Europol-Led Operation Endgame Hits Botnet, Ransomware Networks

Written by

A new operation coordinated by Europol has targeted several significant malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. 

Dubbed “Endgame” and conducted between May 27 and 29 2024, the operation aimed to disrupt criminal networks by arresting high-value targets, dismantling their infrastructure and freezing illicit proceeds.

The targeted malware facilitated ransomware and other malicious software attacks, significantly impacting the global dropper ecosystem.

Largest Operation Against Botnets

The operation, which is reportedly the largest ever against botnets, was initiated and led by France, Germany and the Netherlands, with support from Eurojust and involvement from countries including Denmark, the United Kingdom and the United States. 

Additional support came from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine, involving arrests, suspect interviews, searches and server and domain takedowns. Key private partners such as Bitdefender, Cryptolaemus and Shadowserver, among others, also contributed to the efforts.

Coordinated Actions and Arrests

The coordinated actions resulted in four arrests, including one in Armenia and three in Ukraine, 16 location searches across several countries, the disruption or takedown of over 100 servers and law enforcement control over more than 2000 domains.

“The takedown of any botnet will ultimately harm the operation of cybercriminals, and subsequently, the outcomes from Operation Endgame should be applauded,” commented Raj Samani, SVP and Chief Scientist at Rapid7.

According to the security expert, the extensive seizure of targeted dropper infrastructure and the arrests show that crime does not pay, and that law enforcement can track down individuals.

“The involvement of private enterprise is another positive. Digital interconnectivity demands international solidarity. As these attacks spread internationally, it’s increasingly vital for cross-collaboration between international agencies and private-sector specialists. Cybercriminals have no boundaries, and neither should our efforts to counter them,” Samani explained.

Significant Discoveries

One notable discovery from the investigations was that a primary suspect had earned at least EUR 69m in cryptocurrency by renting out criminal infrastructure for ransomware deployment. This suspect’s transactions are being monitored, and legal permissions have been obtained to seize these assets in future actions.

Read more on the crypto operations: Six Austrians Arrested in Multi-Million Euro Crypto Scheme

According to a new Europol blog post, Operation Endgame’s success is not the end of the fight against botnets and cybercrime. 

“New actions will be announced on the website Operation Endgame,” reads the post. “In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.”

Commenting on the operation, Cian Heasley, threat team lead at Adarma, said, “Hopefully, it will serve as a strong deterrent to cyber criminals and reassure individuals and enterprises that authorities are proactively tackling the rising problem of bots.”

Image credit: PixelBiss /

What’s hot on Infosecurity Magazine?