Operation ENDGAME Strikes Again: The Ransomware Kill Chain Broken at Its Source

Cybercriminals around the world have suffered a major disruption after law enforcement and judicial authorities, coordinated by Europol and Eurojust, dismantled key infrastructure behind the malware used to launch ransomware attacks. From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain. 

In addition, EUR 3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during Operation Endgame to more than EUR 21.2 million.

This latest phase of Operation ENDGAME follows on from the largest-ever international action against botnets in May 2024. It targeted new malware variants and successor groups that re-emerged after last year’s takedowns, reinforcing law enforcement’s capacity to adapt and strike back – even as cybercriminals retool and reorganise.

The operation focused on initial access malware – the tools cybercriminals use to infiltrate systems unnoticed before deploying ransomware. By disabling these entry points, investigators have struck at the very start of the cyberattack chain, damaging the entire cybercrime-as-a-service ecosystem.

The following malware strains were neutralised during the action:

  • Bumblebee
  • Latrodectus
  • Qakbot
  • Hijackloader
  • DanaBot
  • Trickbot
  • Warmcookie

These variants are commonly offered as a service to other cybercriminals and are used to pave the way for large-scale ransomware attacks. In addition, international arrest warrants were issued against 20 key actors believed to be providing or operating initial access services to ransomware operators.

Operation Endgame is an ongoing, long-term, large-scale operation conducted jointly by several law enforcement agencies around the world against services and infrastructures assisting in or directly providing initial or consolidating access for ransomware.

European coordination

Europol supported the operation from the very beginning, providing coordination, operational and analytical support, cryptocurrency tracing, and facilitating real-time information exchange between the different partners involved.

A Command Post was set up at Europol headquarters in The Hague during the action week, with investigators from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom and the United States working with Europol’s European Cybercrime Centre and its Joint Cybercrime Action Taskforce. The Command Post coordinated law enforcement actions, managed intelligence on seized servers, and oversaw the implementation of the operational action plan.

Eurojust has provided essential support to make judicial cooperation effective since the beginning of the investigation in 2024. Coordination by Eurojust ensured that authorities were able to exchange information and align their investigative efforts.

Suspects to be added to EU Most Wanted list

Several key suspects behind the malware operations are now subject to international and public appeals. The German authorities will publish 18 of them on the EU Most Wanted list as of 23 May.

The suspects are believed to have provided or operated the tools that enabled criminal groups to access victim networks and launch large-scale ransomware attacks.

Looking ahead: IOCTA 2025 to spotlight access brokers

As cybercriminals continue to innovate, law enforcement is adapting its strategy to stay ahead. The upcoming Europol Internet Organised Crime Threat Assessment (IOCTA) 2025, to be published on 11 June, will place a strong focus on initial access brokers, reinforcing the importance of tackling the early stages of cyberattacks.

Operation Endgame will now continue with follow-up actions announced on the dedicated website of the international law enforcement partners.