Global Cyber Threats: Arrest of Major Scammers, Louvre Security Failures, and New Sanctions Against North Korea

We’ve compiled the week’s most significant updates from the realm of cybersecurity.

European law enforcement agencies apprehended nine alleged members of a network responsible for stealing over 600 million euros from victims across various countries. This information was detailed in a press release by Eurojust.

The scammers established counterfeit investment platforms that were superficially similar to legitimate cryptocurrency services, promising their "clients" high returns. Victims were lured through social media, phone calls, and advertisements. After transferring their funds, users found themselves unable to access their cryptocurrency.

The operation took place on October 27 and 29 in Spain, Germany, and Cyprus. Those arrested face charges related to money laundering stemming from fraudulent activities. During the searches, authorities seized 800,000 euros from bank accounts, 415,000 euros in cryptocurrency, and 300,000 euros in cash.

On November 4, the U.S. Treasury announced sanctions against global financial institutions linked to North Korea and associated individuals.

They were accused of laundering revenue generated from illegal activities, including cybercrime and fraud. Authorities believe these funds directly support programs for the development of weapons of mass destruction and ballistic missile production.

The list includes two North Korean bankers who assisted in managing assets, including approximately $5.3 million in cryptocurrency, via Cheil Credit Bank. Additionally, OFAC imposed sanctions on foreign representatives of North Korean banks, including senior officials from Koryo Commercial Bank, Ryugyong Commercial Bank, Foreign Trade Bank, and the Central Bank of North Korea.

Some of these individuals are linked to a group engaged in ransomware activities that targeted American companies and laundered profits through overseas IT workers.

According to TRM Labs, the 53 cryptocurrency addresses on the sanctions list collectively hold more than $5.4 million. The majority of the funds in USDT were frozen as part of a massive crackdown carried out by Tether in April-May 2025.

Addresses associated with Cheil Bank show regular transactions resembling salary transfers, likely reflecting the income of IT specialists working abroad under fictitious identities. Between June 2023 and May 2025, Cheil-controlled wallets received over $12.7 million.

The U.S. Treasury reports that in the past three years, North Korea has stolen more than $3 billion, primarily in cryptocurrency, using sophisticated cyberattacks. TRM Labs estimates that in 2025 alone, hackers linked to North Korea stole $2.7 billion, mainly due to the record-breaking hack of the Bybit exchange in February.

Hong Kong authorities have charged 16 individuals, including former lawyer and influencer Joseph Lam, in connection with the scandal surrounding the JPEX cryptocurrency exchange. This was reported by the South China Morning Post.

In April 2024, 72 individuals were arrested on suspicion of fraud related to the trading platform. JPEX operated a cryptocurrency trading platform without a license, misleading clients and presenting itself as a legitimate exchange.

According to the investigation, the platform’s management deceived over 2,700 investors out of a total of 1.6 billion Hong Kong dollars (approximately $205.8 million).

Media reports suggest this is the largest financial fraud case in Hong Kong’s history. Six of the accused were key members of the JPEX team, while seven, including Lam, were influencers or operators of over-the-counter cryptocurrency trading. Interpol issued "red" notices for three fugitives who allegedly played central roles in the scheme.

According to Europol, an international operation dismantled three fraudulent networks. Their activities, aimed at stealing funds from credit cards and laundering money, totaled around $344 million.

On November 4, investigators from nine countries conducted a joint operation targeting 44 suspects, including alleged network operators, payment service providers, intermediaries, and a risk manager. Eighteen individuals were arrested, including five executives from four German companies.

Investigators believe that between 2016 and 2021, the perpetrators used stolen data to create over 19 million fake subscriptions for adult websites, dating services, and streaming platforms. The charges on the cards were relatively small, about $58 monthly, and were accompanied by vague descriptions.

To conceal their operations, the fraudsters utilized numerous shell companies, primarily registered in the UK and Cyprus, leveraging Crime-as-a-Service infrastructure. As a result, over 4.3 million users in 193 countries were affected.

Following 29 search operations in Germany, items valued at over $40 million were seized, including luxury vehicles, cryptocurrency, laptops, and mobile phones.

The Louvre’s cybersecurity was found to be inadequate, and significant system failures had gone unaddressed for years, potentially allowing participants in a recent heist to take advantage. This was revealed in an investigation by the French newspaper Libération.

Journalists claim that as early as 2014, specialists from the National Cybersecurity Agency identified vulnerabilities in the museum’s security.

During an audit, experts managed to penetrate the Louvre’s network using simple office computers. This allowed them to remotely damage the surveillance system and alter access rights on passes.

The passwords of the security systems also facilitated the breach. Journalists learned that in 2014, accessing the server controlling the surveillance required entering the password "Louvre".

In 2015, the museum conducted a follow-up audit that lasted a year and a half. The report, classified as "confidential" and reviewed by journalists, was prepared in 2017. As in the previous audit, experts gave the museum’s security an unsatisfactory rating. The Louvre management was advised to change passwords more frequently and not neglect antivirus updates.

After reviewing technical documents provided by the museum from 2019 to 2025, investigators emphasized that some issues had not been resolved for eight years. This concerns at least eight programs managing surveillance, access control, and servers. A document from 2021 also noted that the Sathi software operated on the Windows Server 2003 operating system, support for which Microsoft ended in 2015.

According to Libération, in early 2025, the Paris police began a new safety audit of the museum and, in particular, its control centers. Neither the Louvre, the police prefecture, nor the French Ministry of Culture commented on the investigation.