reading mode 10 min read
category malware
published June 2025

Operation Endgame: Targeting the Ransomware Kill Chain at Its Source

Ransomware groups do not break into networks themselves. They buy access from specialists who do. Operation Endgame is the largest coordinated law enforcement action ever taken against the infrastructure layer that makes that market possible — the dropper and loader ecosystem that silently compromises machines before ransomware ever arrives. Two phases, a year apart, and counting.

To understand why Operation Endgame matters, you have to understand what droppers are and why they sit at the center of the modern ransomware supply chain. A dropper — also called a loader — is a lightweight piece of malware with one job: land on a machine, establish persistence, and deliver a secondary payload. The dropper itself rarely does anything visible. It does not encrypt files, steal credentials, or trigger a ransom note. It just opens a door and holds it open until whoever paid for access decides what to do next.

That division of labor is the point. Ransomware groups like LockBit, Conti, and their successors do not need to compromise networks themselves. They buy access from initial access brokers who purchase it from dropper operators who maintain botnets of hundreds of thousands of compromised machines. Each layer specializes, charges for its contribution, and keeps its exposure limited. The dropper ecosystem is the first and often the most durable layer of this chain — and it is what Operation Endgame has targeted across two coordinated phases spanning May 2024 to May 2025.

Phase One: May 2024

Between May 27 and 29, 2024, Europol coordinated what it described as the largest operation ever conducted against botnets. Led by France, Germany, and the Netherlands, with involvement from Denmark, the United Kingdom, the United States, and additional support from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine, the operation dismantled infrastructure associated with six major dropper and loader families: IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot.

The numbers: four arrests (one in Armenia, three in Ukraine), 16 location searches across multiple countries, more than 100 servers taken down across 10 countries, and over 2,000 domains brought under law enforcement control. Eight additional suspects — predominantly Russian nationals linked to TrickBot and SmokeLoader operations — were added to Europol's Most Wanted list. Investigators also identified one key suspect who had earned at least €69 million in cryptocurrency by renting out criminal infrastructure for ransomware deployment.

In parallel with the infrastructure takedown, SmokeLoader's command-and-control servers began issuing "uninstall" commands to infected machines — actively cleaning up the botnet's own footprint on compromised systems, a move coordinated with law enforcement remediation efforts. Some 16.5 million email addresses and 13.5 million unique passwords stolen by these malware programs were loaded into Have I Been Pwned to begin notifying affected users.

note

Europol framed Phase One as "Season 1" and explicitly invited criminals to "think about (y)our next move" on seized domain pages — an unusually confrontational psychological dimension designed to erode trust inside criminal networks and signal sustained pursuit rather than a one-time raid.

The Malware Families Targeted in Phase One

IcedID (Bokbot) originated in 2017 as a banking trojan before evolving into a full-featured loader for secondary malware, including ransomware. With three distinct variants identified over its lifetime and hundreds of active campaigns, IcedID had become a favored tool for initial access brokers and was associated with former Conti and TrickBot personnel. Ukrainian national Vyacheslav Penchukov — known as "Tank" — pleaded guilty in February 2024 to charges tied to IcedID distribution.

SmokeLoader first appeared in 2011 and had operated continuously for over a decade, ranking among the top three most-used malware install services in 2023. It is a modular backdoor whose primary function is delivering follow-on payloads, widely sold as a pay-per-install service on underground forums.

SystemBC, identified in 2019, turns infected machines into SOCKS5 proxies — routing malicious traffic from other malware through the compromised host to obscure command-and-control communications. Walmart's security team connected SystemBC use to the TrickBot group and the Ryuk ransomware operation. It can infect both Linux and Windows systems.

Bumblebee emerged in late 2021 as a loader capable of deploying Cobalt Strike, Sliver, and Meterpreter, and had been a common initial access point for ransomware deployments. It returned to active campaigning in early 2024 before the takedown disrupted its infrastructure.

Pikabot first appeared in campaign data in March 2023 and was almost exclusively used by TA577, one of the most sophisticated persistent cybercriminal threat actors tracked by Proofpoint. Pikabot became TA577's primary payload after the Qakbot disruption in August 2023 and disappeared from observed email campaigns in March 2024.

TrickBot, a modular banking trojan active since 2016, had been used to steal financial credentials and PII before evolving into a full access and persistence framework. Its operators were believed to include experienced Russian nationals, several of whom were added to Europol's Most Wanted list as part of Endgame.

The Follow-Up: January 2025

In early 2025 — before Phase Two launched — law enforcement conducted a follow-up action aimed at a different tier of the ecosystem. Where Phase One had focused on the dropper operators and high-level developers, this follow-up targeted the customers: the criminals who had purchased access to compromised machines through pay-per-install networks and related services. Five suspects were detained and questioned, and additional servers were taken down. The database seized in May 2024 was proving its value, allowing investigators to link online personas and usernames to real-world identities.

This represented a deliberate strategic shift — moving down the criminal supply chain to apply pressure at the demand side rather than only the supply side. Europol explicitly stated that the operation was "targeting a different level" and would continue to pursue both operators and customers of the disrupted services.

Phase Two: May 2025

Almost exactly one year after the original operation, between May 19 and 22, 2025, Phase Two launched. The scale exceeded Phase One. Approximately 300 servers taken down worldwide. 650 domains neutralized. International arrest warrants issued for 20 key actors. €3.5 million in cryptocurrency seized during the action week, bringing the total seized across all Endgame activity to over €21.2 million. Germany announced 18 suspects would be added to the EU Most Wanted list.

Phase Two targeted the successor infrastructure that had emerged after the 2024 disruptions: Bumblebee (which had reconstituted), Latrodectus, DanaBot, and WarmCookie. It also brought indictments connected to Qakbot and TrickBot, even though neither was still actively operating.

"This new phase demonstrates law enforcement's ability to adapt and strike again, even as cybercriminals retool and reorganise. By disrupting the services criminals rely on to deploy ransomware, we are breaking the kill chain at its source." — Europol Executive Director Catherine De Bolle

The Malware Families Targeted in Phase Two

DanaBot was the centerpiece of Phase Two. First identified in 2018 as a Delphi-based banking trojan, it had evolved into a full Malware-as-a-Service platform with keylogging, screen recording, credential theft, browser injection, and remote access capabilities. Controlled by a Russia-based syndicate, DanaBot infected over 300,000 computers globally and caused an estimated $50 million in damages. It had maintained an average of 150 active command-and-control servers per day, with roughly 1,000 daily victims across more than 40 countries. The US Department of Justice unsealed charges against 16 defendants, naming Aleksandr Stepanov ("JimmBee") and Artem Aleksandrovich Kalinkin ("Onix"), both of Novosibirsk, Russia, as key figures. A vulnerability in DanaBot's own C2 infrastructure, discovered by Zscaler researchers, allowed investigators to gain three years of internal operational visibility that directly enabled the identification of suspects.

Latrodectus is a sophisticated loader first observed in 2023, used by threat actors including TA578 in phishing campaigns. It bears structural similarities to IcedID and can execute commands, steal data, deploy additional malware, and maintain persistence through scheduled tasks with encrypted C2 communications.

WarmCookie is a backdoor distributed via phishing emails using job-related lures, enabling remote access, data theft, and further malware deployment through its botnet C2 infrastructure.

Qakbot's alleged principal developer, Russian national Rustam Rafailevich Gallyamov, was indicted in Phase Two. Gallyamov and associates used Qakbot to deliver ransomware including ProLock, DoppelPaymer, REvil, Conti, Black Basta, and Cactus against companies in the United States and Canada. Qakbot had been temporarily disrupted in Operation Duck Hunt in August 2023 but never fully eliminated.

warning

CrowdStrike noted that DanaBot's disruption carries particular significance beyond the criminal dimension: the operation was also used in DDoS attacks against Ukraine's Ministry of Defense in 2022 and targeted government officials in the Middle East and Eastern Europe, making it a case where Russian eCrime infrastructure overlaps with state-adjacent activity.

The Strategic Logic: Why Target Droppers

Previous high-profile botnet disruptions — Emotet in 2021, Qakbot in 2023 — produced measurable but temporary results. Emotet returned within months. Qakbot's operators regrouped. The cycle of disruption and reconstitution is well-documented. What differentiates Operation Endgame is the explicit, multi-phase, sustained structure — and the stated intent to pursue not just infrastructure but the people running it and buying from it, at every tier of the supply chain.

The focus on droppers and initial access malware reflects a calculated targeting logic. Ransomware deployment is the visible end of a long chain. The earlier in that chain law enforcement can disrupt, the broader the effect: a single dropper operation services many ransomware affiliates simultaneously. Taking down SmokeLoader or DanaBot does not just hurt one ransomware group — it starves access to every group that was using that service as an on-ramp.

The psychological dimension adds a layer that pure infrastructure seizure lacks. Europol has used seized domain pages to mock criminals, published named suspects' photos on Most Wanted lists before arrests, and sent personalized messages to known actors indicating they are under surveillance. The intent is to accelerate the collapse of trust within criminal ecosystems — making affiliates uncertain whether their operators have been compromised, and making operators uncertain whether their affiliates are informants.

critical

The resilience problem is real. Bumblebee was targeted in Phase One and appeared in Phase Two's target list a year later. Several loaders disrupted in 2024 had returned by mid-2025. Shadowserver's CEO noted that some loaders "returned" after the Phase One takedowns. Infrastructure can be rebuilt faster than investigations can proceed. This does not undercut the value of the operations, but it does mean defenders cannot treat takedown announcements as resolved threats.

The Private Sector Role

Operation Endgame required sustained private-sector participation in a way that distinguishes it from earlier botnet operations. Phase One involved Proofpoint providing technical malware analysis and C2 infrastructure pattern identification to law enforcement. Phase Two drew on contributions from Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and Zscaler, among others. Spamhaus coordinated victim notification and credential remediation in both phases, using law enforcement-shared data to alert administrators whose systems had been compromised.

Zscaler's three years of internal DanaBot visibility — obtained through a vulnerability in DanaBot's own C2 servers — directly enabled suspect identification. Team Cymru's infrastructure mapping contributed to understanding how DanaBot's C2 tier structure operated. ESET provided technical analysis of malware and backend infrastructure. This is not peripheral support — it is the kind of long-term intelligence accumulation that makes named indictments possible rather than anonymous infrastructure takedowns that leave operators free to rebuild.

Key Takeaways

  1. Droppers are the ransomware supply chain's critical first link: Disrupting a widely-used loader does not just hurt one ransomware group. It removes access infrastructure that serves the entire ecosystem. This is why targeting this layer at scale matters more than it might appear from a single malware takedown announcement.
  2. Takedowns are a beginning, not an end: Emotet came back. Qakbot came back. Bumblebee appeared in both Phase One and Phase Two target lists. Operations of this kind create operational disruption and investigative leverage — they do not permanently retire the people behind them.
  3. The demand side is now a target: The January 2025 follow-up explicitly pursued customers of disrupted services. This is a meaningful escalation. If purchasing access to compromised infrastructure carries the same investigative risk as operating it, the economics of the criminal market change.
  4. Intelligence accumulation takes years: The DanaBot indictments were made possible by three years of C2 visibility. The Phase One seized database enabled Phase Two identity linkage. Operations of this sophistication require sustained, multi-year intelligence work — not just technical takedown execution.
  5. For defenders, the risk is gap management: During the window between a major dropper takedown and successor infrastructure coming online, attack volume in those channels dips. That window is real but short. Threat actors retool faster than defenders typically adjust their detection logic. The time to harden detection for successor loaders is during the disruption, not after the next campaign appears.

Operation Endgame is ongoing. Europol has described it as a long-term operation with additional phases in development. The dedicated operation website continues to update with new actions. The Europol Internet Organised Crime Threat Assessment released in June 2025 placed initial access brokers at the center of the threat landscape — signaling continued law enforcement focus on this tier for the foreseeable future.

— end of briefing