Article Details
Scrape Timestamp (UTC): 2025-04-10 08:40:38.238
Source: https://www.theregister.com/2025/04/10/europol_malware_loader_arrests/
Original Article Text
Europol: Five pay-per-infect suspects cuffed, some spill secrets to cops. Officials teased more details to come later this year.

Following the 2024 takedown of several major malware operations under Operation Endgame, law enforcement has continued its crackdown into 2025, detaining five individuals linked to the Smokeloader botnet.

In the first update for Operation Endgame since September, international police coordinated by Europol said today that "several" suspects detained opted to cooperate during questioning. According to the agency, this cooperation involved allowing investigators to examine digital evidence stored on their personal devices. There was no mention of suspects providing information about other individuals involved. The Register asked Europol for more details about the criminals who were arrested.

In the months since the big Operation Endgame busts of May 2024, police said they were able to link various suspects' handles to their real identities following the seizure of a database. That database contained the details of customers of Smokeloader, a backdoor-cum-malware dropper operated by the individual known as Superstar, who charged users for access based on the number of installs on victim machines. Investigators were aware that Smokeloader was used by customers for various follow-on crimes, such as keylogging, webcam access, ransomware deployment, cryptomining and more.

Officials said today that the malware's customers faced various consequences ranging from "knock and talks" and full house searches all the way to arrests. In addition to aiding police officers with their digital forensics work, Europol said several cooperators also revealed that they would buy access to Smokeloader from Superstar and resell it at a markup, adding what it called "an additional layer of interest to the investigation."
"Some of the suspects had assumed they were no longer on law enforcement's radar, only to come to the harsh realization that they were still being targeted. Operation Endgame does not end today."

In its usual style, Operation Endgame once again shared an animated video version of its update today, which teased additional details not included in the official announcement. Looking through the short clip, images suggest investigators had remote access to Superstar's environment and saw the full customer list, quipping that storing them in a spreadsheet "isn't very GDPR compliant." The customer list includes Telegram IDs, dates of Smokeloader purchases, the number of installs each customer secured, and the areas in which their bots operated. The video hinted at three individuals being arrested in that phase and that a second database is being investigated.

Global law enforcement's follow-on efforts involved targeting the customers of the malware products, demonstrating its intent to prosecute those on the demand side, not just the biggest fish in the sea.

Operation Endgame saw global law enforcement disrupt the IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee malware operations, all of which in their pomp were among the most prolific malware strains of the past few years. The operation was one of three major internationally coordinated actions against cybercrime that took place across the year. Operation Cronos saw the disruption of ransomware giant LockBit in February, while Operation Magnus came later in October, bringing down the Redline and Meta infostealers.

Operation Endgame hinted at more updates to come later this year, potentially related to that second database, and is still seeking those with relevant intel to hand it over.
Daily Brief Summary
Europol has detained five individuals connected to the Smokeloader botnet as part of Operation Endgame, which began in 2024.
During questioning, several suspects cooperated with law enforcement by allowing access to their personal digital devices for evidence review.
Law enforcement linked online aliases to real identities using a seized database detailing Smokeloader customers and their purchases.
Smokeloader was used for various illegal activities including keylogging, ransomware deployment, and cryptomining.
Consequences for Smokeloader customers ranged from "knock and talks" and house searches to arrests; several cooperating suspects admitted buying access from Superstar and reselling it at a markup.
Operation Endgame continues, with more details expected to be released later this year, including investigations into a second database.
Europol’s animated update hinted at remote access to the key operator’s environment and insights into his customer list practices.
This crackdown is part of a broader strategy against cybercrime, with similar operations targeting other major malware and ransomware operations throughout the year.