COLD ROOM · TEMP -18°C · 04:17:22 UTC VAULT // REYKJAVÍK.SUBL-02 SHELF 0xC7 · DRAWER 14
AES-256 · GPG SEAL SIG 0xF7A2 9C4E READ-ONLY
NULL/SECTOR / Vault / Cold Archive 0xC7

Cold/
archive

Twenty-one cases. A reader's index of the most consequential dark-web takedowns, ransomware campaigns, and state-grade intrusions of the last sixteen years — assembled from public filings, court documents, and our own source network.

Every file is mirrored on nine onion nodes and cryptographically sealed at 04:00 UTC daily.

▶ FILES SIGNED — 0xF7A2 9C4E · ED25519
Case files 021 indexed · 2010 — 2024
Estimated damages $26.4B aggregated · USD 2024-adj.
Records exposed 312M unique identities
Convictions 047 across 23 jurisdictions
▼ Filter
Sort · most recent
encrypted handsetCASE 00212024
FEB 19 · UK NCA × FBI × EUROPOL/Op. CRONOSTAKEDOWN

LockBit, seized at midnight.

A coordinated raid took thirty-four servers across three continents offline in a single night. Investigators reflashed LockBit's own leak portal into a countdown clock taunting the gang, then began publishing decryptors, affiliate lists, and the real-world identity of the administrator known as LockBitSupp.

Servers seized34
Attacks (lifetime)7,000
Ransom collected$120M
Affiliates ID'd194
Sealed
Lead investigatorNCA · LON
Open file
red interior lightCASE 00202023
SEP 10 · LAS VEGAS · US/Scattered Spider × ALPHVEXTORTION

A ten-minute phone call to the help desk.

A native-English speaking teenager phoned MGM's IT support, claimed to be a locked-out employee, and walked out with privileged credentials. Within hours slot machines, room keys, and reservation systems were offline across thirty-one properties. MGM refused to pay; the cleanup ran ten days and a hundred million dollars.

Loss$100M
Downtime10 days
Properties hit31
Entry vector1 call
Cold
Threat actorUNC-3944
Open file
binary streamCASE 00192023
MAY 27 · GLOBAL/Cl0p · CVE-2023-34362BREACH

MOVEit, in one silent weekend.

Over the US Memorial Day holiday Cl0p mass-exploited a SQL-injection zero-day in Progress Software's MOVEit Transfer appliance — the kind of boring B2B file-mover that quietly underpins payrolls and patient records. By the time anyone noticed, 2,700+ organisations and 95 million identities had been quietly emptied.

Orgs affected2,700+
Records95M
Zero-days1
Estimated cost$15B
Open
Class actions62 · ongoing
Open file
anonymous maskCASE 00182022
APR 05 · BERLIN · DE × US DOJ/Hydra MarketTAKEDOWN

Hydra, the 5-billion-dollar bazaar.

For seven years Hydra Market was the gravitational centre of the Russian-language dark web — a single platform handling drug sales, money laundering, and identity trade for nearly seventeen million customers. German federal police pulled the servers from a Frankfurt data centre at dawn and seized $25M in bitcoin.

Lifetime GMV$5.2B
Customers17M
BTC seized543
Lifespan7 yrs
Sealed
Lead investigatorBKA · WIESBADEN
Open file
terminal sessionCASE 00172022
MAR · LONDON · UK / SÃO PAULO · BR/DEV-0537EXTORTION

Lapsus$ — seven targets, average age 17.

A loose group of teenagers, organised on Telegram, SIM-swapped and social-engineered their way into NVIDIA, Samsung, Microsoft, Okta, Vodafone, Uber and Rockstar Games in the space of four months. Their Twitter polls — "who do we leak next?" — were the most-watched live feed in the security industry.

Major breaches7
Arrests7
Avg. age17
Source leaked1.6TB
Sealed
Verdict (lead)HMP RYE HILL
Open file
red binaryCASE 00162022
FEB 27 · ANON. INSIDER/"ContiLeaks"LEAK

Conti, leaked by one of their own.

Hours after the Conti ransomware crew publicly pledged loyalty to the Russian government, a Ukrainian member opened a Twitter account named @ContiLeaks and dumped sixty thousand internal Jabber messages, source code, training manuals and HR spreadsheets. The gang dissolved within four months.

Chats leaked60k
Files393
Members ID'd81
Gang fateDISSOLVED
Cold
Disclosed byUA INSIDER
Open file
server racksCASE 00152021
JUL 02 · MIAMI · US/REvil / SodinokibiRANSOMWARE

Kaseya VSA — one update, fifteen hundred victims.

REvil chained six previously unknown vulnerabilities in Kaseya's IT-management platform to ship ransomware down the trusted update channel to managed service providers. The downstream victims — Swedish supermarket chains, New Zealand schools — were collateral. The asking price: $70 million.

Victims~1,500
Demand$70M
Zero-days6
MSPs hit60
Sealed
Lead extraditionPOLAND · 2021
Open file
industrial valvesCASE 00142021
MAY 07 · HOUSTON · US/DarkSideRANSOMWARE

The Colonial Pipeline, halted by one leaked password.

A reused VPN password — for an account with no MFA — gave DarkSide affiliates the keys to a 5,500-mile fuel artery. Colonial paid $4.4 million in bitcoin within hours; the FBI later clawed back $2.3 million by following the wallet. The US East Coast went short on gasoline for five days.

Ransom paid$4.4M
Recovered$2.3M
Pipeline down5 days
Entry vector1 cred.
Cold
Gang fateREBRANDED
Open file
data center blueCASE 00132020
DEC 13 · AUSTIN · US/APT29 · "SUNBURST"STATE OP

SolarWinds — a poisoned software update.

For fourteen months, a backdoor signed with SolarWinds' own code-signing certificate rode the Orion auto-update channel into eighteen thousand networks, including nine US federal agencies and dozens of Fortune 500s. The actors triaged the victim list by hand and only escalated against the most useful hundred.

Orion downloads18,000
Active targets~100
Fed. agencies9
Dwell time14 mo.
Open
AttributionSVR · MOSCOW
Open file
dim workstationCASE 00122017
JUL 20 · NL × US × TH/Op. BAYONETTAKEDOWN

AlphaBay falls. Hansa is worn as a mask.

The FBI seized AlphaBay — ten times the size of the original Silk Road — then handed the Dutch police a perfectly-timed gift: refugees fleeing to the next-largest market, Hansa, walked into a server farm already controlled by law enforcement. For twenty-seven days the Dutch ran the market themselves, harvesting addresses.

AlphaBay users400k
Listings250k
Hansa undercover27 days
Admin fateDECEASED
Sealed
Lead jurisdictionFBI · SAC
Open file
late laptop workCASE 00112017
SEP 07 · ATLANTA · US/CVE-2017-5638BREACH

Equifax — 147 million Americans, on one unpatched server.

A two-month-old Apache Struts vulnerability sat unpatched on a public-facing Equifax web portal. Attackers wandered the internal network for seventy-six days before anyone noticed; what they took was almost the entire adult population of the United States: names, addresses, social security numbers, driver's license data.

Records lost147M
Dwell time76 days
Settlement$1.4B
Patch overdue63 days
Cold
RegulatorFTC · CFPB
Open file
city after darkCASE 00102017
JUN 27 · KYIV → GLOBAL/Sandworm / GRU 74455STATE OP

NotPetya — ransomware that never intended to decrypt.

Wearing the costume of ransomware, NotPetya was a wiper: launched through a poisoned update to a piece of Ukrainian tax software, it spread laterally and destroyed everything it touched. Maersk lost its global shipping network and rebuilt forty-five thousand endpoints in ten days. Total damages: ten billion dollars.

Damages$10B
Maersk endpoints45k
DecryptionNONE
AttributionGRU
Open
IndictmentDOJ · 2020
Open file
lightning stormCASE 00092017
MAY 12 · GLOBAL · 150 COUNTRIES/Lazarus · EternalBlueRANSOMWARE

WannaCry — the day the NHS went dark.

A North-Korean-attributed worm, riding a leaked NSA exploit, swept across 200,000 machines in 150 countries inside a weekend. British hospitals turned away ambulances; Spanish telecoms went home early; a 22-year-old researcher named MalwareTech registered a domain on a whim and accidentally pulled the kill switch.

Machines hit200k+
Countries150
Est. damage$4B
Kill-switch1 domain
Cold
AttributionDPRK · LAZARUS
Open file
vault coinsCASE 00082016
FEB 04 · DHAKA · BD → MANILA · PH/LazarusHEIST

The Bangladesh Bank heist, undone by a typo.

Attackers planted malware on the SWIFT terminal of Bangladesh's central bank and tried to wire $951 million from its Federal Reserve account into casinos in the Philippines. They got away with $81M — the rest was halted because the fifth transfer misspelled "foundation" as "fandation", and a routing bank decided to ask.

Stolen$81M
Attempted$951M
Recovered$18M
Saved by1 typo
Cold
AttributionDPRK · LAZARUS
Open file
ICS control panelCASE 00072015
DEC 23 · IVANO-FRANKIVSK · UA/Sandworm · BlackEnergySTATE OP

The first blackout caused by code.

At 3:35pm on December 23rd, mouse cursors began moving on operator workstations at three Ukrainian regional electricity companies — operators watched, helpless, as breakers opened across 30 substations. 230,000 people lost power on the shortest day of the year. It was the first documented cyberattack to take down a power grid.

Affected230k
Substations30
Outage6 hrs
Operators3
Cold
AttributionGRU · SANDWORM
Open file
dark mountain horizonCASE 00062015
JUL 19 · TORONTO · CA/"The Impact Team"BREACH

Ashley Madison — 32 million private confessions.

A group calling itself The Impact Team gave Avid Life Media thirty days to take Ashley Madison offline. The company refused. On the deadline, the attackers dumped 9.7 GB of customer records — emails, addresses, GPS coordinates, sexual preferences — onto the dark web. Two suicides were directly linked to the leak.

Records32M
Unique emails11M
.gov / .mil15,000
Suicides linked2
Cold
AttributionUNSOLVED
Open file
dark skyCASE 00052014
NOV 24 · CULVER CITY · US/"Guardians of Peace"STATE OP

Sony Pictures — a film studio punished by a state.

A group calling itself the Guardians of Peace wiped half of Sony Pictures' computers and exfiltrated roughly 100 terabytes — unreleased films, internal emails, executive salaries, and the social security numbers of 47,000 staff — in retaliation for a comedy about North Korea. The film was released anyway. The FBI named Pyongyang.

Data lost100TB
SSNs exposed47k
Cleanup$15M
Films leaked5
Cold
AttributionDPRK
Open file
keyboard at nightCASE 00042014
NOV 06 · 16 COUNTRIES/Op. ONYMOUSTAKEDOWN

Operation Onymous — 410 onions, one weekend.

A coordinated push by the FBI, Europol, and eleven European agencies seized 410 hidden services in 48 hours — including Silk Road 2.0, Cloud 9, and Hydra (the original). Seventeen arrests, including the new Silk Road administrator who had taken over from Ross Ulbricht a year before, almost to the day.

.onions seized410
Arrests17
Countries16
BTC seized$1M
Sealed
Lead jurisdictionEUROPOL · EC3
Open file
empty screenCASE 00032014
FEB 28 · TOKYO · JP/Mt. Gox · "MtGoxFraud"HEIST

Mt. Gox — 850,000 bitcoin, missing.

At its peak Mt. Gox handled 70% of all bitcoin trading on earth. Then, over years, attackers quietly drained its hot wallets while CEO Mark Karpelès kept rebalancing from cold storage to cover the holes. The 2014 collapse cost 24,750 creditors $450M — by 2024 prices, those coins would be worth more than $50B.

BTC missing850k
Value (2014)$450M
Value (2024)~$50B
Creditors24,750
Cold
CEO verdictSUSPENDED
Open file
library shelvesCASE 00022013
OCT 01 · SAN FRANCISCO · US/"Dread Pirate Roberts"MARKETPLACE

The Silk Road, sealed in a library.

Ross Ulbricht was arrested at a corner desk in the science-fiction section of Glen Park Library, San Francisco — laptop open, logged in as root to the Silk Road admin panel. The first true dark-web marketplace had handled 1.2 million transactions in just over two years. He is currently serving two consecutive life sentences.

Users957k
Lifetime GMV$1.2B
Transactions1.2M
Sentence2× LIFE
Sealed
VerdictUSP TUCSON
Open file
circuit boardCASE 00012010
JUN 17 · NATANZ · IR/"Olympic Games"STATE OP

Stuxnet — the first weapon made of code.

A 500-kilobyte worm chained four zero-day vulnerabilities to reach an air-gapped Iranian enrichment facility, then quietly instructed the centrifuges to spin themselves to pieces while reporting normal telemetry to their operators. A thousand machines destroyed; nobody officially claimed it. Every nation-state cyber programme since has been measured against it.

Zero-days4
Centrifuges~1,000
Payload size500KB
AttributionUNCLAIMED
Cold
SuspectedUS · IL
Open file
— NO FILES MATCH THE SELECTED CLASSIFICATION —