Introduction

The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence on dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers.

LummaC2 seller’s official website

Lumma delivery usually involves human interaction, such as clicking a link, running malicious commands, etc. Recently, while investigating an incident as part of our incident response services, our Global Emergency Response Team (GERT) encountered Lumma on a customer’s system. The analysis revealed that the incident was triggered by human interaction, namely the user was tricked into executing a malicious command by a fake CAPTCHA page. In this article, we will review in detail how the fake CAPTCHA campaign works and share a list of IoCs that we discovered during our analysis and investigation of the campaign. Although we already described this distribution method in an earlier article, more details about this campaign have been discovered since then.

Lumma Stealer’s distribution vectors

Lumma Stealer’s distribution methods are diverse, using common techniques typically seen in information-stealing malware campaigns. Primary infection vectors include phishing emails with malicious attachments or links, as well as trojanized legitimate applications. These deceptive tactics trick users into executing the malware, which runs silently in the background harvesting valuable data. Lumma has also been observed using exploit kits, social engineering, and compromised websites to extend its reach and evade detection by security solutions. In this article, we’ll focus mainly on the fake CAPTCHA distribution vector.

This vector involves fake verification pages that resemble legitimate services, often hosted on platforms that use Content Delivery Networks (CDNs). These pages typically masquerade as frequently used CAPTCHAs, such as Google reCAPTCHA or Cloudflare CAPTCHA, to trick users into believing they are interacting with a trusted service.

Fake CAPTCHA distribution vectors

Fake CAPTCHA distribution scheme

There are two types of resources used to promote fake CAPTCHA pages:

• Pirated media, adult content, and cracked software sites. The attackers clone these websites and inject malicious advertisements into the cloned page that redirect users to a malicious CAPTCHA.
• Fake Telegram channels for pirated content and cryptocurrencies. The attackers create Telegram channels with names containing keywords related to cryptocurrencies or pirated content, such as software, movies, etc. When a user searches for such content, the fraudulent channels appear at the top of the search. The attackers also use social media posts to lure victims to these channels. When a user joins such a channel, they are prompted to complete an identity verification via a fraudulent “Safeguard Captcha” bot.
  
  Safeguard Captcha bot

  Once the user clicks the Verify button, the bot opens a pop-up page with a fake CAPTCHA.

Fake CAPTCHA page

Users are presented with a pop-up page that looks like a standard CAPTCHA verification, prompting them to click I’m not a robot/Verify/Copy or some similar button. However, this is where the deception begins.

Fake CAPTCHA page examples

Fake page malicious content

When the I’m not a robot/Verify/Copy button is clicked, the user is instructed to perform an unusual sequence:

• Open the Run dialog(Win+R)
• Press Ctrl+V
• Hit Enter

Without the user’s knowledge, clicking the button automatically copies a PowerShell command to the clipboard. Once the user pastes the command into the Run dialog and presses Enter, the system executes the command.

Examples of scripts copied to the clipboard and executed via the Run dialog

The command may vary slightly from site to site and changes every few days, but it is typically used to download Lumma Stealer from a remote server, which is usually a known CDN with a free trial period or a legitimate code hosting and collaboration platform such as GitHub, and begin the malware installation process. Let’s take a closer look at this infection chain using the following command that was executed in our customer’s incident as an example:

Command triggering Lumma’s infection chain

The command is rather simple. It decodes and runs the contents from the remote win15.txt file hosted at https[:]//win15.b-cdn[.]net/win15.txt. The win15.txt file contains a Base64-encoded PowerShell script that then downloads and runs the Lumma Stealer. When decoded, the malicious PowerShell script looks like this:

Contents of win15.txt

The script performs the following actions:

1. Downloads the malware. It downloads the win15.zip file from https[:]//win15.b-cdn[.]net/win15.zip to [User Profile]\AppData\Roaming\bFylC6zX.zip.
2. Extracts the malware. The downloaded ZIP file is extracted to C:\Users\[User]\AppData\Roaming\7oCDTWYu, a hidden folder under the user’s AppData directory.
3. Executes the malware. The script runs the Set-up.exe file from the unpacked archive, which is now located at C:\Users\[User]\AppData\Roaming\7oCDTWYu\Set-up.exe.
4. Establishes persistence mechanism. The script creates an entry in the Windows Registry for persistency, ensuring that the malware runs every time the system starts. The registry key is added under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The key name is 5TQjtTuo, with the value pointing to Set-up.exe.

However, in some cases, the malware delivery mechanism can be more complex. In the following example, the delivery script is a JavaScript code hidden in what looks like an .mp3 file (other file formats such as .mp4 and .png have also been used). In fact, in addition to the JavaScript, the file may contain a corrupt .mp3/.mp4 file, legitimate software code, or just random data.

The script is executed using the Microsoft HTML Application engine mshta.exe by prompting the user to paste the following command into the Run dialog box:

Command triggering JS-based infection chain

The mshta command parses the file as an HTA file (Microsoft HTML Application) and executes any JavaScript code within the <script> tag, triggering the following infection chain:

Layer (1)

The JS script inside the .mp3 file is executed by mshta.

JS script within the never.mp3 file

Layer (2)

After calculating the Kwb value, the following script is obtained, which is then executed by the eval function.

Layer (2) JS script

Layer (3)

After calculating the values for kXN and zzI, the final ActiveX command is built and executed. It contains an encoded PowerShell script in the $PBwR variable.

Deobfuscated Layer (2) JS script

Layer (4)

After decoding the PowerShell script, we found that its main purpose is to download and execute another PowerShell file from the C2 path hXXps://connect[.]klipfuzj[.]shop/firefire[.]png.

Decrypted Layer (3) PowerShell script

Analysis for firefire.png

The file firefire.png is a huge PowerShell file (~31MB) with several layers of obfuscation and anti-debugging. After deobfuscating and removing unnecessary code, we could see that the main purpose of the file is to generate and execute an encrypted PowerShell script as follows:

firefire.png

The decryption key is the output of the Invoke-Metasploit command, which is blocked if the AMSI is enabled. As a result, an error message is generated by the AMSI: AMSI_RESULT_NOT_DETECTED, which is used as the key. If the AMSI is disabled, the malware will fail to decrypt the script.

The decrypted PowerShell script is approximately 1.5MB in size and its main purpose is to create and run a malicious executable file.

Decrypted PowerShell script

Infection methods and techniques

Lumma Stealer has been observed in the wild using a variety of infection methods, with two primary techniques standing out in its distribution campaigns: DLL sideloading and injection of a malicious payload into the overlay section of legitimate free software. These techniques are particularly effective at evading detection because they exploit the trust that users place in widely used applications and system processes.

• DLL sideloading
  DLL sideloading is a well-known technique where malicious dynamic link libraries (DLLs) are loaded by a legitimate application. This technique exploits vulnerabilities or misconfigurations in software that inadvertently load DLL files from untrusted directories. Attackers can drop the Lumma Stealer DLL in the same directory as a trusted application, causing it to load when the application is executed. Because the malicious DLL is loaded in the context of a trusted process, it is much harder for traditional security measures to detect the intrusion.
• Injection of malicious payload into the overlay section of software
  Another method commonly used by Lumma Stealer is to inject a malicious payload into the overlay section of free software. The overlay section is typically used for legitimate software functionality, such as displaying graphical interfaces or handling certain input events. By modifying this section of the software, the adversary can inject the malicious payload without disrupting the normal operation of the application. This method is particularly insidious because the software continues to appear legitimate while the malicious code silently executes in the background. It also helps the malware evade detection by security tools that focus on system-level monitoring.

Both of these methods rely on exploiting trusted applications, which significantly increases the chances of successful infection. These techniques can be used in combination with others, such as phishing or trojanized software bundles, to maximize the spread of Lumma Stealer to multiple targets.

Sample analysis

To demonstrate how the Lumma Stealer installers work and the impact on systems and data security, we’ll analyze the stealer sample we found in the incident at our customer. This sample utilizes the overlay injection technique. Below is a detailed breakdown of the infection chain and the various techniques used to deploy and execute Lumma Stealer.

Initial execution and self-extracting RAR (SFX)

The initial payload in this sample is delivered as ProjectorNebraska.exe, which consists of a corrupt legitimate file and the malware in the overlay section. It is executed by the victim. Upon execution, the file extracts and runs a self-extracting RAR (SFX) archive. This archive contains the next stage of the infection: a Nullsoft Scriptable Install System (NSIS) installer. NSIS is a widely used tool for creating Windows installers.

NSIS installer components

The NSIS installer drops several components that are critical to the malware’s execution:

NSIS installer components

These include AutoIt components and an obfuscated batch script loader named Hose.cmd. The following AutoIt components are dropped:

• Fragments of a legitimate AutoIt executable: These are pieces of a genuine AutoIt executable that are dropped to the victim’s system, and then reassembled during the infection process.
• Compiled AutoIt script: The compiled script carries the core functionality of Lumma Stealer, including operations such as credential theft and data exfiltration.

These components are later reassembled into the final executable payload using the batch script loader that concatenates and executes the various fragments.

Hose.cmd orchestrates the final steps of the malware’s execution. Below is a breakdown of its key components (after deobfuscation):

Deobfuscated batch script code

Process tree after executing the batch script

The batch script performs the following actions:

• Security product evasion
  
  • The script scans for the presence of security software (SecureAnywhere and Quick Heal AntiVirus) using the tasklist If either of them is detected, it delays execution via the ping -n 198 command, which pings localhost 198 times. This trick is used to avoid sandbox detection, as the sandbox typically exits before the script completes the ping task.
  • The script checks for the presence of any of the following: Avast, AVG, McAfee, Bitdefender, Sophos, using the tasklist If one of them is detected, it keeps the executable name for AutoIt as AutoIt3.exe; otherwise, it renames it to Suggests.pif.

  
  

• Environment setup and payload preparation. It sets environment variables for the AutoIt executable and the final payload. It also creates a working directory named 195402 in the Temp directory to store malicious components.
• Obfuscation and extraction. The script filters and cleans a file named Sitting from the NSIS installer by removing the string OptimumSlipProfessionalsPerspective, and storing the result as Suggests.pif. It then uses the copy /b command to merge Suggests.pif with an additional component from the NSIS installer named Oclc into the AutoIt executable, saving it again as Suggests.pif.
• Payload assembly. It concatenates multiple files from the NSIS installer: Italy, Holmes, True, etc. to generate the final executable with the name h.a3x, which is an AutoIt script.
• Execution of Lumma Stealer. Finally, the script runs Suggests.pif, which in turn executes h.a3x, triggering the AutoIt-based execution of Lumma Stealer.

AutoIt script analysis

During the analysis, the AutoIt Extractor utility was used to decompile and extract the script from the h.a3x file. The script was heavily obfuscated and required additional deobfuscation to get a clean and analyzable .au3 script. Below is the analysis of the AutoIt loader’s behavior.

AutoIt script extraction

Anti-analysis checks

The script begins by validating the environment to detect analysis tools or sandbox environments. It checks for specific computer names and usernames often associated with testing environments.

Environment validation

It then checks for processes from popular antivirus tools such as Avast (avastui.exe), Bitdefender (bdagent.exe), and Kaspersky (avp.exe).

Anti-AV checks

If any of these conditions are met, the script halts execution to evade detection.

Executing loader shellcode

If the anti-analysis checks are passed, the script dynamically selects 32-bit or 64-bit shellcode based on the system architecture, which is located in the $vinylcigaretteau variable inside the script. To do this, it allocates executable memory and injects the shellcode into it. The shellcode then initializes the execution environment and prepares for the second-stage payload.

Part of the AutoIt loader responsible for the shellcode execution

Processing the $dayjoy payload

After executing the loader shellcode, the script processes the second-stage payload located in the $dayjoy variable. The payload is decrypted using RC4 with a hardcoded key 1246403907690944.

The encrypted payload

To decrypt the payload independently, we wrote a custom Python script that you can see in the screenshot below.

Python script for payload decryption

The decrypted payload is decompressed using the LZNT1 algorithm.

Payload decompression

Final payload execution

After decryption and decompression, the $dayjoy payload is executed in memory. The script uses DllCallAddress to invoke the payload directly in the allocated memory. This ensures the payload is executed stealthily without being written to disk.

Final payload execution

This final payload is the stealer itself. The malware’s comprehensive data theft capabilities target a wide range of sensitive information, including:

• Cryptocurrency wallet credentials (e.g., Binance, Ethereum) and associated browser extensions (e.g., MetaMask)
• Two-factor authentication (2FA) data and authenticator extensions
• Browser-stored credentials and cookies
• Stored credentials from remote access tools such as AnyDesk
• Stored credentials from password managers such as KeePass
• System and application data
• Financial information such as credit card numbers

C2 communication

Once Lumma Stealer is executed, it establishes communication with its command and control (C2) servers to exfiltrate the stolen data. The malware sends the collected information back to the attacker’s infrastructure for further exploitation. This communication is typically performed over HTTP or HTTPS, often disguised as legitimate traffic to avoid detection by network security monitoring tools.

C2 servers identified

The following C2 domains used by Lumma Stealer to communicate with the attackers were identified in the analyzed sample:

• reinforcenh[.]shop
• stogeneratmns[.]shop
• fragnantbui[.]shop
• drawzhotdog[.]shop
• vozmeatillu[.]shop
• offensivedzvju[.]shop
• ghostreedmnu[.]shop
• gutterydhowi[.]shop

These domains are used to receive stolen data from infected systems. Communication with these servers is typically via encrypted HTTP POST requests.

Conclusions

As a mass-distributed malicious program, Lumma Stealer employs a complex infection chain that includes a number of anti-analysis and detection evasion techniques, to stealthily infiltrate the victim’s device. Although the initial infection via dubious pirated software and cryptocurrency-related websites and Telegram channels suggests that individuals are the primary targets of these attacks, we saw Lumma in an incident at one of our customers, which illustrates that organizations can also fall victim to this threat. The information stolen by such malware may end up in the hands of more prominent cybercriminals, such as ransomware operators. That’s why it’s important to prevent stealer infections at the early stages. By understanding the infection techniques, security professionals can better defend against this growing threat and develop more effective detection and prevention strategies.

IoCs

The following list contains the URLs detected during our research. Note that the attackers change the malicious URLs and Telegram channels almost daily, and the IoCs provided in this section were already inactive at the time of writing. However, they may be useful for retrospective threat detection.

Malicious fake CAPTCHA pages

• seenga[.]com/page/confirm.html
• serviceverifcaptcho[.]com
• downloadsbeta[.]com
• intelligenceadx[.]com
• downloadstep[.]com
• nannyirrationalacquainted[.]com
• suspectplainrevulsion[.]com
• streamingsplays[.]com
• bot-detection-v1.b-cdn[.]net
• bot-check-v5.b-cdn[.]net
• spam-verification.b-cdn[.]net
• human-test.b-cdn[.]net
• b-cdn[.]net
• b-cdn[.]net

Telegram channels distributing Lumma

• t[.]me/hitbase
• t[.]me/sharmamod

securelist.com/lumma-fake-capt…

ANOTHER MONDAY, ANOTHER DIGITAL POLITICS. I'm Mark Scott, and you find me enjoying the four-day Easter weekend here in the United Kingdom. In honor of that, I give you my new favorite podcast.

In my day job, I'll be interviewing Brad Smith, Microsoft's president, in Brussels on April 30 at 10am CET. You can watch along here. For those of you who would like to attend in person, drop me a line here.

— Policymakers worldwide are now seriously considering a future where digital policymaking excludes the United States. Let's unpick what that means.

— It's official: Google is most definitely a monopoly, on both sides of the Atlantic. That will have far-reaching consequences — but it will take time.

— Digital rights civil society groups have been severely impacted by cuts in US government support. Here are the charts that explain the impact.

Let's get started:

digitalpolitics.co/newsletter0…

At Hackaday, it is always clock time, and clock time is a great time to check in with [shiura], whose 3D Printed Perpetual Calendar Clock is now at Version 2. A 3D printed calendar clock, well, no big deal, right? Grab a few steppers, slap in an ESP32 to connect to a time server, and you’re good. That’s where most of us would probably go, but most of us aren’t [shiura], who has some real mechanical chops.
There’s also a 24-hour dial, because why not?
This clock isn’t all mechanical. It probably could be, but at its core it uses a commercial quartz movement — you know, the cheap ones that take a single double-A battery. The only restriction is that the length of the hour axis must be twelve millimeters or more. Aside from that, a few self-tapping screws and an M8 nut, everything else is fully 3D printed.

From that simple quartz movement, [shiura]’s clock tracks not only the day of the week, the month and date — even in Febuary, and even compensating for leap years. Except for the inevitable drift (and battery changes) you should not have to adjust this clock until March 2100, assuming both you and the 3D printed mechanism live that long. Version one actually did all this, too, but somehow we missed it; version two has some improvements to aesthetics and usability. Take a tour of the mechanism in the video after the break.

We’ve featured several of [shiura]’s innovative clocks before, from a hybrid mechanical-analog display, to a splitless flip-clock, and a fully analog hollow face clock. Of course [shiura] is hardly our only clock-making contributor, because it it always clock time at Hackaday.

youtube.com/embed/H03xxuqXKgE?…

hackaday.com/2025/04/21/printe…

With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images.

SVG format

SVG (Scalable Vector Graphics) is a format for describing two-dimensional vector graphics using XML. This is how an SVG file appears when opened in image viewing software.

SVG image

But if you open it in a text editor, you can see the XML markup that describes the image. This markup allows for easy editing of image parameters, eliminating the need for resource-intensive graphics editors.

This is what an SVG file looks like when opened in a text editor

Since SVG is based on XML, it supports JavaScript and HTML, unlike JPEG or PNG. This makes it easier for designers to work with non-graphical content like text, formulas, and interactive elements. However, attackers are exploiting this by embedding scripts with links to phishing pages within the image file.

Sample SVG file with embedded HTML code. The tag introduces HTML markup

Phishing email campaigns leveraging SVG files

At the start of 2025, we observed phishing emails that resembled attacks with an HTML attachment, but instead utilized SVG files.

Phishing email with an SVG attachment

A review of the email’s source code shows that the attachment is identified as an image type.

The file as displayed in the email body

However, opening the file in a text editor reveals that it is essentially an HTML page with no mention of vector graphics.

Code of the SVG file

In a browser, this file appears as an HTML page with a link that supposedly points to an audio file.

SVG file viewed as HTML

Clicking the link redirects the user to a phishing page masquerading as Google Voice.

Phishing page mimicking Google Voice

The audio track at the top of the page is a static image. Clicking “Play Audio” redirects the user to a corporate email login page, allowing attackers to capture their credentials. This page, too, mentions Google Voice. The page also includes the target company’s logo, aiming to lower the user’s guard.

Login form

In a separate instance, mimicking a notification from an e-signature service, attackers presented an SVG attachment as a document that required review and signature.

Phishing e-signature request

Unlike the first example, where the SVG file acted as an HTML page, in this case it contains JavaScript that, when the file is opened, launches a browser window with a phishing site featuring a fake Microsoft login form.

Code of the SVG file

Phishing login form

Statistics

Our telemetry data indicates a significant increase in SVG campaigns during March 2025. We found 2,825 of these emails in just the first quarter of the year.

Emails with SVG attachments, January through March 2025 (download)

In April, the upward trend continued: in the first half of the month, we detected 1324 emails with SVG attachments – more than two-thirds of March’s figure.

Takeaways

Phishers are relentlessly exploring new techniques to circumvent detection. They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. These attacks, while currently relatively basic – much like HTML attachment scenarios – involve SVG files containing either a phishing link page or a redirection script to a fraudulent site. However, the use of SVG as a container for malicious content can also be employed in more sophisticated targeted attacks.

securelist.com/svg-phishing/11…

Gli aggressori utilizzano sempre più spesso metodi di promozione sui motori di ricerca per attirare gli utenti verso siti dannosi. Vengono utilizzati sia il “black SEO” sia gli annunci a pagamento, il tutto per garantire che le risorse dannose appaiano il più in alto possibile nei risultati di ricerca.

Questo approccio è chiamato SEO poisoning. I criminali mascherano contenuti dannosi da siti legittimi, sfruttando la fiducia nei marchi noti. In particolare, sono state identificate campagne in cui siti web falsi imitavano pagine di download di applicazioni popolari, come Firefox, WhatsApp e Telegram, e raccoglievano informazioni riservate da utenti ignari.

I ricercatori dell’ESET hanno analizzato delle campagne in cui i truffatori promuovevano falsi annunci Google per attirare le vittime su siti web falsi. Alcuni di essi erano in grado di assumere il controllo completo dei dispositivi della vittima.

Il settore finanziario continua a rappresentare un obiettivo particolarmente interessante. Nel 2022 si sono verificati casi in America Latina in cui sono stati distribuiti annunci pubblicitari dannosi sotto le mentite spoglie di Mastercard. Un altro esempio è un attacco di phishing sotto il marchio della compagnia di autobus argentina La Veloz del Norte, che ha portato al furto di dati personali e di pagamento degli utenti che cercavano di acquistare i biglietti.

L’intelligenza artificiale apre anche nuove opportunità per gli aggressori. I truffatori utilizzano attivamente la pubblicità per promuovere falsi servizi che si suppone siano basati sull’intelligenza artificiale, come i falsi siti ChatGPT. Il loro obiettivo è ottenere i dati della carta di credito. Spesso tali siti vengono progettati con i loghi di partner noti per apparire più convincenti.

I motori di ricerca si stanno impegnando per contrastare questo fenomeno. In un rapporto di Google Ads Safety 2023, gli esperti dell’azienda hanno bloccato o rimosso oltre 5,5 miliardi di annunci. Tuttavia, alcune minacce continuano a trapelare nei risultati di ricerca.

Per ridurre al minimo i rischi, gli esperti consigliano di controllare attentamente gli indirizzi dei siti web prima di cliccare su un link, di utilizzare soluzioni antivirus, di abilitare l’autenticazione a due fattori e di controllare gli annunci pubblicitari tramite gli strumenti integrati di Google.

La manipolazione dei motori di ricerca dimostra quanto sia importante fare attenzione ogni volta che si clicca su un link. Nonostante lo sviluppo della tecnologia e dell’intelligenza artificiale, la ricerca classica è ancora popolare.

L'articolo SEO Poisoning: Quando Google Diventa il Primo Alleato dei Cybercriminali proviene da il blog della sicurezza informatica.

E buona Pasqua, riempiamoci la bocca di Pace.

Gli Usa avvertono, 'senza una svolta su Kiev ci sfiliamo'

Fonte: ANSA
search.app/dRKGm

Parlando del padre:

"Ha preferito il lager piuttosto che arrendersi al nazifascismo e combattere con i tedeschi contro gli italiani" – ha spiegato – "aveva fatto amicizia con un compagno che gli aveva salvato la vita. Si chiamava Vasco"

agi.it/spettacolo/news/2025-04…

Nella loro eleganza, i mici sono diventati discreti guardiani del parco, custodi ideali di un passato che ancora parla.

agi.it/cronaca/news/2025-04-19…

#gatti

Riporto dalla newsletter di Haaretz:

The New York Times reported that the White House's antisemitism task force sent Harvard University its letter demanding reforms by mistake.

Ma perché l'estrema destra non riesce a non essere cialtrona? È una sua caratteristica genetica o hanno semplicemente la sfortuna di trovarsi leader cialtroni ad ogni latitudine?

Il Progetto EuroMed Justice ha recentemente organizzato un'attività di tre giorni del Technical Assistance Facility (TAF) al Cairo, in Egitto, dall'8 al 10 aprile 2025. L'evento ha riunito esperti e funzionari provenienti dall'Europa e dai Paesi Partner del Sud per concentrarsi sulla tutela del patrimonio culturale e sulla lotta al suo traffico illecito. L'attività è stata organizzata su richiesta delle autorità egiziane e cipriote e ha visto la partecipazione di 35 partecipanti in rappresentanza di diversi Paesi, tra cui Algeria, Belgio, Cipro, Egitto, Francia, Germania, Grecia, Italia, Libia, Marocco, Palestina, Svizzera e Regno Unito.

Il progetto EuroMed Justice mira a sviluppare meccanismi di cooperazione sostenibili per la cooperazione giudiziaria transfrontaliera in materia penale tra gli Stati membri dell'Unione Europea e i Paesi partner del Sud – Algeria, Egitto, Israele, Giordania, Libano, Libia, Marocco, Palestina e Tunisia. EuroMed Justice riunisce i soggetti interessati più rilevanti nel campo della giustizia penale dei Paesi partner del Sud, degli Stati membri dell'UE partecipanti, dei rappresentanti degli organismi dell'Unione Europea e delle organizzazioni internazionali attive nel campo della giustizia e della sicurezza. Il progetto organizza attività del TAF su richiesta delle autorità partecipanti per fornire un supporto personalizzato alle loro attività e azioni.

L'attività del TAF ha offerto ai partecipanti una piattaforma per condividere strategie e buone pratiche nella lotta al commercio illecito di beni culturali. L'evento è stato inaugurato ufficialmente alla presenza dell'Ambasciatore di Cipro in Egitto, del Vice Capo della Delegazione Europea al Cairo e di rappresentanti di alto livello dell'Egitto. I rappresentanti dei Paesi hanno condiviso casi di studio e storie di successo, evidenziando le sfide e i successi che hanno affrontato nei loro sforzi per la tutela del patrimonio culturale.

Il traffico illecito di beni culturali è diventato un'attività redditizia per la criminalità organizzata, in quanto può essere utilizzato per il riciclaggio di denaro, l'elusione delle sanzioni e il finanziamento del terrorismo, con conseguenze devastanti. Per contrastare questo problema, l'attività del TAF ha facilitato la cooperazione e la condivisione di conoscenze tra le parti interessate. Oltre ai casi di studio e alle storie di successo, i partecipanti hanno anche tratto spunto dalle presentazioni tenute dai rappresentanti del Team Anti-Traffico di Eurojust e da diverse organizzazioni internazionali, tra cui il Consiglio d'Europa, l' #UNICRI e l' #UNODC.

La tutela del patrimonio culturale e la lotta al suo traffico illecito sono sfide complesse e globali che richiedono un approccio multiforme. Il traffico illecito di beni culturali sottrae ai paesi d'origine una parte significativa della loro storia e identità, danneggiando gravemente il patrimonio culturale e causando perdite economiche significative. A tale riguardo, le strategie di tutela ricomprendono la Legislazione Nazionale e Internazionale (convenzioni internazionali come la Convenzione UNESCO del 1970 sul divieto di importazione, esportazione e trasferimento di proprietà di beni culturali sono strumenti chiave) e controllo alle Frontiere (un'efficace sorveglianza delle frontiere è essenziale per intercettare il traffico illecito. Questo richiede collaborazione tra le forze dell'ordine, le autorità doganali e gli esperti di beni culturali), oltre che, naturalmente, la collaborazione tra paesi, fondamentale per contrastare il traffico transnazionale. Questo include lo scambio di informazioni, la formazione congiunta delle forze dell'ordine e il supporto reciproco nelle indagini.

Nel corso dell’incontro sono stati organizzati incontri bilaterali parallelamente all'attività principale, aumentando ulteriormente le opportunità di collaborazione e cooperazione. Grazie alla condivisione di conoscenze e competenze, l'incontro ha posto le basi per una migliore cooperazione e collaborazione nella lotta al traffico illecito di beni culturali.

# EuroMedJustice #Eurojust #tutelabeniculturali # cooperazionegiudiziariatransfrontaliera #ConsigliodEuropa

La Polizia nazionale Ecuadoriana è riuscita a smantellare un’organizzazione criminale coinvolta nel traffico di droga verso l’Europa. L’indagine è andata avanti per due anni.

Il Ministero dell’Interno ecuadoriano ha riferito che durante l’esecuzione dell’operazione (nota come Gran Fénix 13 e 14), sono state catturate 59 persone: 44 sono state arrestate in Ecuador e 15 in Germania. L’operazione è stata condotta insieme a Europol, Guardia Civil spagnola, DIA italiana, LKA tedesca e sotto la direzione della Procura Generale dell’Ecuador. È stata inoltre supportata dalla Rete ON, finanziata dalla Commissione europea e guidata dalla Direzione investigativa antimafia italiana (DIA). La Polizia nazionale ha dichiarato di essere riuscita a identificare il modus operandi dei criminali coinvolti nel traffico illecito di sostanze illegali. Ha inoltre effettuato 50 perquisizioni, sequestrato 38,646 chilogrammi di cocaina, 32 telefoni cellulari, raccolto documentazione relativa alle indagini, 16 lucchetti e sigilli, 5 dispositivi di stoccaggio e due veicoli privati.

Questo gruppo criminale era coinvolto in due attività: la prima consisteva nella vendita di lucchetti e sigilli di sicurezza per container clonati e adulterati. La seconda struttura è stata identificata come “Los Choneros” e ha gestito un processo logistico per la mobilitazione di container contaminati da alcaloidi nei porti di Guayaquil e Puerto Bolivar. Questi container venivano esportati in Belgio, Germania, Italia e Spagna. L’impatto economico illegale di questa azione è di 966 milioni di dollari.

#Ecuador #Granfenix #Loschoneros # Europol #GuardiaCivil #DIA #LKA #reteON #ONNet #cooperazioneinternazionaledipolizia