Four people arrested in major international anti-malware operation

The operation, which took place from May 27 to 29, resulted in one arrest in Armenia and three others in Ukraine. Searches were carried out in both countries as well as in the Netherlands and Portugal, Europol said.

The servers were located in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the USA and Ukraine.

In addition to the four arrests, eight fugitive suspects linked to the case will be placed on Europe’s most wanted list.

One of the suspects earned at least 69 million euros ($75 million) in cryptocurrency by renting out criminal infrastructure websites to spread ransomware, Europol said.

“This is the largest operation to date against botnets, which play an important role in the spread of ransomware,” said the agency based in The Hague.

A botnet is a network of computers infected with malware and controlled by hackers.

Authorities targeted malware “droppers” – a type of software used to inject malicious software into a system – called IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.

Trickbot was used to launch ransomware attacks on US hospitals during the Covid pandemic.

The operation has “global implications for the dropper ecosystem,” Europol said.

Droppers allow criminals to bypass security measures and spread viruses, ransomware or spyware, the agency said.

The agency said the operation was still ongoing and more arrests were expected.

“We wanted to carry out this operation before the Olympic Games,” Nicolas Guidoux, head of the French police’s cybercrime unit, told AFP.

He said it was “important to weaken the attacking infrastructure” and “limit their resources” before the global event, as authorities fear the country could become the target of numerous cyberattacks.

Authorities from Denmark, the United Kingdom and the United States also participated in Endgame, with additional support from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine.

The investigation was launched in 2022.

French investigators have identified the administrator of the SystemBC dropper, which Europol said enabled “anonymous communication between an infected system” and “command-and-control servers.”

The administrator of Pikabot – a Trojan horse that enables the deployment of ransomware, remote computer takeover and data theft – was also identified by the French authorities.

The French police were involved in the arrest of the suspect and the house search in Ukraine with the authorization of the local authorities, said Paris prosecutor Laure Beccuau.

bur-jcp/lth/db