Global operation delivers one-two punch to cybercrime 'assembly line', seizing servers and credentials

In a coordinated international law enforcement action dubbed 'Operation Endgame', authorities struck a major blow against cybercrime by simultaneously disabling two malware tools. Microsoft leveraged the RICO statute, typically used against organized crime, to argue that the tools shared overlapping infrastructure and were part of a single conspiracy. This legal approach enabled the disruption of more than 200 command-and-control servers and the severance of criminal control over 18,000 infected computers.

Europol, which coordinated the law enforcement component, announced the recovery of 27 million stolen login credentials and the discovery of $47 million worth of 'crypto assets of criminal origin'. Overall, 326 servers and 142 domains were taken down by law enforcement and private sector partners, severely crippling the malware's distribution network. Europol emphasized that such collaboration increases friction for cybercriminals, making attacks harder to launch, spread, or recover from.

Key industry partners in the operation include ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions. In addition to the tool targeted by Microsoft, Operation Endgame also disrupted SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp. SocGholish spreads through compromised websites, tricking visitors into installing trojanized apps disguised as browser extensions or legitimate software.

Europol responded by cleaning infected WordPress sites and urging administrators to change credentials and tighten security. It also notified parties whose data and credentials were exposed. Countries involved in the enforcement actions include Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States.