{
	"id": "82ecd295-3541-41a5-9569-9ccb786c2e98",
	"created_at": "2026-04-06T00:19:53.110021Z",
	"updated_at": "2026-04-10T03:19:59.787106Z",
	"deleted_at": null,
	"sha1_hash": "d89d14b5f9c7aa791fdea94cb3f9b217bc5b4785",
	"title": "Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492204,
	"plain_text": "Operation Endgame follow-up leads to five detentions and\r\ninterrogations as well as server takedowns\r\nBy Europol\r\nPublished: 2025-04-09 · Archived: 2026-04-05 18:56:13 UTC\r\nFollowing the massive botnet takedown codenamed Operation Endgame in May 2024, which shut down the\r\nbiggest malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, law enforcement\r\nagencies across North America and Europe dealt another blow to the malware ecosystem in early 2025. \r\nIn a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor\r\nknown as ‘Superstar’, faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks’.\r\nSuperstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines.\r\nCustomers used the service to deploy malware for their own criminal activities. Investigations revealed that botnet\r\naccess was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment,\r\ncryptomining and more. Law enforcement tracked down the customers as they were registered in a database\r\nseized during Operation Endgame. \r\nWhile the actions in May 2024 targeted high-level actors who facilitated cybercrime, by deploying ransomware,\r\nfor example, this follow-up operation targets a different level. Law enforcement moved – and continues to move –\r\nagainst the criminals who used the services taken down during Operation Endgame, focusing on the demand side\r\nof the criminal ecosystem. 
Customers of crime-as-a-service providers are now learning the painful lesson that their\r\npersonal data was not protected by these individuals who involuntarily painted targets on their backs.\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns\r\nPage 1 of 3\n\nLaw enforcement agencies in all the involved countries have closely followed the leads uncovered during\r\nOperation Endgame, helping them to link online personas and their usernames to real-life individuals. When\r\ncalled in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of\r\ndigital evidence stored on their personal devices. Several suspects resold the services purchased from\r\nSmokeloader at a markup, thus adding an additional layer of interest to the investigation.\r\n…and a dedicated website for those who want to get in touch\r\nSome of the suspects had assumed they were no longer on law enforcement’s radar, only to come to the harsh\r\nrealisation that they were still being targeted. Operation Endgame does not end today. New actions will be\r\nannounced on the website operation-endgame.com. Anyone with information is invited to contact the authorities\r\nthrough this website. In addition, suspects involved in these and other botnets, who have not yet been arrested,\r\nwill be held directly accountable for their actions. \r\nEuropol and the Joint Cybercrime Action Taskforce (J-CAT), hosted by Europol, continue to support the\r\ninvestigation of Operation Endgame. It has facilitated the information exchange between the authorities involved\r\nand provided analytical and forensic support to the investigators. 
To support the coordination of the operation,\r\nEuropol organised coordination calls and operational sprints at its headquarters in The Hague.\r\nParticipating authorities:\r\nCanada: Royal Canadian Mounted Police (RCMP)\r\nCzech Republic: Police of the Czech Republic (Policie České republiky)\r\nDenmark: Danish Police (Dansk Politi)\r\nFrance: National Police (OFAC) (Police Nationale - Office Anti-Cybercriminalité)\r\nGermany: Federal Criminal Police Office (Bundeskriminalamt); Prosecutor General’s Office Frankfurt am\r\nMain – Cyber Crime Center (Generalstaatsanwaltschaft Frankfurt am Main – ZIT)\r\nNetherlands: National Investigations and Special Operations (NIS), Netherlands Police (Politie)\r\nUnited States of America: Federal Bureau of Investigation (FBI); United States Secret Service; United\r\nStates Department of Defense - Defense Criminal Investigative Service (DCIS)\r\nParticipating agencies:\r\nEurojust\r\nOperation Endgame - think about (y)our next move:\r\nEmpact\r\nThe European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats\r\nposed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic\r\nand operational cooperation between national authorities, EU institutions and bodies, and international partners.\r\nEMPACT runs in four-year cycles focusing on common EU crime priorities.\r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns"
	],
	"report_names": [
		"operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d89d14b5f9c7aa791fdea94cb3f9b217bc5b4785.pdf",
		"text": "https://archive.orkl.eu/d89d14b5f9c7aa791fdea94cb3f9b217bc5b4785.txt",
		"img": "https://archive.orkl.eu/d89d14b5f9c7aa791fdea94cb3f9b217bc5b4785.jpg"
	}
}