In a sweeping international operation dubbed "Operation Endgame," law enforcement agencies have dismantled approximately 300 servers worldwide, neutralized 650 domains, and issued arrest warrants for 20 key suspects. Launched in May 2024, this ongoing effort focuses on disrupting the infrastructure and services that enable ransomware attacks, targeting both initial access providers and those consolidating ransomware operations.
The latest phase, conducted between May 19 and 22, 2025, honed in on emerging malware variants and successor groups that resurfaced after last year’s takedowns. These include malware families like Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE. Europol reported that €3.5 million in cryptocurrency was seized during this operation, contributing to a cumulative total of over €21.2 million confiscated throughout Operation Endgame.
Europol emphasized that these malware variants are often provided as a service to other cybercriminals, facilitating large-scale ransomware campaigns. Additionally, international arrest warrants were issued for 20 individuals suspected of operating or providing initial access services to ransomware groups.
“This latest phase underscores law enforcement’s adaptability and resolve to strike back as cybercriminals attempt to regroup and retool,” said Europol Executive Director Catherine De Bolle. “By targeting the critical services that enable ransomware, we are severing the chain at its core.”
Germany’s Federal Criminal Police Office (BKA) announced that criminal proceedings have been launched against 37 identified individuals. Among those added to the E.U. Most Wanted list are:
● Roman Mikhailovich Prokop (alias carterj), 36, linked to the QakBot group
● Danil Raisowitsch Khalitov (alias dancho), 37, associated with QakBot
● Iskander Rifkatovich Sharafetdinov (aliases alik, gucci), 32, tied to TrickBot
● Mikhail Mikhailovich Tsarev (alias mango), 36, connected to TrickBot
● Maksim Sergeevich Galochkin (aliases bentley, manuel, Max17, volhvb, crypt), 43, part of TrickBot
● Vitalii Nikolaevich Kovalev (aliases stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, affiliated with TrickBot
In a parallel effort, Europol unveiled the results of "Operation RapTor," a large-scale crackdown on dark web marketplaces, leading to 270 arrests across 10 countries: the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19), Austria (4), the Netherlands (4), Brazil (3), Switzerland (1), and Spain (1). The arrests stemmed from intelligence gathered during the takedowns of dark web markets like Nemesis, Tor2Door, Bohemia, and Kingdom Markets. Many suspects reportedly conducted thousands of illicit transactions, using encryption tools and cryptocurrencies to mask their activities.
“Operation RapTor has disrupted networks trafficking drugs, weapons, and counterfeit goods, sending a strong message to criminals who believe they can hide behind anonymity,” Europol stated.
Authorities seized €184 million in cash and cryptocurrencies, 2 tons of drugs, 180 firearms, 12,500 counterfeit products, and over 4 tons of illegal tobacco. This operation follows the earlier Operation SpecTor in May 2023, which resulted in 288 arrests and the seizure of €50.8 million in cash and cryptocurrency.
Europol noted a shift in criminal behavior, with dark web vendors increasingly moving to smaller, single-vendor shops to avoid marketplace fees and reduce exposure. While illegal drugs remain the dominant commodity, 2023 saw a rise in prescription drug trafficking and fraudulent services, such as fake hitmen and scam listings designed to deceive buyers.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
