
Int’l Police Target Botnets In ‘Operation Endgame’

Police in Europe and the US coordinated what authorities said was the largest-ever action against botnets, infrastructure used to place malware such as ransomware on users’ and organisations’ systems. The move targeted the infrastructure of “dropper” software including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.

Droppers are small pieces of code placed on targeted systems, usually via malicious email attachments, that can in turn download further malware onto the system, including ransomware.

By targeting botnets, infrastructure made up of hacked computers, authorities hoped to disrupt the ability of numerous malware actors to place their code onto victims’ computers.

The action, called “Operation Endgame”, was led by France, Germany and the Netherlands and supported by EU judicial cooperation agency Eurojust. It involved Denmark, the UK and the US, with additional support from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine and private security companies.

A still from a video released by authorities on the Operation Endgame website. Image credit: Europol

Arrests

In addition to taking down 100 servers in Europe, Canada and the US, authorities arrested one person in Armenia and three in Ukraine, searched 16 locations in Armenia, the Netherlands, Portugal and Ukraine, and took control of more than 2,000 domains.

The investigations revealed that one of the main suspects has earned at least 69 million euros (£59m) in cryptocurrency through renting out criminal infrastructure sites to deploy ransomware.

“The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained,” Europol said in a statement.

Authorities set up an Operation Endgame website where they said they would announce further actions.

“Operation Endgame does not end today,” Europol said.

Eight suspects wanted by Germany and now on Europol’s Most Wanted list. Image credit: Europol

Financial damage

Dutch police said the financial damage to individuals, organisations and governments inflicted by the botnets ran to the hundreds of millions of euros.

“Millions of people are also victims because their systems were infected, making them part of these botnets,” Dutch police said.

“This operation shows that you always leave tracks, nobody is unfindable, even online,” said Stan Duijf of the Dutch National Police in a video statement.

Germany is seeking the arrest of seven people suspected of being involved with the Trickbot malware organisation and an eighth person suspected of being one of the ringleaders behind Smokeloader.

Europol said the eight individuals were being added to its Most Wanted list.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
