BKA: International cybercrime fight reaches new heights

May 23, 2025

20 more arrest warrants issued as part of Operation Endgame 2.0

In another significant step towards combating internationally organised cybercrime, the Federal Criminal Police Office (BKA) and the Central Office for Combating Internet Crime (ZIT) of the Frankfurt am Main Public Prosecutor’s Office, together with international partner authorities, carried out the largest coordinated law enforcement operation against malware infrastructures to date in May 2025. The operation, known as ‘Operation Endgame 2.0’, led to the identification of 37 suspects, against whom 20 international arrest warrants have now been issued.

International cooperation and objectives

The operation was carried out with the participation of law enforcement agencies from the Netherlands, France, Denmark, the United Kingdom, Canada and the United States, coordinated by Europol and Eurojust. The aim is to combat so-called ‘initial access malware’ – types of malware that are typically used as a first point of entry for further cyber attacks, especially by ransomware groups.

The focus is particularly on droppers and loaders such as Bumblebee, Danabot, Hijackloader, Latrodectus, Qakbot, Trickbot and Warmcookie. These enable attackers to penetrate systems and install further malware – often with the aim of encrypting data and extorting money (ransomware).

Technical and financial infrastructure deliberately weakened

As part of the operation, around 300 servers worldwide – 50 of them in Germany – and around 650 domains were deactivated. The perpetrators thus lost crucial parts of their communication and control infrastructure. In addition, cryptocurrencies worth around 3.5 million euros were seized, which also dealt a severe blow to the financial structures of the perpetrator groups.

The measures were the result of months of investigations, in particular on suspicion of gang-related and commercial extortion and membership of criminal organisations. In addition, US authorities have brought charges (indictments) against 17 suspects under US law.

Strategic approach: early disruption of the attack chain

The approach is based on the so-called ‘kill chain’: intervening in the initial phase of an attack is intended to systematically weaken the cybercrime ecosystem. The measures address the technical, human and financial infrastructure. Operation Endgame, initiated in 2022, has developed into a central international instrument of cyber defence.

Public search and communication with perpetrators

A public search is underway for 18 suspected members of the Trickbot and Qakbot groups. Photographs and information are available on the BKA website. In addition, the operation focuses on directly addressing potential perpetrators: video messages entitled ‘Think about (y)our next move’ are published at www.operation-endgame.com to unsettle perpetrators and raise awareness among potential witnesses.

Support for victims and preventive measures

The German Federal Office for Information Security (BSI) is supporting the operation with technical sinkholing and analysis of infected systems. The aim is to inform those affected about ongoing infections and to assist them in cleaning up their systems. The BSI provides information on the malware variants affected and guidance on system cleanup on its website.

In addition, companies that have fallen victim to ransomware as a result of a primary infection with Qakbot are currently being identified. In cooperation with US authorities, seized funds – around 21 million euros – are to be returned to the victims.

Outlook

Operation Endgame 2.0 marks another milestone in the fight against organised cybercrime.

The BKA has announced that it will continue to expand its active cyber security measures. International cooperation is considered an indispensable part of effective law enforcement in an increasingly digitalised and globally networked environment.

Further information on Operation Endgame is available from the Federal Criminal Police Office at www.bka.de/Endgame.
