In a significant international effort to combat cybercrime, Europol has executed a new phase of Operation Endgame, resulting in the dismantling of approximately 300 servers worldwide, the neutralization of 650 domains, and the issuance of arrest warrants for 20 individuals involved in ransomware activities. This operation, conducted between May 19 and 22, 2025, underscores the ongoing commitment of global law enforcement agencies to disrupt the infrastructure supporting cybercriminal enterprises.
Background on Operation Endgame
Launched in May 2024, Operation Endgame is a collaborative initiative targeting services and infrastructures that facilitate initial access for ransomware attacks. The operation focuses on dismantling malware families and the networks that deploy them, thereby disrupting the cybercriminal ecosystem at its foundation.
Recent Actions and Achievements
The latest phase of Operation Endgame concentrated on emerging malware variants and successor groups that have surfaced following previous takedowns. Notably, the operation targeted malware such as Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE. These malware variants are often offered as services to other threat actors, enabling large-scale ransomware attacks.
During the action week, authorities seized €3.5 million in cryptocurrency, bringing the total amount seized during Operation Endgame to over €21.2 million. This substantial financial seizure highlights the profitability of cybercriminal activities and the importance of disrupting their financial channels.
International Collaboration and Legal Actions
The operation involved coordinated efforts from multiple countries, including Germany, France, the Netherlands, Denmark, the United Kingdom, the United States, and Canada. This international collaboration was crucial in identifying and targeting the complex networks used by cybercriminals.
German authorities have initiated criminal proceedings against 37 identified individuals. Among those added to the EU Most Wanted list are:
– Roman Mikhailovich Prokop (aka carterj), 36: Alleged member of the QakBot group.
– Danil Raisowitsch Khalitov (aka dancho), 37: Alleged member of the QakBot group.
– Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32: Alleged member of the TrickBot group.
– Mikhail Mikhailovich Tsarev (aka mango), 36: Alleged member of the TrickBot group.
– Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43: Alleged member of the TrickBot group.
– Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36: Alleged member of the TrickBot group.
These individuals are believed to have played significant roles in orchestrating and facilitating ransomware attacks that have affected numerous organizations worldwide.
Impact on Cybercrime Infrastructure
By targeting the infrastructure that supports ransomware operations, Operation Endgame aims to disrupt the cybercriminal supply chain. The dismantling of servers and neutralization of domains impede the ability of cybercriminals to deploy malware and conduct attacks. This proactive approach not only addresses existing threats but also serves as a deterrent to future cybercriminal activities.
Statements from Law Enforcement Officials
Europol Executive Director Catherine De Bolle emphasized the adaptability and persistence of law enforcement in combating cybercrime: “This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganize. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”
Broader Context and Related Operations
Operation Endgame is part of a broader strategy to combat cybercrime through international cooperation. Previous operations have yielded significant results:
– Operation Morpheus (July 2024): Europol coordinated the takedown of 593 Cobalt Strike servers used by cybercriminals to infiltrate victims’ networks. This operation involved law enforcement agencies from multiple countries and highlighted the misuse of legitimate tools for malicious purposes.
– Operation First Light 2024 (May to June 2024): This global law enforcement effort targeted online scams, resulting in the arrest of 3,950 suspects and the seizure of $257 million in illegal assets. The operation addressed various forms of internet fraud, including phishing, romance scams, and investment scams.
– Operation RapTor (May 2025): Europol announced the arrest of 270 individuals involved in dark web activities across 10 countries. The operation led to the seizure of €184 million in cash and cryptocurrencies, 2 tons of drugs, 180 firearms, and 12,500 counterfeit products.
These operations demonstrate a concerted and sustained effort by international law enforcement agencies to tackle various facets of cybercrime, from ransomware to online fraud and dark web marketplaces.
Future Outlook
Operation Endgame is an ongoing initiative, with further actions planned to continue disrupting cybercriminal networks. The adaptability of law enforcement agencies in responding to evolving cyber threats is crucial in maintaining the integrity and security of global digital infrastructures.
Conclusion
The recent phase of Operation Endgame represents a significant milestone in the fight against ransomware and cybercrime. Through international collaboration, substantial financial seizures, and the targeting of key individuals and infrastructures, law enforcement agencies are sending a clear message about their commitment to disrupting and dismantling cybercriminal operations. Continued vigilance and cooperation will be essential in addressing the ever-evolving landscape of cyber threats.