CyberSip™
Daily Cyber Brief · Intelligence Without the Noise
Issue No. 62 · June 13, 2026 · cybersip.net · 3 active items · Under 5 min read
Today’s picture
Europol and the FBI announced on June 12 the dismantling of AudiA6, a cryptocurrency laundering service linked to at least 15 ransomware operations that processed more than €336 million in illicit funds since 2021. Two administrators were arrested in Georgia, 25 domains and more than 30 servers were seized, and DOJ unsealed charges in Pennsylvania. Lumen’s Black Lotus Labs published research on June 10 confirming that the JDY botnet, linked to Volt Typhoon and first observed in late 2023, has more than doubled to over 1,500 compromised SOHO and IoT devices. The botnet does not attack targets directly; it scans and fingerprints exposed services, focuses its attention on US military networks, and begins scanning for newly disclosed vulnerabilities within hours of public disclosure. Google patched a fifth Chrome zero-day this year on June 8, CVE-2026-11645, an exploited V8 out-of-bounds memory flaw. CISA added it to KEV with a June 23 remediation deadline.
Threat snapshot
3 active items · 2 monitoring
  • AudiA6 dismantled / ransomware laundromat / EUR 336M
  • JDY botnet / Volt Typhoon / US military targeting
  • Chrome CVE-2026-11645 / V8 zero-day / CISA June 23
3 items this issue
June 12 · Europol + FBI · Dismantled
AudiA6 cryptocurrency laundering service dismantled. Linked to 15+ ransomware operations and EUR 336M in illicit funds since 2021. Two administrators arrested in Georgia. 25 domains and 30+ servers seized.
AudiA6 marketed itself as a mixing service that delivered clean funds within an hour, charging fees of 3% to 10%. Its operators also ran Dark2Web, a dark web forum connecting ransomware groups with service providers. The operation built on a Polish police arrest of a Ukrainian suspect in September 2025 whose devices gave investigators the network.
June 10 · JDY / Volt Typhoon · China Nexus
Volt Typhoon JDY botnet doubles to 1,500+ nodes. Scans for new vulnerabilities within hours of disclosure. Primary targets are US military networks. Black Lotus Labs confirms sustained growth.
JDY survived the FBI takedown of its parent KV-botnet in early 2024 and has grown independently. It is a reconnaissance network, not an exploitation framework: it fingerprints exposed services and feeds intelligence to follow-on actors. Infected devices include Cisco, Ubiquiti, DrayTek, Hikvision, and Linksys hardware on MIPS architectures.
June 8 · Chrome V8 · Actively Exploited · KEV June 23
Chrome CVE-2026-11645 CVSS 8.8: fifth Chrome zero-day exploited in 2026. Out-of-bounds memory access in V8 allows remote code execution via a crafted HTML page. Patch is available.
Fixed in Chrome 149.0.7827.102/.103 for Windows and macOS, 149.0.7827.102 for Linux. Also affects Edge and Opera. CISA deadline June 23. Verify Chrome has restarted into the patched version on managed endpoints; an installed update is not the same as a running update.
Detailed intelligence
Full analysis
01 · Europol + FBI · Dismantled
AudiA6 dismantled: the cryptocurrency laundering service behind 15 ransomware operations. EUR 336M processed since 2021. Two arrests, 25 domains, 30+ servers seized.
AudiA6 · June 12, 2026
Europol and Eurojust, coordinated with the US Secret Service, IRS Criminal Investigation, and Polish Police, carried out the operation on June 10. Europol linked AudiA6 to more than 15 international ransomware investigations and described it as a central financial hub for groups seeking to convert stolen cryptocurrency into clean funds.
Executive Impact
The takedown does not eliminate the ransomware groups that used AudiA6 to launder proceeds. It removes one of the more trusted laundering channels those groups relied on, increasing friction and cost for them. The practical effect for organisations is indirect: disrupting laundering infrastructure over time degrades ransomware economics. No immediate action required, but this reinforces the case for not paying ransoms, as proceeds flow through exactly these kinds of infrastructure nodes.
Don’t Miss
AudiA6 operated an associated dark web forum, Dark2Web, where ransomware operators could advertise services and connect with affiliates and tooling providers across the criminal ecosystem. The simultaneous seizure of both the laundering service and its associated forum disrupts two layers of the ransomware supply chain at once: the financial offloading layer and the recruitment and service marketplace. The investigation started with a single device seized from a Ukrainian suspect in Poland in September 2025. The ledger and communications on that device gave investigators nine months of work that led to the full infrastructure takedown. Operational security failures in financial records are consistently the thread that unravels criminal infrastructure.
CyberSip Take
The DOJ Disruption Week in Issue 54, Operation Saffron in Issue 43, the Dutch botnet seizure in Issue 51, and now AudiA6. Four significant law enforcement infrastructure takedowns in six weeks. Each one degrades attacker capacity without eliminating the underlying criminal organisations. The cumulative effect across multiple operations is meaningful, and the AudiA6 operation in particular cuts across at least 15 ransomware groups simultaneously rather than targeting one group specifically.
What happened

Europol announced on June 12 the dismantling of AudiA6, a cryptocurrency laundering service that marketed itself to ransomware gangs and other cybercriminals as a fast, reliable way to convert stolen cryptocurrency into clean funds. The service, operational since 2021, processed more than €336 million across approximately 10,333 bitcoin deposited. Fees charged to customers ranged from 3% to 10%, with clean funds delivered within approximately one hour. AudiA6 used thousands of fraudulent exchange accounts created with stolen or purchased identities to move funds through the laundering chain.

The coordinated action took place on June 10, 2026. Two alleged administrators, Ruslan Igorevich Tkachuk, 37, a Ukrainian national, and Alexander Vladimirovich Ledenev, 25, a Russian national, were arrested in Georgia. Authorities seized more than 30 servers and 25 domains, froze €692,000 in cryptocurrency, and seized a further €86,000 in cryptocurrency. Telegram accounts used by the network were also blocked. The US Department of Justice unsealed charges in the Eastern District of Pennsylvania against both individuals for conspiracy to launder monetary instruments and sting money laundering, each carrying a maximum sentence of 20 years.

The investigation began with the September 2025 arrest in Poland of a separate Ukrainian suspect linked to the network. Analysis of devices seized at that arrest gave investigators the broader network. Europol’s analysis linked AudiA6 to more than 15 ransomware operations and major cryptocurrency theft schemes. The operators also ran Dark2Web, a dark web forum used to connect ransomware groups with affiliates and service providers across the criminal ecosystem. Both services were simultaneously taken down.

Recommended actions
Derived from The Hacker News, Help Net Security, Infosecurity Magazine, and Europol press release on AudiA6, June 12, 2026.
02 · JDY Botnet · Volt Typhoon
Volt Typhoon JDY botnet doubles to 1,500+ nodes. Scans for newly disclosed vulnerabilities within hours. Primary targeting is US military networks. Survived the 2024 FBI KV-botnet takedown and has grown independently.
JDY · Black Lotus Labs · June 10
Black Lotus Labs at Lumen published a detailed analysis on June 10. JDY is a distributed reconnaissance network, not a conventional exploitation botnet. It scans, fingerprints, and maps exposed services at scale, feeding intelligence to Chinese nation-state groups for targeted follow-on exploitation. Of the IP addresses JDY scanned, the largest share belonged to US military and associated networks.
Executive Impact
JDY’s primary value to its operators is intelligence gathering: knowing which organisations are running which vulnerable software before those organisations have patched. For organisations in the defence industrial base, government contracting, or military-adjacent sectors, this means that unpatched SOHO routers, edge devices, and internet-facing infrastructure are being actively inventoried by a persistent nation-state reconnaissance capability. The practical response is the same as for any internet-exposed asset: apply critical patches within hours of disclosure, not days.
Don’t Miss
Black Lotus Labs observed JDY scanning Fortinet devices for CVE-2026-35616 within hours of its public disclosure on April 5, 2026. JDY does not wait for a patch window. It starts mapping exposure the same day a flaw becomes known. That operational speed means the window between disclosure and detection by an attacker is measured in hours, not days. For defenders, the implication is that internet-exposed network infrastructure needs to be patched against critical vulnerabilities before the end of the disclosure day, not within the standard 30-day cycle. The devices most commonly compromised by JDY, SOHO routers and IoT hardware from Cisco, Ubiquiti, DrayTek, and others, are also frequently outside standard enterprise patch management programs because they sit at the network edge and are managed by ISPs or procurement rather than the security team.
CyberSip Take
JDY survived the FBI takedown of KV-botnet in early 2024 and doubled in size in the two years since. The network targets the US military and scans for new vulnerabilities the day they are disclosed. The devices it compromises sit in home offices and small businesses, where firmware updates are rarely applied and monitoring is minimal. Network edge devices need to be in scope for vulnerability management. If your organisation does not know what firmware version is running on the routers and cameras connecting your remote workers, JDY is part of the reason to find out.
What happened

Lumen’s Black Lotus Labs published a detailed analysis of the JDY botnet on June 10, documenting its growth from approximately 650 active nodes in January 2024 to over 1,500 compromised devices today. JDY was first identified in December 2023 as a cluster within KV-botnet, the network used by Volt Typhoon and disrupted by the FBI in early 2024. JDY survived that takedown, adapted, and has since operated as an independent capability.

The botnet compromises SOHO and IoT devices including hardware from Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys across MIPS and MIPSEL architectures. Once compromised, devices are used as distributed scanning and fingerprinting nodes rather than as direct exploitation tools. JDY conducts service discovery, banner grabbing, TLS certificate harvesting, and protocol fingerprinting at scale. The scanning output is collected and analysed centrally, with command and control managed through hidden Tor services. In some cases, compromised devices are also managed using the open-source Platypus reverse shell framework.

The botnet’s primary focus is the United States. Of the IP addresses JDY scanned, the largest share belonged to networks operated by the US military and associated entities. Black Lotus Labs observed a sharp increase in scanning of Fortinet devices within hours of the public disclosure of CVE-2026-35616 on April 5, 2026, confirming the botnet’s near-real-time responsiveness to new vulnerability disclosures. Black Lotus Labs assesses that JDY continues to support multiple China-nexus APT actors based on its victimology patterns and historic links to KV-botnet.
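The scanning behaviour described above, many sources that each touch a target only a few times but together enumerate its services, is what distinguishes a distributed reconnaissance network from a single noisy scanner. The following is an added example, not Black Lotus Labs' or CyberSip's detection logic, of how a defender could surface that pattern from perimeter deny logs. The key=value log format, every address (RFC 5737 documentation ranges), the window size and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag distributed, low-rate service scanning in firewall deny records.

Added example (not from the brief or from Black Lotus Labs). The log format,
all addresses and the thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed key=value deny-record format; adapt the pattern to your own firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=\w+ action=deny$"
)


def build_sample_log():
    """Constructed sample: one distributed scan, one loud scanner, some noise."""
    lines = []
    # Eight "residential" sources, two ports each, one target, within ten minutes.
    ports = [22, 80, 443, 8443, 23, 2323, 8080, 8000,
             21, 25, 3389, 5900, 161, 1900, 8081, 8888]
    for i in range(8):
        for j in range(2):
            lines.append(
                f"2026-06-10T14:0{i}:{10 * j + 5:02d}Z src=203.0.113.{11 + i} "
                f"dst=198.51.100.10 dport={ports[2 * i + j]} proto=tcp action=deny"
            )
    # Conventional single-source scan of a second target.
    for k, p in enumerate([21, 22, 23, 25, 80, 443]):
        lines.append(
            f"2026-06-10T14:03:{k:02d}Z src=203.0.113.99 "
            f"dst=198.51.100.20 dport={p} proto=tcp action=deny"
        )
    # Background noise: two sources, one port each, on a third target.
    lines.append("2026-06-10T14:04:30Z src=203.0.113.200 dst=198.51.100.30 "
                 "dport=443 proto=tcp action=deny")
    lines.append("2026-06-10T14:05:30Z src=203.0.113.201 dst=198.51.100.30 "
                 "dport=443 proto=tcp action=deny")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def detect(lines, window_s=600, min_sources=5, min_ports=8,
           max_per_source=3, single_min_ports=5):
    """Aggregate per (time window, target) and classify the scan pattern.

    distributed_scan: many sources, each quiet, jointly covering many ports.
    single_source_scan: one source covering many ports (the classic case).
    Returns a list of (window_start, dst, verdict, n_sources, n_ports).
    """
    buckets = defaultdict(lambda: defaultdict(
        lambda: {"ports": set(), "per_src": defaultdict(int)}))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        key = int(ts.timestamp()) // window_s * window_s  # fixed window bucket
        agg = buckets[key][dst]
        agg["ports"].add(dport)
        agg["per_src"][src] += 1

    findings = []
    for key in sorted(buckets):
        for dst, agg in sorted(buckets[key].items()):
            n_src = len(agg["per_src"])
            n_ports = len(agg["ports"])
            loudest = max(agg["per_src"].values())
            if n_src >= min_sources and n_ports >= min_ports and loudest <= max_per_source:
                verdict = "distributed_scan"
            elif n_src == 1 and n_ports >= single_min_ports:
                verdict = "single_source_scan"
            else:
                continue
            start = datetime.fromtimestamp(key, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            findings.append((start, dst, verdict, n_src, n_ports))
    return findings


if __name__ == "__main__":
    for finding in detect(build_sample_log()):
        print(*finding)
```

The per-source ceiling (`max_per_source`) is the part that matters: a rule keyed only on ports-per-source never fires on this traffic because each compromised SOHO device probes a handful of ports and then goes quiet, which is exactly why it blends into residential background noise. Aggregating by target and window instead exposes the joint coverage.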

Recommended actions
Derived from Black Lotus Labs, BleepingComputer, and The Next Web reporting on JDY botnet, June 10–12, 2026.
03 · Chrome V8 · Actively Exploited · CISA June 23
Chrome CVE-2026-11645 CVSS 8.8: fifth actively exploited Chrome zero-day this year. Out-of-bounds memory access in V8 allows code execution via a crafted HTML page. Patch available. CISA deadline June 23.
CVE-2026-11645 · CVSS 8.8
Google patched the flaw on June 8 in Chrome 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux. CISA added it to KEV on June 9 with a June 23 remediation deadline. The flaw also affects Chromium-based browsers including Microsoft Edge and Opera. Google has not disclosed the specific exploit chain or attributed the attacks.
Executive Impact
A crafted HTML page is sufficient to trigger the vulnerability, meaning drive-by exploitation via a malicious web page or phishing link is the primary delivery mechanism. Any managed endpoint running Chrome prior to 149.0.7827.102 is at risk until the update is applied and the browser has been restarted. Push the Chrome update through endpoint management and verify running versions, not just installed versions, as Chrome updates take effect on browser restart rather than at install time.
Don’t Miss
CVE-2026-11645 is the fifth actively exploited Chrome zero-day patched in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. Five exploited Chrome zero-days in 13 weeks is a higher rate than any year since 2021. V8, Chrome’s JavaScript engine, is the specific target of both CVE-2026-11645 and two of the prior four: CVE-2026-3909 and CVE-2026-3910. Memory corruption in V8 is the class of vulnerability that browser security researchers and sophisticated threat actors are investing in most heavily, because a V8 exploit can be delivered through any web page and provides initial code execution within the browser sandbox, from which a sandbox escape can lead to full system compromise.
CyberSip Take
Five exploited Chrome zero-days this year with a particular focus on V8. The CISA deadline is June 23. Push the update and verify running versions across managed endpoints before then. For Edge deployments, verify Microsoft has shipped the corresponding patch for the Chromium engine version it uses and that it has been applied. The update being installed is not the same as the browser running the updated version.
What happened

Google released an emergency Chrome stable channel update on June 8, 2026, addressing 74 security vulnerabilities including CVE-2026-11645, a high-severity out-of-bounds read and write vulnerability in V8, Chrome’s JavaScript and WebAssembly engine. Google confirmed that an exploit for the vulnerability exists in the wild. A security researcher known as 303f06e3 reported the flaw on April 27, 2026, and received a $55,000 bug bounty for the discovery.

The vulnerability allows a remote attacker to execute arbitrary code within the browser’s sandbox by convincing a user to visit a specially crafted HTML page. Google has not disclosed the specific attacker, campaign, delivery infrastructure, or exploit chain, a standard practice when actively exploited browser vulnerabilities are being patched to limit information available to attackers while updates propagate. CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9 and directed federal agencies to remediate by June 23.

The flaw affects Chrome versions prior to 149.0.7827.103 on Windows and macOS, and prior to 149.0.7827.102 on Linux. Because Chromium forms the foundation for several other browsers, including Microsoft Edge and Opera, users of those browsers should verify that their browser vendor has shipped a corresponding update addressing the same V8 engine version. Chrome updates take effect when the browser is restarted; the update being installed does not mean the patched version is running.
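The installed-versus-running distinction above is the check most fleet reports get wrong, and so is version comparison itself: compared as strings, "149.0.7827.98" sorts after "149.0.7827.102". The following is an added example, not CyberSip's or Google's code, that triages an endpoint inventory against the fixed builds stated in the brief. The inventory records are constructed sample data; how the installed and running version strings are collected (for instance from chrome://version or the loaded chrome module, via your endpoint-management tooling) is assumed and outside the example.

```python
"""Triage a Chrome inventory: installed vs running version against the fixed build.

Added example (not from the brief, CyberSip, or Google). Fixed versions come from
the brief; the inventory below is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# Fixed builds per platform as stated in the brief (Chrome 149.0.7827.102/.103).
FIXED_VERSION = {
    "windows": "149.0.7827.103",
    "macos": "149.0.7827.103",
    "linux": "149.0.7827.102",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers so the comparison is numeric.

    String comparison gets this wrong: "149.0.7827.98" > "149.0.7827.102" as
    text, but build 98 is older than build 102.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(version: str, platform: str) -> bool:
    """True when `version` is at or above the fixed build for `platform`."""
    return parse_version(version) >= parse_version(FIXED_VERSION[platform.lower()])


# Constructed sample inventory. "installed" is what the installer or package
# manager recorded; "running" is what the live browser process reports
# (None when the browser is not running).
SAMPLE_INVENTORY: List[Dict[str, Optional[str]]] = [
    {"host": "ws-001", "platform": "windows",
     "installed": "149.0.7827.103", "running": "149.0.7827.103"},
    {"host": "ws-002", "platform": "windows",              # updated, not restarted
     "installed": "149.0.7827.103", "running": "149.0.7827.98"},
    {"host": "ws-003", "platform": "windows",              # update never pushed
     "installed": "149.0.7827.98", "running": "149.0.7827.98"},
    {"host": "mac-010", "platform": "macos",               # browser not running
     "installed": "149.0.7827.103", "running": None},
    {"host": "lx-020", "platform": "linux",
     "installed": "149.0.7827.102", "running": "149.0.7827.102"},
]


def classify(record: Dict[str, Optional[str]]) -> str:
    """Classify one endpoint; an installed fix that is not running is not OK."""
    if not is_patched(record["installed"], record["platform"]):
        return "UPDATE_NOT_INSTALLED"
    if record["running"] is None:
        return "PATCHED_NOT_RUNNING"   # next launch will load the fixed build
    if not is_patched(record["running"], record["platform"]):
        return "RESTART_REQUIRED"      # fixed build on disk, old build in memory
    return "OK"


def triage(inventory) -> Dict[str, List[str]]:
    """Group hostnames by status, preserving inventory order within each group."""
    groups: Dict[str, List[str]] = {}
    for rec in inventory:
        groups.setdefault(classify(rec), []).append(rec["host"])
    return groups


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:22s} {', '.join(hosts)}")
```

Only the `OK` group has actually closed the exposure window; `RESTART_REQUIRED` hosts will report as compliant in any tool that reads the installed version alone.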

Recommended actions
Derived from The Hacker News, Help Net Security, and CISA KEV entry for CVE-2026-11645, June 8–9, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
RoguePlanet Defender zero-day (Issue 59 · Day 4). No CVE, no patch. Works on fully patched Windows 11. Application allowlisting prevents execution. Monitor MSRC for emergency patch.
GreatXML BitLocker bypass (Issue 61 · Day 3). No CVE, no patch. Requires physical access and a prior Defender Offline Scan. Monitor MSRC for patch. Review recovery partition access controls on managed laptops.
Cross-source standouts
01
Law enforcement is now disrupting ransomware at the financial layer, not just the operational one
Prior ransomware takedowns focused on infrastructure: seizing servers, taking down leak sites, arresting operators. AudiA6 is different in emphasis: it targets the financial pipeline that converts ransomware proceeds into usable funds. Europol linked it to 15 or more ransomware operations, meaning the disruption affects multiple groups simultaneously rather than one. That approach, attacking the shared infrastructure and financial services that multiple ransomware ecosystems depend on, is increasingly the model. DOJ Disruption Week in Issue 54 followed similar logic against fraud accounts. The common thread is going after enabling services rather than specific threat actors, which scales better because one takedown affects multiple campaigns.
02
JDY demonstrates that network edge devices are reconnaissance infrastructure for nation-state actors
JDY compromises SOHO routers and IoT cameras and uses them as scanning nodes that blend into normal residential internet traffic. Those devices are outside most enterprise vulnerability management programmes because they are purchased by facilities or ISPs rather than IT, and because endpoint management tools do not cover them. The result is that Chinese nation-state actors have a persistent, growing reconnaissance capability embedded in the network edge of organisations and households adjacent to their actual targets, with devices that generate traffic indistinguishable from legitimate home internet activity. The answer is not sophisticated: SOHO and IoT firmware updates, network segmentation between home devices and corporate VPN tunnels, and inclusion of network edge hardware in vulnerability management scope. The problem is not the sophistication of the attack. It is that the targeted device category is structurally excluded from normal security operations.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.