Dark Web Digest – May 2025 Edition

April brought major news from the dark web. The FBI revealed that it had taken control of a money laundering operation called ElonmuskWHM and run it for nearly a year. Separately, the Kidflix child abuse network was taken down in a coordinated international operation, with 79 people arrested in connection with the site.

The dark web still holds serious threats, however. Login credentials for four major Australian banks were leaked on Telegram and the dark web. A new AI hacking tool, Xanthorox AI, appeared, offering criminals a wide range of capabilities. A Turkish man was identified as the leader of a dark web child abuse network. And ransomware groups continued to target government agencies, including one in Oregon.

The growing danger of dark web crime, and the ongoing efforts to counter it, are on display every month. Here are the major dark web incidents from April.

Germany Dismantles Major Dark Web Platform in “OP Stream” Operation

German authorities have taken down one of the world’s largest darknet platforms for streaming child exploitation content (the platform, Kidflix, is covered in more detail below). The operation involved 38 law enforcement agencies from 38 countries, including the US, the UK, and several EU nations.

The platform, which had over 1.8 million registered users worldwide, hosted tens of thousands of images and videos depicting severe child sexual abuse. Despite perpetrators’ attempts to conceal their identities, investigators identified 1,393 suspects globally, including more than 100 in Germany alone. A crucial part of the investigation involved tracing the cryptocurrency transactions that the platform’s operators and users relied on to avoid detection.

Searches were conducted between March 10 and 23, leading to the seizure of electronic devices such as mobile phones and computers. The investigation is ongoing in multiple countries as agencies analyze the confiscated material and conduct further searches.

Turkish Man Identified as Leader of Dark Web Child Abuse Network

US cybercrime investigators dismantled a global network that served child abuse images to hundreds of thousands of members on the dark web. Eight individuals were arrested and 1.2 million videos were seized. The network’s leader was identified as Mehmet Berk Bozüyük, who operated under the alias “John De Vil.” Access to the site, reachable only through dark web servers, was sold for $100.

Agents identified 39-year-old Krunalkumar Modi as the person who controlled the site’s database and granted access. During a raid on Modi’s home in New Jersey, authorities recovered over 1.2 million videos, many involving infants, along with membership records numbering in the millions. The investigation identified Ximena Maqueda as the network’s financier.

Eight people were arrested during searches conducted in Canada and other countries. Bozüyük, operating under stolen and forged identities, was found to be facilitating the global sale and distribution of child abuse material. Many of the abused children were migrants who had been kidnapped at borders and were being sought internationally by their families.

Those arrested were charged with distributing child sexual abuse material across state lines, distributing obscene material, and unlawful use of two-way communication devices. They were jailed, but Bozüyük and Maqueda remain at large; an Interpol Red Notice has been issued for Bozüyük’s arrest.

Over 26,000 Dark Web Forum Discussions Focused on Hacking Financial Institutions

A study of 46 deep-web hacker forums and over 26,000 threat actors’ forum threads in 2024 revealed alarming trends in cyber threats targeting the financial services industry.

The research revealed a thriving underground economy centered on information-stealing malware, with an average of 3-4 daily mentions of unique “infostealer-as-a-service” offerings on each monitored forum. Developers market to both individual threat actors and more sophisticated APT groups, offering enhanced UIs, technical support, and specialized modules for stealing corporate credentials.

Radware researchers identified a concerning trend in how these attack tools are marketed and distributed. 

Infostealer developers increasingly offer tailored builds with features designed specifically to target corporate accounts; Mystic Stealer, for example, includes functionality for extracting passwords from Outlook. This democratization of attack capabilities has reached unprecedented levels and makes attribution and law enforcement intervention increasingly difficult.

The most significant development of 2024 has been the rise of “OTP (One-Time Password) bots”: underground services operated via Telegram that enable threat actors to automate the social engineering needed to defeat two-factor authentication.

The attack begins with credential stuffing: previously leaked username-password pairs are replayed against the target’s login page. When a login with a valid password is stopped by a two-factor authentication prompt, the attacker turns to an OTP bot, which impersonates the bank or service through pre-recorded or AI-generated voice calls and SMS messages designed to get the victim to hand over the one-time code.
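The two-stage pattern described above leaves a recognisable trace in authentication logs: one source address tries passwords for many different accounts with a low hit rate, and an account whose password that source got right later passes an MFA check from the same source. The following Python script is an added example written for this digest (it is not code from the Radware study or from any product) that runs that detection logic over a constructed sample of log lines. The log format, the event names (password_fail, password_ok, mfa_fail, mfa_ok) and the thresholds are assumptions chosen for illustration. The same triage applies to logins attempted with credentials taken from infostealer leaks such as the Australian bank credentials discussed below.

```python
"""Detect credential-stuffing sources and follow-on MFA bypass in auth logs.

Added example for illustration only; the log format, event names and
thresholds are assumptions, not taken from the Radware study.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    event: str  # password_fail | password_ok | mfa_fail | mfa_ok


# Constructed sample log (not real data). One record per line:
#   <ISO-8601 UTC timestamp> <source IP> <username> <event>
# 203.0.113.7 replays leaked pairs against several accounts, hits two valid
# passwords, is stopped by MFA, and later submits a correct OTP for alice.
SAMPLE_LOG = """\
2025-04-14T09:00:01Z 203.0.113.7 alice password_fail
2025-04-14T09:00:02Z 203.0.113.7 bob password_fail
2025-04-14T09:00:02Z 203.0.113.7 carol password_ok
2025-04-14T09:00:03Z 203.0.113.7 dave password_fail
2025-04-14T09:00:04Z 203.0.113.7 erin password_fail
2025-04-14T09:00:07Z 203.0.113.7 alice password_ok
2025-04-14T09:00:09Z 203.0.113.7 carol mfa_fail
2025-04-14T09:00:12Z 203.0.113.7 alice mfa_fail
2025-04-14T09:08:30Z 203.0.113.7 alice mfa_ok
2025-04-14T09:05:00Z 198.51.100.20 dave password_ok
2025-04-14T09:05:04Z 198.51.100.20 dave mfa_ok
2025-04-14T09:10:00Z 192.0.2.5 erin password_fail
2025-04-14T09:10:20Z 192.0.2.5 erin password_fail
2025-04-14T09:10:45Z 192.0.2.5 erin password_ok
2025-04-14T09:10:50Z 192.0.2.5 erin mfa_ok
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, parts[1], parts[2], parts[3]))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events: List[AuthEvent], min_distinct_users: int = 5,
                          max_success_rate: float = 0.5) -> Dict[str, dict]:
    """Flag IPs that try passwords for many different accounts with a low hit rate.

    Many users plus few successes is the shape of a replayed credential list,
    not of a single user mistyping a password (erin from 192.0.2.5 is not flagged).
    """
    attempts: Dict[str, int] = defaultdict(int)
    successes: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.event not in ("password_fail", "password_ok"):
            continue
        attempts[e.ip] += 1
        users[e.ip].add(e.user)
        if e.event == "password_ok":
            successes[e.ip] += 1
    flagged = {}
    for ip, n in attempts.items():
        rate = successes[ip] / n
        if len(users[ip]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]), "success_rate": rate}
    return flagged


def find_mfa_bypass(events: List[AuthEvent], stuffing_ips: Set[str],
                    window: timedelta = timedelta(minutes=15)) -> List[Tuple[str, str, datetime]]:
    """Return (user, ip, time) for each MFA success that follows a valid password
    from a flagged source within `window`: the attacker obtained the code."""
    last_pw_ok: Dict[Tuple[str, str], datetime] = {}
    hits = []
    for e in events:  # already sorted by time
        if e.ip not in stuffing_ips:
            continue
        key = (e.user, e.ip)
        if e.event == "password_ok":
            last_pw_ok[key] = e.ts
        elif e.event == "mfa_ok":
            start = last_pw_ok.get(key)
            if start is not None and e.ts - start <= window:
                hits.append((e.user, e.ip, e.ts))
    return hits


def triage(log_text: str) -> dict:
    """Run both detections and list accounts whose passwords are confirmed valid."""
    events = parse_log(log_text)
    sources = find_stuffing_sources(events)
    confirmed = {e.user for e in events if e.ip in sources and e.event == "password_ok"}
    return {
        "stuffing_sources": sources,
        "compromised_passwords": confirmed,  # force a reset even where MFA held
        "mfa_bypassed": find_mfa_bypass(events, set(sources)),  # treat as takeover
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

In the sample, carol’s password is confirmed valid but MFA held, so her account needs a password reset; alice’s account shows the OTP-bot signature (a failed MFA attempt followed minutes later by a correct code from the stuffing source) and should be treated as taken over. In production the thresholds should be tuned to the service’s traffic, and the source key should be widened beyond a single IP, since stuffing tools commonly rotate through proxy pools.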

Login Credentials of Four Major Australian Banks Leaked on Telegram and Dark Web

According to a report by the Australian Broadcasting Corporation, hackers have stolen Australian banking passwords and are selling them online. Login credentials for four major banks have been observed on Telegram and the dark web.

The credentials were stolen from personal devices by “infostealer” malware, with some of the compromised devices infected as early as 2021. Globally, over 31 million devices have been infected by info-stealing malware, including more than 58,000 in Australia. Australian superannuation funds have also been hit by attacks that used stolen passwords to access member accounts and commit fraud.

Xanthorox AI Emerges on Dark Web as All-in-One Hacking Tool

Cybersecurity firm SlashNext has identified a new AI platform, Xanthorox AI, built for offensive cyber operations. First seen in late Q1 2025, Xanthorox AI is said to be based on five distinct AI models, each optimized for a specific type of operation and hosted on private servers under the seller’s control.

This sets Xanthorox AI apart from earlier malicious tools, which typically wrap existing large language models (LLMs). The seller claims the platform uses “fully custom-built language models” rather than established models such as LLaMA or Claude. It is promoted as a modular system capable of code generation, vulnerability exploitation, data analysis, and integrated voice and image processing, enabling both automated and interactive attacks.

The modular design allows individual components to be updated or replaced. The seller also advertises built-in voice and image handling modules, live internet search and scraping across more than 50 engines, and offline operation.

The toolkit includes Xanthorox Coder, which automates code creation and script development; Xanthorox Vision, which adds image analysis; and Reasoner Advanced, which aims to mimic human-like decision-making. Xanthorox AI also supports voice interaction through real-time voice calls and asynchronous voice messages, allowing hands-free command and control.

Threat Intelligence Firm Trades Cryptocurrency for Dark Web Accounts

Prodaft, a threat intelligence company, is offering users of dark web cybercrime forums a new deal: it will pay to take accounts off cybercriminals’ hands while guaranteeing the sellers’ anonymity.

The SYS initiative will buy vetted accounts from five known cybercrime forums: XSS, Exploit, RAMP4U, Verified, and BreachForums. Prodaft will pay extra for accounts with moderator or administrator roles. Sellers will not have to explain their past or answer any questions.

The aim is to gain a better vantage point for threat intelligence gathering. Each account will be analyzed and assessed, after which Prodaft will provide the details of its offer and the payment method. All purchased forum accounts will be reported to the firm’s law enforcement partners for transparency, but the seller’s identity will be protected.

To be eligible for SYS, an account must have been registered before December 2022, and its owner must not appear on the FBI’s Most Wanted list or any other law enforcement wanted list. Payment can be made in Bitcoin, Monero, or another cryptocurrency.

Ransomware Group Claims Oregon Agency’s Sensitive Data Leaked on Dark Web

Oregon Public Broadcasting reported that Rhysida, the ransomware group that claimed responsibility for an April 9 cyberattack, released 1.3 million files, amounting to 2.4 terabytes of data, allegedly stolen from the Oregon Department of Environmental Quality (DEQ).

The files, which reportedly contain sensitive employee information, were released after DEQ officials had paused most services, including vehicle emissions testing. Agency spokesperson Lauren Wirtis provided little additional information.

DEQ, the department responsible for regulating air quality, acknowledged a potential cyberattack but has not confirmed a data breach. From April 9 to 11, employees were forced to work from their phones and could not receive email. The department has brought in a digital forensics team to investigate the incident, but has not confirmed any data theft.

79 Arrested in Takedown of Dark Web’s Largest Child Abuse Network, ‘Kidflix’

Kidflix, one of the largest known child sexual abuse material (CSAM) websites on the dark web, was dismantled on March 11, 2025, in a coordinated effort involving authorities from over 35 countries. With over 1.8 million registered users, the platform was built to grow quickly and let users stream and download CSAM. It rewarded uploads and engagement with cryptocurrency-based tokens, which could be spent to unlock higher-quality versions of the content.

The scale of the abuse is massive: the platform hosted around 91,000 unique videos, totaling more than 6,200 hours of CSAM. On average, 3.5 new videos were uploaded every hour, many of which had never been seen by investigators. Seventy-nine people have been arrested in connection with the site, including some directly involved in abusing children.

Law enforcement has identified nearly 1,400 suspects, and the investigation is ongoing. Officials also seized over 3,000 electronic devices and protected 39 children from dangerous situations. Kidflix was a highly organized and profitable operation, with users earning tokens by uploading CSAM, tagging content, and verifying video descriptions. The site’s infrastructure supported low-, medium-, and high-quality video, making it even more attractive to predators.

The operation’s success relied heavily on international teamwork, with agencies from the United States, the United Kingdom, Australia, Canada, Germany, and others helping to track suspects, secure digital evidence, and identify victims.

FBI Takes Control of Dark Web Money Laundering Operation ‘ElonmuskWHM’

The FBI has increasingly infiltrated cybercrime by embedding its agents in, and at times fully operating, criminal digital services. A case in point is the FBI’s operation of “ElonmuskWHM,” a dark web money laundering service that let cybercriminals cash out cryptocurrency obtained through criminal schemes. Customers, including drug traffickers and hackers, sent the business their crypto, and the operator mailed them cash, taking a 20% fee for the service.

The FBI began investigating the service in 2021, enlisting the Postal Service to help it trace cash shipments between cybercriminals and the operator. The investigation showed that nearly $90 million worth of cryptocurrency passed through the operator’s network, and at one point the operator boasted of having made as much as $30 million from the business. Investigators eventually identified and arrested the operator, a 30-year-old Indian national named Anurag Pramod Murarka, and took over the site.

The FBI operated ElonmuskWHM for approximately 11 months, which let it map ties between the service and drug trafficking prosecutions, a knife-point robbery investigation, and numerous computer hacking investigations.

The FBI also took extreme steps to unmask the operator, including demanding that Google turn over identifying information on everyone who watched a specific YouTube video over an eight-day period. Murarka was sentenced to 121 months in prison in January.

This is the latest example of the government covertly infiltrating cybercriminal operations to understand their structure and investigate their customers. The FBI’s “Trojan Shield” operation allowed the bureau to monitor 11,800 devices in 90 countries, providing a window into high-level criminal activity by as many as 300 transnational crime organizations.

I'm Chester Li, a cybersecurity and cryptography specialist based in Beijing, China with over a decade of experience. I focus on securing digital infrastructures and protecting sensitive information worldwide.
