Arrested development: top hacker busts of 2024


While it’s true that every year is scarred by major hacking events, 2024 has given many reasons for law enforcement to celebrate.

Whether we like it or not, every year marks a new anti-record for ransomed organizations, disrupted hospitals, and leaked user data. However, law enforcement agencies around the world don’t sit idle.

2024 has arguably seen some of the most intense and consequential operations combating cybercrime. To better understand which actions were the most important, we’ve asked the opinions of some cybersecurity pros.


Operation Cronos

The months-long international operation, aptly named after an ancient Greek time deity, was a strong year’s kick-off for law enforcement. Led by the UK National Crime Agency (NCA), the operation targeted the largest and most prolific ransomware cartel of recent times, LockBit.

Not only did the operation severely hit LockBit’s infrastructure, but law enforcement publicized its findings in a somewhat novel way. Virtually all new information about the action was published via LockBit’s dark web blogs, hurting the group leader’s somewhat cocky persona as well as trust in the gang’s operational security practices.

According to Jon Miller, CEO and co-founder of Halcyon, Cronos showcased the effectiveness of international cooperation against ransomware groups that often operate with a sense of immunity.

“[Operation Cronos] marked a significant blow to one of the most dominant ransomware-as-a-service operations, which has been responsible for thousands of attacks globally,” Miller said.

Meanwhile, Malachi Walker, the security advisor at DomainTools, believes that Cronos was the best example of authorities’ ballooning capabilities in disrupting the cybercrime-as-a-service ecosystem.

“Law enforcement gained access to information on initial access, pre-contract forums, and other activity by infiltrating the underground forums where members of the threat group shared information that helped compromise LockBit members and the leader, Dmitry Yuryevich Khoroshev,” Walker explained.


Exposing Khoroshev, also known as LockbitSupp, was a particularly juicy development, not least because the hacker ring leader often bragged about Bondian hiding techniques, such as using Starlink to avoid detection.

Khoroshev’s exposure allowed US authorities to add the cybercrook to the Specially Designated Nationals and Blocked Persons list ("SDN List"). According to Grayson North, the principal consultant at GuidePoint Security, even though Khoroshev remains at large, his life under US sanctions has surely become a lot more difficult.

“Following the imposition of sanctions by the US, UK, and Australian governments, the group remains sparsely active but otherwise appears to be operating at a fraction of its peak, likely representing a departure of skilled affiliates now unable to obtain ransoms from US-based victims,” North said.


Mikhail Pavlovich Matveev, a.k.a. Wazawaka

One of the reasons combating ransomware gangs is extremely difficult is the international nature of the crime. For example, countries like Russia often turn a blind eye to organized cybercrime as long as threat actors don’t touch organizations operating in its claimed sphere of influence.

“The protection and safe harbor historically provided by Russian authorities is one of the key blockers to success for US and international law enforcement and very often prevents full dismantlement of the most prolific cybercrime groups,” Austin Berglas, the Global head of professional services at BlueVoyant, said.

Take Mikhail Matveev, who also goes by the online aliases Wazawaka, m1x, Boriselcin, and Uhodiransomwar. The US charged the Kaliningrad resident back in 2023 for using ransomware to extort numerous American organizations.

Knowing full well that Moscow won’t extradite him to the States, Matveev started selling t-shirts printed with a screenshot of his “wanted” page on the FBI’s website. According to Berglas, that’s why the recent news of Matveev’s arrest in Russia was met with raised eyebrows in the infosec world.

“There has always been an unwritten rule of cybercrime in Russia that cybercriminals will not be arrested as long as they concentrate on Western targets and do not hack or extort Russian citizens or entities,” Berglas said.


While it’s unlikely Russia will extradite Matveev to the US, as he’s been charged with crimes against Russia-based entities, North believes the arrest could send a message to Russia’s cyber underworld.

“While Wazawaka is only one individual, his high-profile arrest on Russian soil could cause other Russia-based threat actors to begin looking over their shoulders and disrupt the sense of immunity that cybercriminals have long enjoyed in the region,” North said.

Shattering Scattered Spider

The gang of cyber arachnids has become a household name in recent years after the group’s widely publicized attacks against Okta, MGM, and Caesars. Such large-scale attacks, however, drew the attention of American and international law enforcement agencies, leading to the arrests of multiple gang members.

Four US residents, Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, and Joel Martin Evans, as well as one UK resident, Tyler Robert Buchanan, face allegations of wire fraud, conspiracy and aggravated identity theft. If convicted, the defendants face up to two decades behind bars.

According to North, the indictment and subsequent arrests confirm the true identities behind the group, which has long been assessed to be made up, at least in part, of young men residing in English-speaking Western countries.

“It is not unusual for United States law enforcement to arrest US citizens in response to other forms of cybercrime, but the ransomware space has long been dominated by eastern European operators reluctant to welcome outsiders, which has likely hindered significant Western involvement prior to Scattered Spider,” North said.

While it’s unlikely that all of the group’s members have been identified, North claims that Scattered Spider’s post-arrest activities have been much more decentralized. This suggests that the arrests have forced the group to hit the “pause” button at the very least.


Operation Endgame


Another major law enforcement operation of 2024 targeted one of the key pillars of the cybercrime underworld – botnets. These are often utilized as malware-distribution platforms that enable threat actors to deploy malicious software on target computers.

According to Europol, Endgame was “the largest ever operation against botnets, which play a major role in the deployment of ransomware,” which led to multiple arrests and the seizure of hundreds of servers.

Moreover, in the months after the operation, authorities succeeded in arresting cyberbandits responsible for high-profile attacks linked to the now-defunct Conti ransomware group. According to Miller, the operation struck directly at the first line of ransomware deployment.

“This unprecedented takedown dealt a direct hit to the ransomware-as-a-service (RaaS) ecosystem, which fuels ransomware operations by facilitating initial compromise, lateral movement, and payload delivery. By crippling these platforms, Europol temporarily weakened ransomware groups' ability to scale attacks,” Miller explained.

Snowflake hackers

Snowflake-related attacks have been a headache for hundreds of companies after attackers breached at least 165 accounts of the cloud storage service. Market behemoths such as Ticketmaster, AT&T, Santander Bank, and Advance Auto Parts suffered as a result, with the Ticketmaster breach alone exposing over half a billion individuals.

However, as the Scattered Spider gang has learned earlier, high-profile attacks invite high-profile attention. In early November, Alexander Connor Moucka, allegedly responsible for penetrating multiple Snowflake cloud storage accounts, was arrested in Canada.

Only a week later, the US government officially charged Moucka and John Binns over the Snowflake attacks. According to Richard Bird, the chief security officer at Traceable AI, the arrests are particularly interesting because Moucka had very little digital footprint outside channels like Discord.

According to Bird, the Snowflake attacks shine a “harsh light on the reality of the lip service that so many companies have paid security.” That’s because one of the key reasons the Snowflake attacks were possible in the first place was that organizations had no multi-factor authentication protecting accounts that stored the data of hundreds of millions of people.

However, the Snowflake hacker story is not over, as the US government arrested 20-year-old Cameron John Wagenius, a US Army soldier believed to be behind the Kiberphant0m alias. Kiberphant0m was reportedly connected with Moucka and has admitted to hacking dozens of telecommunications firms, including AT&T.


However, Wagenius’ indictment doesn’t mention the Snowflake attacks and instead focuses on his involvement in a hacking scheme aimed at selling and distributing stolen phone records. In November, Kiberphant0m shared alleged call logs for President-elect Donald Trump and Vice President Kamala Harris.