CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Global Law Enforcement Disrupts Black Axe Cybercrime Operations

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A coordinated international law enforcement operation led by Europol has resulted in the arrest of 34 individuals associated with the Black Axe cybercrime gang. The operation, conducted with the support of the Spanish National Police and the Bavarian State Criminal Police Office, targeted key members of the group across Spain. The arrests and seizures have caused significant disruptions to Black Axe's operations, which include business email compromise (BEC) attacks, romance scams, phishing campaigns, and other forms of online fraud. The group is believed to generate billions annually, with the Spanish branch alone responsible for nearly €5.93 million in damages. Black Axe is a hierarchical criminal group that originated in Nigeria in 1977 and has spread to dozens of countries across the world, with about 30,000 registered members and other affiliates such as money mules and facilitators. The group specialized in man-in-the-middle (MITM) scams, including business email compromise (BEC). The damages caused by the cybercriminals in the last 15 years exceed $6 million, with $3.5 million linked to this operation. Four main suspects have been put into pretrial detention facing charges of aggravated continuous fraud, membership in a criminal organization, money laundering, document forgery, and obstruction of justice. The investigation is ongoing, and more arrests may follow.

Timeline

  1. 09.01.2026 15:01 3 articles · 2d ago

    Europol-Led Operation Disrupts Black Axe Cybercrime Gang

    A coordinated international law enforcement operation led by Europol resulted in the arrest of 34 individuals associated with the Black Axe cybercrime gang. The operation, conducted with the support of the Spanish National Police and the Bavarian State Criminal Police Office, targeted key members of the group across Spain. The arrests and seizures have caused significant disruptions to Black Axe's operations, which include business email compromise (BEC) attacks, romance scams, phishing campaigns, and other forms of online fraud. The group is believed to generate billions annually, with the Spanish branch alone responsible for nearly €5.93 million in damages. Black Axe is a hierarchical criminal group that originated in Nigeria in 1977 and has spread to dozens of countries across the world, with about 30,000 registered members and other affiliates such as money mules and facilitators. The group specialized in man-in-the-middle (MITM) scams, including business email compromise (BEC). The damages caused by the cybercriminals in the last 15 years exceed $6 million, with $3.5 million linked to this operation. Four main suspects have been put into pretrial detention facing charges of aggravated continuous fraud, membership in a criminal organization, money laundering, document forgery, and obstruction of justice. The investigation is ongoing, and more arrests may follow.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

GXC Team CaaS Platform Dismantled in Spain

Spanish authorities have dismantled the GXC Team, a crime-as-a-service (CaaS) operation. The group offered AI-powered phishing kits, Android malware, and voice-scam tools. The leader, a 25-year-old Brazilian known as “GoogleXcoder,” was arrested in San Vicente de la Barquera, Cantabria, after a year-long investigation involving six coordinated raids across Spain. The group targeted banks, transport, and e-commerce entities in multiple countries. The operation involved coordinated raids across seven Spanish regions, seizing electronic devices and cryptocurrency. The investigation is ongoing, with potential further arrests. The GXC Team's leader, known as GoogleXcoder, lived as a digital nomad, relocating between multiple homes in different Spanish provinces. The police identified six other individuals allegedly associated with the CaaS operation. The GXC Team's Telegram channels were deactivated, and digital evidence is being examined to identify other suspects. The CaaS operation emerged in 2023, offering advanced phishing kits, an SMS-stealing Android trojan, and tools for AI-supported voice scams.

Open in new tab

Interpol-led Operation HAECHI VI Seizes $439 Million in Global Cybercrime Crackdown

Interpol and 40 countries' law enforcement agencies seized $439 million in cash and cryptocurrency during Operation HAECHI VI, a five-month operation targeting cyber-enabled financial crimes. The operation, conducted between April and August 2025, involved a wide range of criminal activities, including voice phishing, investment fraud, e-commerce fraud, online sextortion, business email compromise, romance scams, and money laundering. The operation resulted in the seizure of 400 cryptocurrency wallets, blocking of 68,000 bank accounts, and the arrest of 45 suspects in Portugal. Additionally, Thai police seized $6.6 million transferred by a Japanese corporation into accounts controlled by a transnational organized crime group. This operation is part of a series of global efforts to combat cyber-enabled financial crimes, with previous operations HAECHI V and HAECHI IV also resulting in significant seizures and arrests.

Open in new tab

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. Authorities in Nigeria have arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme, including Okitipi Samuel, also known as Moses Felix, identified as the principal suspect and developer of the phishing infrastructure. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, seizing laptops, mobile devices, and other digital equipment linked to the operation. The stolen data was used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks. The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The authorities identified individuals who administered the phishing toolkit 'Raccoon0365,' which automated the creation of fake Microsoft login pages for credential theft. The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September. It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria. One of the arrested suspects is an individual named Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' whom the police believe is the developer of the phishing platform. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation. The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.

Open in new tab

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Open in new tab

Volodymyr Tymoshchuk Charged for LockerGoga, MegaCortex, Nefilim Ransomware Operations

Ukrainian national Volodymyr Viktorovich Tymoshchuk has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk faces multiple charges related to computer fraud, unauthorized access, and threatening to disclose confidential information. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities. Nefilim ransomware has been rebranded as Fusion, Milihpen, Gangbang, Nemty, and Karma.

Open in new tab