Lizzie Clark

June 17th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s cybersecurity and dark web news stories discuss Police seizing 336M euro crypto laundry, dark web market vendor receiving 26 years for selling drugs, and an ex-IT employee jailed for hacks on former employee.

Police Seize €336M Crypto Laundry

On June 10, 2026, an eleven-nation operation dismantled the AudiA6 cryptocurrency laundering service.

AudiA6 was a Russian cryptocurrency mixing platform that processed more than €336 million in illicit funds between 2022 and 2025. It was marketed on underground forums as a professional service offering anonymity and speed, charging flat fees of 3 percent to 5.5 percent per transaction, and it became a central hub for ransomware groups, dark web market operators, and scammers seeking to launder stolen digital assets. Europol linked the platform to more than 15 international cybercrime investigations. Among the laundering flows traced through it were stolen proceeds from the 2022 LastPass breach and a fake Ledger Live app campaign in early 2026, which drained roughly $9.5 million from around 50 victims.

The takedown, coordinated by Europol and Eurojust with the US Secret Service, IRS Criminal Investigation, and Polish law enforcement, resulted in the arrest of two suspected administrators – a Ukrainian and a Russian national – in Batumi, Georgia. More than 30 servers were seized, 25 domains taken down, 80 vehicles confiscated in Georgia, and around €778,000 in cryptocurrency frozen. The operators are also suspected of running Dark2Web, a dark web marketplace used to broker illicit services between criminal networks.

Searchlight Cyber supported the investigation noted that disrupting mixer infrastructure serves a dual purpose. It denies criminals a laundering capability while simultaneously surfacing intelligence about the broader networks that relied on it. AudiA6 joins ChipMixer and several other major mixing services taken down in recent years, with each enforcement action shortening the list of reliable options available to ransomware groups trying to cash out.

Dark Web Drug Dealer Gets 26 Years

A dark-web drug vendor was sentenced to more than 26 years in federal prison for selling methamphetamine and fentanyl through the Nemesis Market marketplace

Darren Hughes, a 39-year-old from San Jose, California, sold the agent methamphetamine and fentanyl pills on five separate occasions in 2023, accepting cryptocurrency as payment. When the Redwood City Police Department arrested him in June 2023 after arranging another undercover purchase, they found approximately 672 grams of methamphetamine and a loaded 9mm “ghost gun” bearing no serial number in his vehicle. He was convicted on drug trafficking charges in November 2025 and sentenced on May 26, 2026 to more than 26 years in federal prison.

The fentanyl he was distributing, through a platform that at its peak processed over 17,000 orders for opioids including heroin, fentanyl, and oxycodone, is a drug that kills tens of thousands of Americans every year. The court clearly concluded that the scale and nature of what he was selling warranted the kind of sentence typically reserved for serious violent offenders.

Nemesis Market itself was seized by German and American authorities in March 2024, following an investigation that began in late 2022 and involved the FBI, DEA, and IRS Criminal Investigation. At its peak it hosted more than 150,000 user accounts, 1,100 seller accounts, and had processed over 400,000 orders. Hughes is among the first of its vendors to face a US sentencing, and prosecutors are likely to use this outcome as a signal to others still operating on successor platforms.

Ex-school IT Employee Jailed for Hacks on Former Employer 

A former IT employee for a US school district has been sentenced to 21 months in prison.

Ezekiel Dean Potter, 34, worked as a senior IT support specialist at the district from May 2022 through April 2023. After his employment ended, he retained his access credentials and used them repeatedly over the following 21 months to cause as much disruption as he could. The attacks were petty in execution but real in impact. He deleted the school district’s Facebook page. He targeted the Apple School Manager account, deleting user accounts, passwords, billing information, and device management server data, effectively locking district staff out of the platform and disabling management of MacBooks and iPads for roughly a week. He accessed the Schoology learning management system and deleted an IT employee’s account, disrupting teacher access for around two hours. A week later he deleted nine Gmail accounts belonging to district employees including the IT director and superintendent.

What makes the case particularly striking is that Potter was carrying out this campaign from his next employer’s office. Investigators eventually traced some of the activity to IP addresses associated with Casey’s Store Support Center and The Printer Inc., where Potter worked after leaving the school district. After departing the latter in early 2025, he asked a former colleague to retrieve and wipe a USB drive from his desk. The colleague handed it to investigators instead. On it were spreadsheets containing usernames and passwords for Saydel School District accounts.

Potter pleaded guilty in January 2026 and was sentenced on June 11 to 21 months in prison, three years of supervised release with computer monitoring restrictions, and $59,668.81 in restitution. The US government’s sentencing memorandum described him as a “plague” on the school district. The lesson for every organisation managing an IT team is blunt: credential revocation at offboarding is not optional, and the cost of neglecting it, in this case, tens of thousands of dollars and nearly two years of recurring disruption, consistently dwarfs the effort required to do it right.

Related Content

What are supply chain attacks?
Post

14 Months of Warning: What Preemptive Threat Intelligence Reveals about the ShinyHunters Supply Chain Breaches

Cyber Risk Supply Chain Threat Intelligence Uncategorized
Read
Post

Targeting Illicit Crypto Flows: Searchlight Cyber Supports Law Enforcement Takedown of AudiA6 Crypto-Mixer

News
Read
Attack Surface Management FAQ: Expert Answers to Common Security Questions
Post

Attack Surface Management FAQ: Expert Answers to Common Security Questions

ASM
Read
Post

June 10th – This Week’s Top Cybersecurity and Dark Web Stories

News
Read
Preemptive Threat Exposure Management in the Age of AI
Post

Preemptive Threat Exposure Management in the Age of AI

AI
Read
Now, every asset in your inventory comes with a clear chain of ownership – so your team can stop investigating where an asset came from and start acting on what to do about it.
Post

Unknown assets explained with Asset Attribution Visualization

Product Updates
Read
Post

June 3rd – This Week’s Top Cybersecurity and Dark Web Stories

News
Read
What Is Continuous Attack Surface Management and Why Does It Matter?
Post

What Is Continuous Attack Surface Management and How Does It Protect Your Business?

ASM
Read
Post

May 27th – This Week’s Top Cybersecurity and Dark Web Stories

News
Read