Every claim in this report traces back to one of 45 evidence records below. Each was captured passively during recon, hashed at capture for chain-of-custody, and graded per the Admiralty Scale (NATO STANAG 2511). Click any ev_xxx chip elsewhere in the report to jump straight to its source record.
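The hashing-at-capture step mentioned above is the kind of check a reviewer of this report would want to be able to re-run. The script below is an added example, not the report's own capture tooling, and its records are constructed stand-ins for ev_xxx entries. It canonicalises each record (UTF-8 JSON, sorted keys, minimal separators) before hashing, so whitespace or key-order differences in storage do not change a digest, and it chains each manifest entry to the previous one, so deleting, reordering or editing a record is detectable on verification rather than only editing one in place.

```python
"""Hash-chained manifest for captured evidence records (added example).

Not the report's capture tooling. RECORDS are constructed sample entries;
the field set (id, source, title, captured, grade, text) is an assumption.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain value before the first record

RECORDS = [  # constructed sample records, not captured data
    {"id": "ev_001", "source": "Wikipedia", "title": "Ransomware as a service",
     "captured": "2026-06-12T09:00:00Z", "grade": "B2",
     "text": "Ransomware as a service (RaaS) is a cybercrime business model."},
    {"id": "ev_002", "source": "CISA", "title": "Known Exploited Vulnerabilities Catalog",
     "captured": "2026-06-12T09:05:00Z", "grade": "A1",
     "text": "CISA KEV catalog version 2026.06.12: 1,619 entries total."},
    {"id": "ev_003", "source": "Europol", "title": "Operation Endgame",
     "captured": "2026-06-12T09:07:00Z", "grade": "A2",
     "text": "Between 27 and 29 May 2024 Operation Endgame targeted droppers."},
]


def canonical(record: dict) -> bytes:
    """Deterministic byte form of a record: sorted keys, no insignificant whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def chain_value(prev: str, digest: str) -> str:
    """Commit to the previous chain value and this record's digest together."""
    return hashlib.sha256(f"{prev}\n{digest}".encode("ascii")).hexdigest()


def build_manifest(records: list) -> list:
    prev = GENESIS
    manifest = []
    for rec in records:
        digest = record_digest(rec)
        prev = chain_value(prev, digest)
        manifest.append({"id": rec["id"], "sha256": digest, "chain": prev})
    return manifest


def verify(records: list, manifest: list) -> list:
    """Return a list of problems; an empty list means every record matches, in order."""
    problems = []
    if len(records) != len(manifest):
        problems.append(f"record count {len(records)} != manifest count {len(manifest)}")
    prev = GENESIS
    for rec, entry in zip(records, manifest):
        if rec["id"] != entry["id"]:
            problems.append(f"order mismatch: got {rec['id']}, manifest expects {entry['id']}")
        if record_digest(rec) != entry["sha256"]:
            problems.append(f"{entry['id']}: content digest mismatch")
        # Recompute the chain from the manifest's own digests: catches an edited
        # manifest entry whose chain value was not recomputed.
        prev = chain_value(prev, entry["sha256"])
        if prev != entry["chain"]:
            problems.append(f"{entry['id']}: chain broken")
    return problems


def demo() -> dict:
    """Verification results for intact, edited, truncated and forged-manifest copies."""
    manifest = build_manifest(RECORDS)
    edited = [dict(r) for r in RECORDS]
    edited[1] = dict(edited[1], text=edited[1]["text"] + " (edited)")
    forged = [dict(e) for e in manifest]
    forged[0]["sha256"] = "00" * 32  # someone rewrote a digest but not the chain
    return {
        "intact": verify(RECORDS, manifest),
        "edited": verify(edited, manifest),
        "truncated": verify(RECORDS[:-1], manifest),
        "forged_manifest": verify(RECORDS, forged),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "OK")
```

The manifest itself still needs protection (a signature, or storage the capturing analyst cannot rewrite); the chain only makes tampering visible, it does not prevent it.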
Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. It has been variously defined as 'a crime committed on a computer network, especially the Internet'. Cybercriminals may exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.
Ransomware is a type of malware that encrypts the victim's personal data until a ransom is paid. Difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are commonly used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Source: Wikipedia — Ransomware as a service · Captured
Ransomware as a service (RaaS) is a cybercrime business model in which ransomware developers write and sell or lease their malware to other criminals, known as affiliates, who use it to carry out their own ransomware attacks. Affiliates typically need no technical skills of their own.
A darknet market is a commercial website on the dark web that operates via darknets such as Tor and I2P. They function primarily as black markets, selling or brokering transactions involving drugs, cyber-arms, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids, and other illicit goods as well as the sale of legal products.
Source: Wikipedia — Computer Fraud and Abuse Act · Captured
The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applicable law was often insufficient.
Source: Wikipedia — United Nations Convention against Cybercrime · Captured
The United Nations Convention against Cybercrime, also known as the Hanoi Convention, is a treaty to facilitate international cooperation in the enforcement of cybercrime laws. It was proposed by Russia in 2017 and adopted by the General Assembly in December 2024 amid resistance from human rights organizations.
Phishing remains the most prevalent type of cybercrime globally. While the Federal Bureau of Investigation's Internet Crime Complaint Center historically ranked it at the top, the threat has intensified significantly due to the integration of generative AI, which enables attackers to launch highly convincing, automated, and hyper-targeted phishing campaigns at an unprecedented scale.
LockBit is a cybercriminal group operating a ransomware-as-a-service (RaaS) offering. Software developed by the group lets paying affiliates carry out double-extortion attacks: they encrypt the victim's data and demand a ransom, and also threaten to leak the data publicly if the demand is not met.
The Lazarus Group is a state-sponsored hacker group made up of unknown members, alleged to be run by the government of North Korea. While not much is known about the group, researchers have attributed many cyberattacks to them since the 2010s.
Conti is malware developed and first used by the Russia-based hacking group 'Wizard Spider' in December 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.
REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the form of bitcoin cryptocurrency. It was propagated using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Microsoft Windows systems.
On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that afflicted computerized equipment managing the pipeline.
Source: Wikipedia — European Cybercrime Centre · Captured
The European Cybercrime Centre is the body of the Police Office (Europol) of the European Union (EU), headquartered in The Hague, that coordinates cross-border law enforcement activities against computer crime and acts as a centre of technical expertise on the matter.
Source: Wikipedia — Internet Crime Complaint Center · Captured
The Internet Crime Complaint Center (IC3) is a division of the Federal Bureau of Investigation (FBI) concerning suspected Internet-facilitated criminal activity. The IC3 gives victims a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the Internet.
Source: Wikipedia — Cybersecurity and Infrastructure Security Agency · Captured
The Cybersecurity and Infrastructure Security Agency (CISA), headquartered in Arlington, Virginia, is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.
Initial access brokers (IABs) are cyber threat actors who specialize in gaining unauthorized access to computer networks and systems and then selling that access to other threat actors, such as ransomware affiliates. IABs are part of the ransomware-as-a-service economy, also called the 'cybercrime-as-a-service' economy.
Hydra was a Russian language dark web marketplace, founded in 2015, that facilitated trafficking of illegal drugs, financial services including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services. Hydra was shut down by American and German law enforcement action in April 2022, and its operator was sentenced to life in prison by a Russian court in December 2024.
Source: CISA — Known Exploited Vulnerabilities Catalog (June 2026 release) · Captured
CISA KEV catalog version 2026.06.12: 1,619 entries total; 27 added in the last 30 days; 327 entries linked to known ransomware campaigns; top vendors by KEV count are Microsoft (377), Apple (93), Cisco (91), Adobe (79), Google (72), Oracle (44), Apache (39), Ivanti (35), Linux (26), D-Link (26), Fortinet (26), VMware (26).
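The figures in this record (total entries, entries added in the last 30 days, ransomware-linked entries, top vendors) are all derivable from the catalog's published JSON feed, and a reader checking the record should be able to recompute them. The script below is an added example, not CISA's code; it works against the feed's documented field names (`catalogVersion`, `count`, `vulnerabilities[]` with `cveID`, `vendorProject`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) but runs here on a constructed six-entry document with placeholder CVE IDs, so its output is illustrative and will not match the 1,619-entry figures above. The `as_of` date, window length and the overdue-deadline check are assumptions added for illustration.

```python
"""Summarise a CISA KEV catalog document (added example, not CISA tooling).

The real feed is served as JSON from cisa.gov; SAMPLE_KEV is a constructed
document in the same shape, with placeholder CVE IDs that are not real entries.
"""
import json
from collections import Counter
from datetime import date, timedelta

SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.12",          # constructed
    "dateReleased": "2026-06-12T00:00:00.0000Z",
    "count": 6,
    "vulnerabilities": [                      # constructed rows, placeholder cveIDs
        {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "sample",
         "dateAdded": "2026-06-01", "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "sample",
         "dateAdded": "2026-03-15", "dueDate": "2026-04-05", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Apple", "product": "sample",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0004", "vendorProject": "Cisco", "product": "sample",
         "dateAdded": "2026-05-10", "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0005", "vendorProject": "Microsoft", "product": "sample",
         "dateAdded": "2025-12-02", "dueDate": "2025-12-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0006", "vendorProject": "Ivanti", "product": "sample",
         "dateAdded": "2026-06-10", "dueDate": "2026-07-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(text: str) -> dict:
    """Parse the catalog and sanity-check the declared count against the entry list."""
    catalog = json.loads(text)
    entries = catalog["vulnerabilities"]
    if catalog.get("count") != len(entries):
        raise ValueError(f"count field {catalog.get('count')} != {len(entries)} entries")
    return catalog


def summarise(catalog: dict, as_of: str, window_days: int = 30, top_n: int = 5) -> dict:
    """Recompute the headline KEV statistics relative to an ISO as_of date (assumed input)."""
    ref = date.fromisoformat(as_of)
    cutoff = ref - timedelta(days=window_days)
    entries = catalog["vulnerabilities"]
    vendors = Counter(e["vendorProject"] for e in entries)
    ransomware = [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]
    # BOD 22-01 remediation deadline already passed as of the reference date
    overdue = [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < ref]
    return {
        "catalog_version": catalog.get("catalogVersion"),
        "total": len(entries),
        "added_last_window": sum(1 for e in entries
                                 if date.fromisoformat(e["dateAdded"]) >= cutoff),
        "ransomware_linked": len(ransomware),
        # ties broken alphabetically so the ordering is reproducible
        "top_vendors": sorted(vendors.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n],
        "overdue_for_federal_agencies": overdue,
    }


if __name__ == "__main__":
    summary = summarise(load_kev(SAMPLE_KEV), as_of="2026-06-12")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Swapping `SAMPLE_KEV` for the downloaded feed text gives the live figures; note that "added in the last 30 days" depends on the reference date, so a record quoting that number should also state the date it was computed against.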
Source: FBI Internet Crime Complaint Center — 2024 Annual Internet Crime Report · Captured
The 2024 Internet Crime Report combines information from 859,532 complaints of suspected Internet crime, with reported losses exceeding US$16.6 billion (later refined upward in 2025 reporting).
Source: FBI Internet Crime Complaint Center — 2025 Annual Internet Crime Report · Captured
The FBI Internet Crime Complaint Center's 2025 Annual Internet Crime Report is the 25th-anniversary edition of IC3 reporting; IC3 remains the central hub for reporting cyber-enabled crime in the United States.
Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching US$10.5 trillion annually by 2025.
Source: Cyber Defense Magazine — The True Cost of Cybercrime (more conservative estimate) · Captured
The total global cost of cybercrime is projected to reach US$1.2 trillion annually by the end of 2025. Unlike exaggerated claims of US$10+ trillion in cybercrime damages, this estimate is based on more rigorous methodology.
Source: CyberScoop — Cybercrime losses jumped 26% to US$20.9 billion in 2025 · Captured
Cybercrime losses jumped 26% to US$20.9 billion in 2025 according to the FBI's Internet Crime Complaint Center annual cybercrime report, reinforcing the steady multi-year escalation in reported direct losses.
Main trends: threats against availability (DDoS) and ransomware. The threat landscape report analyses 4,875 incidents over the period from 1 July 2024 to 30 June 2025. DDoS attacks were the dominant incident type, accounting for 77% of reported incidents. The report notes the ongoing decentralisation of ransomware operations as criminal groups adapt to law enforcement actions by spreading their infrastructure.
Crypto ransomware experienced significant changes in 2024 with total ransom payments decreasing 35.82% year-over-year — Chainalysis tracked US$812.55 million in 2024 payments, down from US$1.25 billion in 2023.
Median ransomware payment increased 368%, from US$12,738 in 2024 to US$59,556 in 2025. This dynamic mirrors reports from incident responders — fewer, higher-value extortions as the affiliate pool consolidates.
Law enforcement from 10 countries have disrupted the criminal operation of the LockBit ransomware group at every level, severely damaging their capability and credibility.
Source: U.S. Department of Justice — U.S. and U.K. Disrupt LockBit Ransomware Variant · Captured
U.S. and U.K. Disrupt LockBit Ransomware Variant. Tuesday, February 20, 2024. U.S. Indictment Charges Two Russian Nationals With Attacks Against Multiple US and Foreign Victims, Causing Hundreds of Millions of Dollars in Damages.
Source: Europol — Largest ever operation against botnets hits dropper malware ecosystem (Operation Endgame) · Captured
Between 27 and 29 May 2024, Operation Endgame, coordinated from Europol's headquarters, targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot; it was the largest-ever operation against botnets.
Source: Operation Endgame — End of the game for cybercrime infrastructure (Phase 3) · Captured
End of the game for cybercrime infrastructure: 1,025 servers taken down. The latest phase of Operation Endgame was coordinated between 10 and 13 November 2025.
Source: U.S. Department of Justice — Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant · Captured
Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant. Tuesday, December 19, 2023. With a decryption tool provided by the FBI to victims, the takedown disrupted what was the second-most prolific ransomware as a service group with more than 1,000 victims in 18 months and over US$300 million collected in ransoms.
Source: FBI Internet Crime Complaint Center — Public Service Announcement: North Korea Responsible for $1.5 Billion Bybit Hack · Captured
North Korea was responsible for the theft of approximately US$1.5 billion in virtual assets from the cryptocurrency exchange Bybit on or about February 21, 2025. The FBI attributes the activity to the DPRK-aligned TraderTraitor / Lazarus Group.
Some analysts believe Scattered Spider is a subgroup of the ALPHV ransomware hacking outfit. Hackers say they stole six terabytes of data from casino giants MGM and Caesars.
Source: The Record — MGM Resorts says cyberattack cost $100 million · Captured
The attack was first claimed by hackers connected to a group called Scattered Spider, who then partnered with Russian ransomware gang BlackCat/ALPHV. MGM disclosed it cost the company US$100 million.
Source: PubMed Central — Mapping the global geography of cybercrime with the World Cybercrime Index · Captured
Russia and Ukraine are highly technical cybercrime hubs, whereas Nigerian cybercriminals are engaged in less technical, more high-volume scam activity — peer-reviewed analysis using the World Cybercrime Index.
Source: Council on Foreign Relations — Cyber Operations Tracker · Captured
Since 2005, thirty-four countries are suspected of sponsoring cyber operations. China, Russia, Iran, and North Korea sponsored 77 percent of all suspected operations.
Source: TRM Labs — The Bybit Hack: Following North Korea's Largest Exploit · Captured
On February 21, 2025, Bybit, one of the world's largest cryptocurrency exchanges, suffered an unprecedented cyberattack, resulting in the theft of approximately US$1.5 billion — the largest crypto exploit in history.
Source: CoverLink Insurance — Cyber Case Study: $25 Million Deepfake Scam · Captured
The fraudsters used publicly available audio recordings of the CEO of the energy firm's parent company to launch the deepfake scam, defrauding the target of US$25 million.
Source: ENISA — EU consistently targeted by diverse yet convergent threat groups (ETL 2025 press) · Captured
The 2025 ENISA Threat Landscape shows that threat groups are reusing tools and techniques, introducing new attack models — convergence of criminal and state-aligned activity is the dominant evolution.
Source: Group-IB — What Is Deepfake Vishing? How AI Voice Scams Work · Captured
Deepfake vishing is a type of voice phishing scam where cybercriminals use AI to clone the voice of someone familiar — like a boss, colleague or family member — to manipulate the victim.