Tuesday, June 25, 2024


Europol Arrests Cybercrime Leaders In Armenia & Ukraine In Largest Ever Int'l Crackdown, Disrupting Network Of Bots Responsible For Hundreds Of Millions In Damages & Millions Of Infected Users


In a historic operation against cybercrime, Europol, Europe’s leading crime agency, has coordinated the largest-ever crackdown on botnets. Operation Endgame, conducted from May 27 to 29, targeted a nefarious network that utilized botnets to spread malware and ransomware, leading to the arrest of four high-value suspects in key countries, Armenia and Ukraine. This extensive operation spanned several nations and involved collaborative efforts from multiple law enforcement agencies and private security companies, including the FBI.

The initiative was a significant coordinated effort involving law enforcement and cybercrime specialists from 13 countries, including non-EU countries, led by Germany, the Netherlands, and France. Significant actions were also conducted in the UK and the US, with more than 100 servers and 2,000 domains effectively taken down.

Droppers, the primary tools used in these cyberattacks, were deployed as a first-strike mechanism that lets hackers bypass security measures and install harmful software. These droppers are engineered to be particularly evasive: they can disguise their code to mimic legitimate software and operate undetected on infected computers without being saved to the local hard drive. This stealth makes it exceedingly difficult for security software to detect and remove them. Upon completing their mission, the droppers self-delete, leaving behind the malware to continue its destructive tasks.

The malware spread primarily through phishing attempts, utilizing deceptive emails and compromised websites to infect users. The FBI highlighted the disruption of over 100 servers hosting attacks involving four Windows-based malware variants: IcedID, Smokeloader, Pikabot, and Bumblebee. These malware strains caused “hundreds of millions of dollars” in damages via ransomware or password stealers, as stated by FBI Director Christopher Wray. He noted that the malware services infected millions of computers and were responsible for attacks on health care facilities and critical infrastructure.

Europol also targeted two other malware variants, SystemBC and Trickbot, which were used to generate millions by selling access to infected computers. “All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol stated.

One of the primary suspects managed to amass no less than €69 million (approximately $75 million), largely in cryptocurrency, by renting out websites to other cybercriminals. These sites were used to launch extortion schemes, locking users out of their computers and demanding ransom payments for access restoration.

As part of Operation Endgame, police conducted 16 raids across four countries. The comprehensive takedown also resulted in more than 100 servers and 2,000 domains being disabled across Europe and North America. These domains are now under the stringent surveillance of European law enforcement authorities.

Despite the success of the recent operations, the threat persists with eight fugitives linked to the cybercrime ring still at large. Germany has issued outstanding warrants for their arrest, and as of May 30, these individuals have been added to Europe’s Most Wanted list. The eight fugitives, linked to the Smokeloader and Trickbot malware strains, have evaded arrest, and Russia has long refused to extradite hacking suspects to the West.

In response, Europol has resorted to publicly exposing these suspects by placing them on Europe’s Most Wanted List. Law enforcement also created a website for Operation Endgame, which trolls the hackers behind the malware variants. “This is Season 1 of Operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways,” the site currently says.

In the meantime, the data breach notification site Have I Been Pwned is notifying users victimized by the malware variants. Law enforcement agencies provided 16.5 million email addresses and 13.5 million unique passwords to the site for notification purposes.

Europol has declared that the takedown operation is ongoing and has already planned further actions to dismantle remaining and future cybercrime networks.
