Large-scale sting tied to Operation Endgame disrupts ransomware infrastructure

Law enforcement agencies from Europe and North America have dismantled key infrastructure behind several leading malware strains used in ransomware attacks, the latest action in a yearslong effort to combat cybercriminals.
The operation, conducted as part of Operation Endgame, targeted the early stages of the cybercrime chain, focusing on initial access malware. The coordinated effort resulted in the takedown of approximately 300 servers and the neutralization of 650 domains worldwide.
The crackdown is part of a sustained campaign against groups and individuals who provide access to compromised networks, enabling ransomware attacks against an array of professional organizations. Authorities issued international arrest warrants for 20 suspects.
Among the malware tools disrupted were Bumblebee, Latrodectus, Qakbot, HijackLoader, DanaBot, Trickbot, and Warmcookie. These malicious software programs are typically offered under a “cybercrime-as-a-service” model, allowing other criminal actors to purchase access into victim networks. Their removal is expected to make it harder for organized groups to launch further ransomware attacks.
Details of the takedowns have trickled out over the course of the week. U.S. officials unsealed a grand jury indictment and criminal complaint Thursday charging 16 individuals for their alleged involvement in the development and deployment of DanaBot. The DOJ on Thursday also unsealed a federal indictment charging Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with allegedly leading the cybercrime group responsible for the development and deployment of the Qakbot malware operation, which was disrupted by international law enforcement in 2023.
The operation marks a continuation of international law enforcement actions following large-scale botnet takedowns in 2024. Officials report that EUR 3.5 million in cryptocurrency was seized as part of this week’s operation, bringing the total seized during Operation Endgame to more than EUR 21.2 million.
Agencies from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States participated, with Europol providing operational and analytical support as well as real-time information exchange.
This week’s actions were focused on initial access brokers, aiming to disrupt the broader ecosystem that supports ransomware deployment. Even with these takedowns, officials stressed that ransomware gangs routinely adapt their malware or re-form under new names following arrests or infrastructure takedowns.
“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganise,” Catherine De Bolle, Europol’s executive director, said in a release. “By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”
The scope of Operation Endgame reflects the increasing complexity of cybercrime, which spans multiple jurisdictions and requires ongoing adaptation from authorities. Law enforcement and judicial entities have signaled that the crackdown is part of a sustained campaign, with follow-up actions planned and updates to be posted on a dedicated website.
Looking ahead, Europol has announced that its upcoming 2025 Internet Organised Crime Threat Assessment, which will be released June 11, will emphasize the threat posed by initial access brokers. This emphasis reflects a continued shift in focus toward preempting cyberattacks at the earliest possible stage, rather than concentrating resources solely on responding to successful ransomware deployments.