Law Enforcement Disrupts AVCheck Platform Exploited by Cybercriminals for Malware Assessment
An international law enforcement operation has successfully dismantled AVCheck, a service utilized by cybercriminals for testing the detection capabilities of their malware against commercial antivirus solutions prior to its deployment.

The official website for AVCheck, avcheck.net, now displays a seizure notice adorned with the emblems of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch Police, indicating the site’s closure.

As outlined in a statement from the Dutch police, AVCheck was recognized as one of the largest counter antivirus (CAV) services globally, assisting cybercriminals in evaluating the stealth and evasion capabilities of their malware.

Matthijs Jaspers of the Dutch police remarked on the significance of this operation, stating, “Taking the AVCheck service offline represents a crucial advancement in combating organized cybercrime. This action disrupts cybercriminal activities in their early stages and aids in preventing prospective victims.”

Seizure notice on AVCheck.net

Investigators have uncovered connections between AVCheck’s administrators and crypting services such as Cryptor.biz and Crypt.guru. Authorities have seized Cryptor.biz, while Crypt.guru remains offline.

Crypting services serve a vital role for malware authors and operators by allowing them to encrypt or obfuscate their malicious payloads, rendering them less detectable by antivirus software, thus forming part of the same criminal ecosystem.

Cybercriminals typically utilize crypting services to obfuscate their malware, followed by testing it on platforms like AVCheck to ensure its evasion capabilities before deploying it against their targets.

Prior to the shutdown of AVCheck, law enforcement created a counterfeit login page that alerted users to the legal consequences associated with using the service.

The U.S. Department of Justice reported that the takedown of AVCheck and the associated crypting services took place on May 27, 2025, emphasizing the importance of dismantling these platforms.

FBI Special Agent Douglas Williams commented, “Cybercriminals do not merely create malware; they refine it for maximum impact. By leveraging counter antivirus services, malicious actors enhance their capabilities to bypass advanced security systems, evade forensic analysis, and cause chaos within targeted environments.”

The uncovering of AVCheck’s illicit operations and its connections to ransomware attacks against American entities was achieved through undercover agents who posed as clients and engaged in transactions on these platforms.

According to the affidavit supporting these seizures, authorities made undercover purchases from the seized websites and evaluated the services, confirming that they were designed to facilitate cybercrime. Court documents describe a thorough review of linked email addresses and other data, connecting these services to known ransomware groups targeting victims both domestically and internationally, including incidents reported in the Houston area.

This operation is part of Operation Endgame, a comprehensive international law enforcement initiative that has recently led to the seizure of 300 servers and 650 domains linked to ransomware activities. The same operation previously disrupted well-known malware operations such as Danabot and Smokeloader, further illustrating its impact on combating cybercrime.