In a significant international operation coordinated by the European Union’s justice and police agencies, authorities have dismantled computer networks responsible for distributing ransomware via infected emails. This operation, described as the largest-ever against this type of cybercrime, led to the arrest of four “high value” suspects, the takedown of over 100 servers, and the seizure of more than 2,000 internet domains, according to the EU’s judicial cooperation agency, Eurojust.
Codenamed “Endgame,” the operation involved coordinated efforts in Germany, the Netherlands, France, Denmark, Ukraine, the United States, and the United Kingdom. Three suspects were arrested in Ukraine and one in Armenia, with searches conducted in Ukraine, Portugal, the Netherlands, and Armenia, added Europol, the EU police agency.
This is the latest in a series of international operations targeting malware and ransomware networks, following the 2021 takedown of the Emotet botnet. Europol said this would not be the last operation of its kind and announced that further actions would be reported on the “Operation Endgame” website.
Dutch police estimated the financial damage caused by the network to governments, companies, and individuals to be in the hundreds of millions of euros (or dollars). The botnets were built from the infected systems of millions of people worldwide, they noted.
One of the main suspects allegedly earned cryptocurrency worth at least 69 million euros ($74 million) by renting out criminal infrastructure for ransomware distribution. Europol confirmed that the suspect’s transactions are under constant surveillance, with legal permission secured to seize these assets in future operations.
The operation targeted malware “droppers” such as IcedID, Pikabot, Smokeloader, Bumblebee, and Trickbot, which are typically spread through emails containing infected links or attachments. Europol highlighted the global impact on the dropper ecosystem, noting that the infrastructure for these malware families was dismantled during the action days, thereby disrupting ransomware and other malicious software attacks.
Ben Jones, CEO of Searchlight Cyber, praised the operation as a prime example of effective international collaboration against cybercrime. He emphasized that the widening net of law enforcement is making it increasingly difficult for cybercriminals to evade justice.
Stan Duijf of the Dutch National Police stated that the operation should serve as a warning to cybercriminals that they can be caught, asserting that “nobody is unfindable, even online.”
Martina Link, the deputy head of Germany’s Federal Criminal Police Office, described the operation as “the biggest international cyber police operation so far,” highlighting the successful neutralization of six major malware families through intensive international cooperation.
German authorities are seeking the arrest of seven individuals suspected of being members of a criminal organization spreading the Trickbot malware, and an eighth person believed to be a ringleader behind Smokeloader. Europol has added these eight suspects to its most-wanted list.