
News brief: Hafnium, Scattered Spider hackers arrested

Check out the latest security news from the Informa TechTarget team.

This week, international cybersecurity law enforcement took action against headline-making cybercriminals and state-sponsored threat actors.

Italian authorities detained an individual for allegedly working as a contractor for China's Ministry of State Security. He is charged with stealing COVID-19 research and exploiting Microsoft Exchange Server vulnerabilities.

British police arrested four members of the Scattered Spider hacking group who allegedly partnered with the DragonForce ransomware group to conduct cyberattacks against major retailers.

Also this week, while not the direct result of a law enforcement takedown, two ransomware groups announced plans to shutter operations.

Read more about the week's takedowns and shutdowns.

U.K. authorities arrest suspects linked to Scattered Spider cyberattacks

The U.K.'s National Crime Agency arrested four individuals -- two 19-year-old males, one 17-year-old male and a 20-year-old female -- in connection with cyberattacks against retailers Marks & Spencer, Co-op and Harrods. Security experts believe the suspects are linked to Scattered Spider, the cybercrime collective previously responsible for attacks on MGM Resorts and Caesars Entertainment.

The suspects were apprehended in West Midlands and London on charges including Computer Misuse Act offenses, blackmail and money laundering.

Read the full story by Alexander Culafi on Dark Reading.

Chinese hacker arrested for COVID-19 research theft, Exchange attacks

Italian authorities and the FBI arrested Xu Zewei, a 33-year-old Chinese national allegedly involved in the Hafnium hacking group's operations. Xu was charged with stealing COVID-19 research from American scientists and exploiting Microsoft Exchange Server vulnerabilities in 2020 and 2021, actions prosecutors claimed were directed by China's Ministry of State Security.

Arrested in Milan on July 3, Xu allegedly worked at Shanghai Powerock Network Co. Ltd., which prosecutors described as an "enabling" company for state-sponsored hacking. A second suspect, Zhang Yu, remains at large.

Read the full story by David Jones on Cybersecurity Dive.

SatanLock announces sudden shutdown

SatanLock, a ransomware group that emerged in April, announced its shutdown on Telegram and its Dark Web leak site. The group removed all victim listings, leaving only a message that said, "SatanLock project will be shut down -- The files will all be leaked today."

Despite its brief existence, SatanLock compromised 67 organizations within weeks of appearing.

Read the full story by Kristina Beek on Dark Reading.

Hunters International shuts down, transitions to data theft operation

Hunters International, a ransomware group operating since 2023 as a Hive ransomware rebrand, announced its shutdown and said it will release free decryptors for all victims.

After targeting more than 300 organizations using SharpRhino malware for initial access, the group has removed victim names from its leak site and posted a goodwill message offering free decryption software.

Research indicated the closure is part of a planned transition, with the group rebranding itself as "World Leaks," an extortion-only operation that began in early 2025.

Read the full story by Kristina Beek on Dark Reading.

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.
