A sweeping international law enforcement operation has dealt a major blow to dark web drug trafficking and cybercrime, with 270 arrests across ten countries and the seizure of more than $200 million in cash and digital assets, over two metric tons of narcotics, and more than 180 firearms. The effort, known as Operation RapTOR, brought together agencies from the United States, Europe, Asia, and South America to dismantle illicit marketplaces and pursue the individuals behind them.
The operation was coordinated by Europol in partnership with the FBI-led Joint Criminal Opioid and Darknet Enforcement (JCODE) team. Participating U.S. agencies included Homeland Security Investigations (HSI), the Drug Enforcement Administration (DEA), the Food and Drug Administration’s Office of Criminal Investigations (FDA OCI), the Internal Revenue Service’s Criminal Investigation Division (IRS-CI), and the U.S. Postal Inspection Service (USPIS), among others. These organizations worked in concert with international counterparts in Austria, Brazil, France, Germany, the Netherlands, South Korea, Spain, Switzerland, and the United Kingdom.
Investigators seized infrastructure from multiple darknet marketplaces including Nemesis, Tor2Door, Bohemia, and Kingdom Market. These takedowns allowed authorities to trace thousands of transactions, leading to arrests and the confiscation of drugs, weapons, and other illicit items. Among the drugs seized were 144 kilograms of fentanyl or fentanyl-laced narcotics. Officials emphasized that these operations disrupt the networks that fuel the opioid crisis and online criminal commerce.
Acting ICE Director Todd Lyons stated the operation demonstrates the growing capacity of international partners to unmask cybercriminals: “Your anonymity ends where our global reach begins.” Europol’s cybercrime chief, Edvardas Šileris, echoed that sentiment, noting that “the dark web is not beyond the reach of law enforcement.”
In a related move, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Behrouz Parsarad, the Iranian founder of Nemesis Market. The platform was seized as part of Operation RapTOR, further curbing its ability to operate in the shadows.
U.S. Attorney General Pam Bondi credited the operation with preventing potential deaths and holding criminals accountable: “Criminals cannot hide behind computer screens or seek refuge on the dark web — this Justice Department will identify and eliminate threats to the American people regardless of where they originate.” FBI Director Kash Patel emphasized the collaborative nature of the effort, stating that it was “only possible with partners both at home and abroad.”
Officials described vendors who used encrypted messaging apps and cryptocurrency to mask transactions, selling everything from fentanyl-laced pills to firearms. These sellers were identified through analysis of darknet data and follow-up operations conducted across multiple jurisdictions.
Past investigations supported by JCODE illustrate the extent of the threat. In one case, Southern California residents were sentenced to more than 15 years in federal prison for supplying fentanyl-laced pills sold across all 50 U.S. states via the darknet. Another investigation in New Jersey and New York revealed vendors had shipped over 13,000 counterfeit Adderall orders containing methamphetamine. Federal agents seized nearly $330,000, 80,000 pills, firearms, and pill press machines.
As cybercriminals continue to evolve, so do law enforcement tactics. In addition to targeting darknet markets, Operation RapTOR included actions against malware distribution networks. A major component involved dismantling LummaC2, a malware-as-a-service operation that harvested login credentials, cryptocurrency wallet data, and sensitive personal information. Authorities seized over 2,300 domains used to control LummaC2’s infected systems, disrupting a network responsible for up to 10 million infections globally.
The developer of Lumma, known online as “Shamel,” marketed the tool through encrypted chat forums and offered subscriptions ranging from $250 to $20,000. Lumma’s infrastructure used techniques such as proxy masking, dynamic domain rotation, and exploitation of trusted platforms to avoid detection. According to Europol, this malware was among the most widely used tools for stealing information from Windows devices in 2025.
The crackdown was made possible through collaboration with Microsoft’s Digital Crimes Unit and cybersecurity companies including ESET, Cloudflare, and GMO Registry. Cloudflare placed interstitial warnings in front of the attackers’ domains and suspended accounts linked to the malware’s operators.
Even with these successes, officials caution that the threat remains. Criminals may regroup and shift tactics, but global law enforcement agencies plan to remain aggressive in targeting dark web actors and those who enable them. As ICE’s Robert Hammer said, “If you profit from pain online, we’re looking for you — and you’ll soon learn that no corner of the internet is beyond our reach.”