Authorities Dismantle Smokeloader Malware Operation, Seize Servers

In a follow-up to last year’s massive cybercrime takedown, law enforcement agencies across North America and Europe have struck another blow against the global malware ecosystem.

Nearly a year after the landmark Operation Endgame dismantled major malware dropper infrastructure, authorities have arrested at least five individuals connected to the Smokeloader botnet service.

The second phase of Operation Endgame, announced on April 9, 2025, specifically targeted the “demand side” of the cybercriminal ecosystem – focusing on customers who purchased access to compromised systems through the Smokeloader pay-per-install service operated by a threat actor known as ‘Superstar’.

“In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks’,” Europol stated in their press release.

This strategic pivot represents a significant evolution in law enforcement’s approach to cybercrime. While the May 2024 operation focused on dismantling the infrastructure of significant malware platforms like IcedID, SystemBC, Pikabot, Bumblebee, and Smokeloader, this follow-up operation targets those who purchased and utilized these malicious services.

The investigative breakthrough came from a critical database seized during the initial phase of Operation Endgame in May 2024.

This database contained user records linking online identities to real-world individuals, allowing investigators to track down former Smokeloader clients who had previously flown under the radar.

Smoke Loader, a sophisticated modular loader malware with robust persistence and anti-analysis capabilities, enabled customers to install additional payloads on infected systems quietly.

Investigators discovered these customers deployed the access for various illicit activities, including ransomware attacks, keylogging, cryptojacking, webcam surveillance, and more.

“Several suspects resold the services purchased from Smokeloader at a markup, thus adding a layer of interest to the investigation,” authorities noted.

When questioned, multiple suspects chose to cooperate, providing access to personal devices that yielded further evidence about the distribution and use of purchased malware payloads.

The original Operation Endgame in May 2024 was described as the “largest ever operation against botnets” by Europol.

That coordinated action resulted in four arrests, the takedown of over 100 servers across 10 countries, and more than 2,000 domains brought under law enforcement control.

FBI Director Christopher Wray emphasized the significance of the ongoing operation: “The fight against borderless cybercrime does not end here, and the FBI is committed to tackling this ever-evolving threat.”

Law enforcement has made it clear that Operation Endgame will continue, with a dedicated website (operation-endgame.com) created for suspects seeking information or wishing to cooperate.

The site contains a stern warning: “We have been investigating you and your criminal undertakings for a long time and we will not stop here.”

The operation continues to be coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT), with participation from law enforcement agencies across Canada, the Czech Republic, Denmark, France, Germany, the Netherlands, and the United States.

As this multi-phase operation continues to unfold, the message to cybercriminals is clear: neither infrastructure providers nor their customers are beyond the reach of international law enforcement.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
