ImmuniWeb Cybercrime Digest: Tech-Support Fraud 2026

News | 28.05.2026

Telecom executives convicted, criminal VPN dismantled, and 200+ arrested: May 2026 brought a wave of global cybercrime enforcement actions that every CISO and IT director must understand.

Cybercrime accountability is accelerating. In a single week in May 2026, US prosecutors secured guilty pleas from telecom executives who knowingly enabled tech-support fraud, European authorities dismantled a VPN used by ransomware gangs, Interpol arrested 201 suspects across the MENA region, and South Korean police took down a massive SMS phishing operation. Each of these cases carries direct lessons for enterprises managing third-party risk, supply chain security, and regulatory compliance.

What was announced

Adam Young and Harrison Gevirtz, former executives of a US telecommunications services company, pleaded guilty to misprision of a felony for knowingly providing phone numbers, call routing, tracking, and forwarding services to international tech-support fraud operations. Prosecutors allege the pair were aware of criminal activity as early as 2017 yet advised clients on avoiding complaints and facilitated introductions to other service providers supporting illegal operations. Sentencing is scheduled for June 16, 2026.

Separately, French and Dutch authorities, supported by Eurojust and Europol, shut down First VPN — a criminal VPN service that appeared in nearly every major cybercrime investigation handled by Europol. Thirty-three servers were seized and multiple domain names were taken offline. Users of the service have been notified that they have been identified.

Operation Ramz, a coordinated Interpol action spanning 13 MENA countries and running from October 2025 to February 2026, resulted in 201 arrests, 382 additional suspects identified, 3,867 victims found, and 53 servers seized. In Jordan, authorities discovered 15 victims of human trafficking forced to participate in fraud schemes. In Algeria, a phishing-as-a-service (PhaaS) operation was dismantled.

In South Korea, 36 individuals were arrested for sending more than 580 million fraudulent SMS messages over 15 months, causing losses exceeding $6.8 million across voice-phishing and SMS phishing campaigns. Police executed 62 search and seizure operations and secured court approval to confiscate approximately $6.5 million in criminal proceeds.

Finally, Ukrainian police detained an 18-year-old in Odesa connected to an international scheme that compromised nearly 30,000 accounts of a California-based retailer, resulting in $721,000 in unauthorized purchases and over $250,000 in losses.

Why this matters

For CISOs and IT directors in the CEE region, these enforcement actions highlight three critical risk areas. First, third-party and supply chain exposure: the telecom executive case shows that service providers — not just end attackers — face criminal liability when they fail to act on known misuse. Organizations must scrutinize their vendor due diligence processes.

Second, VPN and anonymization infrastructure risk: the takedown of First VPN confirms that criminal infrastructure is actively monitored. Enterprises relying on unvetted anonymization tools for any business purpose must reassess those choices.

Third, phishing at scale: the 580 million fraudulent SMS messages sent in 15 months demonstrate the operational scale of modern phishing campaigns. Caller ID spoofing and PhaaS platforms significantly lower the technical barrier for attackers, making employee awareness and technical filtering controls more important than ever.

Technical details

  • Attack vector used in telecom fraud: VoIP call routing, caller ID spoofing, and remote access to victims' computers by fraudulent call centers.
  • First VPN infrastructure: 33 servers seized; domains including 1vpns[.]com, 1vpns[.]net, 1vpns[.]org and associated onion domains taken down; service advertised on criminal forums promising no-log policy and no cooperation with law enforcement.
  • Operation Ramz scope: 13 MENA countries, October 2025–February 2026, 201 arrests, 382 suspects identified, 3,867 victims, 53 servers seized.
  • South Korea SMS campaign: 580 million+ fraudulent messages over 15 months; 18 companies involved; caller ID manipulated to impersonate banks and telecoms; losses of approximately $13.4 million combined across two campaigns.
  • Ukraine e-commerce breach: Info-stealing malware used to harvest credentials and session data; 30,000 accounts compromised; stolen data sold via online platforms and Telegram channels; $721,000 in unauthorized purchases.
  • PhaaS (phishing-as-a-service): Identified in Algeria during Operation Ramz; hosted phishing tools and scripts on dedicated servers dismantled by police.
  • Human trafficking element: 15 individuals from Asian countries recruited under false pretenses and forced to operate fraud schemes in Jordan.

Softprom and ImmuniWeb

Softprom is the official distributor of ImmuniWeb in the CEE region. ImmuniWeb provides AI-powered attack surface management, dark web monitoring, and application security testing — capabilities that are directly relevant to detecting compromised credentials, exposed infrastructure, and third-party risk signals of the type described in these enforcement cases.

This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news.