The Evil Corp Takedown Is A Win And A Warning
Derek Blok
25 June 2026
The following contributed article comes from Derek Blok, who is the founder and chief executive of Invincyble. The organization calls itself a private firm offering confidential white-glove protection and crisis mitigation for high net worth individuals, family offices, and private companies.
About the author: Derek Blok, based in Los Angeles, is an ethical hacker and former director of cyber terrorism and security in the Defense and Intelligence community. He is the founder and CEO of two cybersecurity companies: Invincyble, a private firm offering confidential white-glove protection and crisis mitigation for high net worth individuals, family offices, and private companies against the growing manifold threats in the cyber world; and HackerLyfe, an A+ governmental contracting company for the defense industry.
Physical and digital threats to individuals and their families are very much in the public eye, as evidenced in this article. The author examines a recent prominent case and the lessons he thinks it holds. The editors are pleased to share this content; the usual editorial disclaimers apply to views of guest writers. Email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com
This week, the FBI, Europol, and law enforcement partners across Canada, Germany, and the Netherlands dismantled a piece of criminal infrastructure most of their fellow citizens have never heard of: SocGholish. In a coordinated operation, investigators and private cybersecurity firms took down 106 servers and remediated nearly 15,000 infected websites, disabling a botnet that had quietly powered some of the most damaging ransomware campaigns of the last decade.
It's worth pausing on what was actually dismantled. SocGholish – also known as “FakeUpdates” – wasn't a single piece of malware aimed at a single target. It was infrastructure: a sprawling network of compromised, mostly ordinary WordPress sites – restaurants, auto shops, small service businesses – that redirected unsuspecting visitors toward fake software update prompts. Click the prompt, and you'd hand a foothold to whoever was buying access that day.
For years, that buyer was often Evil Corp, the Russian cybercrime syndicate the US Treasury has sanctioned and law enforcement has chased for nearly a decade. From that foothold came initial access for some of the most prolific ransomware families in recent memory: LockBit, RansomHub, Hades, WastedLocker, DoppelPaymer.
This is the part that should concern anyone with significant assets, a public profile, or a sprawling personal and business footprint: none of those 15,000 infected websites were the actual target. They were the door. The actual targets were whoever happened to click next – a family office controller checking a vendor invoice, an assistant browsing a local business site, a principal's household manager looking up a contractor. SocGholish didn't need to know who you were. It just needed you to visit the wrong page on an otherwise unremarkable site.
That's the uncomfortable truth this takedown surfaces. Ultra-HNW families, family offices, and the businesses tied to them don't have a single perimeter to defend – they have dozens: portfolio companies; charitable foundations; household staff with their own devices and browsing habits; and the vendors, property managers, and advisors who all touch sensitive financial and personal data but answer to nobody's security policy but their own. Evil Corp and groups like it have spent years proving that they don't need to breach you directly. They need one compromised contractor's website, one infected vendor portal, one careless click three steps removed from your inner circle – and they've shown that they will wait for it.
It's also worth being honest about what this takedown does and doesn't accomplish. Operation Endgame, the multinational campaign behind this action, has disrupted Evil Corp's infrastructure before. The group has weathered Treasury sanctions, indictments, and prior takedowns by reconstituting under new affiliate brands and rented ransomware kits. A server seizure is a genuine setback. It is not a retirement notice. The infrastructure will be rebuilt, under a new name, sooner than most victims expect.
For high net worth families and the enterprises around them, that's the operating reality: law enforcement can win individual battles, but it cannot be your security strategy. The families and family offices that stay ahead of groups like Evil Corp are the ones who treat their digital footprint – every entity, every vendor relationship, every device in the household – as a single, continuously monitored attack surface, rather than waiting to learn that they were collateral damage in someone else's breach notification.
That's the work we built Invincyble to do. Our monitoring platform ingests the same class of threat intelligence – malware infrastructure, compromised domains, known threat-actor indicators – that researchers used to map SocGholish in the first place, and applies it continuously against the specific footprint of the family, the foundation, the portfolio companies, and the vendors orbiting a principal's life. When infrastructure tied to a group like Evil Corp resurfaces, as it will, our clients aren't reading about it after the fact in a breach notification. They're already insulated from it, because we hardened the contractor relationships, the household devices, and the digital perimeter long before the next SocGholish showed up wearing a different name.
The takedown announced this week is good news. It's also a preview of the next one – and the families who treat cybersecurity as a continuous discipline, not a news story they read after the fact, are the ones who won't be in it.
Invincyble LLC provides concierge cybersecurity for ultra-high net worth individuals, family offices, and the enterprises around them. To learn how continuous threat monitoring and digital footprint hardening apply to your specific exposure, reach out for a confidential consultation.
Source: Matt Kapko, “Authorities disrupt Evil Corp's SocGholish botnet,” CyberScoop, June 18, 2026.