Article
Law Enforcement Actions Leave ALPHV/BlackCat Scrambling to Salvage Operations
Cyber Threats
Threat Actors
Combating Ransomware

Through a coordinated law enforcement effort spearheaded by the FBI, ALPHV/BlackCat infrastructure was disrupted on December 7, 2023, in an operation publicly announced on December 19, 2023. After terrorizing businesses and organizations for over two years, the notorious ransomware group may have finally met its match.
What happened to BlackCat’s Infrastructure?
On December 7, 2023, the data leak website for ALPHV/BlackCat went offline and remained offline for more than 30 hours. This is one of the most prolonged disruptions the group has faced, as it previously only experienced periodic outages due to technical hosting issues. The BlackCat data leak site came back online with all data from previous victims removed before apparently being taken down for good on December 19, 2023, when existing BlackCat branding was replaced by an FBI banner including a TOR-based tip line for information on BlackCat and its affiliates.

Figure 1: Law Enforcement Seizure Banner Displayed on Known ALPHV/BlackCat Data Leak Sites on December 19, 2023
The BlackCat Decryptor
Prior to the takedown of BlackCat’s infrastructure, law enforcement maintained access to the threat actor’s environment for months and was able to obtain victim-specific decryption keys to BlackCat’s ransomware executable by monitoring the environment. The FBI used these decryption keys to offer decryption to 500 BlackCat victims as the FBI neared publicizing the takedown. The FBI estimated they were able to save organizations a total of $68 million in ransom demands.
However, based on Arete data, this is likely a conservative number. With an average initial ransom demand of $2.28 million in 2023, BlackCat demands observed by Arete are significantly higher than the demands calculated by law enforcement. While ransom payments are often significantly discounted from the original $2.28 million demand following a negotiation process, it is possible that this action taken by law enforcement could have saved victim organizations as much as five times as what was assessed by the FBI. Alternatively, the gap between Arete and the FBI’s estimated ransom payments may indicate how many organizations had either already paid a ransom before the decryption keys were available or were able to recover without paying the ransom.
The After-Action Report
While the initial data leak site (DLS) disruption nearly two weeks ago caused BlackCat’s operations to decrease significantly, three new victims were posted to the DLS between when the site came back online and when it was finally seized by the FBI. In one of those postings, BlackCat claimed to have reported a new victim to the Securities and Exchange Commission (SEC). In the intervening period, Arete also responded to a BlackCat engagement in which the threat actors utilized an old BlackCat encryptor. Therefore, while the infrastructure takedown certainly disrupted the scale and speed of BlackCat operations, it did not stop the operations of all affiliates.
Shortly after the FBI announced the website seizure on December 19, 2023, ALPHV/BlackCat’s operators stood up a new data leak site and claimed their website was “unseized.” Security researchers assess that BlackCat operators maintained access to the keys used to sign the original data leak site but lost access to their original servers. After standing up the new data leak site, BlackCat made a new post about a victim and stated they will no longer give victims additional time to conduct negotiations. The operators also stated they will harass executive teams and their children, report companies to the SEC and US Department of Health and Human Services (HHS), and release a clearnet (regular internet) link to data on victims.

Figure 2 ALPHV/BlackCat Post Excerpt Uploaded December 19, 2023
With a lack of trust in their own infrastructure, BlackCat affiliates began communicating with victims directly via email rather than relying on typical communication methods. While attempting to continue operations to the best of their ability, BlackCat operators reportedly later discovered that law enforcement gained access to a compromised domain controller and issued a concerning statement to their affiliates, giving them permission to “take the gloves off” in future operations.
The statement shared that all previously observed rules, minus the inability to target CIS* countries, no longer apply to BlackCat affiliates, and an increased percentage of ransom payments, now 90%, will go to affiliates. Additionally, several targets that were reportedly previously forbidden, such as hospitals and nuclear power plants, are now fair game for affiliates to target with the BlackCat encryptor. Finally, BlackCat stated they will no longer accept discounts from the original ransom demand. With an average negotiated discount of 63% off the original ransom demand observed by Arete, the inability to negotiate could cost BlackCat victims millions of dollars if they choose to make ransom payments.
Who is ALPHV/BlackCat?
ALPHV/BlackCat is a ransomware-as-a-service (RaaS) group that first emerged in November 2021. The group operates by providing ransomware software and infrastructure to other cybercriminals, who then use it to launch attacks on various targets. The group takes a cut of the ransom payments and leaks the stolen data of its victims on its Dark Web site. The group is also known for its unique extortion methods, which include reporting its victims to the SEC and creating false domains to impersonate victims and leak data.
Since its inception, ALPHV/BlackCat listed over 650 companies on its data leak site, making it one of the most prolific and dangerous ransomware groups active today. Throughout 2023, BlackCat was the most frequently observed ransomware group in Arete’s industry data. Among 56 different ransomware and extortion groups observed in 2023, BlackCat accounted for nearly a quarter of Arete’s overall engagements.

Figure 3: Visual from Arete’s Q3 2023 Crimeware Report
Affiliates of ALPHV/BlackCat include Scattered Spider, the ransomware group behind the brazen cyberattacks against MGM Resorts, Caesars, and more. The FBI and CISA issued a joint advisory about Scattered Spider in November 2023, warning of their use of ALPHV/BlackCat ransomware.
What are the implications of this takedown?
While the full implications of this takedown are currently unknown, it could have significant implications for the ransomware landscape. The takedown may disrupt the activities of many affiliates relying on ALPHV/BlackCat’s ransomware encryptor and infrastructure, likely forcing existing affiliates to move on to other ransomware programs or develop their own. Notably, LockBit ransomware quickly seized the opportunity to advertise that BlackCat affiliates could continue their current operations under LockBit’s RaaS operation. Additionally, this could lead to the emergence of new ransomware variants and groups, with affiliates bringing experience from previous programs. This happened before when law enforcement actions against other ransomware groups, such as DarkSide and REvil, resulted in the formation of new groups, like BlackMatter and Haron. Even before the FBI takedown, Arete observed a splintering of BlackCat affiliates, with groups like Scattered Spider conducting solo operations alongside operations using the BlackCat encryptor.
While the takedown of ALPHV/BlackCat’s websites is a positive development in the fight against ransomware, it is not a definitive victory. Ransomware remains a persistent and evolving threat that requires constant vigilance and collaboration from all stakeholders, including governments, businesses, and individuals.
BlackCat has been a widely impactful ransomware group, in part because it relied on affiliates with diverse means of compromising victims. Arete observed a wide variety of initial access measures in engagements involving ALPHV/BlackCat affiliates, including a sophisticated capability to exploit software and hardware vulnerabilities. Preventing BlackCat attacks and future ransomware attacks from affiliates that escape law enforcement requires a strong patch management program that prioritizes vulnerabilities with publicly released exploit code. Additionally, managing remote management tools in an environment is critical in preventing similar attacks. Arete identified third-party remote access tools as the initial intrusion method in more than eight percent of ALPHV/BlackCat engagements, but analysis of the full lifecycle of an ALPHV/BlackCat engagement showed those tools being used throughout the attacks to enable attacker operations. Neither method is unique to BlackCat operators and remains an important focus for defenders.
Footnotes
*The Commonwealth of Independent States (CIS) is a regional intergovernmental organization formed following the dissolution of the Soviet Union, including Russia, Belarus, Kazakhstan, Moldova, Armenia, Tajikistan, Uzbekistan, Kyrgyzstan, Azerbaijan, and Turkmenistan.
Sources
Back to Blog Posts
Article
FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations.
What’s Notable and Unique
Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities.
Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group.
The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.
Mitigations
Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.
Analyst Comments
The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.
Sources
Is FortiBleed Linked to INC and Lynx Ransomware?
FortiBleed credential-theft campaign linked to Lynx ransomware
FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups
Article
Ransomware Trends & Data Insights: June 2026
Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026
Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:
In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.
In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.
Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.
Sources
Arete Internal
Article
Update on FortiBleed Credential Exposure
Last week, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways. The campaign relies heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation.
Attackers first scan for exposed FortiGate devices and rank targets based on revenue. SSH brute-force attacks are used against admin accounts to gain initial access.
Following initial access, operators deploy stealthy packet-sniffing capabilities and establish external listening posts to receive harvested credentials and session data in near real time.
Observed post-exploitation activity strongly indicates pre-positioning for broader enterprise compromise, including lateral movement and potential ransomware deployment.
The scale of exposure and attack activity has been significant and globally distributed. The campaign has been ongoing since at least February 2026, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 nations.
How Arete Can Help
Arete continues to monitor this campaign, utilizing our extensive experience in detection, threat hunting, and attack surface review to look for indications of unauthorized activity related to this database exposure. Additional information regarding important considerations, containment and credential compromise mitigation actions, and additional hardening recommendations can be found in Arete’s FortiBleed Advisory.
Sources
FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist
FortiBleed: The Most Detailed Breakdown Yet of an Active Russian Credential-Harvesting Operation
Hackers Using FortigateSniffer Tool That Turns Compromised Firewalls Into Password Collectors
Article
Europol Disrupts AudiA6 Crypto Laundering Service
European authorities have dismantled AudiA6, a major cryptocurrency laundering service linked to ransomware groups and broader cybercriminal networks. Between 2022 and 2025, the platform is believed to have processed over €336 million in illicit funds, enabling threat actors to obscure financial trails and monetize cybercrime proceeds. Its operators are also suspected of running Dark2Web, a dark web forum that facilitated collaboration, services, and connections among cybercriminals globally. This development underscores the expanding role of sophisticated, large-scale cryptocurrency laundering services in sustaining the cybercrime economy, enabling threat actors to obscure illicit funds and evade regulatory controls.
What’s Notable and Unique
Following law enforcement disruption of Cryptex and Garantex, AudiA6 emerged as another platform involved in financial activities linked to ransomware groups. Investigators believe that AudiA6 became a central hub for cybercriminals seeking to launder stolen digital assets while obscuring the transaction trail from authorities.
On June 10, 2026, a coordinated operation resulted in two arrests in Georgia, the dismantling of key infrastructure (30+ servers, 25 domains), the freezing or seizure of over €778,000 in crypto, and the takedown of the AudiA6 and Dark2Web platforms.
Analyst Comments
Ransomware groups and cybercriminal networks are increasingly leveraging sophisticated techniques, including chain-hopping, decentralized exchanges, and mixer-as-a-service platforms, to rapidly move illicit cryptocurrency across multiple blockchains, effectively obscuring transaction trails. Concurrently, the widespread use of fraudulent exchange accounts, mule wallets, and privacy-enhancing tools has elevated cryptocurrency laundering to a core enabler of the cybercrime ecosystem, allowing actors to bypass anti-money-laundering controls at scale. This investigation identified over 6,000 KYC records linked to money-mule accounts, many of which were tied to Russian-speaking intermediaries specifically recruited to facilitate the movement of illicit proceeds. These threat actors systematically used both commercial and domain-controlled email services to establish mule accounts across multiple cryptocurrency platforms. Collectively, these findings underscore the growing scale, coordination, and professionalization of cryptocurrency-enabled crime, highlighting the critical need for sustained, intelligence-led, and internationally coordinated efforts to disrupt these evolving financial ecosystems.
Sources
Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline



