Top counter antivirus service disrupted in global takedown

AVCheck and related crypting services helped cybercriminals make malware difficult to detect and confirm that malware could slip through various antivirus tools undetected, officials said.
AVCheck site for counter antivirus service displays a seizure notice on May 29, 2025.

AVCheck, a large-scale service that cybercriminals use to check if their malware can be detected by various antivirus tools, was seized and taken offline Tuesday by a globally coordinated law enforcement action.

Officials on Thursday said they seized four domains and a server associated with the online software crypting syndicate. The site for the counter antivirus service and its related crypting services — Cryptor.biz and Crypt.guru — now display seizure notices with logos for the Justice Department, FBI, the Secret Service, the Dutch national police and the Finnish police.

“As cybercriminals have become more sophisticated in their schemes, they have likewise become more advanced in their efforts to avoid detection,” Nicholas J. Ganjei, U.S. Attorney for the Southern District of Texas, said in a statement. “As such, our law enforcement efforts must involve striking not just at the individual fraudster or hacker, but the enablers of these cybercriminals as well. This investigation did exactly that. With this syndicate shut down, there is one less provider of malicious tools for cybercriminals out there.”

Dutch authorities described AVCheck as one of the largest counter antivirus services used by cybercriminals globally, noting that it allowed attackers to access and deploy malware to victim networks undetected. Officials said the related crypting services enabled cybercriminals to make malware difficult for antivirus programs to detect.

“Taking AVCheck offline is an important step in the fight against organised cybercrime, because it disrupts the activities of cybercriminals in the earliest stages and prevents victims,” Matthijs Jaspers, team lead of the Dutch national police High Tech Crime unit, said in a statement. 

Before initiating the takedown, authorities said they made undercover purchases from the seized sites and confirmed they were designed for cybercrime. Prosecutors allege some email addresses and other data linked to the services are used by ransomware groups that have targeted victims in Houston, other parts of the United States and globally. 

“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” Douglas Williams, Special Agent in Charge of FBI Houston, said in a statement. “By leveraging counter antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims’ systems.”

The successful law enforcement action against AVCheck and its related services was conducted as part of Operation Endgame, an ongoing globally coordinated effort to disrupt cybercrime. The AVCheck takedown marks the fourth high-profile law enforcement action against malware operations in the past week. 

Global law enforcement authorities and cybersecurity companies previously toppled the prolific Lumma Stealer infostealer operation, which infected about 10 million systems. Officials also seized and disrupted DanaBot’s malware-as-a-service operations, and dismantled hundreds of domains and servers used across several leading malware strains.
