International Operation 'Endgame' Dismantles Global Malware Network in 2025, Arrest Warrants Issued

Edited by: Dmitry Drozd

An internationally coordinated law enforcement operation, dubbed 'Endgame,' dismantled a significant global malware network in May 2025. Led by German authorities, the operation involved agencies from Canada, Denmark, France, the Netherlands, the United Kingdom, and the United States, with support from Europol and Eurojust.

Between May 19 and May 22, authorities took down over 300 servers and neutralized 650 domains used to distribute malware. Approximately €3.5 million in cryptocurrency was seized, bringing the total seized during Operation Endgame to €21.2 million.

The operation resulted in the identification of 37 suspects and the issuance of international arrest warrants for 20 individuals. The suspects are accused of using malware such as Bumblebee, Latrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie to infiltrate networks, steal data, and deploy ransomware. German authorities are investigating suspects for organized extortion and membership in a foreign criminal organization.

Authorities say that disrupting these 'initial access malware' variants, which attackers use to gain a first foothold on victim systems, significantly damages the cybercrime-as-a-service ecosystem. Operation Endgame began in 2022 and continues to evolve, targeting new malware variants and successor groups.
