Authorities across North America and Europe have launched a coordinated enforcement action against users of the Smokeloader botnet, marking a significant development in the ongoing Operation Endgame.
The latest actions follow the major takedown of five key malware droppers in May 2024—IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee—under the operation codenamed Operation Endgame. This operation disrupted large-scale malware distribution infrastructure and targeted the operators behind these services.
Earlier this year, law enforcement focused on the customers of the pay-per-install Smokeloader botnet, which was operated by a threat actor dubbed ‘Superstar’. These customers used the service to gain unauthorized access to victims’ machines, deploying malware for a range of nefarious purposes, including keylogging, webcam access, ransomware, crypto mining, and more.
The enforcement actions included arrests, house searches, arrest warrants, and “knock and talks”.
Authorities were able to identify the customers through a database seized during the original Operation Endgame raids, which contained registration information linking individuals to the botnet.
Investigations revealed that some who bought access to the botnet later resold the service to others at a markup. When contacted by law enforcement, several suspects chose to cooperate and allowed the examination of digital evidence on their devices.
These efforts mark a shift in focus from the infrastructure providers targeted in May 2024 to the users of these crime-as-a-service tools. Law enforcement continues to act on leads uncovered during the initial takedown, working to link online usernames to real-world identities.
Authorities have emphasized that Operation Endgame is ongoing. A website, operation-endgame.com, has been introduced for individuals to provide information or engage with law enforcement. Suspects who have not yet been arrested are being warned that they will be held accountable.
Participating Authorities:
- Canada: Royal Canadian Mounted Police (RCMP)
- Czech Republic: Police of the Czech Republic (Policie České republiky)
- Denmark: Danish Police (Dansk Politi)
- France: National Police (OFAC – Office Anti-Cybercriminalité)
- Germany: Federal Criminal Police Office (Bundeskriminalamt); Prosecutor General’s Office Frankfurt am Main – Cyber Crime Center (ZIT)
- Netherlands: National Investigations and Special Operations (NIS), Netherlands Police (Politie)
- United States: Federal Bureau of Investigation (FBI); United States Secret Service; United States Department of Defense – Defense Criminal Investigative Service (DCIS)
Europol and the Joint Cybercrime Action Taskforce (J-CAT), hosted by Europol, have continued to support Operation Endgame. Europol facilitated information exchange, provided analytical and forensic support, and coordinated operations through calls and operational sprints at its headquarters in The Hague.
Kirsten Doyle, Information Security Buzz News Editor


