VYPR
breachPublished Jul 17, 2026· 1 source

Global Crackdown on Cybercrime: Sanctions Target Russian Actors, Bulletproof Hosting Dismantled

Authorities in the US, UK, and EU have intensified efforts against cybercriminals, sanctioning Russian GRU and FSB-linked entities, a VPN provider, and indicting operators of bulletproof hosting services.

In a significant week for international cybersecurity enforcement, multiple governments have taken coordinated action against cybercriminal infrastructure and actors. The European Union and the United Kingdom have jointly imposed sanctions on Russian individuals and entities with ties to the military intelligence (GRU) and the Federal Security Service (FSB). These sanctions are aimed at disrupting state-sponsored cyber operations that target government networks and critical infrastructure across Europe, with officials stating that these units are used to destabilize international partners.

Adding to these efforts, the U.S. Treasury Department sanctioned a VPN provider, First VPN Service (1VPNS), and its administrator, Dmytro Rashevskyi. The provider is accused of actively enabling ransomware attacks by allowing cybercriminals to obscure their identities and manage stolen data. The service, which was dismantled in May, notoriously ignored abuse complaints and maintained no user logs. Additionally, Yegeniy Silayev was sanctioned for developing cryptors designed to conceal malware, tools estimated to have facilitated billions of dollars in financial losses.

Further disrupting the cybercrime ecosystem, U.S. Federal prosecutors unsealed indictments against three Russian nationals for operating bulletproof hosting services. These services, identified as "Media Land" and "ML Cloud," allegedly provided essential infrastructure to prominent ransomware syndicates such as Lockbit, Play, and Blacksuit. By disregarding victim complaints and law enforcement requests, these platforms shielded cybercriminals. The U.S. State Department is offering a substantial $10 million reward for actionable intelligence regarding foreign government links to these hosting providers, signaling a strong commitment to dismantling such operations.

Beyond state-sponsored and infrastructure-level attacks, a financially-motivated Russian threat actor, tracked as UAT-11795, has been identified actively trojanizing popular remote user platforms. Since June 2025, this actor has been distributing malicious installers disguised as legitimate software, including WebEx, Zoom, MobaXterm, DBeaver, and FaceIT, primarily targeting users in the United States, Germany, Romania, and Venezuela. The infection chain typically begins with a victim executing a malicious HTA file, which then deploys a Python loader that establishes persistence and installs the Starland remote access trojan (RAT).

The Starland RAT is designed to harvest user credentials and cryptocurrency, and possesses extensive capabilities including capturing screenshots, executing arbitrary shell commands, and fetching secondary payloads. It can deploy information stealers like CastleStealer or remote access trojans like Remcos. To ensure resilient command and control (C2) communications, the malware queries a Polygon smart contract for fallback domains and utilizes Telegram bots for notifications, including victim machine fingerprints and cryptocurrency wallet inventories.

In parallel, researchers have uncovered nearly 300 imposter GitHub repositories used to distribute an information stealer from the BoryptGrab malware family. These repositories impersonated popular security products, cryptocurrency tools, and developer utilities, employing sophisticated social engineering tactics to lure victims. Upon download, a trojanized dynamic link library file is executed, which then loads the BoryptGrab payload directly into system memory.

This BoryptGrab variant is engineered for rapid data exfiltration, targeting passwords, payment details, and session cookies across numerous web browsers and cryptocurrency wallets, as well as messaging tokens from platforms like Discord, Steam, and Telegram. The malware bypasses Chrome's native App-Bound Encryption through direct code injection to maximize data collection. The coordinated efforts against state-backed cybercrime, infrastructure providers, and malware distributors highlight a multi-faceted approach to bolstering global cybersecurity.

This wave of enforcement actions, including sanctions and indictments, alongside the exposure of sophisticated malware distribution campaigns, underscores the persistent and evolving threat landscape. The focus on disrupting the tools and services that enable cybercrime, such as bulletproof hosting and VPNs, alongside the takedown of malware operations, represents a critical strategy in mitigating widespread digital harm.

Synthesized by Vypr AI