This week’s cybersecurity and dark web news stories cover Polish authorities arresting suspects in a SIM-swapping scheme, Operation Endgame targeting SocGholish, and Russian intelligence services’ continued targeting of messaging apps.
Poland Arrests Four in SIM-Swapping Crypto Theft Ring
Poland’s Cybercrime Bureau (CBZC), working with the FBI and US Homeland Security Investigations, has arrested four members of an organised criminal group responsible for stealing millions of dollars in cryptocurrency through SIM-swapping attacks.
The group’s approach was methodical: using specialised software and social engineering, the suspects gained unauthorised access to the backend infrastructure of telecoms operators and hijacked employee email accounts. That access gave them the data they needed to illegally clone victims’ phone numbers, intercept SMS verification codes and email communications, and take over accounts at cryptocurrency exchanges. Stolen funds were then laundered through multiple bank accounts across several countries and through digital wallets.
Polish authorities estimate laundered proceeds exceed tens of millions of złoty, equivalent to at least $5 million at current exchange rates, though investigators believe the true figure is significantly higher given the group’s scale of operation. All four suspects are in pre-trial detention and face charges including participation in an organised criminal group, unauthorised access to computer systems, and money laundering, carrying a maximum sentence of 25 years. On-chain investigator ZachXBT publicly identified one of the arrested suspects as Wojtek Kulisz, known online as “Merry,” based on images released from the police raid.
Operation Endgame Dismantles SocGholish
Law enforcement agencies from six countries and a coalition of private-sector partners have dealt a major blow to the infrastructure powering ransomware, financial fraud, and critical infrastructure attacks worldwide, taking down 326 servers, seizing 142 domains, recovering nearly 27 million stolen login credentials, and freezing over €41 million ($47 million) in criminal cryptocurrency.
The latest phase of Operation Endgame, coordinated by Europol and Eurojust with agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, targeted three malware families that form the opening stages of most large-scale cyberattacks. SocGholish, linked to the Russian group Evil Corp and distributed through fake browser update prompts on compromised websites, provides the victim traffic. Amadey, a loader-dropper service running since 2018, gets a foothold on infected machines and deploys whatever payload the buyer wants next. StealC, a credential-harvesting infostealer sold since 2023, cleans out everything it can find: browser passwords, cookies, session tokens, cryptocurrency wallet files, and Discord and Telegram credentials. Microsoft’s data put the combined reach of Amadey and StealC at over 140,000 infected computers worldwide in just the first two weeks of May 2026 alone.
A notable development in the operation: Microsoft’s Digital Crimes Unit used AI, including Copilot, to analyse the malware infrastructure and discovered that Amadey and StealC, though built by entirely separate criminal groups, ran on shared command-and-control infrastructure. That finding allowed Microsoft’s lawyers to treat both families as a single criminal conspiracy under the RICO Act, enabling a unified civil action that simultaneously disrupted more than 200 C2 servers. Researchers at Proofpoint and IBM X-Force also identified and exploited a directory traversal vulnerability in the StealC backend during the investigation, uploading a web shell to assist disruption operations.
Russian Intelligence Is Still Hunting Signal and WhatsApp Accounts
The FBI and CISA have issued an updated public service announcement warning that Russian intelligence services are continuing a targeted campaign to compromise the messaging app accounts of high-value individuals, and that their tactics have grown more sophisticated since the first advisory in March 2026.
The campaign, attributed to FSB-linked clusters tracked as UNC5792 and UNC4221, targets current and former US and international government officials, military personnel, political figures, journalists, and officials working in or connected to Ukraine. The attackers are not breaking the apps’ encryption; instead, they impersonate automated support accounts within the apps themselves, sending official-looking messages that walk targets through handing over verification codes, account PINs, and, in the most damaging cases, Backup Recovery Keys.
The recovery key angle is what makes this update particularly significant. If a target is tricked into setting up an app backup and then sharing their recovery key with what they believe is a legitimate support request, the attacker gains access to the account’s complete message history, past and future. Critically, the key remains valid even if the victim later creates a new account using the same phone number, meaning the attacker’s access persists until the user deliberately generates a replacement key in Settings.
The FBI’s guidance is clear: legitimate messaging app support services will never contact users inside the app asking for verification codes or recovery keys. Any message that does so is a social engineering attempt. Users who believe they may have been compromised should immediately generate a new Backup Recovery Key via Settings, which invalidates the old one going forward, but will not undo any backup downloads the attacker may have already made.