Operation Endgame is a major, ongoing international law enforcement initiative targeting the infrastructure and services that enable ransomware and other forms of cybercrime. First launched in May 2024, the operation is coordinated by agencies including the FBI, Europol, Eurojust, and law enforcement from multiple countries such as the United States, Denmark, France, Germany, the Netherlands, and the United Kingdom.
In the operation's latest phase (May 2025), law enforcement agencies dismantled approximately 300 servers and seized €3.5 million in cryptocurrency, bringing the total amount seized over the course of the operation to more than €21 million. Authorities also neutralized 650 domains used by cybercriminals to distribute malware and facilitate ransomware attacks.
The operation specifically targeted malware “droppers” and “loaders” such as Bumblebee, QakBot, IcedID, Smokeloader, Pikabot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE, which are used to gain initial access to victims’ systems and deploy further malicious payloads, including ransomware.
Operation Endgame led to the seizure of major websites and domains selling hacking tools, including crypting and counter-antivirus (CAV) services. Crypting services are used to alter or encrypt malware, making it difficult for antivirus software to detect, while CAV tools let cybercriminals test their malware against multiple antivirus engines to ensure it remains undetected.
Notable domains seized include AVCheck.net, Cryptor.biz, Crypt.guru, and Cryptor.live, all of which were pivotal in helping cybercriminals refine and deploy undetectable malware.
The operation involved coordinated searches, arrests, and server takedowns across a dozen countries, with a central command post at Europol headquarters in The Hague. Law enforcement issued 20 international arrest warrants for individuals believed to be operating or providing initial access services to ransomware groups. The disruption extended to the cybercrime ecosystem, forcing threat actors to seek alternative services and highlighting the adaptability and decentralization of cybercriminal operations.