June 2025 was a critical month for dark web activity. Law enforcement agencies shut down major illegal marketplaces. Massive data breaches exposed billions of credentials. Ransomware attacks targeted governments and businesses. This digest covers eight key events from June 2025 to July 2025. Let’s go through this month’s digest and see what’s happening on the dark web.
Europe-wide Takedown Hits Longest-Standing Dark Web Drug Market
On June 16, 2025, Europol led a major operation against Archetyp Market. This was the longest-standing dark web drug marketplace. It started in 2020 and had over 600,000 users. The market made €250 million selling drugs like cocaine, MDMA, amphetamines, and fentanyl. Police from Germany, the Netherlands, Romania, Spain, and Sweden were involved in the operation. They arrested a 30-year-old German man in Barcelona. He ran the market under the pseudonym ASNT. Authorities seized €7.8 million in assets. This included luxury vehicles and cryptocurrency. The operation, known as Operation Deep Sentinel, took place from June 11 to 13. It shut down servers in the Netherlands.
Pakistan Busts Global Child Abuse Ring Operating from Gaming Club
In June 2025, Pakistan’s National Cyber Crime Investigation Agency (NCCIA) broke up a global child abuse ring. It operated from a gaming club in Muzaffargarh, Punjab. Police rescued 10 children aged 6 to 10. They identified over 50 victims. Two suspects, Muhammad Junaid and Muhammad Irfan, were arrested. Four others, including the ringleader, a German named Reinz Andreas, are still at large. The group used studio-grade cameras and live-streaming equipment. They sold videos on the dark web for $100 to $500 each. They distributed content through encrypted apps like WhatsApp and Telegram. The operation got support from the US National Centre for Missing and Exploited Children, Interpol, and German authorities. The rescued children are now in the care of the Punjab Child Protection Bureau.
Billions of Credentials Exposed in Infostealer Data Leak
Between June 18 and 19, 2025, hackers stole 16 billion login credentials. This was one of the most significant data breaches ever. The data originated from platforms such as Apple, Google, Facebook, PayPal, and government websites in 29 countries. It was not from a single company, but rather from infostealer malware on infected devices. The stolen data was shared on the dark web. It included 30 datasets, with the largest having over 3.5 billion records. Criminals can use this data to hack accounts, steal identities, or commit fraud. Cybersecurity expert Bob Diachenko said no single company was breached. The credentials came from malware logs. Aras Nazarovas advised changing passwords and using two-factor authentication.
Access to British Firms’ Data Sold on Dark Web
In June 2025, SOCRadar’s Dark Web Team discovered hackers selling access to the systems of British companies. About 40 to 50 firms were affected. Each company had 2 to 3 servers accessed. Hackers offered remote control, file management, and screen sharing. This was posted on a dark web forum. The access could let criminals steal sensitive data or disrupt operations. This incident highlights that businesses remain vulnerable to cyberattacks. Companies need stronger cybersecurity to protect their systems.
US Seizes Crypto and 145 Domains of Dark Web Marketplace
On June 4, 2025, the US Department of Justice seized 145 domains linked to BidenCash. This dark web marketplace sold stolen credit card data. It started in March 2022 and had over 117,000 customers. The site sold more than 15 million stolen cards and made $17 million. It also gave away 3.3 million stolen cards for free between October 2022 and February 2023. The US worked with Dutch police to take down the site. They seized cryptocurrency used for illegal activities.
NordVPN Report: 94 Billion Cookies Leaked on Dark Web
NordVPN’s Dark Web Data Report for June 2025 found nearly 94 billion cookies leaked on the dark web. Over 57 million were from Irish users. About 4.7 million of those were still active. This was a 74% increase from last year. The report said 20.5% of all leaked cookies were still active. Hackers used 38 types of malware, up from 12 last year. Cookies from Google (4.5 billion) and YouTube (1.3 billion) were among the most leaked. Brazil, India, and the US were the most affected countries. Adrianus Warmenhoven from NordVPN said cookies can be “digital keys” to private information. People should clear browser data and use strong passwords to stay safe.
Qilin Ransomware Group’s Surge in Activity
In June 2025, Qilin became the most active ransomware group. It attacked more victims than any other group. This happened after RansomHub shut down. Qilin’s affiliates joined the group and employed new attack tactics. They targeted government agencies in the US, Colombia, UAE, and France. They also hit big brands like D*** Paris and T***aster. Some attacks had political objectives, such as disrupting public services and utilities. New ransomware groups, including Team XXX, Warlock, Global, W.A., and Kawa4096, also emerged. State-sponsored hackers, like APTiran, attacked Israel’s infrastructure with ransomware.
BidenCash forum taken down by the US
A law enforcement operation led by the US and Dutch authorities has taken down nearly 145 domains associated with the BidenCash cybercriminal marketplace. BidenCash, which has been used to sell stolen credit card numbers, compromised credentials, and personal information since 2022, had over 117,000 customers and generated $17 million in revenue. The DOJ reported that between October 2022 and February 2023, the marketplace published 3.3 million individual stolen credit card numbers for free to promote its services.
The stolen data included credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers. The Justice Department and FBI did not respond to requests for comment on whether any arrests were made as part of the operation.
7.4 Million Citizen Records Leaked on Dark Web
Paraguay has been targeted by cybercriminals who leaked 7.4 million records containing personally identifiable information (PII) of its citizens. The ransomware group demanded $7.4 million in ransom payments, $1 per citizen, with a symbolic deadline of June 13, 2025. The stolen data was published on multiple underground forums and as torrent files, allowing other internet users to download citizens’ records over P2P networks. The government of Paraguay declined to pay the ransom and provided no insight into how the information was stolen. The leaked data presumably comes from the Agencia Nacional de Tránsito y Seguridad Vial de Paraguay, the Ministry of Public Health and Social Welfare of Paraguay, and another unnamed system storing PII.
The actors, known as “Cyber PMC,” positioned themselves as “mercenaries” attacking government systems for profit. This new development confirms the growing number of cyberattacks against Paraguay, with the profile of one key actor known for large-scale data breaches across South America. The intensity of cyberattacks and data breaches targeting Paraguay and other South American countries is alarming, highlighting the increasing efforts of foreign threat actors to compromise government information systems and portals that store PII of citizens.
In short, the July 2025 digest highlighted the ongoing risks of the dark web. Law enforcement shut down Archetyp Market and BidenCash. However, billions of passwords and cookies were exposed. Qilin and new ransomware gangs targeted governments and corporations. A child abuse network was busted in Pakistan. These events highlight the importance of robust cybersecurity. Worldwide cooperation is helping to stop dark web crimes. However, new threats keep arising. Users and businesses must take care to protect their data.