European, American, and Canadian authorities have dealt a major blow this week in the fight against cybercrime. The operation, dubbed Endgame 2.0 and coordinated by Europol and Eurojust, has dismantled a significant part of the global infrastructure used by cybercriminals to distribute ransomware.
This large-scale international effort involved law enforcement agencies from Germany, France, the Netherlands, Denmark, the United Kingdom, the United States, and Canada. Together, they launched a coordinated strike against some of the most dangerous malware variants in the world as well as the individuals behind their development.
The scale of this operation speaks volumes about its impact. Over 300 servers were taken offline worldwide, depriving cybercriminal groups of critical technological assets. Germany alone accounted for approximately 50 of these dismantled servers, indicating a major focus on that country. Additionally, authorities issued 20 international arrest warrants, primarily targeting Russian nationals. These individuals are currently under investigation for organized extortion and membership in foreign criminal organizations. The operation also neutralized 650 domains, effectively severing communication lines between hackers and their malicious infrastructure. Financially, authorities seized $3.5 million in cryptocurrency, bringing the total monetary value of seizures related to the Endgame initiative to €21.2 million since its launch in 2024.
Focusing on the Source
The Endgame 2.0 operation specifically targets “initial access malware”—software that allows cybercriminals to gain a stealthy first foothold within targeted systems. By establishing this initial entry, hackers can later deploy more destructive malware, including ransomware, with greater ease.
Catherine De Bolle, Executive Director of Europol, emphasized the strategic importance of this approach: "By disrupting the services that criminals depend on to deploy ransomware, we are attacking the problem at its source." This strategy focuses on breaking the infection chain at its most critical point. The actions specifically targeted malware variants that serve as replacements for those dismantled during the first phase of the operation in May 2024, which led to the arrest of four suspects and the takedown of over 100 servers.
According to Europol, Endgame 2.0 constitutes the largest operation ever conducted against this type of malicious software. Among the malware addressed during the operation are Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie, highlighting the operation’s comprehensive scope.
The operation is ongoing, with future actions to be announced on the coalition’s dedicated website. German authorities plan to include eighteen key suspects on the European Union’s most-wanted list as early as this Friday.
In France, the effort involved the National Police, the National Gendarmerie, the National Office for the Fight Against Organized Crime (JUNALCO), and the Cybercrime Unit of the Paris Judicial Police.
Looking ahead, Europol’s next Internet Organized Crime Threat Assessment (IOCTA) report, scheduled for release on June 11, 2025, will place particular emphasis on “initial access brokers.” This shift underscores the growing importance of targeting the earliest stages of cyberattacks to prevent further breaches.