TF Cybercrime Round-Up: 29 May 2026

Dutch police dismantled a 17-million-device botnet. Over 4,300 fake FIFA websites are live and waiting for World Cup fans. The FBI is now tracking "anti-tech extremists." AI agents are being tested in simulated environments for security research. And Airbus and BMW chose Mistral over the American giants. Five stories. One very busy Thursday.

Li Nguyen

Cybercrime and technology security news this week covered five distinct developments — from law enforcement’s largest botnet takedown of the year to a new domestic threat category the FBI has never used before. The week produced a Dutch botnet bust involving 17 million infected consumer devices, a Group-IB report documenting more than 4,300 fake FIFA websites targeting World Cup fans, a WIRED investigation revealing the FBI is surveilling a new category it calls “anti-tech extremists”, new research on AI agents deployed in simulated environments for security testing, and Mistral AI’s landmark partnerships with Airbus and BMW — proving that Europe’s AI sovereignty argument is landing industrial contracts. Together, the stories map the week’s technology security and AI policy landscape.

What’s Happening & Why It Matters

Dutch Police Dismantle the Asocks Botnet: 17 Million Devices

On 28 May 2026, the Dutch National Police and the National Cyber Security Centre (NCSC-NL) announced the dismantlement of a massive botnet comprising at least 17 million infected consumer devices. The operation began after an NCSC-NL security researcher tipped off the Cybercrime Team of The Hague Police Unit about the infrastructure. Investigators traced the botnet’s control systems to 200 servers — all physically located in the Netherlands — hosted by a local provider. Officers seized a number of those servers. The hosting provider then shut down the remaining infrastructure after discovering it was being used for criminal purposes.

The botnet is identified as Asocks — a commercial residential and mobile proxy service. The infected devices included computers, routers, tablets, smartphones, and IoT devices such as smart security cameras. The operator covertly installed malware on poorly protected consumer devices. That malware turned each device into a proxy node — making criminal internet traffic appear to originate from a legitimate home IP address rather than a criminal server. By contrast, data centre IP addresses are routinely blocked by security systems. Residential IPs from home routers and smartphones carry trust that criminal actors exploit. The takedown removed that trusted cover from a network that had grown to 17 million nodes globally.

Asocks Use — and What It Means

Dutch police listed several categories of abuse enabled by the Asocks infrastructure. Those include phishing campaigns, distributed denial-of-service (DDoS) attacks, credential stuffing, malware distribution, and general online fraud. Residential proxy botnets are particularly valuable for credential stuffing — automated attacks that test stolen username-password combinations against banks, email providers, and e-commerce platforms. By routing those authentication attempts through millions of genuine home IP addresses, the attackers bypass the geo-blocking and rate-limiting systems that most platforms use to detect suspicious login activity.
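The detection gap described above, as an added example that is not from the police statement or any vendor: a per-IP failure limit sees nothing when every attempt arrives from a different home address, while an aggregate check over the same window does. The event data is constructed and all three thresholds are assumptions.

```python
from collections import Counter

PER_IP_LIMIT = 5          # assumed: block an IP after more than 5 failures per window
MIN_FAILED_ACCOUNTS = 20  # assumed: distinct accounts failing in one window
MAX_SUCCESS_RATIO = 0.10  # assumed: stuffing runs rarely succeed

def constructed_window():
    """Constructed sample: one time window of (ip, username, success) events."""
    events = []
    # 60 attempts, each from a different address against a different account
    for i in range(60):
        events.append((f"198.51.100.{i}", f"user{i}", i % 30 == 0))
    # ordinary traffic: one user mistypes a password twice, then succeeds
    events += [("203.0.113.7", "alice", False),
               ("203.0.113.7", "alice", False),
               ("203.0.113.7", "alice", True)]
    return events

def per_ip_limiter_hits(events):
    """IPs a classic per-IP failure limit would block in this window."""
    fails = Counter(ip for ip, _, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n > PER_IP_LIMIT)

def aggregate_signal(events):
    """Window-wide view: many accounts failing, few successes, failures spread thin."""
    failures = [(ip, user) for ip, user, ok in events if not ok]
    failed_accounts = {user for _, user in failures}
    failing_ips = {ip for ip, _ in failures}
    success_ratio = (len(events) - len(failures)) / len(events)
    spread = len(failing_ips) / max(1, len(failures))  # near 1.0: one failure per IP
    return {
        "failed_accounts": len(failed_accounts),
        "failing_ips": len(failing_ips),
        "success_ratio": round(success_ratio, 3),
        "suspicious": (len(failed_accounts) >= MIN_FAILED_ACCOUNTS
                       and success_ratio <= MAX_SUCCESS_RATIO
                       and spread > 0.8),
    }

if __name__ == "__main__":
    window = constructed_window()
    print("per-IP limiter blocks:", per_ip_limiter_hits(window))
    print("aggregate view:", aggregate_signal(window))
```
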

The advice Dutch authorities issued after the takedown is straightforward and worth repeating. Keep operating systems and devices updated. Use strong, unique passwords with two-factor authentication. Download apps only from trusted sources. Check connected devices with antivirus software regularly. Those four steps collectively reduce the likelihood that a device is a botnet node — regardless of which specific botnet is currently the largest.

4,300 Fake FIFA Sites: Live World Cup Scams

The 2026 FIFA World Cup begins on 11 June in the United States, Canada, and Mexico. The criminal infrastructure targeting fans was live months earlier. Group-IB published an analysis documenting more than 4,300 fraudulent domains impersonating FIFA’s official web presence — registered since August 2025. Four independent threat actors are operating simultaneously. The dominant group, which Group-IB tracks as Ghost Stadium, is described as Chinese-speaking and profit-driven. Most fraudulent domains are currently dormant. They are scheduled to activate as kickoff approaches — following the same pattern Group-IB documented before the 2022 Qatar World Cup.

The FBI’s Internet Crime Complaint Centre issued a parallel public service announcement confirming the bureau has identified dozens of fraudulent domains already in operation. The FBI described the central technique as typosquatting — registering domains that differ from fifa.com by a single character, an extra word, or an alternative top-level domain. The guidance is simple. Type fifa.com directly into your browser address bar. Do not click search engine advertisements for FIFA-related searches. Scammers can purchase sponsored results to divert traffic from the real site. Do not click links in emails or social media posts claiming to offer tickets, merchandise, or hospitality packages.
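An added example, not code from the FBI or Group-IB, that sorts observed domains into the three lookalike patterns named above (single character, extra word, alternative top-level domain) so a mail or proxy filter can queue them for review. The sample domains are constructed, and the parser assumes single-label TLDs.

```python
BRAND, TLD = "fifa", "com"  # official site named in the article: fifa.com

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return the lookalike category, "official", or None if unrelated.
    Assumption: single-label TLDs only (no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    if name == BRAND:
        return "official" if tld == TLD else "alternative-tld"
    if edit_distance(name, BRAND) == 1:
        return "single-character"
    if BRAND in name.split("-") or name.startswith(BRAND) or name.endswith(BRAND):
        return "extra-word"
    return None

# Constructed sample of newly observed domains (not real indicators).
SAMPLE = ["fifa.com", "www.fifa.com", "fiffa.com", "fifa-tickets.com",
          "fifa.shop", "worldcupfifa.net", "example.org"]

def triage(domains):
    """Map each domain that needs review to its category."""
    out = {}
    for d in domains:
        cat = classify(d)
        if cat not in (None, "official"):
            out[d] = cat
    return out

if __name__ == "__main__":
    for d, cat in triage(SAMPLE).items():
        print(f"{d:20} {cat}")
```

A match is a candidate for review, not a verdict: a one-character neighbour of a four-letter name can be an unrelated legitimate site.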

The Fake Visa Scam: The Most Dangerous Category

Within the FIFA scam landscape, Malwarebytes researchers identified one category that stands apart from fake merchandise and phishing ticketing sites. Several fraudulent sites are advertising “World Cup visas” — claiming to offer guaranteed tournament entry visas for $270 per person with a stated “98% success rate.” There is no such product. The US State Department has confirmed explicitly that no special FIFA tournament visa exists. The US, Canada, and Mexico each have standard visa processes. No supplementary tournament visa is available — or necessary. Anyone who pays for one has paid a criminal.

AI Agents in Simulated Environments: Security Research’s New Frontier

Euronews Next reported on emerging research using AI agents deployed in simulated digital environments for security testing and vulnerability discovery. Researchers are building controlled virtual environments — digital twin architectures — that allow AI agents to probe infrastructure without interacting with live systems. That approach enables more aggressive testing than traditional penetration testing tools allow. An AI agent that can explore a simulated replica of a bank’s authentication infrastructure, attempt credential attacks, and identify novel exploits does so entirely within a sandboxed environment. No live customer data is at risk.

The research connects directly to Anthropic’s Project Glasswing — the controlled access programme for Claude Mythos Preview that TF covered earlier this month. Project Glasswing partners receive access to Mythos specifically for defensive security research in controlled environments. The Dutch botnet takedown and the FIFA scam network both represent the kinds of criminal infrastructure that AI-powered security agents — operating in simulated environments — could map and disrupt more quickly than human analysts working with traditional indicators of compromise.

The FBI’s “Anti-Tech Extremism” Warning: Surveillance of a New Category

The most politically significant cybersecurity story of the week comes from WIRED’s investigation, published on 27 May. WIRED obtained more than 1,000 pages of unpublished reports from the Department of Homeland Security (DHS), the FBI, and regional intelligence fusion centres. Those documents reveal that US law enforcement has created a new domestic threat category: “anti-tech extremism.” The category encompasses public anger about AI job displacement, protests targeting data centre construction, and potential violent responses to the AI industry’s accelerating expansion.

A New York intelligence bureau report cited in the investigation warns that “the chaotic atmosphere that may result from emergent AI technology in the next five years may fuel large-scale protests that devolve into civil unrest and anti-tech violent extremist activity, especially in large urban areas such as New York.” That framing, which connects legitimate public concerns about AI displacement to potential domestic terrorism, is the nexus of a significant civil liberties debate. As TF covered in its Pennsylvania data centre town hall article, community opposition to data centre expansion is already organised and vocal. The Trump administration’s National Security Presidential Memo 7 — which instructs the DOJ to target those with “anti-American,” “anti-Christian,” and “anti-capitalism” beliefs — provides the policy context in which a new surveillance category has emerged.

Mistral AI Signs Airbus and BMW: Europe’s Sovereign AI Moment

The week’s most commercially significant positive story is Mistral AI’s simultaneous partnerships with Airbus and BMW, announced at Mistral’s first AI conference in Paris on 28 May. Airbus signed a five-year partnership to deploy AI across commercial aircraft, helicopters, defence, and space activities. Priority areas include AI-assisted cockpit safety, automated technical document production, AI-driven engineering simulation, and edge AI for object recognition — all under strict security and sovereignty requirements. Airbus will be able to deploy Mistral models on-premises or in trusted cloud environments to meet confidentiality requirements for military aerospace applications.

BMW separately contracted Mistral to build AI models trained on the automaker’s crash simulation data — systems that “understand the physics” of vehicle safety testing. The financial terms of both agreements are undisclosed. Mistral CEO Arthur Mensch described the strategic context at the conference. “The most important use cases for AI are located in research and development and the creation of physical objects.” He added that Mistral does not have Microsoft’s balance sheet — but it has the trust of European industrial partners that does not automatically extend to US providers for defence-adjacent applications. CMA CGM, the world’s third-largest shipping company, will launch a Mistral-powered platform called Maia for its 80,000 staff on 1 June.

TF Summary: What’s Next

The Dutch botnet investigation continues. Dutch police have not named suspects or confirmed whether criminal charges will follow the server seizure. The FIFA World Cup opens on 11 June. The FBI expects additional fake domains to go live as that date approaches. The IC3 is accepting reports at ic3.gov. The WIRED investigation into anti-tech extremism surveillance is expected to generate Congressional and civil liberties responses. Mistral’s Airbus and BMW deals become operational over the coming months.

MY FORECAST: Cybercrime and technology security news points toward three converging pressures in the second half of 2026. The FIFA World Cup scam infrastructure — currently dormant across 4,300+ domains — will activate on 11 June and trigger the largest coordinated sports-related cybercrime wave since the 2022 Qatar World Cup. The “anti-tech extremism” surveillance category will generate a formal legal challenge from civil liberties organisations before the end of the year — specifically targeting whether the category constitutes viewpoint-based suppression of legitimate political speech. And Mistral’s Airbus and BMW deals mark the moment when European sovereign AI ceased to be a policy aspiration and became an industrial-contract reality. The US government’s approach to AI governance — designating Anthropic a supply chain risk while Mistral wins European aerospace and automotive contracts — is producing a bifurcation in global AI industrial partnerships that will take years to reverse.


By Li Nguyen “TF Emerging Tech”
Background:
Liam ‘Li’ Nguyen is a persona characterized by his deep involvement in the world of emerging technologies and entrepreneurship. With a Master's degree in Computer Science specializing in Artificial Intelligence, Li transitioned from academia to the entrepreneurial world. He co-founded a startup focused on IoT solutions, where he gained invaluable experience in navigating the tech startup ecosystem. His passion lies in exploring and demystifying the latest trends in AI, blockchain, and IoT