Police take down major pop-up scams

An international police operation seized the servers behind the fake 'update your browser' pop-up. A rare win, and what it actually changes for you.


On June 18, an international police operation seized the servers behind the fake "update your browser" pop-up, the one that has been tricking people into installing malware since 2017. They took down 106 servers and domains and scrubbed the malware off 14,971 hacked websites.

The network is called SocGholish, and that pop-up was the first link in a chain that ends with a company locked out of its own files, or your data in the hands of bad actors. This week the police cut the chain near the start.

You have probably seen the box. You are on a normal website and a pop-up appears telling you your browser is out of date, click here to update. If you saw Saturday's post on the fake CAPTCHA scam, this is in the same family.

The real fake-update pop-up. Source: Malwarebytes

The clever tactic was stealth. It showed the fake box only to visitors it had picked out as worthwhile targets and stayed invisible to everyone else, including the people who owned the hacked sites. That is how it could sit on a site for years without the owner noticing. Researchers at Proofpoint call SocGholish the originator of the whole technique.

What that pop-up was after had nothing to do with selling you anything. SocGholish was what the security world calls an "initial-access broker." Its business was breaking into computers and selling that access on to other criminals. The buyers were ransomware gangs like LockBit and RansomHub, the kind that rent their ransomware out to affiliates who do the actual break-ins.

The fake update box was just the front door. Whoever paid for the access decided what came next, and what they usually came for was your files held hostage or your data dumped on a leak site.


This is a rare takedown that gets ahead of the damage. Instead of cleaning up after a ransomware attack, the police cut the supply line that feeds one.

Dutch police, who led the operation, say the login details for 1.4 million websites turned up in the process. The breach-notification service Have I Been Pwned was handed 154,000 email addresses and more than half a million passwords from the haul. Canada's federal police disinfected 2,488 computers and notified every Canadian victim they could identify.

The Netherlands, the FBI, Germany, and Canada ran it together with Europol behind them, as part of an ongoing campaign called Operation Endgame that has spent two years knocking out malware services hundreds of servers at a time.

Don't celebrate too much. The servers are gone, but the people who ran them are not.

SocGholish is tied to Evil Corp (yes, that's really their name), a Russian group that law enforcement knows well. The US, UK, and Australia have all sanctioned Evil Corp. Its alleged leader, Maksim Yakubets, carries a $5 million FBI bounty and is believed to have worked with Russian intelligence.

None of those people are reachable by a server seizure. Groups like this have rebuilt after takedowns before.

The login details for those 1.4 million websites are already circulating, and the scam was never SocGholish's alone. Copycats like ClearFake and ZPHP run the same play, and nobody has touched them yet.

A few steps you can take.

If you have seen these pop-ups, one simple rule: a real browser update never arrives as a box on a web page. Chrome, Edge, Safari, and Firefox all update themselves in the background, and when they do want your attention they say so in their own menus and settings, never inside the page you are reading. So any website telling you to update is lying, every time.

  • Close the tab.
  • If you ever clicked one and are not sure what happened, check your email at haveibeenpwned.com, change any password that shows up, and run a scan with the security software already on your machine.
  • One catch: scammers send fake breach warnings with a link to "check your data," so do not click a link in an email for this. Type the address in yourself.

If you run a website, you may have been one of the hosts without ever knowing it. That is what the 1.4 million number accounts for.

  • Put your domain into Have I Been Pwned's domain search.
  • Change every admin password, and turn on multi-factor login.
  • Update WordPress along with its plugins.
  • If the police cleaned your site, do not call it fully clean yet. They pulled the backdoor, but your passwords and any extra admin accounts the attackers added are still yours to deal with.
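One check you can run yourself on a site that may have been a host: list every outside domain your pages load script from and compare it with the domains you actually chose. The scanner below is an added example, not code from the newsletter or from any of the agencies named; it assumes, as is typical for injections of this kind, that the planted code arrives as a `<script src=...>` tag pointing at a domain the owner never added. The sample page it scans is constructed, with the injected host placed under the reserved `.invalid` domain.

```python
import os
import re
from urllib.parse import urlparse

# Matches the src attribute of a <script> tag; the lookbehind keeps
# attributes such as data-src from being mistaken for src.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?(?<![\w-])src\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js", ".sql"}


def script_hosts(content: str) -> list[str]:
    """Hostnames that <script src=...> tags in the text load code from.
    Same-origin (relative) paths have no host and are skipped."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(content):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def unexpected_hosts(content: str, allowlist: set[str]) -> list[str]:
    """Script hosts that are neither an allowlisted domain nor a subdomain of one."""
    found: list[str] = []
    for host in script_hosts(content):
        trusted = any(host == a or host.endswith("." + a) for a in allowlist)
        if not trusted and host not in found:
            found.append(host)
    return found


def scan_tree(root: str, allowlist: set[str]) -> dict[str, list[str]]:
    """Walk a site's files and map each file to the unexpected script hosts it references."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hosts = unexpected_hosts(fh.read(), allowlist)
            except OSError:
                continue
            if hosts:
                findings[path] = hosts
    return findings


# Constructed page: two legitimate scripts and one injected tag pointing at a
# host (under the reserved .invalid TLD) that the site owner never added.
CONSTRUCTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-shop.com/assets/app.js"></script>
<script type='text/javascript' data-src='x' src='//static.not-our-cdn.invalid/loader.js'></script>
</head><body>hello</body></html>"""

OWN_DOMAINS = {"example-shop.com"}   # the domains you know you load scripts from

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as site:
        with open(os.path.join(site, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_PAGE)
        for path, hosts in scan_tree(site, OWN_DOMAINS).items():
            print(f"{path}: loads scripts from unexpected hosts {hosts}")
```

Point `scan_tree` at your web root with your own domains in the allowlist, and also run it over a database export, since on WordPress the planted tag often lives in a post, a widget or an option rather than in a file; that is why `.sql` is in the scanned extensions. The scanner will not catch code that is obfuscated inline rather than loaded from a URL, so treat an empty result as one clue, not a clean bill of health. For the extra admin accounts mentioned above, WP-CLI's `wp user list --role=administrator` gives you the list to compare against the accounts you know you created.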

Build the habit and you'll be covered, with or without the next takedown: a real update never comes from a website, so close every one of these pop-ups on sight.

The pop-up looks like junk mail, but it's at the front of a line that ends with a company locked out of its own files, or your data sold to whoever pays. Close the pop-up, and you cut your own link out of the chain.

Have you ever absentmindedly clicked one of these pop-ups? If so, what happened? I'd love to hear about it. You can reach me at joel@freshfromcache.com.

Source: Netherlands Police (politie.nl), June 18, 2026, corroborated by Proofpoint, Infoblox, and Have I Been Pwned.
