The Spamhaus Project

Endgame 2.0

Operation Endgame 2.0 is live. On Friday, May 23rd 2025, a coalition of international law enforcement agencies formally announced its next campaign against high-profile botnet infrastructures and their operators. The latest operation is disrupting Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie; these initial access malware families have all played a key part in enabling successful ransomware attacks.

Compromised accounts identified from various parts of the criminal infrastructure are being shared with Spamhaus, which will support remediation.

Data

Access keys will be sent out via email from Spamhaus to ISPs and service providers. Once you are notified by email, you will be able to input your key on this page. This will provide access to the identified breached (email) accounts so that you can notify your customers. Please monitor your email and this page for updates.

What is Operation Endgame?

Operation Endgame is a coordinated international law enforcement action targeting key cybercrime botnets. The program launched in May 2024 with the largest operation ever against botnets involved with ransomware. That operation resulted in detentions and interrogations, as well as server takedowns that disrupted the biggest malware droppers, including IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee.

Operation Endgame 2.0 builds on these successes to target Bumblebee, Latrodectus, Qakbot*, DanaBot, Trickbot*, and WarmCookie. These initial access malware provide tools used by cybercriminals to quietly breach systems before launching ransomware attacks. By disrupting these critical techniques used to gain the first foothold in a network or system, the operation impacts the first link in the cyberattack chain, undermining the broader cybercrime-as-a-service infrastructure.

Operating cybercrime infrastructure, such as these botnets, relies crucially on the use of stolen credentials. Law enforcement is sharing these accounts with Spamhaus, which will help with remediating them.

*While Qakbot and Trickbot were not actively operating, this phase did include indictments against individuals connected to these groups.

How were these accounts involved?

Threat actors obtain credentials by using remote access tools (RATs) and infostealers, leveraging these compromised accounts to spread malware further or gain initial access to targeted networks and organizations. The data that will be provided by Spamhaus reflects accounts identified as part of these breaches.

Since this information is being recovered from multiple components of criminal infrastructure, we will be unable to individually verify every entry. Some accounts may be outdated or already secured. However, given the potential threat, we believe sharing the complete dataset remains valuable - please monitor your email for updates on this data.

What should be done?

Information recovery from multiple components of criminal infrastructure is still ongoing. If you receive an access key from Spamhaus via email, all passwords for the identified breached (email) accounts should be changed as soon as possible. Your company should get in contact with any related customers to support remediation.

What should we as the ISP or service provider tell our customers?

Here is a handy template you will be able to use:

Dear Administrator,

Spamhaus, which is working in conjunction with international law enforcement, 
has notified us regarding mailboxes that are hosted on a server that your user 
controls. These email addresses were identified as having been potentially 
compromised for use by the cybercrime groups targeted by Operation Endgame.

We ask that you immediately reset the passwords of these mailboxes to prevent 
any further abuse. This is the only action required to resolve this issue. The 
list of breached mailboxes identified is as follows:

example@example.com
......

We greatly appreciate any action you take in securing these mailboxes and helping 
to ensure that they are not further abused by miscreants to do any harm to 
other users on the internet.

Regards,
Example Trust and Safety Department

Where can I find publications about Endgame and the takedown?

Official publications: Operation Endgame website

Europol: Operation ENDGAME strikes again: the ransomware kill chain broken at its source

I have a question that is not answered here

You can get in touch with the team via our contact form.