Hackers Pose as IT Support to Extort U.S. Law Firms

The FBI says Silent Ransom Group operatives have used phone calls, phishing and in-person visits to access law firm computers, copy client files and demand ransoms.

The FBI has warned that the group known as Silent Ransom Group (also tracked as Luna Moth, Chatty Spider and UNC3753) has repeatedly targeted U.S. law firms. Agents say members pose as IT support by phone or email, gain access to firm systems and remove sensitive client files.

According to the FBI, the campaign typically starts with phishing emails or calls urging employees to contact an alleged IT support line. Attackers then guide staff to grant remote desktop access or to install remote-access software. When remote access does not work, operatives have gone to law offices in person and plugged storage devices into computers, telling staff they need to image a system or create a backup after a suspicious message.

Once an attacker has local or remote access, the FBI says they escalate privileges only as much as required and copy files without encrypting systems. The group commonly uses legitimate administration tools such as Windows Secure Copy (WinSCP) or a renamed or hidden version of the Rclone utility to transfer data off machines.

The stolen files are used for extortion. The FBI reports the actors send ransom emails threatening to publish or sell confidential material and in some cases call a victim’s clients or employees to increase pressure to negotiate payment. While the group has targeted the insurance, finance and healthcare sectors, FBI notices say it has focused on U.S. law firms since spring 2023.

Law firms store client records, privileged communications, financial information and case strategies; the FBI notes that exposure of those files can affect clients and ongoing matters.

The FBI has issued alerts describing the group’s aliases and tactics and advising organizations to verify unusual IT requests through internal channels, limit the use of remote administration tools, monitor for abnormal file transfers and enforce physical access controls to prevent unauthorized devices from being connected to corporate machines.
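The "abnormal file transfers" the FBI advises monitoring for can be spotted in ordinary endpoint telemetry. The following added example (written for this page, not FBI or vendor code) runs a few heuristics over process-creation records shaped like Sysmon Event ID 1 (the Image, OriginalFileName, CommandLine, User and ParentImage fields): it flags a transfer tool whose on-disk name differs from its embedded original file name (the renamed Rclone case mentioned above), a transfer tool running from or launched by something in a user-writable directory, a run by a user outside an assumed allowlist of IT staff, and an Rclone command line that copies or syncs to a cloud remote. The sample events, the FIRM\ account names and the ADMIN_USERS allowlist are all constructed for the example; the remote-name and path heuristics are assumptions a real deployment would tune.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records for this example.
# Field names follow Sysmon's schema; the values are invented, not real telemetry.
SAMPLE_EVENTS = [
    {  # benign: an IT admin runs WinSCP from its install directory
        "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
        "OriginalFileName": "winscp.exe",
        "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"',
        "User": r"FIRM\it-admin",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # renamed rclone in a user profile, copying case files to a cloud remote
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "rclone.exe",
        "CommandLine": r'svchost.exe copy "C:\Cases\Smith v. Jones" mega:backup --transfers 8',
        "User": r"FIRM\jdoe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # rclone under its own name, but spawned by a tool dropped in Downloads
        "Image": r"C:\ProgramData\rclone\rclone.exe",
        "OriginalFileName": "rclone.exe",
        "CommandLine": r"rclone.exe sync C:\Clients remote:share",
        "User": r"FIRM\asmith",
        "ParentImage": r"C:\Users\asmith\Downloads\support-tool.exe",
    },
    {  # unrelated process, should produce no findings
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe memo.txt",
        "User": r"FIRM\jdoe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}          # tools named in the FBI notice
TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}  # rclone subcommands that move data
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
ADMIN_USERS = {r"FIRM\it-admin"}   # assumed allowlist of staff expected to run transfer tools
# rclone addresses cloud storage as "remote:path"; requiring 2+ name characters
# keeps single-letter Windows drive paths such as C:\Cases from matching (heuristic).
REMOTE_NAME = re.compile(r"^[A-Za-z0-9_-]{2,}:")


def _tokens(cmdline):
    # Split a command line into arguments, keeping quoted paths together.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def _in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def analyze_event(ev):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    original = ev.get("OriginalFileName", "").lower()
    if original not in TRANSFER_TOOLS:
        return findings   # not a transfer tool; nothing to evaluate
    image_name = PureWindowsPath(ev["Image"]).name.lower()
    if image_name != original:
        findings.append(f"renamed transfer tool: {image_name} is really {original}")
    if _in_user_writable(ev["Image"]):
        findings.append(f"transfer tool running from user-writable path: {ev['Image']}")
    if ev.get("User") not in ADMIN_USERS:
        findings.append(f"transfer tool run by non-admin user: {ev.get('User')}")
    if _in_user_writable(ev.get("ParentImage", "")):
        findings.append(f"launched by process in user-writable path: {ev['ParentImage']}")
    toks = [t.strip('"').lower() for t in _tokens(ev.get("CommandLine", ""))]
    if original == "rclone.exe" and any(t in TRANSFER_VERBS for t in toks):
        remotes = [t for t in toks if REMOTE_NAME.match(t)]
        if remotes:
            findings.append(f"rclone transfer to remote {remotes[0]}")
    return findings


def analyze(events):
    """Run the heuristics over a batch of events; return only events with findings."""
    results = []
    for i, ev in enumerate(events):
        findings = analyze_event(ev)
        if findings:
            results.append({"index": i, "image": ev["Image"], "findings": findings})
    return results


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['image']}")
        for f in hit["findings"]:
            print("  -", f)
```

The benign WinSCP run produces nothing, while the two Rclone events each trip several rules; in practice the same checks map onto a SIEM query over Sysmon or EDR process data, with the allowlist and path markers replaced by the firm's real inventory of who is expected to run these tools and from where.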

Gabrielle Hempel, a security operations strategist at Exabeam, commented, “After years of building detections around malware and exploits, attackers are shifting toward social engineering, trusted tooling and physical access.” Nick Tausek, lead security automation architect at Swimlane, warned that posing as IT support and moving quickly to steal data before staff notice makes prevention and early detection more difficult.
