Ransomware infrastructure dismantled in new phase of Operation Endgame

From May 19-22, 2025, law enforcement authorities linked to Operation Endgame, dismantled 300 servers and neutralized 650 domains used to launch ransomware attacks, and international arrest warrants were issued against 20 targets leading the chain of attacks. Also, €3.5 million in cryptocurrencies were seized during the same week, bringing the total seized during the operation to an estimated €21.2 million.

Operation Endgame is an international campaign jointly conducted by several law enforcement agencies around the world against ransomware and related malware services and infrastructures. Together with private sector cybersecurity partners and companies, authorities coordinated by Europol and Eurojust targeted multiple cybercrime assets, including Bumblebee, Lactrodectus, Qakbot, DanaBot, Trickbot and Warmcookie.

These malware distributions are often offered as a service to other cybercriminals and are used to gain access to the networks of victims targeted by ransomware attacks. In addition, they have the ability to hijack banking sessions, steal data and browsing histories, and provide remote access to compromised systems, allowing actions such as logging keystrokes or videotaping user activities.