Operation ENDGAME Disrupts Global Ransomware Infrastructure
Operation ENDGAME, a coordinated effort by Europol and Eurojust, has dealt a significant blow to the global ransomware infrastructure. The operation, which took place from May 19 to 22, 2025, saw law enforcement take down over 300 servers, 650 domains, and seize €21.2M in cryptocurrency.
The impact of Operation ENDGAME was felt across the globe, with investigators from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States working together to dismantle the ransomware infrastructure. A Command Post was set up at Europol headquarters in The Hague, providing a central hub for the investigation.
"A Command Post was set up at Europol headquarters in The Hague during the action week, with investigators from Canada, Denmark, France, Germany, the Netherlands, the United Kingdom and the United States working with Europol’s European Cybercrime Centre and its Joint Cybercrime Action Taskforce," reads the press release published by Europol.
The coordination between Eurojust and law enforcement authorities proved crucial in making judicial cooperation effective. Eurojust provided essential support since the beginning of the investigation in 2024, ensuring that information was exchanged and investigative efforts were aligned.
As part of Operation ENDGAME, €3.5M in cryptocurrency was seized, bringing the total to over €21.2M. This follows the botnet crackdown in 2024, which targeted evolving malware threats and cybercriminal groups.
The operation targeted initial access malware used by threat actors to infiltrate systems prior to ransomware deployment. Neutralized strains included Bumblebee, Lactrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie, all commonly used in ransomware-as-a-service schemes.
Authorities also issued 20 international arrest warrants for key operators, with several suspects now under international and public alerts. Germany will list 18 of them on the EU Most Wanted list from May 23. They allegedly provided or operated tools used in major ransomware attacks.
"This new phase demonstrates law enforcement’s ability to adapt and strike again, even as cybercriminals retool and reorganise. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source," said Catherine De Bolle, Europol Executive Director.
This operation marks a significant victory in the fight against ransomware, demonstrating law enforcement's ability to disrupt and dismantle complex cybercrime networks.