Europol Disrupts Global Ransomware Networks: Seizure of 300 Servers and €3.5 Million in Assets

As part of the latest phase of Operation Endgame, a coordinated effort by various law enforcement agencies has resulted in the dismantling of approximately 300 servers globally, the neutralization of 650 domains, and the issuance of arrest warrants for 20 significant individuals involved in ransomware activities.

Initiated in May 2024, Operation Endgame continues to focus on disrupting the infrastructure and services that support ransomware operations. The previous iteration of this operation concentrated on dismantling malware families that act as conduits for ransomware deployment.

The most recent operation, conducted from May 19 to May 22, 2025, targeted new variants of malware and successor organizations that emerged following prior takedowns. Key malware families targeted in this action included Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE. Europol reported that during this action week, authorities seized €3.5 million in cryptocurrency, raising the total amount confiscated under Operation Endgame to over €21.2 million.

Europol highlights that these malware variants are marketed as services for other cybercriminals, enabling them to execute extensive ransomware attacks. Furthermore, international warrants have been put into motion against 20 key players believed to facilitate or operate initial access services for ransomware gangs.

Catherine De Bolle, Executive Director of Europol, emphasized the evolving capabilities of law enforcement, stating, “This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganize. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source.”

The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) has initiated criminal proceedings against 37 identified actors. Among those who have appeared on the E.U. Most Wanted list are:

– Roman Mikhailovich Prokop (aka carterj), 36, a member of the QakBot group
– Danil Raisowitsch Khalitov (aka dancho), 37, a member of the QakBot group
– Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, a member of the TrickBot group
– Mikhail Mikhailovich Tsarev (aka mango), 36, a member of the TrickBot group
– Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, a member of the TrickBot group
– Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, a member of the TrickBot group

This announcement coincides with a significant law enforcement operation resulting in 270 arrests of dark web vendors and buyers across ten countries, including the United States, Germany, the United Kingdom, and others. The individuals captured were connected to major dark web marketplaces such as Nemesis, Tor2Door, Bohemia, and Kingdom Markets. Notably, some suspects are accused of conducting thousands of transactions on these illicit platforms while employing encryption tools and cryptocurrencies to obscure their activities.

Operation RapTor, as this initiative is termed, has disrupted networks dealing in drugs, firearms, counterfeit goods, and other illicit commodities, demonstrating a robust response to the criminal activities that thrive in the dark web. Europol has indicated that this operation, along with prior initiatives, reflects the growing challenges faced by traditional marketplaces, prompting a shift towards smaller, individual-operated websites that aim to evade detection.

Seizures during these operations included €184 million in cash and cryptocurrencies, 2 tons of illicit drugs, 180 firearms, and over 12,500 counterfeit products, among other illegal goods. This marks a continuation of efforts following Operation SpecTor, which earlier resulted in significant arrests and seizures in May 2023.

The U.S. Department of Justice recently announced the dismantling of the Incognito Market, which reportedly facilitated over $100 million in illegal narcotics sales. The owner, Rui-Siang Lin, has pled guilty to operating this major online narcotics marketplace.

These enforcement actions are a testament to the commitment of law enforcement worldwide to confront and neutralize the threats posed by cybercriminals and their networks.