Information Security Buzz
Global Law Enforcement Cripples Ransomware Infrastructure

By Kirsten Doyle, May 26, 2025

Cybercriminals have been dealt a major blow as global law enforcement agencies, coordinated by Europol and Eurojust, dismantled critical components of the infrastructure behind some of the world’s most disruptive ransomware operations. 

Between 19 and 22 May 2025, authorities conducted a sweeping takedown of the digital backbone enabling initial access malware, the tools routinely used by bad actors to gain a foothold in victims’ systems.

Operation Endgame neutralised over 300 servers across multiple countries, took down 650 malicious domains, and seized more than €3.5 million in cryptocurrency. This brings the total assets confiscated under the Operation Endgame banner to more than €21.2 million. 

In tandem, international arrest warrants were issued for 20 key suspects believed to be facilitating access for ransomware operators. German authorities confirmed that 18 of these individuals will be added to the EU Most Wanted list from 23 May, as part of a public appeal to bring the perpetrators to justice. 

Striking at the Source 

Unlike previous law enforcement actions that primarily targeted ransomware payloads or infrastructure, this phase of Operation Endgame focused on what investigators describe as the “start of the kill chain”.  

Specifically, it targeted initial access malware, a key component of the cybercrime-as-a-service ecosystem. 

By neutralising the malware that opens the door to ransomware, authorities have effectively severed the attackers’ entry point, disrupting the broader operations of countless criminal networks. 

Among the malware families dismantled during the operation were Bumblebee, Latrodectus, Qakbot, HijackLoader, DanaBot, Trickbot, and Warmcookie.

These scourges have long been the de facto digital foot soldiers for cybercriminal groups. They offer everything from credential theft and system reconnaissance to backdoor access, all on demand. 

Coordinated Global Action 

The operation was a global collaboration. Europol set up a central Command Post at its headquarters in The Hague, coordinating actions in real time with investigators from Canada, Denmark, France, Germany, the Netherlands, the UK, and the US. 

Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) provided operational, analytical, and cryptocurrency tracing support. Meanwhile, Eurojust played a pivotal role in ensuring judicial cooperation across borders, allowing agencies to align legal strategies and share sensitive intelligence efficiently. 

“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganise,” said Europol Executive Director Catherine De Bolle. “By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”

The Long Arm of Justice 

This latest enforcement action marks a continuation of the May 2024 crackdown, which was described as the largest international effort against botnets to date. As ransomware groups evolve and rebuild, Operation Endgame has proven capable of adapting and responding in kind. 

The announcement of international arrest warrants signals that law enforcement agencies are not merely content with taking down infrastructure—they are determined to bring the architects of these cyber threats to justice. 

Many of the individuals targeted in this operation are believed to be initial access brokers—specialist cybercriminals who sell or rent entry points into corporate and government networks. These brokers are increasingly seen as the linchpin of modern ransomware campaigns. 

What’s Next: IOCTA 2025 

With cybercrime evolving so rapidly, law enforcement agencies are already preparing their next move.  

Europol’s upcoming Internet Organised Crime Threat Assessment (IOCTA) 2025, scheduled for release on 11 June, will focus on the threat posed by initial access brokers. It hopes to pre-empt the next wave of ransomware attacks before they begin. 

Participating Countries and Agencies 

The multinational scope of Operation Endgame cannot be overstated. Participating agencies included: 

Canada: Royal Canadian Mounted Police (RCMP) 

Denmark: Danish Police (Politi) 

France: Police Nationale, Gendarmerie Nationale, JUNALCO, and Paris Judicial Police 

Germany: Bundeskriminalamt and Prosecutor General’s Office Frankfurt – Cyber Crime Center 

Netherlands: National Police and Public Prosecution Office 

United Kingdom: National Crime Agency 

United States: FBI, United States Secret Service, Defense Criminal Investigative Service, and Department of Justice 

The international law enforcement community has indicated that Operation Endgame is far from over. Further enforcement actions are already in motion, with ongoing investigations, seizures, and arrests expected in the months ahead. 

For now, cybercriminals around the globe are on notice: the era of impunity is over. Law enforcement is striking not just at the symptoms, but at the source. 

Good News for Almost Everyone  

Ben Hutchison, associate principal consultant at Black Duck, says “Disruption of a significant malware distribution and cybercriminal threat actor network’s operation and technical capabilities such as this is good news for everyone (except the criminals), as not only does it hinder ongoing criminal activity, but it also manifests the potential consequences and risks of engaging in such criminal enterprise.” 

He says cybercrime may be big business these days, and while it may feel to those involved, due to the frequent global distribution and digital nature of their interaction, that it’s a victimless crime in the sense that it ‘isn’t a real crime’ and ‘no one actually gets hurt’, the inherent lie in such an idea is easy to prove.

“Hospitals and public services are often the victims impacted by such attacks (although this may in part be due to the challenges such organisations may experience in maintaining their often legacy and complex IT environments). Additionally, impacted organisations and individuals unable to resume services are losing their livelihoods as a result.” 

Significant, Yet Rare 

Hutchison adds: “While this take down is positive for many reasons and more so for those impacted by the criminal group’s operations, unfortunately, such large-scale, globally distributed, interagency law enforcement actions, although significant, are relatively rare compared to the frequency of the problem. They can take significant time, coordination, investigative effort, alignment across regional and political boundaries, and sufficient associated attribution, legal standing, and even diplomatic effort to pull off.” 

Sadly, he says despite such efforts, they may only impact a portion of a threat actor’s capabilities given the geographically distributed and at times ephemeral membership and operation of such groups. “This recent effort also builds on previous actions undertaken by law enforcement against similar malware variants and threat actors this time last year. This hopefully reinforces the message that despite the challenges involved, the wheels of justice do keep turning.” 

Build a Resiliency Strategy  

“As part of a resiliency strategy, organisations should ensure they practice cybersecurity incident preparedness, business continuity, and recovery planning. Additionally, they should implement a process that deals with significant threats and impacts to systems, software, and associated operations, so that when the worst happens, they know how to respond. Incident planning should go beyond addressing limited data breaches or responding to product vulnerability notifications, or examples like fire, theft, and natural disasters, as is often the case in more traditional organisational risk management scenarios, and look at the risks faced by organisations in today’s connected digital and cyber-physical landscape.” 

Lastly, he says organisations impacted by cybercrime, in addition to a purely technical and operational response, should engage with the appropriate regional/national and industrial CERT, CSIRT, and law enforcement agencies. “Examples include the NCA and NCSC in the UK, CISA in the US, and BSI in Germany. If you don’t know who to report an incident to in your region, any national cybersecurity organisation and governmental advice resources are a good place to start.” 

Continued Action is Essential  

Muhammad Yahya Patel, Global Security Evangelist & Advisor, Office of the CTO, at Check Point Software, adds: “It’s encouraging to see law enforcement maintaining pressure on cybercriminals. While some threat groups may go underground after infrastructure is seized, continued action is essential, and arresting these individuals remains a top priority.” 

Patel says this latest operation focused on initial access brokers and the tools they use to infiltrate systems. “These malware strains are particularly dangerous, often serving as the entry point for ransomware and data exfiltration attacks. Their takedown will be welcomed by cybersecurity defenders, as it delivers a significant blow to the underground market for initial access.” 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
