
In a wide-ranging international operation, law enforcement authorities coordinated by Europol and Eurojust dealt a major blow to cybercriminals by dismantling the key malware infrastructure used for ransomware attacks. From 19 to 22 May 2025, around 300 servers worldwide were taken down, 650 domains were seized and international arrest warrants were issued against 20 key suspects. During the operation, €3.5 million in cryptocurrencies were seized, bringing the total seizures under Operation Endgame to over €21.2 million.
This phase of Operation Endgame, following the largest botnet crackdown in May 2024, targeted new malware variants such as Bumblebee, IcedID, Qakbot, SmokeLoader, DanaBot, Trickbot, and WarmCookie, which serve as entry points for large ransomware attacks. By targeting these initial means of access, authorities disrupted the chain of cyberattacks, damaging the cybercrime-as-a-service ecosystem.
Catherine De Bolle, Executive Director of Europol, stated: “This operation demonstrates the ability of law enforcement to adapt and strike again, breaking the ransomware chain at the source.”
The operation was coordinated from a Command Post in The Hague, with the participation of agencies from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom and the United States.
Eurojust ensured judicial cooperation, while 18 suspects will be added to the EU's most wanted list from 23 May. Europol's upcoming assessment, IOCTA 2025, will focus on initial access intermediaries, underlining the importance of preventing cyberattacks at an early stage. Operation Endgame will continue with further actions, strengthening the global fight against cybercrime.
“ Cybercriminals around the world have suffered a major disruption as law enforcement and judicial authorities, coordinated by Europol and Eurojust, dismantled the key infrastructure behind the malware used to launch ransomware attacks. From 19 to 22 May, authorities took down around 300 servers worldwide, neutralised 650 domains and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain. In addition, €3.5 million in cryptocurrencies were seized during the week of the operation, bringing the total amount seized during Operation Endgame to more than €21.2 million. This latest phase of Operation ENDGAME follows the largest ever international action against botnets in May 2024. It targeted new malware variants and successor groups that re-emerged after last year’s attacks, reinforce law enforcement's ability to adapt and respond - even as cybercriminals reorganize and regroup.
The operation focused on front-end malware – the tools that cybercriminals use to infiltrate systems unnoticed before deploying ransomware. By disabling these entry points, investigators have struck at the beginning of the cyberattack chain, damaging the entire cybercrime-as-a-service ecosystem. The following malware types were neutralized during the operation: Bumblebee, Lactrodectus, Qakbot, Hijacker, DanaBot, Trickbol. These variants are typically offered as a service to other cybercriminals and are used to pave the way for large-scale ransomware attacks. In addition, international arrest warrants were issued against 20 key actors believed to be providing or operating front-end services for ransomware operators. Catherine De Bolle , ”said Europol’s statement.
Lini një Përgjigje