Dutch Police Lead Shutdown of Counter AV Service AVCheck

European and American law enforcement agencies have successfully dismantled one of the most significant Counter Antivirus (CAV) services in operation, known as AVCheck. This service permitted malware developers to verify the evasion capabilities of their creations against commercial antivirus solutions, thereby allowing them to refine their methods for creating undetectable and more effective malware.

The operation was disclosed on June 2, 2025, by the Dutch National Police, in collaboration with law enforcement from the United States and Finland. This strategic takedown effectively interrupts a crucial segment of the cybercriminal ecosystem.

Matthijs Jaspers, team leader at the Dutch National High Tech Crime Unit, labeled this operation as a critical development in the ongoing combat against cybercrime. He stated, “This will disrupt cybercriminals as early as possible in their operations and prevent potential victims. Over the past few years, our investigation has also gathered vital evidence regarding the individuals who manage and utilize the AVCheck service, alongside its related platforms, Cryptor.biz and Crypt.guru.”

The operation included a seizure notice—written in both English and Russian—which indicated that the success of the takedown was facilitated by exploiting the vulnerabilities of the service administrators. The notice emphasized that the service operators had failed to provide the security measures they had promised. Consequently, law enforcement agencies took the AVCheck servers offline and confiscated the user database, which included sensitive information such as usernames, email addresses, and payment details.

Investigators will meticulously analyze this intelligence to identify and apprehend users associated with this popular CAV service.

The takedown, executed on May 27, 2025, is closely linked to the broader initiative named Operation Endgame. Launched in May 2024, this operation aimed to disrupt the networks contributing to initial access malware, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

“Tracking cybercriminals is inherently challenging,” Jaspers remarked. “Thus, investing in a comprehensive approach remains essential to stay ahead of their actions. National and international cooperation, along with public-private partnerships, is increasingly vital for addressing victimization, halting criminal activities, and preventing the proliferation of online crime. Our focus extends beyond traditional detection and prosecution methods; we are actively pursuing other initiatives to enhance digital security.”

Echoing this sentiment, a representative from the U.S. Department of Justice commented that the evolving nature of modern criminal threats necessitates innovative law enforcement strategies. U.S. Attorney Nicholas Ganjei noted, “As cybercriminals have advanced their tactics, our law enforcement measures must evolve to not only target individual fraudsters or hackers but also the facilitators of these criminal enterprises. This investigation accomplished precisely that. With the closure of this syndicate, we have removed one more provider of malicious tools that cybercriminals rely on.”