As part of the latest “season” of Operation Endgame, a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets.
Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating access for ransomware. The previous edition focused on dismantling the initial access malware families that have been used to deliver ransomware.
The latest iteration, per Europol, targeted new malware variants and successor groups that re-emerged after last year’s takedowns such as Bumblebee, Lactrodectus, QakBot, DanaBot, TrickBot, and WARMCOOKIE. The interaction action was carried out between May 19 and 22, 2025.
“In addition, €3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during the Operation Endgame to more than €21.2 million,” the agency said.
Europol noted that the malware variants are offered as a service to other threat actors and are used to conduct large-scale ransomware attacks. Furthermore, international arrest warrants have been issued against 20 key actors who are believed to be providing or operating initial access services to ransomware crews.
“This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganize,” Europol Executive Director Catherine De Bolle said. “By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”
Germany’s Federal Criminal Police Office (aka Bundeskriminalamt or BKA) has revealed that criminal proceedings have been initiated against 37 identified actors. Some of the individuals who have been added to the E.U. Most Wanted list are listed below –
- Roman Mikhailovich Prokop (aka carterj), 36, a member of the QakBot group
- Danil Raisowitsch Khalitov (aka dancho), 37, a member of the QakBot group
- Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, a member of the TrickBot group
- Mikhail Mikhailovich Tsarev (aka mango), 36, a member of the TrickBot group
- Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, a member of the TrickBot group
- Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, a member of the TrickBot group
The disclosure comes as Europol took the wraps off a large-scale law enforcement operation that resulted in 270 arrests of dark web vendors and buyers across 10 countries: the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19), Austria (4), the Netherlands (4), Brazil (3), Switzerland (1), and Spain (1).
The suspects, Europol noted, were identified based on intelligence gathered from the takedowns of the dark web marketplaces Nemesis, Tor2Door, Bohemia, and Kingdom Markets. Several suspects are alleged to have conducted thousands of sales on illicit marketplaces, often using encryption tools and cryptocurrencies to conceal their digital footprints.
“Known as Operation RapTor, this international sweep has dismantled networks trafficking in drugs, weapons, and counterfeit goods, sending a clear signal to criminals hiding behind the illusion of anonymity,” Europol said.
Along with the arrests, €184 million in cash and cryptocurrencies, 2 tons of drugs, 180 firearms, 12,500 counterfeit products, and more than 4 tons of illegal tobacco have been seized by authorities. The joint action follows Operation SpecTor in May 2023, which led to the arrest of 288 dark web vendors and buyers and the seizure of €50.8 million in cash and cryptocurrency.
“With traditional marketplaces under increasing pressure, criminal actors are shifting to smaller, single-vendor shops — sites run by individual sellers to avoid marketplace fees and minimize exposure,” Europol said. “Illegal drugs remain the top commodity sold on the dark web, but 2023 also saw a surge in prescription drug trafficking and a rise in fraudulent services, including fake hitmen and bogus listings designed to scam buyers.”
