Authorities in the US, UK and EU have announced the “largest ever” law enforcement action against ransomware-deploying botnets – taking down over 100 malicious servers, conducting arrests, and issuing warnings for criminal suspects.

Announced 30 May, “Operation Endgame” has seen law enforcement from countries including Denmark, France, Germany and the Netherlands coordinate to “dismantle criminal infrastructure” responsible for hundreds of millions of dollars in global damages.

The operation was launched to tackle ‘botnets’ – a term used to describe networks of hacked computers which are leveraged to proliferate malware at a widespread scale.

The Federal Bureau of Investigation (FBI) and EU law enforcement agency Europol reports that in a bid to “defeat multiple malware variants”, Operation Endgame has taken down or disrupted over 100 servers since 28 May and gained control over 2,000 web domains.

“Operation Endgame demonstrates the FBI’s continued fight against cyber crime and malware-as-a-service models,” said FBI director Christopher Wray.

“The FBI used joint and sequenced actions to run a first-of-its-kind international operation and debilitate the criminal infrastructure of multiple malware services.

“These malware services infected millions of computers and were responsible for attacks across the globe, including on health care facilities and critical infrastructure services.”

Law enforcement mocks cyber criminals

Operation Endgame has so far resulted in four arrests (one in Armenia and three in Ukraine), as well as 16 searches of locations in Armenia, the Netherlands, Portugal and Ukraine, each of which supported the ongoing operation.

According to Europol, which has headquartered the operation, one of the “main suspects” has earned at least $112.4 million (€69 million) in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.

“The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained,” wrote Europol.

“Suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions.”

In addition to conducting arrests and dismantling botnet infrastructure, Operation Endgame seems to have a vested stake in dissuading (if not actively taunting) those suspected of being involved in botnet criminal activities.

This is most evident in the operation’s somewhat bizarre website, where the FBI, Europol, the UK’s National Crime Agency and other law enforcement agencies have posted an ominous collection of text and video warnings against botnet cyber criminals.

“Welcome to The Endgame,” reads the Operation Endgame website.

“We have been investigating you and your criminal undertakings for a long time and we will not stop here.

“This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting.

“Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways.”


Operation Endgame is disrupting botnets around the world. Photo: Supplied

Whether it’s a tongue-in-cheek nod to the dramatic posturing often found on the dark web sites of ransomware gangs or an entirely serious warning to the operation’s suspects, the website contains a countdown timer presumably teasing to its next release, a dramatic logo of warring chess pieces surrounded by the flags of participating nations, and a series of dubstep-backed videos depicting the downfall of botnets and anonymous cyber criminals.

“Think about (Y)our [sic] next move,” reads the website.

Europol has also added eight fugitives linked to “serious cyber crime activities” to Europe’s most wanted list and has further encouraged “suspects and witnesses” to reach out via the Operation Endgame website for an “openhearted dialogue”.

A who’s who of busted botnets

Botnets spread malware through use of ‘droppers’, which are a specialised type of malware used to bypass common security measures and install other, more severe malware onto target systems.

While they don’t typically cause direct damage themselves, droppers are essential to deploying more harmful software such as ransomware, viruses, and spyware on affected systems.

With support from partners across a dozen countries – including notable cyber security companies Proofpoint, Bitdefender and HaveIBeenPwned – Operation Endgame has targeted at least six dropper programs used in major botnets.

One such dropper is Pikabot, a deceptive trojan used by prominent ransom gangs such as BlackBasta and Conti to infect devices and deploy followup ransomware or remote computer takeovers.

Another hit by the operation is Bumblebee, a predominantly phishing-distributed malware which recently alarmed security researchers by returning to the malware scene after a four-month hiatus.

The FBI further boasts having taken various actions to “neutralise the threat” posed by IcedID, a long-known dropper with a history of banking attacks, and Smokeloader, which cyber threat intelligence company Intel471 reports as one of the top three most-used malware install services in 2023.

All-in-all, over 20 law enforcement officers across Denmark, France, Germany and the US have helped coordinate the takedown operation alongside “hundreds of other officers” from participating nations who have assisted in carrying out its actions.

Operation Endgame follows another landmark law enforcement action from the US Department of Justice – which on 24 May arrested Chinese national YunHe Wang, the alleged operator of one of the world’s largest botnets, 911 S5.

US attorney general Merrick Garland noted 911 S5 has notoriously facilitated criminal activity from cyberattacks through to child exploitation and bomb threats, infecting computers in nearly 200 countries and enabling “billions of dollars in pandemic and unemployment fraud”.

In addition to the arrest of Wang – who now faces a maximum penalty of 65 years in prison – the US government also seized 911 S5’s online infrastructure and website.