As part of the latest “season” of Operation Endgame, a coalition of law enforcement agencies has taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets.
Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating access for ransomware. The previous edition focused on dismantling the initial access malware families that have been used to deliver ransomware.
The latest iteration, per Europol, targeted new malware variants and successor groups that re-emerged after last year’s takedowns, such as Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE. The international action was carried out between May 19 and 22, 2025.
“In addition, €3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during the Operation Endgame to more than €21.2 million,” the agency said.
Europol noted that the malware variants are offered as a service to other threat actors and are used to conduct large-scale ransomware attacks. Furthermore, international arrest warrants have been issued against 20 key actors who are believed to be providing or operating initial access services to ransomware crews.