SUBJECT PROFILE
On June 9, 2026, the FBI's Cyber Division announced Operation Riptide — a coordinated, 60-day international law enforcement campaign targeting the full criminal ecosystem supporting cyber-enabled crime, including infrastructure, tools, communications platforms, and financial networks. The first major action under Riptide was the international takedown of 'First VPN Service' (active 2014–2026, 27 countries), used by at least 25 ransomware groups including Avaddon; concurrently, on June 10, Europol dismantled the AudiA6 Russian cryptocurrency mixing service — linked to over €336M ($389M) in laundered ransomware proceeds since 2021 — and its associated Dark2Web cybercrime forum. Additional actions by the FBI, France's DNPJ, the Dutch National Police, and partners across Ukraine, the UK, Switzerland, and Luxembourg have included arrests, indictments, cryptocurrency seizures, and server confiscations; further actions are expected through August 2026.
Criminal infrastructure — bulletproof VPN services, crypto-laundering, and dark web forum administration enabling ransomware operations
OPERATIONAL HISTORY
Criminal enablement services: T1090.003 (Multi-hop Proxy — bulletproof VPN anonymization), T1583 (Acquire Infrastructure — bulletproof hosting), T1531 (Account Access Removal — mixer obfuscation), T1020 (Automated Exfiltration — AudiA6 crypto mixing pipeline), T1567 (Exfiltration to Dark2Web forum for data sales)
KNOWN INFRASTRUCTURE
First VPN Service — 27-country node network (SEIZED June 9, 2026); AudiA6 crypto mixer — €336M+ laundered since 2021 (SEIZED June 10, 2026); Dark2Web cybercrime forum (TAKEN DOWN June 10, 2026); multiple dark web forum servers; cryptocurrency wallets (partially seized)