Police Crack Down on Counter-Antivirus Services Used by Cybercrime Syndicates
In a significant operation led by the U.S. Department of Justice, law enforcement agencies around the world have taken down several popular counter-antivirus (CAV) services used by cybercrime syndicates to test their malware evasion capabilities.
Operation Endgame: A Global Effort to Combat Cybercrime
On May 27, 2025, authorities seized four domains, including AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru, as part of Operation Endgame. This global operation was led by the U.S. Department of Justice, with participation from Dutch, Finnish, French, German, Danish, Ukrainian, and Portuguese law enforcement agencies.
What Are Counter-Antivirus (CAV) Services?
According to the DoJ, CAV services are used by cybercriminals to test their malware against antivirus programs. These services allow criminals to obfuscate their malware, making it undetectable and enabling unauthorized access to computer systems.
How Do CAV Services Work?
CAV services like AvCheck let cybercriminals test their malware against antivirus programs to see if it will go undetected. This helps them launch stealthy attacks and gain access to victims' systems without being noticed, making these services a key tool in the cybercrime ecosystem.
Seized Domains and Evidence
Undercover agents purchased and tested the services provided by the seized websites, confirming they were built for cybercrime. The seized domains included:
* AvCheck[.]net
* Cryptor[.]biz
* Crypt[.]guru
Evidence, including email links, was used to tie these services to known ransomware groups behind attacks in the U.S. and abroad, some even targeting the Houston area.
Impact of the Operation
The dismantling of AvCheck and other CAV services marks a significant blow to cybercrime syndicates. FBI Houston Special Agent in Charge Douglas Williams stated, "Cybercriminals don't just create malware; they perfect it for maximum destruction." By leveraging counter-antivirus services, malicious actors refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems.
Dutch police, in coordination with U.S. and Finnish authorities, also published an announcement revealing they had dismantled AvCheck, a major service used by malware developers. Matthijs Jaspers, Team Lead of the High Tech Crime Team, stated, "Taking AVCheck offline is an important step in the fight against organised cybercrime because it disrupts the activities of cybercriminals in the earliest stages and prevents victims."
The takedown of AvCheck and other CAV services highlights the importance of international cooperation in combating cybercrime. By disrupting these malicious services, law enforcement agencies can prevent cybercrime syndicates from carrying out their nefarious plans and protect millions of people around the world from harm.