Ransomware Networks Hit Hard in Latest Operation Endgame

Law enforcement is cracking down on ransomware! In the latest phase of Operation Endgame, a global effort has taken down roughly 300 servers and 650 domains. Plus, there are arrest warrants out for 20 individuals.

Launched back in May 2024, Operation Endgame isn't new. It's designed to target the services and infrastructure that help ransomware gangs get their foot in the door – providing that initial access they need. Previous efforts focused on taking down the malware families used to spread ransomware in the first place.

This time around, according to Europol, the operation targeted new malware strains and groups that popped up after last year's takedowns. Think names like Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and even WARMCOOKIE. This latest action unfolded between May 19th and 22nd, 2025.

And it's not just servers they're grabbing. "In addition, €3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during the Operation Endgame to more than €21.2 million," Europol said.

Here's the deal: these malware variants are often offered as a service. This means other criminals can rent them to launch their own large-scale ransomware attacks. Europol says that international arrest warrants are out for 20 key players believed to be providing or running these initial access services for ransomware crews.

"This new phase demonstrates law enforcement's ability to adapt and strike again, even as cybercriminals retool and reorganize," said Europol Executive Director Catherine De Bolle. "By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source."

Germany's Federal Criminal Police Office (BKA) revealed that criminal proceedings have been started against 37 identified actors. Some are on the E.U. Most Wanted list:

• Roman Mikhailovich Prokop (aka carterj), 36, QakBot group
• Danil Raisowitsch Khalitov (aka dancho), 37, QakBot group
• Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, TrickBot group
• Mikhail Mikhailovich Tsarev (aka mango), 36, TrickBot group
• Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, TrickBot group
• Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, TrickBot group

This news comes as Europol announced a massive operation resulting in 270 arrests of dark web vendors and buyers across 10 countries: the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19), Austria (4), the Netherlands (4), Brazil (3), Switzerland (1), and Spain (1).

Europol says the suspects were identified thanks to intelligence gathered from taking down dark web marketplaces like Nemesis, Tor2Door, Bohemia, and Kingdom Markets. Some suspects allegedly made thousands of sales on these illicit sites, often using encryption and cryptocurrencies to hide their tracks.

"Known as Operation RapTor, this international sweep has dismantled networks trafficking in drugs, weapons, and counterfeit goods, sending a clear signal to criminals hiding behind the illusion of anonymity," Europol said.

Besides the arrests, authorities seized a staggering €184 million in cash and cryptocurrencies, 2 tons of drugs, 180 firearms, 12,500 counterfeit products, and over 4 tons of illegal tobacco. This joint effort follows Operation SpecTor in May 2023, which saw 288 dark web vendors and buyers arrested and €50.8 million seized.

"With traditional marketplaces under increasing pressure, criminal actors are shifting to smaller, single-vendor shops — sites run by individual sellers to avoid marketplace fees and minimize exposure," Europol explained. "Illegal drugs remain the top commodity sold on the dark web, but 2023 also saw a surge in prescription drug trafficking and a rise in fraudulent services, including fake hitmen and bogus listings designed to scam buyers."

Update

The U.S. Department of Justice (DoJ) announced that Incognito Market, a dark web marketplace, facilitated over $100 million in narcotics sales between October 2020 and March 2024 before it was shut down. Back in December 2024, Rui-Siang Lin pleaded guilty to owning and running Incognito Market, one of the internet's biggest narcotics bazaars.

"These predators who peddled poison on the dark web might have thought they are untouchable — hiding behind screens, pushing fentanyl, fueling overdoses, and cashing in on misery. However, Operation RapTor just proved them wrong," said Drug Enforcement Administration (DEA) Acting Administrator Robert Murphy.