In 2025, law enforcement agencies disrupted the infrastructure and operations of established cybercriminal groups. These groups shift across borders, and the agencies pursuing them are adjusting to that.
International operations target cybercrime rings worldwide
US investigators carried out one of the biggest seizures to date. They took about $15 billion in Bitcoin tied to Prince Group, accused of running forced-labor scam centers and various crypto fraud schemes. These operations target the fraud networks and also work to free the workers, who are mostly victims of the same criminals. They are often pulled in by false promises of legitimate work and later pressured to carry out tasks through various forms of coercion.
In recent years, Southeast Asia has turned into a hub for scam compounds, driven by links between criminal groups and private companies, widespread corruption, and weak rule of law.
Growing pressure on governments in the region has led to more actions against the centers. A recent example is the Myanmar junta’s crackdown on online scam hubs along the border with Thailand, where about 1,590 foreign nationals were arrested. Still, observers question whether there is genuine willingness to address the problem, seeing the actions as a public display and an effort by the junta to improve its standing with the international community.
In Africa, police arrested 1,209 people in an INTERPOL-led crackdown on cybercriminals who had targeted close to 88,000 potential victims. During the operation, investigators dismantled 11,432 malicious infrastructures and recovered $97 million tied to cybercriminal activity.
The operation brought together agencies from 18 African countries and the UK, focusing on threats such as ransomware, online scams, and business email compromise (BEC). Private companies contributed by sharing intelligence, training investigators, and providing technical support, helping law enforcement track and disrupt these groups.
Across the EU, law enforcement agencies have dealt a major blow to multiple criminal networks this year. European authorities shut down a large crypto-fraud network in 2025. Nine suspects were arrested in Cyprus, Spain, and Germany. The group ran fake investment platforms that drew in victims through ads, calls, and fabricated endorsements.
Another joint action led by Eurojust resulted in 18 arrests tied to a €300 million credit card scheme that used fake subscription services for dating, pornography, and streaming sites.
Authorities also disrupted the Rhadamanthys infostealer during a phase of Operation Endgame. They took down more than a thousand servers and several domains tied to the malware, and arrested a suspect linked to the case. Rhadamanthys had infected a large pool of devices worldwide and pulled sensitive data, so its removal cut off an important tool used by cybercrime groups.
Why intelligence sharing matters for security teams
These successes matter for security teams and organizations because they give them room to strengthen their defensive mechanisms. Reports on techniques and infrastructure used in these operations help them see how attacks are put together. When defenders learn more about how these groups work, criminals often have to change their infrastructure, which costs them time and money.
That exchange works both ways. When companies share data with law enforcement, investigators can link information from separate events and build a broader view of the activity behind them.
“Organizations should establish internal guidelines and standard operating procedures for sharing intelligence with private-sector groups and law enforcement,” said Jason Passwaters, CEO of Intel 471.
For example, in May 2025 a globally coordinated takedown disrupted Lumma Stealer, a widely used “malware-as-a-service” tool. This operation disabled a platform that had infected hundreds of thousands of Windows computers worldwide.
As William Lyne, Deputy Director of the UK’s National Crime Agency, puts it: “Collaboration and intelligence sharing is at the heart of our approach to tackling the threat within the NCA, and we enjoy relationships with partners across the public and private sector both nationally and internationally.”
This approach showed its impact in 2024 during Operation Cronos, when the NCA took control of LockBit’s infrastructure.
The UN has also joined this effort by introducing the first global Convention against Cybercrime, a framework designed to help countries coordinate investigations and share electronic evidence.
Ongoing resilience of cybercrime networks
Although these groups have taken significant hits in recent years, they are unlikely to withdraw. When larger ransomware groups break apart, they often split into smaller ones that continue operating.
The same pattern appears with scam centers, as some are shut down but new ones keep emerging. This is especially common in developing countries, where laws and institutional capacity do not match the standards of more developed states.
