Lizzie Clark

June 3rd – This Week’s Top Cybersecurity and Dark Web Stories

This week’s cybersecurity and dark web news stories cover the arrest of the admins of a bulletproof hosting service used by Russian hackers, the linking of the LA Metro attack to Iranian state-sponsored hackers, and the dismantling of First VPN.

Admins of Bulletproof Hosting Used by Russian Hackers Arrested

On May 18, Dutch fiscal crime investigators from the FIOD arrested two men, a 57-year-old from Amsterdam and a 39-year-old from The Hague, and seized more than 800 servers across five locations in Enschede, Almere, Dronten, and Schiphol-Rijk. The infrastructure at the centre of the investigation was Stark Industries, a hosting firm founded on February 10, 2022, exactly two weeks before Russia’s full-scale invasion of Ukraine, a timing investigators have described as almost certainly deliberate.

Stark became the shared backbone for a range of Russian-aligned cyber operations. The hacktivist group NoName057(16), known for DDoS attacks on European government websites, relied on it heavily. Gambit Security and others traced its servers to disinformation campaigns, foreign interference operations, and disruptive attacks against EU targets, including what authorities say was an attempt to interfere in a Danish election.

The evasion strategy, once EU sanctions hit, was methodical. The Moldovan brothers who owned Stark reportedly received advance notice of the sanctions through leaked documents in Moldovan media, giving them a twelve-day window to quietly restructure. Assets were transferred to WorkTitans BV, a Dutch firm based in Enschede that resold server space without publicly disclosing its clientele. Internet connectivity for the rebranded operation was provided by MIRhosting, run by the man now arrested in Amsterdam.

The operation looks like a win. But one detail casts a shadow over it: after the servers were seized, the scanning didn’t stop. Researchers who had been monitoring the network’s activity found that the IP address space remained active. Infrastructure operations of this scale tend to have redundancy built in, and the cybercriminals who relied on Stark’s services will simply be shopping for the next layer of cover.

LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers

In mid-March 2026, the Los Angeles County Metropolitan Transportation Authority discovered something was wrong on its network. By the time the breach was fully understood, hundreds of servers had to be manually inspected before they could be brought back online. A hacktivist group calling itself Ababil of Minab claimed responsibility, posting videos of themselves deleting virtual machines from inside LA Metro’s own management console and announcing they had wiped hundreds of terabytes and exfiltrated more than a terabyte of files. Rail and bus services kept running, but arrival screens went dark and the TAP Mobile fare app stopped loading.

Israeli firm Gambit Security published a report this week linking the attack directly to Black Shadow, a group attributed by the Israel National Cyber Directorate to Iran’s Ministry of Intelligence and Security. The connection emerged after Gambit analysts discovered 700 gigabytes of stolen LA Metro data – emails, backups, internal files – inadvertently left exposed on a publicly reachable server. Following configuration fingerprints from that server, they traced it back to infrastructure previously identified in Iranian state-sponsored operations.

Ababil of Minab is not a new, independent activist collective. It follows, according to Gambit, the same playbook Iran has been running for years: create a fake hacktivist persona, claim credit for state-directed attacks, and maintain plausible deniability. The most recent comparable example is Handala Hack Team, which the US Justice Department confirmed was operating under Iranian government direction after it breached medical technology giant Stryker earlier this year.

The timing adds another dimension. Los Angeles is one of the host cities for the FIFA 2026 World Cup, which begins June 11. Researchers have been warning for months that the tournament represents a high-value target for state-linked actors seeking visibility and disruption. Ababil has since claimed additional breaches, including South Florida’s Tri-Rail commuter system, vehicle tracking company Vyncs, and Saudi infrastructure firm Unimac. The FBI and CISA have not yet made a public attribution.

First VPN Dismantled in Takedown Over Use by 25 Ransomware Groups

Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks.

Operation Saffron, led by France and the Netherlands and supported by 17 other nations including the UK, US, Canada, Germany, and Ukraine, took down 33 servers across 27 countries, seized the associated domains, conducted a house search in Ukraine, and interviewed the service’s administrator. First VPN is gone.

The operation was coordinated by Europol and Eurojust, with Romania’s Bitdefender contributing intelligence on 506 individual users. Those users have now been notified that their identities are known to authorities, a warning that carries weight beyond the individual takedown.

What made First VPN particularly useful to criminals was a combination of technical features specifically marketed for evasion. Beyond standard VPN protocols, it offered VLESS and Reality, which disguise VPN traffic as ordinary HTTPS connections over common web ports, making the traffic much harder to detect or filter. Technical support was provided via a self-hosted Jabber server and Telegram. The service accepted Bitcoin, Perfect Money, WebMoney, and other payment methods designed to minimise financial traceability.

The verdict from Bitdefender is realistic about what comes next: new anonymisation services will emerge to fill the gap. But each successful takedown shortens the operational window of whatever replaces it, and raises the barrier slightly higher for actors who depend on ready-made tools for cover. Every criminal operator now evaluating the next “no-logs, no jurisdiction” VPN knows the same risk exists. That gradual erosion of trust in criminal infrastructure is, arguably, the most valuable outcome of operations like Saffron.