192/68 Tuesday, May 27, 2025
Between May 19–22, 2025, law enforcement agencies from multiple countries carried out Operation ENDGAME, a large-scale coordinated cybercrime takedown led by Europol and Eurojust, aimed at dismantling the global infrastructure used to distribute ransomware. The operation resulted in the seizure of over 300 servers, the shutdown of more than 650 domains, the issuance of 20 international arrest warrants, and the confiscation of over €21.2 million worth of cryptocurrency.
A command center was set up at Europol’s headquarters in The Hague, bringing together law enforcement officers from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States, along with cybercrime specialists from the European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT).
Operation ENDGAME specifically targeted initial access malware, which cybercriminals use to gain a foothold in victim networks before deploying ransomware payloads. The malware families disrupted in the operation included Bumblebee, Qakbot, Hijackloader, Trickbot, Warmcookie, Latrodectus, and DanaBot, all commonly used within the Ransomware-as-a-Service (RaaS) ecosystem to target organizations worldwide.
Europol further revealed that 18 individuals linked to the development and distribution of these tools have played critical roles in facilitating ransomware attacks and will be added to the EU Most Wanted List starting May 23, 2025.
Catherine De Bolle, Executive Director of Europol, stated that Operation ENDGAME demonstrates law enforcement’s ability to adapt and respond to the constantly evolving tactics of cybercriminals. She added, “Striking at the infrastructure used to spread ransomware disrupts the kill chain at its source — a crucial step in reducing global threats to digital systems and critical infrastructure.”
