New measures against cyber fraud: server seizures and a data leak in China

We have compiled the most significant news from the world of cybersecurity over the past week.

On November 12, the United States announced the formation of the Scam Center Strike Force aimed at combating cryptocurrency fraud originating from Southeast Asia. This was reported in a press release from the Department of Justice.

In addition to the Department, the initiative involves the FBI, the Secret Service, and other agencies. The Strike Force is concentrating on key leaders, including members of Chinese criminal organizations operating in Cambodia, Laos, and Myanmar. American companies have been urged to join in blocking the infrastructure used by these criminals.

According to law enforcement, Chinese syndicates are reaching out to Americans through social media and SMS, building trust, and persuading them to invest in cryptocurrency. Victims then transfer funds to counterfeit investment websites hosted on American servers. The scammers quickly launder the money and transfer it out of the U.S.

Many "operators" involved in these schemes in Southeast Asia are effectively victims of human traffickers and work under the control of armed groups. In Cambodia and Laos, the profits from these schemes account for nearly half of the GDP. American losses from such schemes exceed $10 billion annually, according to the Department of Justice.

The press release highlights the achievements of the newly established group:

Law enforcement agencies from nine countries, in collaboration with Europol and Eurojust, conducted another phase of Operation Endgame, aimed at dismantling major cyber threats.

From November 10 to 14, authorities shut down 1,025 servers linked to malicious campaigns by the Rhadamanthys info-stealer, the VenomRAT remote access trojan, and the Elysium botnet. They seized 20 domains and carried out searches in Germany, Greece, and the Netherlands.

The malware infrastructure consisted of hundreds of thousands of infected computers harboring several million stolen accounts. Many victims were unaware of the attacks on their systems.

The operation received support from private industry players, including Cryptolaemus, Shadowserver, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, and others.

During this phase, a key suspect associated with the VenomRAT remote access trojan was arrested. Investigators found that he had access to more than 100,000 victims’ cryptocurrency wallets, the potential value of which is in the millions of euros.

A massive data breach at the Chinese company Knownsec has unveiled the infrastructure of Beijing’s global cyber espionage network, as noted in a post on Mrxn’s Blog. Experts have labeled the incident one of the most significant leaks in the history of state-sponsored hacking.

Over 12,000 confidential files uploaded to GitHub revealed the close connections between commercial contractors like Knownsec and Chinese intelligence structures. Among the clients of the contractor, which is backed by tech giant Tencent, are government agencies, banks, and operators of critical infrastructure.

According to researchers, the leak contains descriptions of a vast toolkit for attacks, including Remote Access Trojans (RATs) for all popular operating systems that collect conversations, contacts, and user geolocation. Hardware backdoors were also discovered, such as a modified power bank charger capable of stealthily extracting data from connected devices.

Internal Knownsec documents indicate the scale of the stolen data:

Beijing, as usual, has not acknowledged the incident, stating only that it "opposes all forms of cyber attacks."

Richard Bleach, the head of software development company XSOC CORP, commented to Resilience Media that the leak demonstrates China's new doctrine: a shift from direct hacking to AI analysis of encrypted data.

"This is a cognitive war — not about breaking into systems, but about training models that understand systems, even when data is encrypted," he noted.

The expert warned that such AI systems are capable of predicting adversaries’ actions based on metadata and telemetry, making traditional defense methods less effective.

The FBI has issued a subpoena to Canadian domain registrar Tucows, requiring the disclosure of the identity of the owner of the web archiving service Archive.today and its mirrors, including Archive.is.

The document states that the requested information "is related to a federal criminal investigation being conducted by the FBI," although details are not disclosed.

The identity and location of the owner of Archive.is have remained unknown since the project’s launch in 2012. It is suspected that the owner may be a resident of Prague operating under the pseudonym Denis Petrov.