Following the emergence of new ransomware infrastructure that developed after previous international disruptions, Operation Endgame 2.0 executed a coordinated global strike against cybercriminal networks between May 19-22, 2025. The operation, coordinated through Europol with a command post established in The Hague, built upon Operation Endgame, first launched in May 2024, and particularly targeted services that provide initial or consolidating access for ransomware operations.
Law enforcement agencies across dozens of countries simultaneously dismantled critical infrastructure supporting multiple malware families, including Bumblebee, Latrodectus, QakBot, and DanaBot variants. The operation, which included the specific action “DanaBusted” targeting DanaBot infrastructure, also neutralized TrickBot, HijackLoader, and WARMCOOKIE malware systems that serve as access points for ransomware deployment. Zero-day exploits discovered during the operation highlighted previously unknown vulnerabilities in major systems.
The action resulted in approximately 300 servers taken down worldwide and 650 domains neutralized during the four-day operation. Authorities seized €3.5 million in cryptocurrency during this action week, bringing total cryptocurrency seizures across both Endgame operations to over €21.2 million. These financial disruptions target the economic incentives that drive cybercriminal activities.
Twenty key actors identified as architects of ransomware infrastructure now face international arrest warrants, with 18 suspects placed on the EU’s Most Wanted list by German authorities. These individuals allegedly operated access-as-a-service networks, providing entry points for ransomware gangs targeting hospitals, governments, and corporations globally.
The operation’s strategic focus on disrupting the ransomware supply chain represents a shift toward targeting initial access brokers rather than merely pursuing end-stage ransomware operators. By eliminating these foundational services, law enforcement aims to prevent large-scale attacks before they reach critical infrastructure and vital services. The coordinated effort disrupted a billion-dollar cybercrime ecosystem that had been sustaining ransomware operations worldwide. DanaBot’s modular architecture included components for keystroke monitoring and video recording, demonstrating the sophisticated capabilities that make such malware-as-a-service platforms particularly valuable to threat actors.
A significant data component emerged from the operation, with 15.4 million affected accounts identified from compromised criminal infrastructure. The breach information, reportedly occurring in June 2025, was added to the Have I Been Pwned database on May 23, 2025.
Spamhaus supports ongoing remediation efforts, sharing data from various parts of the criminal infrastructure with security partners to assist in recovery and protection measures.