CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Three Dutch Teens Involved in Russian Cyber Espionage Probe

First reported
Last updated
4 unique sources, 4 articles

Summary

Hide ▲

Three Dutch teenagers, aged 17, are suspected of providing services to a foreign power, with one having ties to a Russian-government affiliated hacker group. One of the suspects instructed the others to map WiFi networks in The Hague for digital espionage and cyber-attacks. The investigation, led by the State Interference Team of the National Investigation and Interventions Unit, began after a report from the Military Intelligence and Security Service (MIVD). The first two suspects were arrested on September 22, while a third suspect was interviewed and had data devices confiscated but was not arrested due to his limited role. The Netherlands updated its Criminal Code in May 2025 to include penalties for digital espionage, with a maximum sentence of eight years, extendable to 12 years in serious cases. On September 23, 2025, two Dutch teenagers were arrested for attempting to spy on Europol and other targets in The Hague using WiFi sniffer devices. The teens were recruited via Telegram and were acting on behalf of Russian interests. The incident involved reconnaissance activities near Europol, Eurojust, and the Canadian embassy. Europol confirmed the incident but stated there were no signs of a compromise on their systems. One of the teens was placed on home bail with an ankle monitor, while the other remained in custody. Investigators seized electronic equipment from the teen's home. The teen's father reported that his son has a part-time job, is a heavy gamer, and is computer savvy with a fascination for hacking. Similar incidents involving individuals recruited by Russian hackers were recently reported in Germany and Ukraine. Dutch Prime Minister Dick Schoof noted that the incident fits a pattern of a type of hybrid attack conducted by Russia against Europe. The news illustrates what may be a rising trend of Russian threat actors utilizing the youth of foreign countries to do their dirty work. The alleged use of a simple Wi-Fi sniffer emphasizes how nation-state actors can outsource reconnaissance to impressionable youth via social media, propaganda, and ultimately shield themselves from attribution.

Timeline

  1. 17.10.2025 17:45 1 articles · 23h ago

    Third Teenager Interviewed and Devices Confiscated

    A third suspect, also a minor, was recently interviewed by the police and had data carrying devices confiscated. This person was not arrested because of his 'limited role' in the case.

    Show sources
    Open in new tab
  2. 27.09.2025 17:17 4 articles · 21d ago

    Dutch Teens Arrested for Attempting to Spy on Europol for Russia

    The investigation is being conducted by the State Interference Team of the National Investigation and Interventions Unit. It started after an official report from the Military Intelligence and Security Service (MIVD). The first two suspects were arrested on September 22. A third suspect, also a minor, was recently interviewed by the police, and had data carrying devices confiscated. This person was not arrested because of his 'limited role' in the case. The Netherlands updated its Criminal Code in May 2025 to include penalties for digital espionage, with a maximum sentence of eight years, extendable to 12 years in serious cases.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Europol Conference Highlights Data Access Challenges in Cybercrime Investigations

Europol's 4th Annual Cybercrime Conference 2025 convened in The Hague, focusing on the critical challenge of balancing data access for investigations with privacy and digital rights. The event underscored the need for stronger data laws and international cooperation to combat cybercrime. The conference, attended by 500 participants, emphasized the rapid exploitation of encryption and anonymization technologies by criminals, outpacing regulatory and law enforcement adaptations. Key themes included the need for updated laws, improved cross-border data sharing, and enhanced cyber diplomacy. The event also highlighted successful operations like Operation Eastwood and Operation Ratatouille, demonstrating the impact of coordinated efforts in disrupting cybercrime activities.

Open in new tab

Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure

Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.

Open in new tab

ShinyHunters and Scattered Spider Collaboration

Jaguar Land Rover (JLR) has confirmed a data breach following a recent cyberattack that disrupted its operations. The attack, which forced JLR to shut down systems and instruct staff not to report to work, involved data theft. The company is collaborating with the U.K. National Cyber Security Centre (NCSC) to investigate the incident. A group called 'Scattered Lapsus$ Hunters', associated with Lapsus$, Scattered Spider, and ShinyHunters, has claimed responsibility for the breach, sharing screenshots of an internal JLR SAP system and claiming ransomware deployment. This attack is part of a broader pattern of Salesforce data theft attacks, which have impacted numerous organizations this year. The FBI has issued a flash alert on UNC6040 and UNC6395, groups targeting Salesforce platforms, exploiting OAuth tokens and using vishing campaigns. The group 'Scattered Lapsus$ Hunters 4.0' announced it is shutting down on September 12, 2025, possibly to avoid law enforcement attention. However, cybersecurity researchers believe the group will continue conducting attacks quietly despite their claims of going dark. ShinyHunters and Scattered Spider, two distinct cybercrime groups, have been collaborating on attacks, leveraging each other's strengths in large-scale data theft and social engineering. This collaboration has targeted major companies across multiple sectors, including retail, insurance, and aviation. The groups have used tactics such as vishing, domain spoofing, and VPN obfuscation for data exfiltration. Recent attacks have impacted Farmers Insurance, with 1.1 million customers affected by a breach involving a third-party vendor's Salesforce database. The group 'Scattered Lapsus$ Hunters' claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement to gain access to sensitive user data. Google confirmed the creation of a fraudulent account in its LERS platform but stated that no data was accessed. The groups have been observed using similar domain formats and registry characteristics, suggesting a coordinated effort. This collaboration poses a significant threat to organizations, requiring a shift in defensive strategies to focus on behavioral patterns and proactive detection measures. The groups are now targeting Salesforce customers and may expand to financial services and technology providers. A new Telegram channel emerged, conflating ShinyHunters, Scattered Spider, and LAPSUS$, claiming to develop a ransomware-as-a-service solution. BreachForums has been commandeered by international law enforcement and turned into a honeypot. Workday confirmed a breach involving a third-party CRM system, likely linked to ShinyHunters' Salesforce attacks. Attackers used social engineering to impersonate Workday's HR department, gaining access to business contact information. Workday quickly blocked access to the compromised system and adopted additional internal security measures. The attack on Allianz Life involved the theft of personal information of 1.1 million individuals, impacting nearly 1.4 million customers. The stolen data includes email addresses, names, genders, dates of birth, phone numbers, and physical addresses. The attackers used a malicious OAuth app to gain access to Salesforce instances, and the extortion demands were signed as coming from ShinyHunters, a known extortion group. The breach was first reported by TechCrunch and confirmed by Allianz Life on July 16. The compromised data was hosted on a Salesforce database, affecting multiple companies. Scattered Spider has resumed attacks targeting the financial sector, despite previous claims of going 'dark'. The group gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management. They accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network. The group attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories. Their recent activity undercuts claims of ceasing operations, suggesting a strategic move to evade law enforcement pressure. Scattered Spider is part of a broader online entity called The Com and shares significant overlap with ShinyHunters and LAPSUS$. The group's retirement claims are likely a strategic retreat to reassess practices, refine tradecraft, and evade ongoing efforts to disrupt their activities. Scattered Spider may regroup or rebrand under a different alias in the future, similar to ransomware groups. The group's farewell letter is viewed as a strategic retreat to complicate attribution efforts and evade law enforcement. Scattered Spider's recent activity includes targeted intrusions against a U.S. banking organization, using sophisticated tactics to evade detection. The UK National Crime Agency (NCA) has arrested two teenagers, Owen Flowers and Thalha Jubair, linked to the Scattered Spider hacking collective. Owen Flowers, 18, from Walsall, and Thalha Jubair, 19, from East London, are scheduled to appear at Westminster Magistrates Court. Flowers was previously arrested in September 2024 for his alleged involvement in the Transport for London (TfL) attack and was released on bail. Additional evidence links Flowers to attacks against U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health. Thalha Jubair was charged with conspiracies to commit computer fraud, money laundering, and wire fraud, affecting at least 47 U.S. organizations. Jubair and his accomplices have received at least $115 million in ransom payments from victims. The TfL cyberattack in August 2024 disrupted internal systems and online services, and compromised customer data including names, contact details, and addresses. TfL provides transportation services to over 8.4 million Londoners through its surface, underground, and Crossrail transport systems. In May 2023, TfL experienced another security breach when the Clop ransomware gang stole data from one of its suppliers' MOVEit Managed File Transfer (MFT) servers. A member of the notorious cybercrime group Scattered Spider has turned himself in to authorities in Las Vegas. The suspect, identified by the FBI's Las Vegas Cyber Task Force, faces charges including extortion and computer-related crimes. The Clark County District Attorney's Office is seeking to transfer the juvenile to the criminal division to face charges as an adult. Meanwhile, two other suspected members, Thalha Jubair and Owen Flowers, were arrested in the UK for their involvement in the Transport for London (TfL) hack. Despite the group's announcement of shutting down operations, security researchers remain skeptical, pointing to evidence of continued activity. Three members of Scattered Spider were arrested in September 2025, following their announcement of shutting down operations. Noah Urban, a key member of Scattered Spider, was sentenced to ten years in prison for his role in SIM-swapping and cybercrime activities. Urban's role involved social engineering to gain access to sensitive systems, using tactics such as SIM-swapping and phishing. Urban's activities included breaching T-Mobile's customer service portal and exploiting a Twilio employee's credentials. The group 0ktapus, which includes Scattered Spider members, was involved in high-profile breaches, including the theft of personal information from Gemini Trust. A man from West Sussex was arrested in connection with a ransomware attack that disrupted operations at several European airports, including Heathrow. The ransomware variant used in the attack was identified as HardBit, described as an "incredibly basic" variant. The attack affected Collins Aerospace baggage and check-in software, causing flight delays at multiple airports. The Co-operative Group in the U.K. reported a loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack caused a revenue reduction of £206 million ($277 million) and additional losses of £20 million ($27 million) expected for the second half of 2025. The Co-op Group operates 2,300 food retail stores and 59 franchise stores. The cyberattack forced the Co-op to shut down parts of its IT systems, causing disruptions to back-office and call-center services. Scattered Spider affiliates were responsible for the Co-op cyberattack, stealing personal data of 6.5 million members. The Co-op had to rebuild its Windows domain controllers and extend system unavailability due to the attack. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response to the attack prevented encryption but resulted in significant financial impact and operational disruptions. The Co-op implemented manual processes, rerouted items, and offered discounts to mitigate the impact of the cyberattack. The Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco, due to the cyberattack. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

Open in new tab