@cyberinsider.com
//
Law enforcement agencies across North America and Europe have taken action against users of the Smokeloader botnet in a follow-up to Operation Endgame, a major takedown that occurred in May 2024. This new phase targets the demand side of the cybercrime economy, focusing on individuals who purchased access to compromised computers through Smokeloader’s pay-per-install service, which was operated by the cybercriminal known as "Superstar". Authorities have arrested at least five individuals, conducted house searches, and interrogated suspects linked to the use of the Smokeloader botnet. In addition to arrests, servers used by the Smokeloader botnet's customers have also been seized.
Evidence used to identify and apprehend the Smokeloader users came from backend databases obtained during the initial Operation Endgame takedown. These databases contained information about who had purchased access to the infected machines, allowing investigators to match usernames and payment information to real-world identities. The customers of the Smokeloader botnet were using the access to deploy various types of malware, including ransomware, spyware, and cryptominers for their own illicit activities. Some suspects were found to be reselling the Smokeloader access for profit, adding another layer to the investigation.
The investigation remains open, and authorities are continuing to work through leads, with more actions expected. Europol has launched a dedicated website, operation-endgame.com, to collect tips and provide updates on the operation. Law enforcement agencies are sending a clear message that they are committed to disrupting the cybercrime ecosystem by targeting not only the operators of malicious services but also the individuals who use and fund them. Officials said that the malware's customers faced consequences ranging from "knock and talks" and full house searches to arrests.
References :
- bsky.app: In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet's customers and detained at least five individuals.
- cyberinsider.com: Nearly a year after the landmark Operation Endgame dismantled the infrastructure behind several major malware droppers, law enforcement agencies have launched a follow-up offensive targeting the demand side of the cybercrime economy. Authorities across Europe and North America arrested five individuals, conducted house searches, and interrogated suspects linked to the use of the SmokeLoader …
- Metacurity: ICYMI, Operation Endgame bust a boatload of customers of the Smokeloader pay-per-install botnet, operated by the actor known as "Superstar" as outlined in the joint operation's season two premiere video episode.
- BleepingComputer: Police detains Smokeloader malware customers, seizes servers
- CyberInsider: ‘Operation Endgame’ Leads to Five Arrests in SmokeLoader Botnet Crackdown
- DataBreaches.Net: Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns
- hackread.com: Smokeloader Users Identified and Arrested in Operation Endgame
- www.scworld.com: Operation Endgame follow-up cracks down on Smokeloader botnet
- The Register - Security: Officials teased more details to come later this year. Following the 2024 takedown of several major malware operations under Operation Endgame, law enforcement has continued its crackdown into 2025, detaining five individuals linked to the Smokeloader botnet.…
- www.itpro.com: Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting
- The Hacker News: Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence
Classification:
@cyberinsider.com
//
Dutch Police have dismantled the ZServers/XHost bulletproof hosting operation, seizing 127 servers. The takedown follows a year-long investigation into the network, which has been used by cybercriminals to facilitate illegal activities. This includes the spread of malware, botnets, and various cyberattacks.
Earlier this week, authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. ZServers was accused of facilitating LockBit ransomware attacks and supporting the cybercriminals' efforts to launder illegally obtained money, according to The Record. The Cybercrime Team Amsterdam will conduct an additional probe of the servers, as the company advertised that customers could carry out criminal acts from its servers while remaining anonymous to law enforcement.
References :
- cyberinsider.com: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- gbhackers.com: Dutch Authorities Dismantle Network of 127 Command-and-Control Servers
- www.bleepingcomputer.com: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- www.scworld.com: Zservers/XHost servers dismantled by Dutch police
- Metacurity: Dutch cops dismantle ZServers bulletproof hosting operation
- BleepingComputer: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- CyberInsider: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- DataBreaches.Net: Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster
- www.politie.nl: Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald - "an investigation of over a year, dismantled a bulletproof hoster on the Paul van Vlissingenstraat in Amsterdam. During the raid on February 12, 127 servers were taken offline and seized."
- Cybernews: After a year-long investigation, Amsterdam's Cybercrime Team shut down a bulletproof hosting provider, seizing 127 servers.
- securityaffairs.com: Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers
Classification:
@techcrunch.com
//
A global police operation involving agencies from Europe, Japan, the U.S., and the U.K. has successfully seized the dark web leak site of the 8Base ransomware gang. The takedown message displayed on the site was confirmed as legitimate by Lucy Sneddon, a spokesperson for the U.K.’s National Crime Agency. While the U.K. played a supportive role, other involved agencies have not yet commented. Security researchers first noticed the seizure notice earlier this week.
This operation is part of a larger effort targeting ransomware gangs. In a related development, authorities have arrested four suspected Phobos ransomware hackers in Phuket, Thailand. These individuals are accused of conducting cyberattacks on over 1,000 victims worldwide and extorting $16,000,000 worth of Bitcoin. The operation, codenamed "Phobos Aetor," involved raids across multiple locations.
References :
- CyberInsider: Phobos Ransomware Gang Dismantled in International Sting
- BleepingComputer: Police arrests 4 Phobos ransomware suspects, seizes 8Base sites
- BleepingComputer: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- bsky.app: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide.
- Carly Page: Mastodon post confirming the takedown of 8Base's leak site.
- techcrunch.com: TechCrunch reports on the global police operation seizing the 8base ransomware gang leak site.
- www.bleepingcomputer.com: BleepingComputer's report on the takedown of 8Base's dark web sites.
- DataBreaches.Net: Reports on police arresting 4 Phobos ransomware suspects and seizing 8Base sites.
- Threats | CyberScoop: cyberscoop article on 8base
- cyberscoop.com: Thai authorities detain four Europeans in ransomware crackdown
- Anonymous: A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites.
- The Register - Security: The Register: All your 8Base are belong to us: Ransomware crew busted in global sting
- securityaffairs.com: Report on the 8Base ransomware takedown highlighting the international collaboration.
- The Hacker News: The Hacker News: 8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation
- www.helpnetsecurity.com: The Thai police have arrested four individuals suspected of being the leaders of the 8Base ransomware group and of stealing approximately $16 million from 1,000+ victims they targeted with the Phobos ransomware.
- BleepingComputer: Police arrests 2 Phobos ransomware suspects, seizes 8Base sites
- socradar.io: International Operation Targets 8Base and Phobos Ransomware Gangs. In a coordinated global effort, law enforcement agencies have successfully dismantled the dark web infrastructure of the 8Base ransomware gang and arrested four individuals linked to the Phobos ransomware.
- Help Net Security: 8Base ransomware group leaders arrested, leak site seized
- PCMag UK security: An international operation has dealt a major blow to a cybergang known as 8Base, which used Phobos to infect hundreds of companies and organizations.
- techcrunch.com: Authorities arrest four suspected 8base ransomware operators in global takedown
- www.europol.europa.eu: Report on the global law enforcement operation that led to the arrests.
- Security Boulevard: Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians
- securityboulevard.com: With "Operation Phobos Aetor," international law enforcement, including the US DOJ and Europol, arrested four Russian nationals and seized infrastructure connected to the 8Base ransomware group, the largest affiliate of the prolific Phobos RaaS operation.
- securityaffairs.com: Global law enforcement operation targeting the 8Base ransomware gang and related criminal activity.
- Carly Page: A global law enforcement operation has led to the arrest of four individuals who authorities accuse of being key figures in the 8base ransomware operation. The four suspects are accused of amassing $16 million through ransomware attacks against more than 1,000 organizations globally.
- www.csoonline.com: Law enforcement agencies from 14 countries collaborated in an investigation against the related Phobos and 8Base ransomware operations, arresting four suspects and seizing 27 servers, including the data leak and ransom negotiation websites.
Classification:
- HashTags: #8Base #Ransomware #LawEnforcement
- Target: 8Base Ransomware Gang
- Attacker: 8Base Ransomware Gang
- Malware: 8Base Ransomware
- Type: Ransomware
- Severity: Major