The Spamhaus Project

Endgame 2.0

Operation Endgame 2.0 is live. On Friday, May 23rd 2025, a coalition of international law enforcement agencies formally announced the next phase of its campaign against high-profile botnet infrastructures and their operators. The latest operation is disrupting Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie; these initial-access malware families have all played a key part in enabling successful ransomware attacks.

Compromised accounts identified in various parts of the criminal infrastructure have been shared with Spamhaus, which will support remediation.

Data

Use the access key that Spamhaus sent you by email to access the list of affected email accounts below.
CSV | JSON

What is Operation Endgame?

Operation Endgame is a coordinated international law enforcement action targeting key cybercrime botnets. The program launched in May 2024 with the largest operation ever conducted against botnets involved in ransomware. That operation resulted in detentions and interrogations, as well as server takedowns that disrupted the biggest malware droppers, including IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee.

Operation Endgame 2.0 builds on these successes to target Bumblebee, Latrodectus, Qakbot*, DanaBot, Trickbot*, and WarmCookie. These initial-access malware families provide the tooling cybercriminals use to quietly breach systems before launching ransomware attacks. By disrupting the techniques used to gain the first foothold in a network or system, the operation hits the first link in the cyberattack chain and undermines the broader cybercrime-as-a-service infrastructure.

Operating cybercrime infrastructure such as these botnets relies heavily on stolen credentials. Law enforcement has shared the affected accounts with Spamhaus, which will help with remediating them.

*While Qakbot and Trickbot were not actively operating, this phase did include indictments against individuals connected to these groups.

How were these accounts involved?

Threat actors obtain credentials using remote access tools (RATs) and infostealers, then leverage the compromised accounts to spread malware further or to gain initial access to targeted networks and organisations. The data provided by Spamhaus reflects accounts identified as part of these breaches.

Since this information has been recovered from multiple components of criminal infrastructure, we are unable to individually verify every entry. Some accounts may be outdated or already secured. However, given the potential threat, we believe sharing the complete dataset remains valuable.

Please note that the data we share covers roughly the last 5 months (from January 1st 2025 until May 13th 2025); the current situation may be different.

What should be done?

If you receive an access key from Spamhaus via email, all passwords for the identified breached (email) accounts should be changed as soon as possible. Your company should get in contact with any related customers to support remediation.

What should we as the ISP or service provider tell our customers?

Here is a template you can use:

Dear Administrator,

Spamhaus, working in conjunction with international law enforcement, has
notified us regarding mailboxes that are hosted on a server that your user
controls. These email addresses were identified as having been potentially
compromised for use by the cybercrime groups targeted by Operation Endgame.

We ask that you immediately reset the passwords of these mailboxes to prevent
any further abuse. This is the only action required to resolve this issue. The
list of breached mailboxes identified is as follows:

example@example.com
......

We greatly appreciate any action you take in securing these mailboxes and helping
to ensure that they are not further abused by miscreants to do any harm to
other users on the internet.

Regards,
Example Trust and Safety Department

What do the various fields in the data mean?

Both the JSON and the CSV formats contain the same fields. Here is a CSV example:

username,endpoint,timestamp

appleseed@example.com,https://example.com/login,2025-02-03T01:02:03

Username: Account username

Endpoint: URL of the service that the credentials give access to.

Timestamp: Date and time at which the account information was stolen.

A note on timing: this information is reproduced as-is from the malware infrastructure. We recommend a password reset if one has not been done recently, since the dataset was in active use until very recently and may also have been shared with other bad actors.
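As an added illustration that is not part of the Spamhaus page or its tooling, the following Python script shows how a provider might process a feed in the documented CSV layout and turn it into the per-domain notices described in the template above: it rejects malformed rows, collapses duplicate entries for the same mailbox, groups mailboxes by domain, and fills a condensed version of the notification template for each domain. The sample rows and domains are constructed for the example; the collection-window dates are the ones the page states, and rows outside that window are flagged rather than dropped.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample rows in the page's CSV layout (not real feed data).
SAMPLE_CSV = """username,endpoint,timestamp
appleseed@example.com,https://example.com/login,2025-02-03T01:02:03
bob@mail.example.net,https://webmail.example.net/,2025-04-10T12:00:00
Appleseed@example.com,https://example.com/login,2025-05-01T08:30:00
not-an-address,https://example.com/login,2025-03-01T00:00:00
carol@example.org,https://example.org/owa,2024-12-31T23:59:59
dave@example.org,ftp://example.org/,2025-03-01T00:00:00
"""

# Collection window stated on the page; rows outside it are kept but flagged.
WINDOW_START = datetime(2025, 1, 1)
WINDOW_END = datetime(2025, 5, 13, 23, 59, 59)

# Condensed form of the page's notification template (assumed wording).
NOTICE_TEMPLATE = """Dear Administrator,

Spamhaus, working in conjunction with international law enforcement, has notified
us of mailboxes under {domain} that were identified as potentially compromised
by the cybercrime groups targeted by Operation Endgame.

We ask that you immediately reset the passwords of these mailboxes. The list of
breached mailboxes identified is as follows:

{mailboxes}

Regards,
Example Trust and Safety Department
"""


def parse_rows(text):
    """Parse CSV text into (valid_rows, rejected_rows), validating every field."""
    valid, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        username = (row.get("username") or "").strip()
        endpoint = (row.get("endpoint") or "").strip()
        stamp = (row.get("timestamp") or "").strip()
        problems = []
        if "@" not in username or username.startswith("@") or username.endswith("@"):
            problems.append("username is not an email address")
        url = urlparse(endpoint)
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append("endpoint is not an http(s) URL")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            when = None
            problems.append("timestamp is not ISO 8601")
        if problems:
            rejected.append({**row, "problems": problems})
            continue
        valid.append({
            "username": username.lower(),  # mailbox names are compared case-insensitively
            "endpoint": endpoint,
            "timestamp": when,
            "outside_window": not (WINDOW_START <= when <= WINDOW_END),
        })
    return valid, rejected


def group_by_domain(rows):
    """Collapse rows to one entry per mailbox, then key the entries by mail domain."""
    by_mailbox = {}
    for r in rows:
        cur = by_mailbox.setdefault(r["username"], {
            "username": r["username"], "endpoints": set(),
            "last_seen": r["timestamp"], "outside_window": r["outside_window"],
        })
        cur["endpoints"].add(r["endpoint"])
        cur["last_seen"] = max(cur["last_seen"], r["timestamp"])
        # A mailbox is only "outside the window" if every sighting of it is.
        cur["outside_window"] = cur["outside_window"] and r["outside_window"]
    grouped = defaultdict(list)
    for entry in by_mailbox.values():
        grouped[entry["username"].rsplit("@", 1)[1]].append(entry)
    for entries in grouped.values():
        entries.sort(key=lambda e: e["username"])
    return dict(grouped)


def render_notice(domain, entries):
    """Fill the notice template with one line per affected mailbox."""
    lines = []
    for e in entries:
        line = f'{e["username"]}  (last seen {e["last_seen"].date().isoformat()})'
        if e["outside_window"]:
            line += " [outside stated collection window]"
        lines.append(line)
    return NOTICE_TEMPLATE.format(domain=domain, mailboxes="\n".join(lines))


if __name__ == "__main__":
    good, bad = parse_rows(SAMPLE_CSV)
    for dom, ents in group_by_domain(good).items():
        print(render_notice(dom, ents))
    for r in bad:
        print("rejected:", r["username"], "->", "; ".join(r["problems"]))
```

Rejected rows are reported separately rather than silently dropped, so an operator can see whether a feed was truncated or mangled in transit; duplicate sightings of one mailbox keep the most recent timestamp, which is the value that matters when deciding how urgently to chase a reset.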

Where can I find publications about Endgame and the takedown?

Official publications: Operation Endgame website

Europol: Operation ENDGAME strikes again: the ransomware kill chain broken at its source

You contacted us at the incorrect/outdated address; can this be updated?

Yes! Please tell us what addresses we should use instead by emailing:

remediation-team@spamhaus.org.

I have a question that is not answered here

You can get in touch with the team via our contact form.