SOCRadar® Cyber Intelligence Inc. | Top 10 Cybercrime Law Enforcement Operations of 2025
Dec 11, 2025
Dec 16, 2025
Moon

Top 10 Cybercrime Law Enforcement Operations of 2025

This report highlights a set of major law enforcement operations from 2025 that we selected for their substantial CTI value. Like last year’s review of global takedowns and enforcement actions (see Year of Takedowns: Law Enforcement Operations of 2024), these cases reveal key details about cybercriminal infrastructure, actor roles, tooling, and money flows. Many other successful operations occurred throughout 2025, but the ones included here may offer insights that help analysts track threat actor behaviour and response patterns.

The list is ordered chronologically; the numbering does not indicate impact, size or severity. This structure keeps the timeline easy to follow and shows how enforcement activity evolved over the year. SOCRadar’s CTI work benefits from these actions, as each event adds new data and visibility into criminal ecosystems.

Operation Talent (28–30 January 2025)

Operation Talent was a joint action by Europol, the FBI, and several national police forces. The goal was to shut down the Cracked and Nulled forums, two major hubs for stolen data, hacking tools, and illegal services.

Police searched homes, seized servers, and removed more than ten linked domains. An administrator in Spain was arrested, and other suspects were identified. Both forums went offline during the action days.

This takedown disrupted a significant portion of the cybercrime scene, as many groups relied on these forums to trade tools and exchange victim data. It also provided investigators with valuable logs and user details that support follow-up cases.

Seizure announcement for Nulled forum

Operation Phobos Aetor (10 February 2025)

Operation Phobos Aetor targeted the Phobos/8Base ransomware network, which had carried out more than a thousand attacks worldwide. Thai police arrested four suspects linked to 8Base, while U.S. authorities charged two Russian operators tied to Phobos. The 8Base leak site was also seized, and parts of the group’s infrastructure were taken down.

This action hit both the operators and the systems they relied on. It reduced the group’s ability to launch new attacks and exposed useful details about their tools and payment methods.

Seizure announcement for 8Base Ransomware domain

Zservers / LockBit Sanctions (11 February 2025)

The United States, the United Kingdom, and Australia issued coordinated sanctions against Zservers, a Russia-based bulletproof hosting provider that supported LockBit ransomware operations. They also sanctioned two Russian administrators linked to the service.

The action targeted the hosting platforms that LockBit used to run command servers, store stolen data, and manage its operations. By blocking financial access and imposing travel and business restrictions on the individuals behind Zservers, the three countries severed a key part of LockBit’s infrastructure.

These sanctions weakened a major ransomware network and exposed the support services that helped it operate at scale.

LummaC2 Takedown (21 May 2025)

In May, authorities in the United States, working with Microsoft and several security partners, disrupted the LummaC2 infostealer service. A court order allowed the seizure of key domains that hosted Lumma’s user panels. At the same time, industry partners removed thousands of related malicious domains linked to the malware.

Lumma had enabled large-scale theft of credentials, browser data, and cryptocurrency wallet data. Removing its main control systems forced the operators offline and cut off many criminal groups that depended on the service.

Seizure announcement for a LummaC2 domain

Operation Eastwood (14–17 July 2025)

Operation Eastwood targeted NoName057(16), a pro-Russian hacktivist group known for large DDoS campaigns against European and Ukrainian-aligned targets. Police in many countries seized over one hundred servers, conducted searches, and arrested two suspects. Several European arrest warrants were also issued.

The group had coordinated thousands of DDoS attacks through shared tools and a volunteer model. By removing its key systems and identifying operators, law enforcement reduced its ability to run new campaigns and exposed the network’s operational structure.

Europol’s infographic about NoName057(16)

Operation Checkmate – BlackSuit Ransomware (24 July 2025)

Operation Checkmate focused on BlackSuit ransomware, the successor to Royal, which itself grew out of the Conti operation. Law enforcement seized the group’s main Tor sites, including its leak page and negotiation portals. They also removed several supporting servers and seized cryptocurrency linked to ransom payments.

BlackSuit had attacked more than 100 organisations across various sectors. Taking down its core sites blocked ongoing extortion attempts and limited the group’s ability to manage new victims.

Seizure announcement for BlackSuit Ransomware domain

Operation Serengeti 2.0 (July–August 2025)

Operation Serengeti 2.0 was a large cybercrime sweep across 18 African countries, coordinated by Interpol with support from partners like the UK NCA and several private companies. Police arrested more than a thousand suspects linked to online fraud, investment scams, Business Email Compromise (BEC) scams, and other cybercrimes. They also took down thousands of malicious websites and servers, and recovered tens of millions of dollars in criminal proceeds.

The operation exposed how regional scam networks worked, including crypto investment schemes, illegal mining farms, and large-scale social engineering. It provided law enforcement with fresh insight into their payment channels and infrastructure, removing many active threats at the same time.

Suspected members of the cybercrime gang (Interpol)

Prince Group Bitcoin Seizure (14 October 2025)

On 14 October 2025, the U.S. Department of Justice unsealed an indictment against Chen Zhi, chairman of the Cambodia-based Prince Group, for running forced-labour scam compounds that carried out large-scale cryptocurrency fraud. At the same time, U.S. authorities moved to seize approximately 127,000 Bitcoin, worth roughly $15 billion at the time of the action, from wallets linked to the network.

The case impacted both the leadership and the funding behind a massive pig-butchering and romance scam ecosystem. Freezing this volume of cryptocurrency cut a significant funding source for related fraud operations and created a rich set of financial data on how the group moved and laundered funds.

Operation Endgame 3.0 (10–13 November 2025)

This action was a later phase of the broader Operation Endgame campaign, which has targeted large cybercrime infrastructures over multiple stages. The November 2025 phase focused on systems used by Rhadamanthys, VenomRAT, and the Elysium botnet.

During these action days, police in ten countries seized or disabled more than 1,000 servers and took control of several domains associated with these malware families. These systems had supported credential theft, remote access, and botnet operations. Taking them down broke active infections and limited new attacks, while also providing fresh insight into the tools and operators behind them.

Seizure announcement used for the Operation Endgame campaign

Operation Red Circus (9 December 2025)

Operation Red Circus is a response to Russian state-linked hacktivist activity. On December 9, 2025, the U.S. Department of Justice announced charges related to CyberArmyofRussia_Reborn (CARR) and NoName057(16). The key defendant, a Ukrainian national, was indicted for helping both groups run campaigns against critical infrastructure and government targets.

The United States government has indicted a state-sponsored threat actor called Vika (vx-underground)

The case describes attacks on critical services, including water systems, election infrastructure, and other key networks. It formally links these hacktivist brands to Russian state interests. For CTI, it provides detailed, public documentation of tools, targets, and roles inside both groups, which supports tracking and attribution of future activity.

Conclusion

The cases in this blog demonstrate the expansion of cybercrime enforcement in 2025. Law enforcement agencies continued to target ransomware groups, fraud networks, and malware services, while also acting against state-linked and politically motivated hacktivist groups. This trend illustrates how politics and cyberspace are now increasingly intertwined. Some groups can trigger international law enforcement action even when their goal is not financial gain.

Our whitepaper, Hacktivism in 2025: Where Politics Meets Cyberspace, highlights this shift and explains why these actors matter for defenders.

Other notable operations this year include actions against PlugX, the Manipulaters phishing service, SIMCARTEL’s SIM-box network, a 600-million-euro crypto investment ring, and a 300-million-euro credit card scheme, along with several other successful actions that we could not cover in this blog post.