. Wisc.): In April 2023, the Department announced the coordinated disruption of Genesis Market, a criminal online marketplace that advertised and sold packages of account access credentials—such as usernames and passwords for email, bank accounts, and social media—stolen from malware-infected computers around the world. Genesis Market offered access to data stolen from over 1.5 million compromised computers around the world containing over 80 million account access credentials.
- Hydra Market (N.D. Cal.): In April 2022, the Department announced the seizure of Hydra Market, the world’s largest and longest-running darknet market. In 2021, Hydra accounted for an estimated 80% of all darknet market-related cryptocurrency transactions, and since 2015, the marketplace had received approximately $5.2 billion in cryptocurrency.
- RaidForums (E.D. Va.): In February 2022, the Department announced the seizure of RaidForums, the then-largest English-language forum for cybercriminals to buy and sell hacked data, and the arrest of RaidForums’ founder and chief administrator. At the time, RaidForums was one of the world’s largest data breach marketplaces.
- Emotet Botnet (M.D.N.C.): In January 2021, the Department announced the disruption of a botnet and malware known as Emotet that had infected more than 1.6 million victim computers and caused hundreds of millions of dollars in damage worldwide. Emotet targeted critical industries worldwide, including banking, e‑commerce, healthcare, academia, government, and technology.
Cryptocurrency Offenses
- BTC-e (N.D. Cal.): In May 2024, the Department secured the conviction of Alexander Vinnik, an operator of a criminal money laundering service—the cryptocurrency exchange BTC-e—that moved over $9 billion worth of transactions, served over one million users, and caused criminal losses in excess of $100 million. U.S. law enforcement successfully dismantled BTC-e in 2017.
- Bitcoin Fog (D.D.C.): In March 2024, the Department secured the conviction of Roman Sterlingov for offenses relating to his administration of Bitcoin Fog, the longest-running bitcoin money laundering service on the darknet. Bitcoin Fog moved over 1.2 million bitcoin (~$400 million at the time) that primarily came from darknet marketplaces and was tied to illegal narcotics, computer crimes, identity theft, and child exploitation materials.
- Bitzlato (E.D.N.Y.): In December 2023, the Department secured the conviction of Anatoly Legkodymov for operating Bitzlato as an unlicensed money transmitting business. Bitzlato was a cryptocurrency exchange that was open for business to criminals and processed more than $700 million in illicit funds, including millions in ransomware proceeds.
- Bitfinex Hack (D.D.C.): In August 2023, the Department secured the convictions of a married couple for money laundering conspiracies arising from the theft and hack of approximately 120,000 bitcoin from Bitfinex, a global cryptocurrency exchange. As part of the prosecution, the government also seized more than $4 billion worth of bitcoin from wallets that were controlled by the defendants or that could be tied to the hack.