Operation Endgame Continues with Smokeloader Customer Arrests
Law enforcers in Europe and North America have made more arrests in an ongoing operation designed to disrupt a thriving underground trade in malware.
Operation Endgame was launched in May 2024, with a mission to disrupt the cyber-attack supply chain by taking out developers and infrastructure associated with several popular malware families. These included IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.
Now Europol has announced follow-on arrests of customers associated with pay-per-install botnet Smokeloader. Their names and contact details were found in a database kept by its operator, a threat actor known as “Superstar.”
Europol claimed customers of the bot malware used it to access victims’ machines for keylogging, webcam access, ransomware deployment, cryptomining and other purposes.
The policing network said participating authorities had linked online personas and usernames in the database to real-life individuals, who were subsequently subject to house searches, “knock and talks” and arrest warrants. Some chose to cooperate with police by allowing forensic examination of their devices.
It also emerged that several of these customers had resold Smokeloader at a markup, adding more potential suspects for police to investigate.
Law enforcers from the US, Canada, Denmark, France, Germany, the Netherlands and the Czech Republic took part in the latest iteration of Operation Endgame, alongside Eurojust.
Europol also cited further server takedowns, although it provided no additional detail on them.
On revealing the operation last year, Europol claimed it was the largest ever against botnet malware operations.
Coordinated action led to four arrests, the disruption or takedown of over 100 servers, and police taking control of more than 2000 domains.
One suspect was said to have made tens of millions of euros from renting out criminal infrastructure for ransomware deployment.
Europol’s purpose in publicizing the latest round of arrests is to send a message to the cybercrime community: buying malware is no guarantee of anonymity, and threat actors’ identities can be unmasked.