Europol dismantles Global ransomware

In a significant blow to cybercriminal networks, Europol, in collaboration with international law enforcement agencies, has executed a large-scale operation targeting the infrastructure supporting ransomware activities. Dubbed “Operation Endgame,” this initiative led to the dismantling of over 300 servers and the seizure of €3.5 million in cryptocurrency, marking a pivotal moment in the global fight against cybercrime.

Scope and Execution of Operation Endgame

Between May 19 and 22, 2025, Operation Endgame mobilized law enforcement agencies from Germany, France, the Netherlands, Denmark, the United Kingdom, the United States, and Canada. The coordinated effort focused on disrupting services and infrastructures that facilitate initial access for ransomware attacks. This phase of the operation targeted malware variants and successor groups that had re-emerged following previous takedowns, including Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE.

The operation’s achievements are substantial:

  • 300 servers dismantled worldwide
  • 650 domains neutralized
  • €3.5 million in cryptocurrency seized during the action week
  • 20 international arrest warrants issued against key individuals involved in providing or operating initial access services to ransomware groups

These actions bring the total amount seized during Operation Endgame to over €21.2 million, underscoring the operation’s ongoing impact since its inception in May 2024.


Targeted Malware and Criminal Networks

Operation Endgame specifically targeted “initial access malware,” which cybercriminals use to infiltrate systems and deploy additional malicious software, including ransomware. The malware variants addressed in this operation are often offered as services to other threat actors, facilitating large-scale ransomware attacks.

Among the individuals targeted, several have been added to the EU Most Wanted list, including:

  • Roman Mikhailovich Prokop (aka carterj), 36, associated with the QakBot group
  • Danil Raisowitsch Khalitov (aka dancho), 37, associated with the QakBot group
  • Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, associated with the TrickBot group
  • Mikhail Mikhailovich Tsarev (aka mango), 36, associated with the TrickBot group
  • Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, associated with the TrickBot group
  • Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, associated with the TrickBot group

These individuals are believed to play significant roles in providing or operating services that grant ransomware groups access to victim systems.


International Collaboration and Future Actions

The success of Operation Endgame highlights the importance of international cooperation in combating cybercrime. Europol and Eurojust provided essential support, including coordination, operational and analytical assistance, cryptocurrency tracing, and facilitating real-time information exchange among participating agencies.

The operation is ongoing, with follow-up actions planned. Several key suspects remain at large, and efforts to apprehend them continue. German authorities have announced that 18 of these suspects will be added to the EU Most Wanted list, emphasizing the commitment to bringing all perpetrators to justice.


Impact on the Cybercrime Landscape

Operation Endgame represents a strategic effort to disrupt the ransomware kill chain at its source by targeting the infrastructure and services that enable these attacks. By dismantling servers, neutralizing domains, and apprehending key individuals, law enforcement agencies aim to significantly hinder the operations of ransomware groups.

Europol Executive Director Catherine De Bolle stated, “This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganize. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”


Conclusion

The dismantling of over 300 servers and the seizure of €3.5 million in cryptocurrency during Operation Endgame mark a significant milestone in the global effort to combat ransomware and cybercrime. The operation’s success underscores the effectiveness of international collaboration and the importance of targeting the foundational elements of cybercriminal operations.

As Operation Endgame continues, law enforcement agencies remain vigilant, adapting their strategies to counter the evolving tactics of cybercriminals. The ongoing efforts serve as a reminder that, through coordinated action and determination, the global community can make substantial strides in securing the digital landscape against malicious actors.
