Approximately 300 criminal servers in over 50 countries have been taken down in a coordinated operation involving international law enforcement agencies. Operation Authorities from several countries, including Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States, participated in the synchronized effort, named Operation Endgame, which took place from May 19 to May 22, 2025.
This is the second phase of Operation Endgame following a larger botnet takedown in May 2024. The emphasis this time was on destabilizing the infrastructure that supports the malware of initial access, which cybercriminals use to compromise systems before deploying ransomware. Taking down these command and control servers is a significant victory for law enforcement against the cybercrime-as-a-service model.
Investigators dismantled some 650 malicious domains and took the fight to the operators, issuing 20 international arrest warrants for individuals suspected of providing or using these initial access services. More than €3.5 million of cryptocurrency was also found and seized, taking the combined value of assets taken by officers under Operation Endgame to the equivalent of €21.2 million.
The targeted malware samples by this campaign are Bumblebee, Lactrodectus, Qakbot, Hijackloader, DanaBot, Trickbot and Warmcookie. These strains of malware are frequently provided for lease or service by other criminals, resulting in the ability to carry out widespread ransomware sprees.
Europol acted as the leading co-ordination structure between the involved countries, guiding the cross-border cooperation and exchange of information hosted at the Europol European Cybercrime Centre (EC3) and providing operational and analytical support during the investigation. A special command post was set up at Europol’s headquarters in The Hague where investigators from the participating countries worked closely together.
German prosecutors have launched criminal proceedings against 37 alleged perpetrators and they are issuing 18 new EU Most Wanted Alerts. This action demonstrates the shared commitment of international law enforcement to act with speed and determination to address ransomware threats,” the FBI said in a release.
Closing these malicious servers is a big step, but security experts warn that cybercriminals will probably evolve and recalibrate their methods. An ever-watchful eye, global partnership and engagement and aggressive offensive defenses—all these will continue to be paramount in the effort to combat the cyber criminal.
