Cybercriminals behind some of the most notorious ransomware operations have been dealt a massive blow following a coordinated international crackdown known as Operation Endgame. Led by Europol, the operation disrupted the infrastructure of major malware networks, seized millions in cryptocurrency, and issued arrest warrants for top cybercrime suspects.
Between May 19 and 22, authorities from eight countries took down approximately 300 servers and neutralized 650 malicious domains. This effort targeted the core infrastructure used to deploy ransomware in large-scale cyberattacks, significantly disrupting what Europol called the “ransomware kill chain.”
Among the malware strains dismantled were:
- Bumblebee
- Lactrodectus
- Qakbot
- Hijackloader
- DanaBot
- Trickbot
- Warmcookie
These sophisticated malware variants are often used as “malware-as-a-service” tools, providing initial access to corporate and government networks for ransomware deployment by other cybercriminals.
In addition to the infrastructure takedown, law enforcement agencies seized €3.5 million in cryptocurrency during the week of action, bringing the total seized under Operation Endgame to over €21.2 million. Twenty international arrest warrants were issued against key actors accused of providing initial access services—acting as brokers for ransomware operators.
Catherine De Bolle, Executive Director of Europol, emphasized the strategic nature of the operation:
“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganize. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”
A Command Post was established at Europol headquarters in The Hague, where representatives from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States coordinated in real-time. Europol provided operational and analytical support, cryptocurrency tracing, and facilitated live intelligence sharing. Eurojust played a crucial role in aligning judicial efforts across national boundaries since the investigation began in 2024.
Participating countries
- Canada: Royal Canadian Mounted Police (RCMP)
- Denmark: Danish Police (Politi)
- France: National Police (Police Nationale), National Gendarmerie (Gendarmerie Nationale), Public Prosecutor Office JUNALCO (National Jurisdiction against Organised Crime) Cybercrime Unit, Paris Judicial Police (Préfecture De Police de Paris)
- Germany: Federal Criminal Police Office (Bundeskriminalamt), Prosecutor General’s Office Frankfurt am Main – Cyber Crime Center
- The Netherlands: National Police (Politie), Public Prosecution Office (Openbaar Ministerie)
- The United Kingdom: National Crime Agency
- The United States: Federal Bureau of Investigation, United States Secret Service, The Defense Criminal Investigative Service, United States Department of Justice
Several suspects behind the dismantled malware networks will be publicly listed on the EU Most Wanted list starting May 23, with 18 individuals set to be published by German authorities. These suspects are believed to have created or maintained tools used to infiltrate victims’ systems across the world.
Operation Endgame is not over. The international law enforcement coalition has announced that follow-up actions are already underway, with ongoing investigations and additional arrests anticipated.
This sweeping operation underscores a new era of global cybersecurity cooperation, where joint efforts are targeting not only the perpetrators of ransomware but the very infrastructure and services that allow such threats to thrive.
Feeling lost in the digital world? Dr. Tom is here to help!
Join Dr. Tom every week in his award winning column, Dr. Tom’s Cyber Bits and Tips, for byte-sized advice on all things cyber and tech. Whether you’re concerned about online safety, curious about the latest cybercrime trends, or simply want to navigate the ever-evolving digital landscape, Dr. Tom has you covered.
From practical cybersecurity tips to insightful breakdowns of current threats, Dr. Tom’s column empowers you to stay informed and protect yourself online. So, dive in and get savvy with the web – with Dr. Tom as your guide!
Sign up for our Sunday Spectator. Delivered to your inbox every Sunday, with all the news from the week.
