Ransomware: An Exposé  —  New Analyst Edition

True-Crime Narrative Edition  |  v1.0  |  Based on EDP Framework  |  April 2026  |  INTERAGENCY
Prologue
It Started With a Phone Call
The ransomware ecosystem is not a shadowy hacker in a basement. It is an organized crime enterprise with departments, franchises, suppliers, and money launderers. Here is how it actually works.
Las Vegas, September 2023

A young man made a phone call to the MGM Resorts IT helpdesk. He introduced himself as an employee who had lost access to his multi-factor authentication device. Standard procedure. The helpdesk representative followed protocol, verified some basic account information, and reset the credentials. Within hours, MGM Resorts' casino floors were dark. Slot machines showed error screens. Hotel guests could not check in digitally. The reservation system was down.

The eventual damage would exceed $100 million. The attacker was 19 years old. He was a member of Scattered Spider, a loosely organized group of English-speaking hackers who had discovered that the most sophisticated security infrastructure in the world could be bypassed with a convincing phone manner and access to LinkedIn.

The malware — ALPHV/BlackCat ransomware — was not theirs. They had rented it. The credentials that got them into MGM's systems had been purchased. The infrastructure they used to encrypt files had been provided by someone else entirely. The ransom, if paid, would have been laundered through a chain of cryptocurrency services, brokers, and human networks before arriving as clean money in someone's Moscow bank account.

At no point in that entire chain did any single person need to do everything. That is the point. That is why this is hard.

Modern ransomware is not a threat actor. It is a supply chain. A network of specialized criminal service markets, each contributing a component, connected by underground marketplaces, governed by reputation systems, and protected by Russian state tolerance that ranges from passive to active depending on how useful any given operator happens to be.

This primer is a map of that supply chain — its structure, its key players, its financial flows, and the specific levers that Western law enforcement and intelligence agencies can pull to degrade it. It is written for analysts who are encountering this ecosystem for the first time and need a foundation that does not obscure the complexity behind jargon.

$813M
Confirmed ransomware payments in 2024 (Chainalysis) — down ~35% from the 2023 record of roughly $1.25B
7,500+
Victims publicly named on data leak sites in 2024 — a single-year record
35%
Payment decline in 2024 — the strongest signal that financial disruption is working
70%+
Non-payment rate when victims receive professional incident response support
$130M
In victim payments avoided by FBI's 7-month covert Hive operation alone
Chapter One
The Organization
Nine floors of operation. Fifteen specialist services. One criminal enterprise larger than most Fortune 500 companies.

Forget the image of the lone hacker. The ransomware ecosystem that produced the Colonial Pipeline attack, the MGM breach, the MOVEit campaign, and seven thousand four hundred and sixty publicly named victims in 2024 operates like a mature organized crime enterprise. There are bosses, middle management, specialists, and foot soldiers. There are vendors, suppliers, and service providers who may have no idea — or may not care — whose operations they are supporting.

The diagram below shows how it is organized. Think of it as a nine-story building. The foundation is the infrastructure — the physical hosting that everything else depends on. At the top is the money: the OTC brokers and exchanges and mule networks that convert crypto proceeds into real-world wealth. In the middle, on the fifth floor, is the boardroom — the RaaS groups that run the operation. Every other floor exists to either supply the boardroom or process its outputs.

THE CRIMINAL ENTERPRISE — NINE FLOORS OF OPERATION
  • Floor 9 — The Laundry: Money Launderers & Exchanges (13) · Mule Networks (14). Phase A
  • Floor 8 — The Cashier: OTC Brokers (12), Moscow back offices, no questions asked. Phase A
  • Floor 7 — The Washroom: Crypto Mixers (11), Blender, Chipmixer, Tornado Cash. Phase B
  • Floor 6 — The Press Room: Leak Sites (8) · Negotiators (15), the shaming and the bargaining. Phase C
  • Floor 5 — The Boardroom ★: RaaS Groups (7), the franchise headquarters. Everything serves this floor. Phase C
  • Floor 4 — The Marketplace: IABs (5) · Exploit Brokers (6) · Underground Forums (10). Phase B
  • Floor 3 — The Intelligence Bureau: Stealers (1) · Loaders (2), harvesting credentials and delivering payloads. Phase B
  • Floor 2 — The Con Artists: Crypters (3) · Callers & Spammers (4), disguise and deception. Cross-cut
  • Floor 1 — The Real Estate (Foundation): Bulletproof Hosting (9), the building that ignores the police. Phase A

The Three Disruption Phases

Western law enforcement and intelligence agencies have developed a three-phase framework for attacking this structure. The logic is sequential: attack the financial infrastructure first, because it takes longest to rebuild and degrades the economic incentive to reconstitute when operational pressure follows. Attack market infrastructure second. Attack operational infrastructure last — when the financial and market layers are already degraded.

Phase A: Cut the Money

Target the financial rails before anything else. When OTC brokers and exchanges are disrupted, criminal proceeds have nowhere to go. Reconstitution becomes economically painful, not just operationally inconvenient.

  • OTC Brokers (Module 12)
  • Exchanges / Launderers (Module 13)
  • Bulletproof Hosting (Module 09)

Phase B: Degrade the Markets

While financial pressure applies, attack the trust and market infrastructure. When forums are infiltrated and IAB trust mechanisms are compromised, transaction costs rise for everyone in the ecosystem.

  • IAB Markets (Module 05)
  • Underground Forums (Module 10)
  • Crypto Mixers (Module 11)

Phase C: Hit the Operations

Direct operator action — the most visible and most satisfying — is also the least durable without Phases A and B already in place. With financial and market pressure applied, brand reconstitution becomes expensive and slow rather than trivial.

  • RaaS Core Teams (Module 07)
  • Leak Sites (Module 08)
  • Loaders / Stealers (01, 02)
Chapter Two
The Job
Following a ransomware operation from the first phone call to the last dollar laundered — with the cast of characters at each step.
  • LURE: Callers / Spammers (Mod 04)
  • DELIVER: Loaders / Crypters (Mod 02-03)
  • HARVEST: Stealers / Log Markets (Mod 01)
  • SELL ACCESS: IAB / Exploit Broker (Mod 05-06)
  • DETONATE: RaaS Groups (Mod 07)
  • EXTORT: Leak Sites / Negotiators (Mod 08, 15)
  • WASH: Crypto Mixers (Mod 11)
  • CASH OUT: OTC / Exchanges (Mod 12-13)
  • INTEGRATE: Mule Networks (Mod 14)

Act One: Getting In

The entry point varies, but it almost always involves one of three routes: someone was tricked (a phishing email, a phone call, a malicious advertisement); a credential was already for sale (an IAB listing from a stealer-harvested log); or a vulnerability was already known and exploited (an n-day in a VPN appliance, a zero-day in a file transfer platform).

The caller or spammer is often the first human contact. Their job is deception — convincing an IT helpdesk employee that a password reset is legitimate, getting a finance employee to open an attachment, manufacturing the moment of trust that every subsequent technical step depends on. In the Scattered Spider model, this is a phone call. In the BazarCall model, it is an email that prompts the victim to call the attacker. In the AI vishing model, it is an automated system with a cloned voice that sounds like the victim's actual colleague.

The loader executes on the victim's machine and calls home. It does not carry the ransomware itself — that comes later. First, it establishes persistence. It identifies the environment. It downloads a stealer to harvest credentials. It begins the slow, methodical process of understanding the network it has just entered. This phase can last hours. In sophisticated operations, it lasts weeks.

"The time between initial access and ransomware deployment — the 'dwell time' — has dropped from an average of 16 days in 2021 to under 24 hours in some 2024 campaigns. Operators are getting faster. Defenders have less time to find them."

— Multiple incident response firm reports, 2024

Act Two: The Sale

In many operations, the affiliate who eventually deploys the ransomware was not involved in any of the above. They bought access. An Initial Access Broker listed the corporate VPN credentials on a dark web forum — documented, priced, and waiting for a buyer. The affiliate purchased them, verified the access, and began planning the deployment. The broker never interacted with the victim. Never knew what the affiliate would do. Never faced meaningful legal risk.

This is the division of labor that made ransomware scalable. Compromising a network is skilled work. Deploying ransomware across a complex enterprise is different skilled work. Laundering the proceeds is yet another specialized skill. The RaaS model fragments these specializations deliberately — each actor knows only their piece, reducing risk and allowing each function to be optimized independently.

Act Three: The Detonation

The RaaS affiliate has been inside the network for some time before they move. They escalate privileges. They identify domain controllers. They find the backup systems — and quietly delete or encrypt them first. They exfiltrate the most sensitive data available: financial records, patient files, legal documents, personnel records. Then they detonate.

On a Tuesday morning in an organization somewhere, hundreds of employees arrive at workstations showing identical ransom notes. The note has a URL, a Bitcoin address, and a countdown clock. It is professionally formatted. It includes the organization's name and a sample of stolen data to demonstrate the exfiltration is real. The negotiations are about to begin.

Act Four: The Money

If payment occurs — and in roughly 70% of cases it does not — the cryptocurrency moves through a well-established chain. Mixing first: the payment goes through a custodial mixer such as Chipmixer (until its 2023 seizure), a smart-contract mixer such as Tornado Cash, a CoinJoin, or a cross-chain bridge. Tracing does not become impossible, but it becomes slow and probabilistic instead of a matter of following one address. Then OTC brokers in Moscow convert large positions to fiat in bilateral meetings — no paperwork, no KYC, a fee of 1-5%, an understanding of what is not discussed. Then exchanges process volume. Then mule networks layer the fiat through account chains, real estate purchases, and shell company transactions, until it is indistinguishable from legitimate wealth.

TRM Labs confirmed in 2024 that more than half of mule-linked funds exit within one hour of receipt. By the time the victim has finished calling their cyber insurance carrier, the money is already in a Moscow apartment.

Chapter Three
The Dossiers
Fifteen criminal service markets, each explained as what it actually is.
01
The Pickpocket Factory
Stealers — Module 01
Phase B HIGH
Scene

On a server farm somewhere east of Moscow, an automated system is processing 400,000 stolen credential packages an hour. Each package — called a 'log' — contains the usernames, passwords, banking session tokens, and cryptocurrency keys scraped from one infected computer. A forum operator is pricing them. Corporate logins go for $50. A login to a healthcare network's VPN? $3,000. It's sold before breakfast.

How It Works

Infostealer malware runs silently on infected machines, vacuuming up everything of value and shipping it home. The malware itself is rented — LummaC2, RedLine, Vidar — subscription services starting around $200/month. The output is sold on log markets (Russian Market, 2easy) that operate like commodity exchanges for stolen identity.

Why It Matters

This is the raw material layer. A large share of the credentials a ransomware affiliate uses to walk into a victim's network started here, either bought directly from a log market or resold by an IAB who bought the log first. Stealers are the agricultural sector of the criminal economy — they grow the crop that the rest of the supply chain processes.

What the Record Shows
  • Microsoft DCU seized 2,300+ LummaC2 domains in May 2025 — the largest single infrastructure strike against any stealer family to date
  • Genesis Market seizure (2023): FBI notified 920,000 victims. Volume shifted to Russian Market within weeks — the infrastructure was gone, the market was not
  • The tactical shift of 2024: session token theft is now prioritized over static passwords as enterprises adopt MFA. A stolen cookie belongs to a session that has already passed MFA, so replaying it never triggers a second-factor prompt; only short session lifetimes, re-authentication for sensitive actions, and sessions bound to a device or client blunt it. Operators adapt faster than defenders patch.
The credential factory that produces the raw material for every access-based ransomware attack.
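The session-replay problem described in this dossier, as an added example that is not from the primer or from any vendor: an infostealer exports an already-authenticated cookie, so the buyer never sees an MFA prompt, and the only remaining signal is that the session suddenly looks like a different client. The rule below binds each session at login to a network prefix and a user agent and alerts when a later request changes both with no fresh login in between. The JSON log shape, field names and the /16 prefix (a stand-in for an ASN lookup) are assumptions for the example; the log lines are constructed.

```python
"""Detect replay of a stolen, already-authenticated web session (added example)."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample log: one JSON object per line, as an IdP or reverse proxy
# might emit. Lines are deliberately out of time order to show why we sort.
SAMPLE_LOG = """
{"ts": 1700003600, "user": "alice", "sid": "s-a1", "ip": "198.51.100.77", "ua": "Firefox/125 Linux", "event": "request"}
{"ts": 1700000000, "user": "alice", "sid": "s-a1", "ip": "203.0.113.5", "ua": "Chrome/124 Windows", "event": "login_mfa_ok"}
{"ts": 1700000300, "user": "alice", "sid": "s-a1", "ip": "203.0.113.5", "ua": "Chrome/124 Windows", "event": "request"}
{"ts": 1700000100, "user": "bob", "sid": "s-b1", "ip": "192.0.2.10", "ua": "Safari/17 iPhone", "event": "login_mfa_ok"}
{"ts": 1700000900, "user": "bob", "sid": "s-b1", "ip": "192.0.2.200", "ua": "Safari/17 iPhone", "event": "request"}
{"ts": 1700001000, "user": "carol", "sid": "s-c1", "ip": "203.0.113.9", "ua": "Edge/124 Windows", "event": "login_mfa_ok"}
{"ts": 1700004000, "user": "carol", "sid": "s-c2", "ip": "198.51.100.5", "ua": "Chrome/124 macOS", "event": "login_mfa_ok"}
{"ts": 1700004100, "user": "carol", "sid": "s-c2", "ip": "198.51.100.5", "ua": "Chrome/124 macOS", "event": "request"}
"""


@dataclass
class Binding:
    """What a session looked like at the moment it was authenticated."""
    user: str
    net: object          # ipaddress network object
    ua: str
    since: int


def net_of(ip, prefix=16):
    """Collapse an address to a network; /16 stands in for an ASN lookup here."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def parse_log(text):
    """Parse JSON lines and sort by timestamp so a late line cannot mask a hijack."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_session_hijacks(events, prefix=16):
    """Return alerts for sessions reused from a new network and a new client.

    A login event re-binds the session (a genuine new device goes through MFA and
    gets a new binding); a replayed cookie never produces one.
    """
    bindings = {}
    alerts = []
    for e in events:
        sid = e["sid"]
        if e["event"].startswith("login"):
            bindings[sid] = Binding(e["user"], net_of(e["ip"], prefix), e["ua"], e["ts"])
            continue
        b = bindings.get(sid)
        if b is None:
            alerts.append({"sid": sid, "user": e["user"], "ts": e["ts"],
                           "reason": "session used without a recorded login"})
            continue
        net_changed = net_of(e["ip"], prefix) != b.net
        ua_changed = e["ua"] != b.ua
        # Requiring both keeps mobile roaming (same client, new network) quiet;
        # tighten to either-or for high-value accounts.
        if net_changed and ua_changed:
            alerts.append({"sid": sid, "user": e["user"], "ts": e["ts"],
                           "reason": "session replayed from new network and new client",
                           "bound": (str(b.net), b.ua), "seen": (e["ip"], e["ua"])})
    return alerts


if __name__ == "__main__":
    for a in find_session_hijacks(parse_log(SAMPLE_LOG)):
        print(a)
```

Only alice's session fires: bob moved inside one /16 with the same client, and carol's second device produced its own login and its own session. In production the binding would also record the authentication strength and the time since MFA, so that a replayed session can be forced back through a challenge instead of merely alerting.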
02
The Delivery Drivers
Loaders — Module 02
Phase B HIGH
Scene

'QakBot is down.' In the summer of 2023, that message circulated through criminal forums within hours of the FBI seizing QakBot's command-and-control infrastructure. By the time the FBI was issuing press releases, QakBot's operators were already standing up Pikabot. When Pikabot got swept up in Operation Endgame in 2024 alongside IcedID, Bumblebee, and SmokeLoader, the next loader in line — Latrodectus — was already in circulation. This is what reconstitution looks like in real time.

How It Works

Loaders are the delivery trucks of the malware ecosystem. Their job is simple: get onto a machine and execute whatever the operator sends next. They are rented by the week or month — Loader-as-a-Service, $100-$1,000 depending on the infrastructure quality and the delivery vector. Raspberry Robin spreads through USB drives and infected IoT devices. Gootloader hijacks search engine results for legal document searches. Bumblebee pretended to be software installers.

Why It Matters

Without loaders, ransomware groups either need to handle initial access themselves (expensive, slow) or buy access from IABs. Loaders industrialize the front door of every attack.

What the Record Shows
  • Operation Endgame (May 2024): Europol and FBI simultaneously seized infrastructure for IcedID, Bumblebee, SmokeLoader, and Pikabot. Called the largest loader operation on record. Latrodectus, already in circulation since late 2023, had filled the gap within three months
  • Operation Duck Hunt (2023): FBI sinkholed QakBot's C2, notifying 700,000 victims. QakBot operators had Pikabot ready before the press conference was over
  • The lesson from Endgame: single-family takedowns produce rapid migration. Simultaneous multi-family action forces operators to rebuild from scratch rather than pivot to a ready alternative
The delivery trucks that get malware inside the building — rented by the month, replaced within weeks of disruption.
03
The Disguise Artists
Crypters — Module 03
Cross-Cut MEDIUM
Scene

A researcher at a major antivirus company discovered something interesting in 2024: on the major criminal forums, three sellers were responsible for the majority of all obfuscation sales. Three people, providing the invisibility cloak for the majority of malware targeting Western organizations. None of them had ever faced a law enforcement action. None of them ever have.

How It Works

Crypter-as-a-Service provides the obfuscation layer that makes malware undetectable to antivirus scanners at delivery. FUD — Fully Undetectable — is the product. It burns fast: AV vendors detect and signature the new stubs within days, so operators repurchase constantly. The market runs through criminal forums and automated Telegram bots. Open all day, every day. Accepts crypto.

Why It Matters

Every piece of malware in the delivery chain — stealers, loaders, ransomware payloads — needs to survive endpoint detection on arrival. Crypters are the last line of offense before the defender's first line of defense.

What the Record Shows
  • No major law enforcement action against any CaaS operator as of April 2026. This is the most significant gap in the enforcement record
  • Market concentration creates a paradox and an opportunity: 1-3 sellers dominate volume on each major forum, meaning a single prosecution disrupts supply for hundreds of downstream operators simultaneously
  • AV/EDR coordination (CISA) is the primary counter-measure available: accelerating signature deployment compresses the FUD validity window from weeks to hours
The invisibility cloaks — the obfuscation services that let malware walk past your antivirus scanner undetected.
04
The Con Artists
Callers and Spammers — Module 04
Cross-Cut MEDIUM
Scene

In September 2023, a teenager called the MGM Resorts IT helpdesk. He claimed to be an employee who had lost access to his account. The helpdesk representative — following standard procedure — reset his credentials. Within hours, MGM Resorts' operations were locked. The casino floors went dark. Slot machines stopped paying out. The eventual damage: $100 million, plus remediation. The teenager was 19 years old and a member of Scattered Spider.

How It Works

Social engineering operators bridge the gap between technical malware delivery and human vulnerability. The BazarCall model sends phishing emails that prompt victims to call attacker-controlled numbers; trained operators on the other end convince IT staff to install 'remote support' tools. AI vishing platforms (Vishing-as-a-Service, such as PlugValley) now provide real-time call scripts, voice modulation, and enterprise org charts to operators who may not even speak English as a first language.

Why It Matters

Social engineering attacks route around technical controls rather than defeating them. Firewalls, EDR, MFA — none of it matters if a trained operator can convince an IT administrator to reset, disable or re-enroll it for them. A control is only as strong as the weakest process that is allowed to undo it.

What the Record Shows
  • Scattered Spider prosecutions (2023-2024): UK and US arrested multiple members, demonstrating that English-speaking operators are identifiable and prosecutable
  • Victim-side hardening: mandatory out-of-band verification for every helpdesk credential or MFA reset (a callback to a number on file, a manager's confirmation, in-person for privileged accounts) removes the Scattered Spider helpdesk-impersonation vector with no law enforcement action required. BazarCall needs a different control, because there the victim places the call: block unapproved remote-support tools and make sure staff know the only number the real helpdesk uses
  • The AI vishing frontier: PlugValley and similar platforms let a non-English speaker run a convincing IT helpdesk impersonation in any accent. The skill floor is dropping to zero
The con artists who convince IT helpdesks to hand over the keys — technically the lowest-cost, highest-impact initial access vector in the ecosystem.
05
The Real Estate Agents
Initial Access Brokers — Module 05
Phase B HIGH
Scene

On RAMP forum, the listing reads: 'Domain Admin access — Fortune 500 healthcare company, US, 40,000 seats. VPN access confirmed. AV identified, evasion possible. Asking $8,500.' Below it, another: 'US logistics firm, 12,000 seats, domain admin. $3,200 OBO.' The broker who listed them compromised both networks last week. He will never deploy ransomware himself. That's someone else's job.

How It Works

Initial Access Brokers are specialists who compromise networks and sell the access rather than exploiting it themselves; this is the division of labor that made ransomware scalable. Two tiers: bulk IABs use automated scanning tools and sell commodity access ($500-$1,000); boutique IABs target specific sectors, document privileged access, and sell curated packages to discerning buyers ($2,700-$10,000+). Rapid7 found 71.4% of observed listings include domain admin or equivalent — not just a foothold, a kingdom.

Why It Matters

IABs decoupled the compromise function from the ransomware deployment function. RaaS groups no longer need to find victims — they shop for them. This is why ransomware scaled so rapidly after 2019.

What the Record Shows
  • OFAC financial designation of boutique IABs: targets trust relationships, not just infrastructure — higher durability than server seizure
  • FBI Raspberry Robin C2 sinkholing: disrupts the automated pipeline that feeds bulk IABs at scale
  • The market is migrating away from public forum listings toward private channels — LE visibility is declining as security culture among IABs improves post-2022
The brokers who sell pre-compromised corporate network access, making network intrusion a commodity that ransomware groups can simply purchase.
06
The Arms Dealers
Exploit Brokers — Module 06
Phase B CRITICAL
Scene

In May 2023, CL0p had a zero-day. It was a vulnerability in MOVEit Transfer, a file transfer product used by thousands of enterprises for HR and payroll data. CL0p didn't just hit one target — they hit all of them at once. Over the following weeks, 2,000+ organizations across 60 countries discovered their data was already gone. CL0p did not even contact most victims individually; it posted a notice on its leak site telling affected organizations to make contact before a deadline or be named. The exploit itself had probably cost CL0p under $1 million. The extortion proceeds are estimated at over $100 million.

How It Works

Exploit brokers occupy the highest-value, lowest-visibility position in the supply chain. They acquire software vulnerabilities — often zero-days, often in widely-used enterprise platforms — and sell exploitation capability to whoever pays. The economics are grotesque: vendors pay $50,000 for a critical vulnerability report; criminal markets pay $500,000-$2,000,000 for the same information held privately. When researchers make that choice, the math is the math.

Why It Matters

A single quality zero-day enables simultaneous mass-scale attacks against every unpatched instance globally. It is qualitatively different from any other access method — not one victim, but thousands.

What the Record Shows
  • Bug bounty price parity is the structural fix: when vendor programs pay at criminal-market rates, researchers have no rational incentive to sell to criminals. No law enforcement required, no Russian cooperation required
  • Rapid patch deployment (CISA coordination) compresses the exploitation window from weeks to days — not eliminating zero-day risk but significantly limiting its reach
  • CL0p's MOVEit campaign is the benchmark: one exploit, 2,000+ victims, $100M+ proceeds. The calculus for investing in zero-day capability is now clearly established among top-tier criminal operators
The arms dealers who sell software vulnerabilities, enabling mass-scale attacks against thousands of organizations from a single exploit.
07
The Franchise Headquarters
RaaS Groups — Module 07
Phase C CRITICAL
Scene

At its peak, Conti had an org chart. There were departments: development, HR, negotiations, infrastructure, OSINT. There were performance reviews. Employees had salaries — junior developers earned around $1,500/month; senior operators earned multiples of that plus bonuses for successful deployments. There was a training program for new affiliates. When a researcher embedded in Conti's operations leaked 60,000 internal messages to journalists in 2022, the world got its first clear look at what a $180 million criminal enterprise's internal culture actually looks like. It looked like a startup.

How It Works

RaaS (Ransomware-as-a-Service) groups are the franchise headquarters of the criminal ecosystem. Core teams of 5-20 members develop and maintain the ransomware code, negotiation infrastructure, and victim-facing leak sites. Affiliates — sometimes hundreds of them — rent the tools, deploy against victims, and take 70-80% of proceeds. The core team takes 20-30% for doing none of the dangerous work. In 2024: 7,500+ victim organizations on DLS (record, up 50% YoY); $813M in confirmed payments (Chainalysis); LockBit claimed responsibility for 25% of all ransomware incidents at its peak.

Why It Matters

RaaS groups are the revenue engine that the entire ecosystem exists to serve. Every other module — stealers, IABs, BPH, mixers, OTC brokers — either feeds them inputs or processes their outputs.

What the Record Shows
  • Operation Cronos (Feb 2024): LockBit infrastructure seized; 34 servers taken; 1,000+ decryption keys recovered; affiliates exposed by name. RansomHub absorbed LockBit's affiliates within 60-90 days
  • FBI Hive infiltration (2022-2023): 7-month covert access; $130M in avoided victim payments; 300+ victims received decryption keys before seizure. The Hive brand never reconstituted (researchers later noted code overlap between Hive and Hunters International, which denied being a successor) — the closest thing on record to a permanent takedown
  • 72% victim non-payment rate in 2025 (record; 28% paid): the compound result of financial-layer enforcement, improved IR, and growing non-payment advocacy. Attack volume rose 50% but total payments held at ~$813M — the ecosystem is running harder for the same revenue
The franchise headquarters that runs the ransomware brand, takes 20-30% of all proceeds, and provides the tools and infrastructure that affiliates use to attack victims.
08
The Public Shaming Board
Leak Site Ops — Module 08
Phase C HIGH
Scene

In December 2024, 621 organizations found their names on ransomware data leak sites in a single month — a record. Each listing was accompanied by a sample of stolen data, a countdown clock, and a message: pay, or the rest goes public. The targets included hospitals, utilities, law firms, and school districts. Some paid. Most did not. The data went up regardless.

How It Works

Data Leak Sites are the extortion infrastructure of double-extortion ransomware. When victims refuse to pay, operators publish stolen data — triggering regulatory investigations, notifying customers, and permanently damaging reputations. The DLS ecosystem has evolved: multi-tenant platforms now host multiple ransomware brands on shared infrastructure, meaning single-brand takedowns no longer take down the platform. They just remove one tenant.

Why It Matters

The DLS model permanently transformed ransomware. Even organizations with perfect backup practices now face a separate, independent extortion vector that has nothing to do with their ability to restore their systems.

What the Record Shows
  • FBI Hive covert infiltration: 7 months of covert DLS access; $130M in avoided payments; 300+ victims received decryption keys BEFORE seizure. The key finding: covert access that helps victims is worth more than seizure that just removes the platform
  • Operation Cronos LockBit DLS seizure: the NCA-led task force repurposed the seized leak site, running countdown timers of its own to announce disclosures about the operators — maximum psychological impact; tactical brilliance
  • Multi-tenant platforms are the evolution: RansomHub DLS hosts multiple groups. One seizure, multiple tenants disrupted simultaneously — but also one platform survives the disruption of any individual brand
The public shaming board that publishes stolen victim data to coerce payment — the extortion mechanism that works even against organizations with good backups.
09
The Criminal Landlord
Bulletproof Hosting — Module 09
Phase A CRITICAL
Scene

On February 11, 2025, the US Treasury, alongside the UK and Australia, designated Zservers; Media Land LLC followed that November. The press release was unusually specific: Zservers' CEO had publicly stated that Russian state agencies were aware of his operations. He was not making a complaint. He was making a guarantee. The designation froze Western financial access. His servers kept running.

How It Works

Bulletproof Hosting providers are the criminal landlords — they rent server space with an explicit, advertised guarantee: no cooperation with law enforcement, no logs provided, no response to abuse complaints. They charge a premium for this guarantee. Zservers, Aeza, BEARHOST, Media Land — these companies operate with the full knowledge of Russian authorities and the full protection that entails. A Sophos investigation in 2025 identified a single virtual machine template image underlying over 7,000 active ransomware-linked servers.

Why It Matters

BPH is the physical foundation of the entire ecosystem. Every leak site, every C2 server, every loader delivery platform, every forum runs on BPH somewhere in its infrastructure. Disrupting BPH is the only single action that simultaneously degrades all dependent modules.

What the Record Shows
  • Upstream ISP depeering (McColo model, 2008): Global Crossing and Hurricane Electric cut McColo's upstream connectivity; global spam dropped roughly 75% within hours. McColo never recovered. This is the gold standard and it requires only carrier cooperation — not Russian state cooperation
  • Zservers (February 2025) and Media Land (November 2025) designations: the most significant BPH enforcement actions to date. Aeza and BEARHOST absorbed the displaced clients within months — the market did not contract, it redistributed
  • Sophos VM template fingerprint: 7,000+ ransomware-linked servers sharing a single underlying image. A detection opportunity that has not yet been exploited at scale
The criminal landlords who provide the untouchable hosting that every other module depends on — operating with Russian state awareness and protection.
10
The Criminal Stock Exchange
Underground Forums — Module 10
Phase B HIGH
Scene

When Conti's internal messages leaked in 2022, the most damaging thing wasn't what they revealed about Conti. It was what they revealed about the forum identities linked to Conti operators. On the forums where criminal transactions happen, reputation is everything. Those handles — built over years, verified through thousands of transactions — were burned overnight. The intelligence operation that produced the leak caused more sustained damage to the ecosystem's trust infrastructure than any server seizure in the period.

How It Works

Underground forums are the governance layer of the criminal economy. They are not just marketplaces — they are the institution that makes criminal commerce possible: reputation systems where operators build years of verified transaction history; escrow services where funds are held during deals; dispute resolution where trusted forum moderators adjudicate contract violations; recruitment boards where RaaS groups post affiliate job listings. Exploit.in and XSS.is have operated, under one domain or another, since the early 2010s. The first direct action against either came in July 2025, when French and Ukrainian authorities, with Europol, arrested XSS's alleged administrator in Kyiv and seized the domain; the forum resurfaced on a new domain shortly afterwards, because the asset was never the domain but the reputation database behind it.

Why It Matters

Without forums, criminal transactions cannot be trusted. IAB sales require escrow. Affiliate recruitment requires reputation. Service procurement requires verified seller histories. Destroy the trust infrastructure and you raise transaction costs for every actor in the ecosystem simultaneously.

What the Record Shows
  • Trust manipulation > seizure: the Conti leak simultaneously burned handles, destroyed verified transaction histories, and collapsed trust in Conti-linked forum identities. No server seizure achieves that
  • BreachForums has been seized or forced offline repeatedly (2023, 2024, again in 2025) and reconstituted within weeks each time — forum URLs are not the target; administrator identification and trust destruction are
  • Forum infiltration and manipulation: implanting false reputation data, operating as a trusted escrow service, or exposing transaction records destroys what took operators years to build
The criminal stock exchange that provides the trust infrastructure making all transactions in the ecosystem possible — operating for over a decade with, until 2025, no direct law enforcement action.
11
The Money Laundromat
Crypto Mixers — Module 11
Phase B HIGH
Scene

When the FBI seized Chipmixer's servers in March 2023, they found 7 servers and $46 million in cryptocurrency. What they did not find was the $3 billion that had already passed through. Chipmixer had processed ransomware proceeds, darknet market funds, and North Korean state-backed crypto theft for years. It charged between 1-3% for its services and ran entirely without KYC. The operators were known pseudonymously to the criminal community. Their service was essential. When it went down, the ecosystem shifted to Sinbad.io within weeks. Sinbad was seized eight months later. The ecosystem shifted again.

How It Works

Cryptocurrency mixing services pool funds from multiple criminal and (sometimes unwitting) legitimate sources and return equivalent amounts, breaking the link between the coins that went in and the coins that came out. Custodial mixers take custody of the funds, which is why they can be seized and their operators prosecuted. Non-custodial designs avoid that single point: Tornado Cash is a set of smart contracts with no operator in the flow of funds, and CoinJoin coordinates many users into one Bitcoin transaction with equal-valued outputs, so no party ever holds anyone else's coins — harder to seize, harder to prosecute, harder to disrupt.
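Why a CoinJoin works against the analyst, shown as an added example that is not from the primer and uses constructed transactions rather than real chain data (amounts in satoshis). The simplest clustering rule, "all inputs of one transaction belong to one owner", is exactly what a CoinJoin is built to break: the affiliate's ransom coin is spent in the same transaction as strangers' coins, so the rule either merges the strangers into the affiliate's cluster or, if the CoinJoin is recognised and skipped, leaves the trail at a set of equal-valued outputs with no way to say which one is the affiliate's.

```python
"""Common-input-ownership clustering versus a CoinJoin (added example)."""
from collections import defaultdict

# Constructed chain. tx1: the victim pays the ransom from two of its own addresses.
# tx2: the affiliate CoinJoins A1 with two unrelated users; three equal 1 BTC outputs
# plus change. tx3: one equal output later lands at an OTC broker's deposit address.
TXS = [
    {"id": "tx1",
     "inputs": [("V1", 100_000_000), ("V2", 50_000_000)],
     "outputs": [("A1", 150_000_000)]},
    {"id": "tx2",
     "inputs": [("A1", 150_000_000), ("U1", 120_000_000), ("U2", 100_000_000)],
     "outputs": [("X1", 100_000_000), ("X2", 100_000_000), ("X3", 100_000_000),
                 ("A1c", 50_000_000), ("U1c", 20_000_000)]},
    {"id": "tx3",
     "inputs": [("X2", 100_000_000)],
     "outputs": [("OTC", 100_000_000)]},
]


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Heuristic: several inputs and several outputs of identical value."""
    counts = defaultdict(int)
    for _, value in tx["outputs"]:
        counts[value] += 1
    return len(tx["inputs"]) >= 3 and max(counts.values()) >= min_equal_outputs


def cluster_addresses(txs, skip_coinjoin=False):
    """Map every address to the frozenset of addresses the heuristic assigns to its owner.

    Union-find over addresses; each transaction's inputs are merged into one owner
    unless skip_coinjoin is set and the transaction looks like a CoinJoin.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path compression
            a = parent[a]
        return a

    def union(a, b):
        parent[find(a)] = find(b)

    for tx in txs:
        for addr, _ in tx["inputs"] + tx["outputs"]:
            find(addr)                        # register every address, even singletons
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue
        inputs = [addr for addr, _ in tx["inputs"]]
        for addr in inputs[1:]:
            union(inputs[0], addr)

    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def candidate_outputs(tx, value):
    """Outputs of a CoinJoin that could be the traced coin: all of equal value."""
    return [addr for addr, v in tx["outputs"] if v == value]


if __name__ == "__main__":
    print("naive cluster of A1:", sorted(cluster_addresses(TXS)["A1"]))
    print("CoinJoin-aware cluster of A1:", sorted(cluster_addresses(TXS, True)["A1"]))
    print("where did A1's coin go?", candidate_outputs(TXS[1], 100_000_000))
```

The naive pass wrongly puts the two strangers in the affiliate's cluster, which is the kind of false merge that gets an innocent exchange customer frozen; the CoinJoin-aware pass stops the merge but then faces three equal outputs and a one-in-three guess. Real tracing firms break that tie with amounts, timing and later spend behaviour (tx3 here), which is why mixing raises the cost of tracing rather than making it impossible.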

Why It Matters

Without mixing, every ransom payment is a public blockchain transaction traceable from the victim's wallet to the criminal's wallet. Mixing is the technical mechanism that makes crypto criminally useful.

What the Record Shows
  • Tornado Cash designation (Aug 2022): first-ever OFAC designation of a smart contract. Partial operational impact — the protocol kept running, but fiat on/off ramps for US-nexus actors were severed
  • Chipmixer seizure (Mar 2023): $3B+ in criminal proceeds traced. 7 servers. Largest single mixer enforcement. Ecosystem shifted to decentralized alternatives within weeks
  • 72% non-payment rate in 2025 (28% paid, record low) correlates with sustained financial-layer enforcement. Attacks up 50% YoY; payments held flat at ~$813M. Strongest available evidence that financial-layer disruption changes the ecosystem's economics
The money laundromat that makes ransomware crypto untraceable — and whose enforcement, together with exchange enforcement, correlates with the record-low 28% victim payment rate in 2025.
12
The Moscow Back Office
OTC Brokers — Module 12
Phase A CRITICAL
Scene

Garantex operated out of a Moscow office tower. After the US Treasury designated it in April 2022, it kept operating out of the same office tower. For three years, it processed hundreds of millions of dollars in criminal cryptocurrency proceeds from that building, under that designation, with full knowledge of Russian authorities. It took until March 2025 — 1,064 days after designation — for Europol and the US DOJ to coordinate the physical seizure of its servers and the arrest of its administrators. Three years. The designation was not the disruption. The arrest was the disruption.

How It Works

OTC brokers provide bilateral, personalized cryptocurrency-to-fiat conversion for large holdings — no KYC, no reporting, no questions. High-volume criminal OTC is concentrated in Russia, particularly Moscow and St. Petersburg, where brokers operate with physical offices and in-person settlement. Fees run 1-5%. SUEX, Chatex, Garantex, and Cryptex represent the documented enforcement sequence from 2021-2024.

Why It Matters

OTC brokers are the primary mechanism for converting large ransomware payments into spendable fiat currency. Without them, the money exists only as cryptocurrency that cannot safely enter the legitimate economy.

What the Record Shows
  • SUEX designation (Sep 2021): first cryptocurrency exchange designation; processed hundreds of millions in ransomware proceeds; established the OTC enforcement playbook
  • Garantex lesson: designated April 2022, seized March 2025. Three years of continued operation under designation. The gap between designation and physical enforcement is the primary vulnerability of the designation model
  • Tether T3 real-time USDT freeze: Tether has demonstrated willingness to freeze USDT at specific addresses. Using this at wallet identification — not post-enforcement — is the underused lever that no one has fully exploited yet
The Moscow back offices that convert criminal cryptocurrency to spendable fiat — operating under US sanctions for three years before anyone physically closed the door.
13
The Corrupt Banks
Exchanges and Launderers — Module 13
Phase A CRITICAL
Scene

BTC-e processed four billion dollars in criminal proceeds. Its operator, Alexander Vinnik, was a Russian national who made the mistake of vacationing in Greece in 2017. US and Greek authorities arrested him on the beach. He subsequently spent years fighting extradition to multiple countries simultaneously — France, Greece, the US, Russia — in a jurisdictional battle that itself illustrates how difficult it is to pursue even identified, arrested criminal operators in this ecosystem. He was eventually extradited to the United States in 2022.

How It Works

Non-compliant exchanges process criminal cryptocurrency at volume, converting it to fiat through automated systems rather than bilateral personal relationships. They are the industrial-scale version of OTC brokers — less personalized, higher throughput. BTC-e ($4B processed; seized 2017), Bitzlato ($700M processed; seized 2023), and Garantex (designated 2022, seized 2025) are the documented examples. Tether (USDT) has become the dominant currency at this layer — replacing Bitcoin as the preferred ransomware payment vehicle because of its price stability.

Why It Matters

Exchanges are the scaling mechanism for criminal cash-out. OTC handles large single transactions; exchanges handle volume. Both layers are required for the full proceeds to reach the real economy.

What the Record Shows
  • Coordinated OTC-plus-exchange action in the same enforcement window: this has not been done at scale. Each time one is designated, proceeds migrate to the other. Simultaneous action prevents displacement
  • Tether T3 real-time freeze: USDT freeze upon wallet identification, not post-enforcement, would eliminate the gap between when funds move and when enforcement catches up
  • The Bitzlato prosecution was the first use of FinCEN's 'special measures' authority against a virtual currency exchange — a new enforcement tool whose potential has not been fully exploited
The corrupt exchange infrastructure that converts ransomware proceeds to fiat at scale — and whose disruption, coordinated with OTC enforcement, produced the 2024 payment decline.
14
The Human Chain
Mule Networks — Module 14
Phase C MEDIUM
Scene

The mule recruiter posted on LinkedIn. The job description mentioned 'financial transaction processing' and 'remote work.' The pay was $3,000 a month. Thousands of people applied. The recruiter selected carefully: people with clean banking histories, no criminal record, plausible professional backgrounds. Their job was to receive wire transfers, withdraw cash, and send it somewhere else. Most of them had no idea they were moving ransomware proceeds. TRM Labs confirmed in 2024 that more than half of the funds entering mule accounts exit within one hour of arrival.

How It Works

Mule networks are the human chain that converts criminal fiat into real-world untraceable assets. Three tiers operate simultaneously. Professional herder operators manage networks of mule accounts and understand exactly what they are doing. Semi-witting recruits — hired through fake job ads — move money believing it is legitimate employment. The integration layer converts the proceeds into real estate, luxury goods, shell company capitalization, and financial instruments.

Why It Matters

Without mule networks, criminal proceeds remain traceable to cryptocurrency wallets or bank accounts subject to seizure. Mule networks complete the conversion to real-world wealth that cannot be easily recovered.

What the Record Shows
  • Herder-tier prosecution disrupts ransomware, fraud, and business email compromise simultaneously — the same networks serve multiple crime types. A single herder takedown has cross-ecosystem value
  • Integration-stage enforcement operates entirely within Western jurisdiction: real estate registries, beneficial ownership disclosure requirements, luxury goods AML. No Russian cooperation required
  • 50%+ of funds exit within 1 hour: the implication is that post-receipt recovery requires real-time bank-to-bank freeze capability, pre-negotiated and ready to activate. It is not a future capability problem — it is a process problem
The human chain that converts cryptocurrency proceeds into real estate, cash, and luxury goods — and whose disruption requires no Russian cooperation.
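The one-hour exit figure above implies a detection rule rather than an investigation step. As an added example, not part of the original briefing and not tooling from any bank or from TRM Labs, the Python below runs a "rapid pass-through" check over a constructed transaction export: for each account it computes the share of inbound value that left within an hour of arriving (outflows matched FIFO to earlier inflows), flags accounts above a threshold, and shows what a freeze at a given moment could still hold. Account ids, timestamps and amounts are all constructed.

```python
"""Rapid pass-through detection over a constructed bank transaction export.

Flags accounts where most inbound value leaves within a short window of
arriving, the behaviour the text attributes to mule accounts. Sample data is
constructed; nothing here is from a real institution.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BankTx:
    account: str
    when: datetime
    direction: str   # "in" (credit) or "out" (debit)
    cents: int


# Constructed export: account,timestamp,direction,cents
SAMPLE_LOG = """\
ACC-001,2025-03-03T09:02:00,in,480000
ACC-001,2025-03-03T09:31:00,out,470000
ACC-001,2025-03-04T14:10:00,in,120000
ACC-001,2025-03-04T14:40:00,out,119000
ACC-002,2025-03-03T10:00:00,in,250000
ACC-002,2025-03-10T10:00:00,out,50000
ACC-002,2025-03-15T10:00:00,out,70000
ACC-003,2025-03-05T12:00:00,in,100000
ACC-003,2025-03-05T12:30:00,out,40000
ACC-003,2025-03-05T18:00:00,out,60000
"""


def parse_log(text):
    """Parse the CSV-like export and sort by account, then time."""
    txs = []
    for line in text.strip().splitlines():
        acct, ts, direction, cents = line.split(",")
        txs.append(BankTx(acct, datetime.fromisoformat(ts), direction, int(cents)))
    return sorted(txs, key=lambda t: (t.account, t.when))


def fast_exit_fractions(txs, window=timedelta(hours=1)):
    """Per account: share of inbound value that left within `window` of arriving.

    Each debit is matched against the oldest still-unspent credits (FIFO); a
    matched slice counts as a fast exit if debit time - credit time <= window.
    """
    inflow_total = defaultdict(int)
    fast_exit = defaultdict(int)
    pending = defaultdict(deque)   # account -> deque of [remaining_cents, arrival]
    for tx in txs:
        if tx.direction == "in":
            inflow_total[tx.account] += tx.cents
            pending[tx.account].append([tx.cents, tx.when])
            continue
        left, queue = tx.cents, pending[tx.account]
        while left > 0 and queue:
            take = min(left, queue[0][0])
            if tx.when - queue[0][1] <= window:
                fast_exit[tx.account] += take
            queue[0][0] -= take
            left -= take
            if queue[0][0] == 0:
                queue.popleft()
    return {a: fast_exit[a] / inflow_total[a] for a in inflow_total}


def flag_passthrough_accounts(txs, threshold=0.5, window=timedelta(hours=1)):
    """Accounts whose fast-exit share meets the threshold (50% mirrors the text)."""
    fractions = fast_exit_fractions(txs, window)
    return sorted(a for a, f in fractions.items() if f >= threshold)


def balance_at(txs, account, when):
    """Funds still in `account` at `when`: what a freeze at that moment could hold."""
    balance = 0
    for tx in txs:
        if tx.account == account and tx.when <= when:
            balance += tx.cents if tx.direction == "in" else -tx.cents
    return balance


if __name__ == "__main__":
    txs = parse_log(SAMPLE_LOG)
    for acct, frac in sorted(fast_exit_fractions(txs).items()):
        print(f"{acct}: {frac:.1%} of inbound value left within 1h")
    print("flagged:", flag_passthrough_accounts(txs))
    t_early = datetime(2025, 3, 3, 9, 20)
    t_late = datetime(2025, 3, 3, 10, 0)
    print("ACC-001 holdable at 09:20:", balance_at(txs, "ACC-001", t_early))
    print("ACC-001 holdable at 10:00:", balance_at(txs, "ACC-001", t_late))
```

The FIFO attribution is a modelling choice: it keeps a small residue from an old credit from counting as a fast exit when a later debit drains it, which slightly lowers the score of a genuine pass-through account. The `balance_at` check makes the text's process point concrete: on the constructed data a freeze request that lands at 09:20 holds the whole credit, one that lands at 10:00 holds almost nothing.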
15
The Negotiation Table
Negotiation Services — Module 15
Cross-Cut MEDIUM
Scene

The incident response firm got the call at 2am. The hospital's systems were down. Patient records inaccessible. The ransom note, found on every workstation, demanded $4.5 million in Bitcoin within 72 hours. The IR firm's lead negotiator began typing. She had been in this exact situation hundreds of times. She knew the group's negotiation patterns — how fast they move, where they flex, what they will accept. She also knew that 70% of the time, she would find a way through this without the hospital paying a dollar. She was right.

How It Works

The negotiation module has two sides that operate simultaneously. Criminal side: RaaS core teams field dedicated internal negotiation teams who manage victim communications, apply DLS pressure, and process payments. Some rogue recovery firms deceptively accept victim fees while secretly paying ransoms, claiming to have 'decrypted' data through proprietary means. Defender side: legitimate IR firms (Coveware, GuidePoint, CyberSecOp) negotiate professionally, achieving 70%+ non-payment rates for professionally managed incidents versus an estimated 30-40% without support.

Why It Matters

The payment decision occurs at this node. Everything else in the ecosystem is prologue to this moment. Scaling professional access to this node is the single highest-ROI disruption action that requires no Russian cooperation, no law enforcement action, and no technical capability.

What the Record Shows
  • Every percentage point of non-payment rate growth at ecosystem scale represents hundreds of millions in avoided payments. 72% ecosystem-wide in 2025 (record; 28% paid). 80%+ for professionally managed incidents. The gap has narrowed but the absolute dollar value of each percentage point remains enormous
  • Rogue recovery operator enforcement (FTC, SEC): firms that secretly pay ransoms while claiming to decrypt data commit fraud on victims AND provide economic support to criminal operators. Both problems are addressable in Western jurisdiction
  • Scaling professional IR access to SMBs and critical infrastructure sectors is a policy lever, not a technical one — it requires CISA/NCSC coordination and potentially subsidized access programs for under-resourced sectors
The negotiation table where the ransom is either paid or avoided — and where professional support achieves 70%+ non-payment, the most powerful disruption lever not requiring Russian cooperation.
Chapter Four
Follow the Money
From the moment a victim sends Bitcoin to the moment it becomes a Moscow apartment — and the specific points where Western enforcement can intercept it.

Every ransomware payment begins as cryptocurrency and ends as real-world wealth. Between those two points, it passes through a series of criminal service providers who each take a cut, add a layer of obfuscation, and hand it to the next person in the chain. The chain is fast — in some cases, funds reach the real economy within hours of the victim paying. Here is how it moves.

Step 1 — Victim Pays

Cryptocurrency (increasingly USDT rather than Bitcoin, for price stability) sent to attacker-controlled wallets. Average payment: approximately $2.7M for large enterprise victims in 2024. 72% of victims declined to pay in 2025 — record high non-payment rate (28% paid). Each declined payment is a dollar the ecosystem does not receive, regardless of brand.

Step 2 — The Split

Within minutes, the RaaS core team splits the payment: 70-80% to the affiliate who deployed the ransomware; 20-30% retained by the core team who built and maintained the tools. The affiliate takes the operational risk. The core team takes the safe money. This is the franchise model that makes RaaS economically rational for all parties.

Step 3 — The Wash (Module 11)

Funds enter mixing services to break the blockchain traceability chain. Chipmixer processed over $3 billion before its seizure in 2023. Its successors — Sinbad.io, and then decentralized alternatives like CoinJoin and cross-chain bridges — handle the next generation of proceeds. Custodial mixers can be seized. Decentralized protocols cannot. The ecosystem has noticed.

Step 4 — The Moscow Cashier (Module 12)

Large positions converted through OTC brokers in physical offices in Moscow and St. Petersburg. No KYC. No paper trail. A fee of 1-5% and an understanding that certain questions are not asked. SUEX (2021), Chatex (2021), Garantex (2022-2025), and Cryptex (2024) represent the documented enforcement sequence. The Garantex lesson: designated in April 2022, continued operating from the same Moscow address until March 2025. Designation is not seizure.

Step 5 — The Exchange (Module 13)

Volume conversion through non-compliant exchanges. BTC-e ($4 billion, seized 2017). Bitzlato ($700 million, seized 2023). Garantex again, at this layer too. Tether's T3 unit can freeze USDT in real time at specific wallet addresses — but this capability is used post-enforcement rather than at wallet identification, a gap that significantly reduces its impact.

Step 6 — The Human Chain (Module 14)

Fiat layered through mule account chains. Professional herder operators manage networks of recruited mules who move funds through bank accounts, believing they are doing legitimate financial processing work. Over 50% of mule-linked funds exit within one hour of receipt. Recovery at this stage requires real-time bank-to-bank freeze capability that is pre-negotiated and ready to activate — not a future capability problem, a current process problem.

Step 7 — Real Economy Integration

Proceeds enter the legitimate economy: real estate purchases, luxury goods, shell company capitalization, financial instruments. Conti's internal messages, leaked in 2022, documented Wizard Spider's property portfolio and shell company network in specific detail. Integration-stage action operates entirely within Western jurisdiction — no Russian cooperation required. Beneficial ownership registries, real estate AML requirements, and luxury goods reporting are the tools.
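As an added illustration of the tracing problem described in Module 11 ("How It Works") and in Steps 1-5 above, here is a small Python forward-taint tracer over a constructed ledger. It is example code written for this edition, not tooling from any of the operations described; every address, transaction id and amount, and the MIXER_RECORDS mapping, are constructed. It shows three things: the affiliate/core split read off the payment address, why a pooled custodial mixer address either dead-ends a forward trace or over-taints unrelated depositors, and why the operator's own deposit-to-payout records (what a server seizure yields) restore the trail to the cash-out address.

```python
"""Toy forward-taint tracer over a constructed cryptocurrency ledger.

Models the chain in the text: victim payment -> RaaS split -> custodial mixer
pool -> fresh addresses -> OTC broker deposit. All addresses, txids and amounts
are constructed for illustration (units: think USDT).
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    amount: int


LEDGER = [
    Tx("t1", "victim_wallet", "raas_payment_addr", 1_000_000),   # Step 1: victim pays
    Tx("t2", "raas_payment_addr", "affiliate_wallet", 750_000),  # Step 2: 75% to affiliate
    Tx("t3", "raas_payment_addr", "core_team_wallet", 250_000),  # Step 2: 25% to core team
    Tx("t4", "affiliate_wallet", "mixer_pool", 750_000),         # Step 3: into the pool
    Tx("t5", "unrelated_user_1", "mixer_pool", 500_000),         # other depositors
    Tx("t6", "unrelated_user_2", "mixer_pool", 300_000),
    Tx("t7", "mixer_pool", "fresh_addr_a", 400_000),             # affiliate payouts, 2% fee
    Tx("t8", "mixer_pool", "fresh_addr_b", 335_000),
    Tx("t9", "mixer_pool", "unrelated_payout_1", 490_000),
    Tx("t10", "mixer_pool", "unrelated_payout_2", 294_000),
    Tx("t11", "fresh_addr_a", "otc_broker_deposit", 400_000),    # Step 4: to the cashier
    Tx("t12", "fresh_addr_b", "otc_broker_deposit", 335_000),
]

# What a seized mixer's database holds: deposit txid -> payout txids.
# Constructed; nothing here is from any real seizure.
MIXER_RECORDS = {"t4": ["t7", "t8"], "t5": ["t9"], "t6": ["t10"]}


def build_graph(ledger):
    graph = defaultdict(list)
    for tx in ledger:
        graph[tx.src].append(tx)
    return graph


def split_shares(ledger, payment_addr):
    """Fraction of a payment address's outflow going to each recipient."""
    outs = [tx for tx in ledger if tx.src == payment_addr]
    total = sum(tx.amount for tx in outs)
    return {tx.dst: tx.amount / total for tx in outs}


def pool_volume(ledger, pool):
    """(deposited, paid_out) for a pooled address; the difference is the fee."""
    deposited = sum(tx.amount for tx in ledger if tx.dst == pool)
    paid_out = sum(tx.amount for tx in ledger if tx.src == pool)
    return deposited, paid_out


def trace_forward(ledger, start, opaque=frozenset()):
    """Breadth-first walk along outputs from `start`.

    Addresses in `opaque` are pooled addresses (a custodial mixer): the walk
    stops there, because on-chain every later payout looks the same.
    Returns (reached_addresses, dead_ends).
    """
    graph = build_graph(ledger)
    reached, dead_ends, queue = {start}, set(), deque([start])
    while queue:
        addr = queue.popleft()
        if addr in opaque:
            dead_ends.add(addr)
            continue
        for tx in graph[addr]:
            if tx.dst not in reached:
                reached.add(tx.dst)
                queue.append(tx.dst)
    return reached, dead_ends


def trace_with_records(ledger, start, pool, records):
    """Same walk, but a deposit into `pool` is followed through the operator's
    own deposit->payout mapping instead of stopping or fanning out to every payout."""
    by_id = {tx.txid: tx for tx in ledger}
    graph = build_graph(ledger)
    reached, queue = {start}, deque([start])
    while queue:
        addr = queue.popleft()
        for tx in graph[addr]:
            nexts = ([by_id[p].dst for p in records.get(tx.txid, [])]
                     if tx.dst == pool else [tx.dst])
            for nxt in nexts:
                if nxt not in reached:
                    reached.add(nxt)
                    queue.append(nxt)
    return reached


if __name__ == "__main__":
    print("split:", split_shares(LEDGER, "raas_payment_addr"))
    print("pool in/out:", pool_volume(LEDGER, "mixer_pool"))
    naive, _ = trace_forward(LEDGER, "victim_wallet")
    print("naive trace over-taints:", sorted(a for a in naive if a.startswith("unrelated")))
    stopped, dead = trace_forward(LEDGER, "victim_wallet", opaque={"mixer_pool"})
    print("trace dead-ends at:", dead, "; OTC reached:", "otc_broker_deposit" in stopped)
    with_db = trace_with_records(LEDGER, "victim_wallet", "mixer_pool", MIXER_RECORDS)
    print("with seized records, OTC reached:", "otc_broker_deposit" in with_db)
```

Two points the ledger makes that the prose does not: a naive walk that ignores the pool reaches the OTC deposit address, but it also tags every unrelated payout, which is why pooled addresses are treated as opaque in practice; and the decentralized alternatives named in Step 3 matter precisely because there is no MIXER_RECORDS table to seize.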

The Untested High-Value Action

Coordinated OTC-plus-exchange designation in the same enforcement window — simultaneous, not sequential — has not been done at scale. Each time one layer is designated, proceeds migrate to the other. Both layers depend on Russian jurisdiction for their physical operations. Both can be designated simultaneously. The Garantex lesson applies to both: physical enforcement must follow designation within 12-18 months, or the gap allows continued operation. The Tether T3 real-time freeze, applied at wallet identification rather than post-enforcement, is the single most underused lever available today.

Chapter Five
The Roof
Why Russian jurisdiction matters, what the FSB actually provides, and what Western actors can do without asking Moscow's permission.

The Russian word for it is krysha — roof. In organized crime, it means protection provided by a more powerful party. In the ransomware context, it describes the relationship between RaaS operators and the Russian state apparatus: FSB officers are aware of ransomware operations targeting Western victims, do not enforce against them, and in some cases benefit from them through intelligence access or plausible deniability cover for state-directed operations.

This is not the same as the Russian state directing ransomware attacks. Most ransomware operations are financially motivated criminal enterprises that happen to operate in a jurisdiction that protects them from Western law enforcement. The FSB's interest is primarily intelligence collection and the strategic advantage of deniable capability that criminal ransomware operators provide. The operators' interest is a quiet life in a country that will not extradite them.

"The CEO of Zservers — one of the most significant bulletproof hosting providers supporting ransomware infrastructure — publicly stated that Russian state agencies were aware of his operations. He was not making a complaint. He was offering a guarantee to prospective clients."

— OFAC Designation Documentation, February 2024

What the Protection Actually Provides

The krysha model offers operators four concrete things:

  • A domestic non-prosecution guarantee. No Russian court will pursue a ransomware operator for crimes against Western victims. This has held without exception across the entire documented history of the ecosystem.
  • An extradition shield. Russia's constitution prohibits the extradition of Russian citizens. Every Russian-national ransomware operator who remains inside Russia is unreachable by Western prosecution, regardless of the quality of the evidence.
  • Physical infrastructure protection. BPH providers, OTC brokers, and exchanges that operate physically within Russia can continue operating even after Western financial designation. Garantex proved this for 1,064 days.
  • Reconstitution freedom. When a brand is disrupted, core team members can regroup, relaunch, and recruit new affiliates without fear of domestic interference. Conti dissolved into six successor groups in 90 days. All operated from Russia. All continued operating.

What the Protection Does Not Provide

The protection is not absolute, and its limits are important:

  • FSB arrests are possible when politically motivated. REvil members were briefly arrested in January 2022 after US diplomatic pressure following Colonial Pipeline and Kaseya. The arrests lasted months. The charges were subsequently dropped. This was not law enforcement — it was political signaling, and both sides understood it as such.
  • Operators arrested outside Russia face prosecution. Alexander Vinnik (BTC-e) was arrested in Greece. Mikhail Vasinskyi (REvil/Kaseya) was arrested in Poland. The protection only covers the geography. Operators who travel to third countries that cooperate with Western law enforcement become vulnerable.
  • Western-nexus financial assets are seizable. OFAC designations, Tether freezes, and exchange seizures work on assets with Western financial connections regardless of where the operators physically are.

What Works Without Russian Cooperation

A substantial proportion of the most effective disruption tools available require zero Russian cooperation. This is underappreciated in the policy conversation:

  • Upstream ISP depeering of BPH providers. Requires only Tier-1 carrier cooperation — which is entirely within Western jurisdiction. McColo depeering (2008) remains the gold standard: 75% global spam reduction within hours.
  • OFAC designation and Tether T3 freeze. Severs Western financial access and freezes USDT at specific wallet addresses. Works regardless of operator location.
  • Non-payment advocacy and professional IR scaling. Operates entirely on the victim side. 70% non-payment rate for professionally managed incidents versus 35% ecosystem-wide. Scaling access to under-resourced organizations is a policy lever, not a technical one.
  • Integration-stage AML enforcement. Real estate registries, beneficial ownership requirements, luxury goods reporting — all entirely within Western jurisdiction.
  • Forum infiltration and trust manipulation. Intelligence operations. The Conti leak burned the Conti ecosystem more effectively than any technical action in the period — and it required human intelligence penetration, not law enforcement cooperation.
Chapter Six
How to Take Them Down
What has worked, what hasn't, and the specific actions that degrade the ecosystem durably rather than temporarily.

The Hive Model — The Gold Standard

In the summer of 2022, the FBI quietly obtained access to Hive ransomware's infrastructure. For seven months, they watched. They collected decryption keys. They identified victims. And when victims contacted Hive to negotiate ransom payments, the FBI quietly provided them with decryption keys — before anyone paid. By the time the FBI publicly seized Hive's servers in January 2023, the operation had provided decryption keys to more than 300 victims and avoided an estimated $130 million in ransom payments.

Hive never reconstituted. It is the only major RaaS brand in the historical record that was disrupted and did not come back. The reason is not the server seizure — server seizures produce 30-90 day disruptions, reliably. The reason is that the FBI had seven months to identify operators and warn victims in ways that permanently disrupted the trust relationships that made Hive functional. The operational intelligence collected during those seven months informed subsequent operations against affiliated actors.

"We hacked the hackers." — FBI Director Christopher Wray, January 2023

— Department of Justice Press Release, January 26, 2023

The Cronos Model — Effective But Not Durable

Operation Cronos (February 2024) took down LockBit. Thirty-four servers seized. One thousand decryption keys recovered. Affiliates exposed by name on the seized leak site. The countdown timers on LockBit's victim listings were reversed to count down to the revelation of LockBit's administrator's identity — a piece of psychological warfare that deserves recognition.

Within sixty to ninety days, LockBit's affiliates had largely migrated to RansomHub. LockBit itself attempted a relaunch with diminished capacity. The brand was severely damaged. The ecosystem absorbed the disruption. This is the pattern for brand-level takedowns without Phase A/B financial pressure: significant short-term impact, limited long-term durability.

The Garantex Lesson — Designation Is Not Enough

On April 5, 2022, OFAC designated Garantex. On March 6, 2025, Europol and the DOJ finally seized Garantex's servers and arrested its administrators. In between: 1,064 days of continued operation from the same Moscow office building, processing hundreds of millions of dollars in criminal proceeds, under active sanctions, with the full knowledge of Russian authorities.

The lesson is structural, not specific to Garantex: financial designation without physical enforcement within 12-18 months does not stop operations. It inconveniences them. Every currently-designated entity that remains physically operational is an open gap in the enforcement record.

The Numbers That Matter

The 72% victim non-payment rate in 2025 (28% paid, record low) is the most important data point in the recent history of ransomware disruption. It correlates with sustained financial-layer enforcement — mixer and exchange actions, OTC designation — and growing non-payment advocacy and professional IR access. Attack volume rose 50% in 2025 while total payments held flat at ~$813M: the ecosystem is running harder for the same revenue. Causation is not proven, but the direction and magnitude are consistent with financial-layer enforcement producing ecosystem-level behavioral change, not just brand-level disruption that reconstitutes in 90 days.

The Five Actions That Matter Most

  • Scale professional IR access to under-resourced organizations. 70%+ non-payment rate for professionally managed incidents. 35% ecosystem-wide. That gap is the opportunity. CISA/NCSC coordination. Subsidized access programs for healthcare, education, and critical infrastructure sectors. No Russian cooperation required.
  • Pursue simultaneous OTC-plus-exchange enforcement. When one is designated, proceeds migrate to the other. Both require physical enforcement within 12-18 months of designation, not years later.
  • Deploy the Tether T3 freeze proactively. USDT freeze at wallet identification, not post-enforcement. The tool exists. The cooperation exists. The protocol for proactive use has not been fully developed.
  • Exploit the Sophos VM template fingerprint. A single image underlying 7,000+ ransomware-linked servers. Proactive detection at scale. The infrastructure identification is done. The enforcement action is not.
  • Pursue covert access before seizure. The Hive model. Seven months of victim support is worth more than a press release. Every decryption key distributed before seizure is a payment avoided, an operator's leverage destroyed, and a victim who does not contribute to the ecosystem's revenue.
Reference
The Criminal Dictionary
Terms you will encounter. Defined without euphemism.
RaaS
Ransomware-as-a-Service. A franchise model: core developers provide the tools; affiliates deploy them against victims and pay a 20-30% royalty on proceeds.
Affiliate
The field operator in the RaaS model. Does the actual network compromise and ransomware deployment. Keeps 70-80% of ransom proceeds.
IAB
Initial Access Broker. A specialist who compromises networks and sells the access to others rather than exploiting it directly.
BPH
Bulletproof Hosting. Infrastructure providers who guarantee non-cooperation with law enforcement and are explicitly marketed to criminal clients.
OTC Broker
Over-the-Counter cryptocurrency broker. Converts large positions to fiat without KYC. Concentrated in Moscow.
MaaS
Malware-as-a-Service. Any malware sold as a rental product — stealers, loaders, ransomware itself.
Double Extortion
The model introduced by Maze in 2019: encrypt data AND steal it, threatening publication to coerce payment even from organizations with good backups.
DLS
Data Leak Site. Dark web infrastructure where operators post stolen victim data as extortion pressure.
Krysha
Russian criminal slang for 'roof' — protection provided by state actors (FSB) through awareness and non-enforcement, not active direction.
Log
A package of stolen data from one infected machine — credentials, session tokens, system info — sold on dark web markets.
FUD
Fully Undetectable. Malware that has been obfuscated to evade antivirus and EDR at delivery. Burns quickly as AV vendors update signatures.
OFAC
Office of Foreign Assets Control. US Treasury division that administers sanctions. Cryptocurrency designations are the primary financial enforcement tool.
Mule
A person (witting or unwitting) who moves criminal proceeds through their bank accounts as part of a layering chain.
Vishing
Voice phishing. Phone calls — increasingly AI-generated — used to socially engineer victims into providing credentials or installing tools.
Depeering
Upstream carrier action cutting a downstream provider's internet access entirely. The McColo model. The gold standard for infrastructure disruption.
Dwell Time
The period between initial access and ransomware detonation. Has fallen from an average 16 days in 2021 to under 24 hours in some 2024 campaigns.
Non-payment Rate
Percentage of victims who decline to pay. 35% ecosystem-wide in 2024. 70%+ for professionally managed incidents.
Phase A/B/C
The three-phase disruption sequence: financial infrastructure (A), market infrastructure (B), operational infrastructure (C). Sequence is critical.
Reference
Fast Facts
The numbers, the operations, and the things that actually matter for a briefing.

The Numbers

$813M
Confirmed 2025 ransom payments (Chainalysis)
72%
Non-payment rate 2025 — record high (28% paid)
7,500+
Victims named on DLS platforms in 2024
70%+
Non-payment rate with professional IR
$3B+
Criminal proceeds through Chipmixer (seized 2023)
$100M+
MGM Resorts loss from one vishing call

Operations That Defined the Period

Operation | Target | Year | The Real Outcome
FBI Hive Infiltration | Hive RaaS | 2022-23 | 7-month covert access. $130M in avoided payments. Hive did not reconstitute — the only documented case. The model to replicate.
Operation Cronos | LockBit | 2024 | 34 servers. 1,000+ keys. Affiliates exposed. RansomHub absorbed them in 60-90 days. Effective disruption, not durable disruption.
Operation Endgame | IcedID, Bumblebee, SmokeLoader, Pikabot | 2024 | Largest loader takedown on record. Latrodectus was deployed within months. Demonstrated the value of simultaneous multi-family action.
Garantex Seizure | Garantex OTC/Exchange | 2025 | Seized 1,064 days after designation. Defines the gap problem. Designation without enforcement is inconvenience, not disruption.
Chipmixer Seizure | Chipmixer | 2023 | $3B+ in criminal proceeds. 7 servers. Largest mixer action. Ecosystem shifted to decentralized alternatives within weeks.
Zservers Designation | Zservers BPH | 2024 | Most significant BPH designation in history. Physical servers still in Russia. The designation is not the seizure.
LummaC2 Domain Seizure | LummaC2 stealer | 2025 | 2,300+ domains. Microsoft DCU civil action. Largest stealer infrastructure action. Operations disrupted, reconstituting.

Five Things to Know Before Any Briefing

  • Non-payment is the most powerful lever available. 70% non-payment for professionally managed incidents. 35% ecosystem-wide. Scaling access to professional IR is a policy decision, not a technical one, and it requires no Russian cooperation.
  • Brand disruptions produce 30-90 day gaps, not permanent disruptions. The brand is a label. The affiliates, the infrastructure, the criminal relationships — those persist. Durable disruption requires financial and market layer pressure before and during operational actions.
  • Designation without physical enforcement within 12-18 months does not stop operations. Garantex. Three years. Every currently-designated entity that remains physically operational is an open gap.
  • The financial layer correlates with the record-high 72% non-payment rate in 2025 (28% paid, a record low). The strongest signal available that financial disruption changes ecosystem economics. Coordinated OTC-plus-exchange enforcement in the same window, with proactive Tether freezes, is the untested high-value action.
  • The target is the ecosystem, not the brand. Attributing an attack to LockBit or RansomHub is less analytically useful than identifying which infrastructure nodes enabled it and which are actionable. Brands change. The nodes persist.