
Authorities around the world cooperated this week to disrupt some of the world’s most dangerous malware. During an action week that took place between 19 May and 22 May, measures were taken against several malware families, and some of the perpetrators behind them were identified. In total, international arrest warrants were obtained against 20 individuals criminally charged, more than 300 servers were taken down and over EUR 3 million in cryptocurrency was seized. Eurojust and Europol have supported the authorities’ operation against the dangerous malware since 2024.

This week’s actions follow the largest-ever operation against botnets from May 2024, Operation Endgame. This year during Endgame 2.0, the measures targeted the successor groups of malware taken down by the authorities and other relevant variants: Bumblebee, Latrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie. As these variants are at the beginning of the cyberattack chain, disrupting them damages the entire ‘cybercrime as a service’ ecosystem.
The malware taken down this week is known as ‘initial access malware’. It is used for initial infection, helping cybercriminals to enter victims’ systems unnoticed and load more malware onto their devices, such as ransomware.
Due to the global nature of cybercrime, cross-border investigations are key for taking action against disruptive cybercrimes. Since 2024, Eurojust has provided essential support to ensure effective judicial cooperation. Coordination by Eurojust ensured that authorities could exchange information and align their investigative efforts. Europol supported the operation from the outset, providing coordination, operational and analytical support, cryptocurrency tracing, and facilitating the real-time exchange of information between the various partners involved.
German, French, Dutch, Danish, British, American and Canadian authorities joined forces from 19 to 22 May to take action against the world’s most dangerous malware variants and the perpetrators behind them. In total, 37 suspects were identified and international arrest warrants were obtained against 20 individuals criminally charged. Over 300 servers worldwide were taken down and 650 domains were neutralised. During the action week, EUR 3.5 million in cryptocurrency was seized, making the total cryptocurrency seized during Endgame EUR 21.2 million.
Operation Endgame will now continue with follow-up actions announced on the dedicated website from the international coalition. Several key suspects behind the malware operations are now subject to international and public appeals. The German authorities will publish eighteen of them on the EU Most Wanted list as of 23 May.
The following authorities carried out the operation:
- Germany: German Federal Criminal Police Office; Public Prosecutor General's Office Frankfurt am Main - Cybercrime Office; German Federal Office for Information Security
- France: PPO Paris section J3 (Cybercrime Unit); BL2C (Cybercrime unit Préfecture de Police); OFAC (National Office against Cybercriminality)
- Netherlands: Netherlands Public Prosecution Service (National Office); Netherlands Police
- Denmark: National Special Crime Unit – NSK; NC3 | High Tech Crime
- United Kingdom: National Crime Agency
- United States: Federal Bureau of Investigation (FBI); U.S. Department of Justice’s Computer Crime and Intellectual Property Section; U.S. Attorney’s Office for the Central District of California
- Canada: Royal Canadian Mounted Police (RCMP)