Operation Endgame: German Federal Criminal Police Office BKA and International Partners Achieve Biggest Strike Against Global Cybercrime to Date

Ten international arrest warrants and four provisional arrests. Germany initiates and coordinates “takedowns” of the most dangerous malware outlets

German Central Office for Combating Internet Crime (ZIT) – and the Federal Criminal Police Office (BKA) carried out a internationally coordinated operation on 28 and 29.05.2024, together with law enforcement authorities from the Netherlands, France, Denmark, Great Britain, Austria and the USA, supported by Europol and Eurojust, taking several of the currently most influential malware families offline. The Portuguese, Ukrainian, Swiss, Lithuanian, Romanian, Bulgarian and Armenian law enforcement authorities were also involved in the measures within the framework of international legal assistance.

Operation Endgame seized more than 100 servers

In the measures coordinated primarily by the ZIT and the BKA as part of the international “Endgame” operation, over 100 servers were seized worldwide and over 1,300 criminally used domains were neutralized. An asset freeze of 69 million euros was obtained against an identified operator and administrator. In addition, 99 crypto wallets with a current total volume of more than 70 million euros were blocked at numerous crypto exchanges. Furthermore, 10 international arrest warrants were issued and four people were provisionally arrested. As part of the overall measures, searches took place at a total of 16 properties in Armenia, the Netherlands, Portugal and Ukraine, during which numerous pieces of evidence were seized. The data seized during Operation Endgame is currently being evaluated and could lead to follow-up investigations.

The “takedowns” were preceded by lengthy and complex investigations in the participating countries. In Germany, the investigations are being conducted, among other things, on suspicion of gang-related and commercial extortion as well as membership in a criminal organization abroad.

Aimed on at least 15 ransomware groups, called “Droppers”

The aim of the international Operation Endgame is the sustainable combating of global cybercrime, by not only taking action against individual malware families, but bundling measures against the technical and financial infrastructure used by the perpetrators and against the actors of several such partly collaborating perpetrator groups.

The current measures were primarily directed against the groups behind the six malware families IcedID, SystemBC, Bumblebee, Smokeloader, Pikabot and Trickbot, which were connected to at least 15 ransomware groups as so-called “droppers”. Droppers are malware variants used for initial infection and serve as gateways for cybercriminals to infect victim systems unnoticed and then load additional malware. This is done, for example, with the aim of intercepting personal data such as usernames and passwords or, in the case of ransomware, encrypting infected systems or networks affected by them for extortion purposes.

“Smokeloader” malware most dangerous to Germany

From a German perspective, the most dangerous dropper was the Smokeloader malware, which has existed for over ten years and has continuously evolved. During the international measures, the technical infrastructure of Smokeloader as well as five other dropper services was seized and their control taken over by law enforcement authorities. This deprived the perpetrators of access to thousands of victim systems. The Smokeloader botnet alone comprised several hundred thousand systems over the course of the past year. The Federal Office for Information Security (BSI) is responsible for notifying victims of a botnet infection.

Germany has issued arrest warrants for a total of eight actors. On this basis, the BKA and ZIT are jointly searching for seven identified individuals who are under urgent suspicion of having participated as members of a criminal organization for the purpose of distributing the Trickbot malware. In addition, a further suspect is being sought who is urgently suspected of being one of the ringleaders of the group behind the Smokeloader malware. Images and descriptions of the suspects can be accessed on the BKA website at the following link:

“With the largest international cyber police operation to date, law enforcement authorities have achieved a significant blow against the cybercrime scene. The current success is based on measures against infrastructures, actors and their financial resources and is suitable for impairing trust within the underground economy. Through intensive international cooperation, six of the largest malware families were neutralized. We will continue to actively counteract cybercrime together with our national and international partners in order to deprive criminals of their basis for operation as permanently as possible.”

BKA Vice President Martina Link

“The international cooperation of law enforcement authorities in combating cybercrime is working and is constantly being further developed. Because only with joint measures such as the seizure of criminal IT infrastructure and the skimming of criminally obtained financial resources can those responsible for globally operating malware groups be effectively prosecuted.”

ZIT Head Senior Public Prosecutor Dr. Benjamin Krause:

In order to sustainably counteract cybercrime, personal investigations, i.e. the identification and successful prosecution of perpetrators, are an important and effective approach. However, since cybercriminals often operate from abroad and are tolerated or even protected by some countries, they often remain out of reach for German law enforcement. Still, cybercrime is highly interconnected to terrorist groups and activities.

Therefore, the measures of the German law enforcement authorities are also aimed at weakening and destroying the infrastructure of cybercriminals. Through this infrastructure approach, considerable financial resources have recently been withdrawn from the underground economy. In addition, IT systems and data have been seized that have led to further investigative approaches.

For example, in 2023 it was possible to seize the server infrastructure of the world’s highest-grossing crypto mixer on the darknet, ChipMixer, and secure around 90 million euros. Furthermore, the infrastructure of several criminal marketplaces was seized – including Kingdom Market. In addition, the Qakbot malware was taken offline in 2023 and Emotet in 2021. Both were among the top threats from cyberspace and caused worldwide damage amounting to several hundred million euros.

Further information on the still ongoing mission can be found here.

Basic Source: BKA