Lab Report #8 - This week in financial Crime

This week’s pattern was one of regulators and law enforcement reaching into the connective tissue of financial crime – the infrastructure that makes industrial offending possible, rather than the offending itself. Europol and Eurojust dismantled First VPN, a virtual private network sold inside the cybercrime ecosystem to launder identity across ransomware, fraud and data theft operations. OFAC published Iran-related and Counter-Terrorism designations across three consecutive working days. The European Anti-Money Laundering Authority held its first major public hearings on FIU-to-FIU and FIU-to-European Public Prosecutor’s Office cooperation, the operational plumbing of the new EU AML architecture. The European Commission opened a consultation on MiCA. The FinCEN AML/CFT programme rule, the most consequential domestic AML reform in a generation, closes its public comment period on 9 June. And the Department of Justice secured a federal jury conviction of the founder of HealthSplash for a $1 billion Medicare scheme. Read together, the week is a reminder that financial crime enforcement is increasingly an exercise in re-engineering the infrastructure of detection, supervision and obscurity – not only in punishing individuals at the margins.


1. Europol dismantles First VPN – cybercrime’s anonymisation layer

Europol and Eurojust announced on 21 May the dismantling of First VPN, a virtual private network service used by ransomware operators, fraudsters and data thieves to conceal their activity. Led by France and the Netherlands with support from eight further countries, the operation ran on 19 and 20 May, dismantled 33 servers, seized three domains (1vpns.com, 1vpns.net, 1vpns.org) and associated onion addresses, and resulted in the interview of the alleged administrator following a house search in Ukraine. CyberScoop reports that investigators obtained the user database and identified VPN connections used by alleged cybercriminals. Infosecurity Magazine notes that the investigation began in December 2021, with users now formally notified that their identities are known to authorities.

This action sits at the intersection of crime-as-a-service economics and displacement theory. Anonymisation is a tradable commodity inside the cybercrime supply chain – a service layer purchased from specialised providers rather than self-built by individual offenders. Dismantling that service layer yields disproportionate suppression of the downstream offender population it enables, the same logic that has driven enforcement against bulletproof hosting and phishing-as-a-service in recent years. The structural feature worth noting is the seizure of the user database. Read through a rational choice lens, the most powerful deterrent here is not the dismantling itself but the credible retrospective identification of buyers – the cost calculation now includes the possibility that one’s anonymisation provider has, in fact, been an evidence-collection apparatus for half a decade. Expect a temporary migration toward smaller, more fragmented providers, with the associated friction that fragmentation imposes.

2. OFAC publishes Iran and Counter-Terrorism designations across three consecutive working days

OFAC published Iran-related designations and a Counter Terrorism designation on 27 May; Iran-related designations with the issuance of a Russia-related general licence and amended FAQs on 28 May; and further Counter Terrorism designations with an amended Iran-related FAQ on 29 May. The cadence, three consecutive working days, each with new SDN listings, extends the publication rhythm that has characterised the spring’s Iran sanctions enforcement.

I have made the cadence argument repeatedly across May, and the structural point remains. Under rational choice, the variable most reliably suppressing offending is the perceived certainty of detection and consequence, not the severity of any individual designation. OFAC has, in effect, normalised a publication tempo whose function is not the individual SDN entry but the aggregate signal that exposure is continuous. The complementary point worth noting this week is the simultaneous publication of designation removals and amended general licences. Sanctions architecture is most credible to financial institutions when the perimeter is dynamic and well-documented; the worst outcome for capable-guardian compliance is a perimeter that drifts silently. Cadence in additions should be matched by cadence in housekeeping, and on the evidence of this week, OFAC is now operationalising both.

3. AMLA holds public hearings on FIU cooperation and home-host supervisory ITS

The European Anti-Money Laundering Authority held its public hearings on draft Implementing Technical Standards for FIU cooperation on 27 May, with a morning session covering the two European Public Prosecutor’s Office reporting instruments and an afternoon session on FIU-to-FIU exchanges over FIU.net. The instrument introduces six standard templates for FIU-to-FIU exchanges and harmonises reporting between Financial Intelligence Units, the EPPO and AMLA. A parallel public hearing on draft Regulatory Technical Standards for home-host supervisory cooperation was held by AMLA on 28 May.

This is unglamorous and structurally important. Routine activity theory identifies capable guardianship as one of the three constitutive conditions for offending to be suppressed. Across the EU, that guardianship has historically been weakened by fragmentation: twenty-seven national FIUs with bilateral information-exchange habits, inconsistent formats, and variable bandwidth. Harmonised reporting templates, common formats and EPPO integration are the unromantic infrastructure that makes information cross borders at the speed at which money already does. Whether AMLA’s regime works depends on whether the ITS are robust enough to compress the practical delay in cross-border FIU exchange to a window meaningful in operational terms. That is the test the Authority will be measured on across 2027.

4. EU Commission opens consultation on MiCA functioning

The European Commission launched a public and a targeted consultation on 20 May on the functioning of the Regulation on Markets in Crypto Assets. Both consultations are open for feedback until 31 August, with the Commission stating that feedback will inform future policy work on digital assets. The targeted consultation addresses more technical and legal questions and is aimed at digital asset issuers and service providers, financial institutions, technology providers and industry bodies.

MiCA is the first regional regulatory architecture to treat crypto asset service provision as a regulated activity rather than as a technological frontier; the consultation is the first scheduled opportunity to examine whether the perimeter, the licensing regime and the supervisory tooling have absorbed the reality of how crypto-enabled financial crime actually operates. From a trust exploitation perspective, the question to interrogate is whether MiCA’s authorisation regime has narrowed the gap between regulated and unregulated activity, or whether it has simply moved the perimeter, with serious illicit activity migrating to non-authorised platforms operating into the EU without an authorised counterparty. Expect submissions from FATF-active jurisdictions, AMLA, national FIUs and operational law enforcement bodies to focus on that perimeter question.

5. FinCEN AML/CFT programme rule comment period closes 9 June

The FinCEN Notice of Proposed Rulemaking to fundamentally reform AML/CFT programmes closes its public comment period on 9 June 2026. Analysis from Paul Weiss sets out the four principal objectives: ensuring AML/CFT programmes are risk-based and focused on outcomes rather than technical compliance; elevating FinCEN’s role in supervising banks’ programmes through a 30-day notice-and-consultation framework with the federal banking agencies before significant supervisory action; refocusing enforcement on failures to establish effective programmes (treating failures to maintain them more leniently absent significant or systemic failure); and incentivising the provision of “highly useful information” through the FinCEN Exchange Programme, 314(a) responses and innovative analytics including artificial intelligence and federated learning.

The doctrinal shift is from procedural compliance to outcomes-based effectiveness – exactly the trajectory FATF has been imposing on its fifth-round mutual evaluations. The criminologically significant point is the rule’s explicit endorsement of innovative monitoring, including artificial intelligence and federated learning, as a mitigating factor in supervisory and enforcement assessments. That is a sharp departure from the prior regulatory posture, which treated new technology as an additional source of risk to be controlled. The risk in the design lies in the 30-day FinCEN consultation framework: a notice-and-consultation gate before federal banking agency action can be slow-running in a different administration with a more aggressive enforcement posture. The next test, after 9 June, is how rapidly FinCEN moves to a final rule and what the implementation runway looks like across community banks, broker-dealers, money services businesses and casinos.

6. DOJ HealthSplash $1 billion Medicare conviction

A jury in the Southern District of Florida found the founder and owner of HealthSplash guilty on 15 May for operating a platform that generated false doctors’ orders and prescriptions to defraud Medicare and other federal health care benefit programmes – billing more than $1 billion for unnecessary equipment. The announcement was part of the National Fraud Enforcement Division’s second consecutive ~$1 billion weekly enforcement summary, but the HealthSplash verdict is itself structurally significant: a platform-level health care fraud conviction, in which the defendant’s product was the production of false orders at scale.

The HealthSplash case is the cleanest articulation in recent months of crime-as-service architecture in domestic federal programme fraud. The defendant did not himself bill Medicare; he sold an orderly, scaled production of false documentation to downstream billers. That is the same structural relationship as phishing-as-a-service in the cybercrime ecosystem and is reachable by enforcement using the same logic that drove the First VPN takedown – target the service layer rather than only the downstream operators it enables. Combined with the West Coast Health Care Fraud Strike Force, the Minnesota takedown covered in Lab Report #7, and the FinCEN Health Care Fraud Advisory published in March, federal health care fraud enforcement is now operating against three layers simultaneously: end-perpetrators, professional enablers, and platform-level production of fraudulent documentation.

7. Europol releases the 2026 Internet Organised Crime Threat Assessment

Europol’s 2026 Internet Organised Crime Threat Assessment (IOCTA), published 28 April and circulating widely through May, frames the evolving cybercrime landscape around encryption-enabled communications, AI-augmented social engineering, and the maturing market for crime-as-a-service. The full report is available from Europol.

IOCTA’s analytical value sits not in its threat catalogue but in its consolidation of the service economy framing. Europol now describes cybercrime as a layered ecosystem in which access, anonymisation, intrusion, persistence, monetisation and laundering are sold as discrete services to a wider downstream offender population. That maps the operational reality more accurately than the individual offender model that has historically dominated cyber policy. The criminologically important implication is that effective enforcement intervention must target the services (VPNs, phishing kits, drop-loader infrastructure, money mule recruitment channels) rather than only the offenders who buy them. The First VPN takedown is, in that sense, exactly the kind of operational action the IOCTA framing implies.


New Research Worth Reading

© 2025. The Financial Crime Lab. All Rights Reserved
