Four people arrested in major international anti-malware operation

Authorities arrested four people and destroyed or disrupted more than 100 servers in the “largest operation ever” against botnets that deploy ransomware, Europol announced Thursday.

Called Operation Endgame, the operation was initiated and led by France, Germany and the Netherlands, with one French official saying he wanted to act before this summer's Paris Olympics.

The operation, carried out from May 27 to 29, resulted in one arrest in Armenia and three others in Ukraine, with searches in both countries as well as in the Netherlands and Portugal, Europol said.

The servers were located in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, Great Britain, the United States and Ukraine.

In addition to these four arrests, eight fugitive suspects linked to this case will be added to Europe's most wanted list.

One of the suspects earned at least 69 million euros ($75 million) in cryptocurrency by renting out criminal infrastructure sites to distribute ransomware, Europol said.

“This is the largest operation ever carried out against botnets, which play a major role in the deployment of ransomware,” said the agency based in The Hague.

A botnet is a network of computers infected with malware and controlled by hackers.

Authorities targeted malware “droppers” – a type of software used to insert malware into a system – named IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.

Trickbot was used to launch ransomware attacks against US hospitals during the Covid pandemic.

The operation had “a global impact on the dropper ecosystem,” Europol said.

Droppers allow criminals to bypass security measures and deploy viruses, ransomware or spyware, the agency said.

The agency said the operation was ongoing and further arrests were expected.

“We wanted to do this operation before the Olympic Games,” Nicolas Guidoux, head of the French police cybercrime unit, told AFP.

He said it was “important to weaken attack infrastructure” and “limit their resources” ahead of the global event, as authorities fear it could be the target of many cyberattacks.

Endgame also involved authorities from Denmark, Great Britain and the United States, with additional support from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine.

The investigation was launched in 2022.

French investigators identified the administrator of the SystemBC dropper, which Europol said “facilitated anonymous communication between an infected system” and “command and control servers.”

The administrator of Pikabot, a Trojan horse allowing the deployment of ransomware, remote computer takeover and data theft, was also identified by French authorities.

French police participated in the arrest and search of the suspect in Ukraine, with the authorization of local authorities, said Paris prosecutor Laure Beccuau.

bur-jcp/lth/db
