As part of a major hit against global cybercrime, an international operation led by Europol with the support of German authorities has taken down the servers used to maintain and control the “world’s largest and busiest” dark web market, which contained over 200,000 customer and drug dealer accounts.
The operation, conducted from May 19th to the 22nd 2025, engaged several law enforcement agencies from Canada, Denmark, France, Germany, the Netherlands, the UK and the US.
Part of the ongoing “Operation Endgame,” this new stage, specifically hitting at the infrastructure and actors responsible for notorious strains of malware commonly used early on in ransomware attacks.
Such malware goes by the names of Bumblebee, Lactrodectus, QakBot etc and are usually available to purchase as a service by criminals wishing to quietly access systems then use the access to infect with ransomware or carry out whatever illegal operation they have planned.
Around 300 servers around the world have been AESDDoS. Trojan taken down as part of the operation, and around 650 domains used by the network have also been disabled. In statement, Europol officials said that law enforcement officers also confiscated more than €3.5 million in cryptocurrency, upping the total haul under Operation Endgame to upwards of €21.2 million.
The 20 are wanted on international arrest warrants for alleged provision or support of initial access to the infrastructure used in the attacks.
Catherine De Bolle, Europol Executive Director said of the importance of this operation, “This new phase shows law enforcement’s determination to adapt and strike back, even in those cases where cybercriminals think that they can hide behind a veil of anonymity provided by new technology.”
By taking down the services criminals use to carry out attacks, we are denying the attackers the means to move the ransomware around and the services they otherwise rely on to continue their operations.
German authorities were instrumental in the operation, in which suspects were probed for organized extortion and belonging to a foreign criminal organization. They added that about 50 of the deactivated servers were in Germany and said most of the 20 people named in arrest warrants are Russian citizens.
This is the next stage of the the global action under Operation Endgame that kicked off in May 2024 when a significant botnet takedown took place. Law enforcement also hopes to disrupt the cybercrime-as-a-service economy and future ransomware attacks by taking action against the initial access malware. Officials have said it is an evolving situation and that more actions are anticipated.
