Back to Intelligence

DoJ 'Disruption Week' Takedown: Defending Against Transnational Crypto Fraud Networks

SA
Security Arsenal Team
June 4, 2026
5 min read

On May 18, 2026, the U.S. Department of Justice (DoJ) launched a sweeping coordinated action known as "Disruption Week," targeting transnational cyber-enabled fraud networks operating out of Southeast Asia. This operation resulted in the seizure of $3.8 million in assets and the takedown of millions of compromised social media, email, and internet access accounts. While this is a significant victory, the disruption of these networks often leads to threat actors scattering and aggressively pivoting to new infrastructure. Defenders must act now to identify if their environments are being leveraged as unwitting proxies or if their users are being targeted by the residual social engineering campaigns that fuel these fraud operations.

Technical Analysis

The "Disruption Week" operation focused on dismantling the infrastructure used to facilitate cryptocurrency fraud, commonly involving "pig-butchering" schemes and investment scams. The technical footprint of these campaigns relies heavily on the large-scale compromise of legitimate accounts across three pillars:

  1. Social Media & Email: Attackers hijack legitimate accounts to propagate fraudulent investment opportunities, bypassing traditional email filters through the trust inherent in established connections.
  2. Internet Access Accounts: The seizure of internet access credentials suggests the use of compromised residential or business ISP accounts to proxy traffic, obfuscating the true source of the fraud operations and evading IP-based reputation blocklists.

From a defensive perspective, the primary risk to the enterprise is twofold: Account Takeover (ATO) of internal users (who may be reusing passwords leaked from these breaches) and ** inadvertent infrastructure abuse**, where compromised internal hosts act as command-and-control (C2) or proxy nodes for these transnational actors.

Detection & Response

To defend against the fallout and ongoing techniques used by these disrupted networks, security teams should hunt for unauthorized cryptocurrency wallet interaction on endpoints and signs of proxy software indicative of compromised internet access credentials.

━━━ DETECTION CONTENT ━━━

SIGMA Rules

The following rules target the execution of unauthorized cryptocurrency wallets—often the end-goal of these frauds—and the presence of proxy software used to tunnel traffic through compromised internet access accounts.

YAML
---
title: Potential Crypto Wallet Execution on Corporate Endpoint
id: 88d4e1a2-2026-4b8c-a5f1-9c3e2d4b5a6c
status: experimental
description: Detects the execution of known cryptocurrency wallet or mining binaries on corporate endpoints, which may indicate user involvement in fraud schemes or malware payload execution.
references:
 - https://www.justice.gov/opa/pr/justice-department-announces-results-disruption-week-cyber-enabled-fraud
author: Security Arsenal
date: 2026/05/20
tags:
 - attack.resource-development
 - attack.t1587.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\bitcoin-core.exe'
     - '\ethereum-wallet.exe'
     - '\monero-wallet-cli.exe'
     - '\miner.exe'
     - '\xmrig.exe'
   - Image|contains:
     - '\AppData\Roaming\Bitcore\'
     - '\AppData\Roaming\Ethereum\'
     - '\AppData\Roaming\Zcash\'
 condition: selection
falsepositives:
 - Authorized use by finance/research teams
level: medium
---
title: Proxy Process Execution indicative of Credential Abuse
id: 99f5a2b3-2026-5c9d-b6g2-0d4f3e5c6d7e
status: experimental
description: Detects execution of common proxy tools (3proxy, Squid, CCProxy) often used when attackers compromise internet access accounts to tunnel malicious traffic.
references:
 - https://www.justice.gov/opa/pr/justice-department-announces-results-disruption-week-cyber-enabled-fraud
author: Security Arsenal
date: 2026/05/20
tags:
 - attack.command_and_control
 - attack.t1090.003
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\3proxy.exe'
     - '\squid.exe'
     - '\ccproxy.exe'
     - '\nginx.exe'
   CommandLine|contains:
     - '-p '
     - 'proxy'
 condition: selection
falsepositives:
 - Legitimate IT administration proxying
level: high

KQL (Microsoft Sentinel)

This query hunts for network connections to high-risk ports or domains associated with the proxy infrastructure often used in these transnational fraud campaigns.

KQL — Microsoft Sentinel / Defender
// Hunt for outbound connections on non-standard ports often used for proxying
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (1080, 3128, 8080, 9050) // Common proxy/Tor ports
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "edge.exe", "svchost.exe")
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Count desc

Velociraptor VQL

Use this artifact to hunt for the presence of unauthorized wallet configuration files or proxy binaries on disk.

VQL — Velociraptor
-- Hunt for crypto wallet and proxy configuration artifacts
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="/*/AppData/Roaming/**/*wallet*.dat")
WHERE Mtime > ago(-30d)

UNION ALL

SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="C:/Program Files/**/3proxy.exe")

Remediation Script (PowerShell)

This script identifies running processes associated with common cryptocurrency wallets and unauthorized proxy services, providing an option to terminate them.

PowerShell
<#
.SYNOPSIS
    Identify and terminate unauthorized crypto-wallet and proxy processes.
.DESCRIPTION
    Scans for processes matching known wallet/proxy signatures and kills them upon confirmation.
#>

$MaliciousProcesses = @(
    "bitcoin-core", "ethereum-wallet", "monero-wallet-cli", 
    "miner", "xmrig", "3proxy", "squid", "ccproxy"
)

$FoundProcesses = Get-Process | Where-Object { 
    $MaliciousProcesses -like $_.ProcessName 
}

if ($FoundProcesses) {
    Write-Warning "Detected unauthorized processes:"
    $FoundProcesses | Format-Table Id, ProcessName, Path -AutoSize
    
    $Confirm = Read-Host "Terminate these processes? (Y/N)"
    if ($Confirm -eq 'Y') {
        $FoundProcesses | Stop-Process -Force
        Write-Output "Processes terminated. Initiate forensic scan of the affected endpoints."
    }
} else {
    Write-Output "No known unauthorized crypto or proxy processes detected."
}

Remediation

  1. Compromise Assessment: Conduct a thorough review of Active Directory logs for "Impossible Travel" logins and successful authentications from Southeast Asian IP ranges (if unusual for your user base), correlating with the May 2026 timeframe.
  2. Credential Reset: Enforce a password reset for all users identified as having credentials leaked in third-party breaches associated with these social media/email dumps. Enable FIDO2/WebAuthn where possible.
  3. Network Egress Filtering: Update firewall rules to block outbound traffic to non-standard proxy ports (e.g., 1080, 3128, 8080) from endpoints that do not require it for business operations.
  4. User Awareness: Immediately roll out targeted security awareness training focusing on "Pig Butchering" investment scams originating from compromised social media accounts of friends or family.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringcrypto-fraudsocial-engineeringdoj-disruption-weekaccount-takeover

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action