2024.5.30, Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software. Following the action days, eight fugitives linked to these criminal activities, wanted by Germany, will be added to Europe’s Most Wanted list on 30 May 2024. The individuals are wanted for their involvement in serious cybercrime activities.
Largest ever operation against botnets hits dropper malware ecosystem
International operation shut down droppers including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, leading to four arrests and the takedown of over 100 servers worldwide
This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands, was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine supported the operation with actions such as arrests, interviews of suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level, including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.
The coordinated actions led to:
4 arrests (1 in Armenia and 3 in Ukraine)
16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)
Over 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine
Over 2 000 domains under the control of law enforcement
Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware. The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.
What is a dropper and how does it work?
Malware droppers are a type of malicious software designed to install other malware onto a target system. They are used during the first stage of a malware attack, during which they allow criminals to bypass security measures and deploy additional harmful programs, such as viruses, ransomware or spyware. Droppers themselves do not usually cause direct damage, but they are crucial for gaining access to the affected systems and deploying harmful software on them.
SystemBC facilitated anonymous communication between an infected system and its command-and-control servers. Bumblebee, distributed mainly via phishing campaigns or compromised websites, was designed to enable the delivery and execution of further payloads on compromised systems. SmokeLoader was primarily used as a downloader to install additional malicious software onto the systems it infects. IcedID (also known as BokBot), initially categorised as a banking trojan, had been further developed to serve other cybercrimes in addition to the theft of financial data. Pikabot is a trojan used to gain initial access to infected computers, which enables ransomware deployment, remote takeover of the computer and data theft. All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain.
Droppers’ operation phases
Infiltration: Droppers can enter systems through various channels, such as email attachments or compromised websites; they can also be bundled with legitimate software.
Execution: Once executed, the dropper installs the additional malware onto the victim’s computer. This installation often occurs without the user’s knowledge or consent.
Evasion: Droppers are designed to avoid detection by security software. They may use methods like obfuscating their code, running in memory without saving to disk, or impersonating legitimate software processes.
Payload Delivery: After deploying the additional malware, the dropper may either remain inactive or remove itself to evade detection, leaving the payload to carry out the intended malicious activities.
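The four phases above map quite directly onto process-creation telemetry, which is how defenders usually catch a dropper in practice. The following is an added example, not code from Europol or from any of the partners named on this page: a small Python detector that scores constructed Sysmon-style process-creation events for the behaviours listed (a document handler spawning a script host, execution from a user-writable path, encoded or in-memory PowerShell, a system binary name running outside C:\Windows, and a cmd.exe self-delete after hand-off). The event fields, indicator names, path lists and the sample process chain are all assumptions made for the example.

```python
"""Flag dropper-like process chains in constructed Sysmon-style process-creation events.

Added example; the field names (parent_image, image, cmdline), the indicator names
and the sample events below are assumptions, not data from the Operation Endgame reporting.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parent processes that typically open the phishing attachment (infiltration stage)
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Script hosts and living-off-the-land binaries droppers use to stage the payload
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can write to: the usual drop location for a payload
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Names that belong under C:\Windows; the same name elsewhere is process masquerading
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
INMEMORY_PS = ("downloadstring", "frombase64string", "reflection.assembly", "invoke-expression", " iex ")


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> List[str]:
    """Return the dropper indicators one process-creation event exhibits (empty list if none)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    image, cl = ev.image.lower(), ev.cmdline.lower()
    findings: List[str] = []
    # Infiltration -> execution: a document handler spawning a script host
    if parent in DOCUMENT_HANDLERS and child in SCRIPT_HOSTS:
        findings.append(f"document-handler-spawned-script-host:{parent}->{child}")
    # Execution: binary launched from a user-writable path
    if any(p in image for p in USER_WRITABLE):
        findings.append("image-in-user-writable-path")
    # Evasion: obfuscated (base64-encoded) PowerShell command line
    if child == "powershell.exe" and ENCODED_PS.search(cl):
        findings.append("powershell-encoded-command")
    # Evasion: payload fetched and loaded in memory rather than written to disk
    if any(marker in cl for marker in INMEMORY_PS):
        findings.append("in-memory-download-or-load")
    # Evasion: a system process name running outside C:\Windows
    if child in SYSTEM_NAMES and "\\windows\\" not in image:
        findings.append("masquerading-system-binary")
    # Payload delivery: the dropper deletes itself after handing off to the payload
    if child == "cmd.exe" and re.search(r"\bdel\b", cl) and any(p in cl for p in USER_WRITABLE):
        findings.append("self-delete-after-run")
    return findings


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every event that shows at least one."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        findings = score_event(ev)
        if findings:
            hits[ev.pid] = findings
    return hits


# Constructed sample chain: macro document -> encoded PowerShell -> payload dropped to %TEMP%
# -> payload masquerading as svchost.exe -> cmd.exe deleting the dropper. pid 700 is benign noise.
SAMPLE_EVENTS = [
    ProcEvent(412, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(520, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\update.exe",
              r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcEvent(533, r"C:\Users\alice\AppData\Local\Temp\update.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\alice\AppData\Local\Temp\update.exe"'),
    ProcEvent(700, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\notes.txt"),
    ProcEvent(801, r"C:\Users\alice\AppData\Local\Temp\update.exe",
              r"C:\Users\alice\AppData\Roaming\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, findings in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

Each indicator on its own is noisy (administrators run encoded PowerShell too); the value is in the chain, so in production you would correlate events by parent/child relationship and time window rather than alert on single hits.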
Endgame doesn’t end here
Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.
Command post at Europol to coordinate the operational actions
Europol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the investigation. To support the coordination of the operation, Europol organised more than 50 coordination calls with all the countries as well as an operational sprint at its headquarters.
Over 20 law enforcement officers from Denmark, France, Germany and the United States supported the coordination of the operational actions from the command post at Europol, alongside hundreds of other officers from the countries involved in the actions. In addition, a virtual command post allowed real-time coordination between the Armenian, French, Portuguese and Ukrainian officers deployed on the spot during the field activities.
The command post at Europol facilitated the exchange of intelligence on seized servers, suspects and the transfer of seized data. Local command posts were also set up in Germany, the Netherlands, Portugal, the United States and Ukraine. Eurojust supported the action by setting up a coordination centre at its headquarters to facilitate the judicial cooperation between all authorities involved. Eurojust also assisted with the execution of European Arrest Warrants and European Investigation Orders.
National authorities at the core of Operation Endgame
EU Member States:
Denmark: Danish Police (Politi)
France: National Gendarmerie (Gendarmerie Nationale) and National Police (Police Nationale); Public Prosecutor Office JUNALCO (National Jurisdiction against Organised Crime) Cybercrime Unit; Paris Judicial Police (Préfecture De Police de Paris)
Germany: Federal Criminal Police Office (Bundeskriminalamt), Prosecutor General’s Office Frankfurt am Main – Cyber Crime Center
Netherlands: National Police (Politie), Public Prosecution Office (Openbaar Ministerie)
Non-EU Member States:
The United Kingdom: National Crime Agency
The United States: Federal Bureau of Investigation, United States Secret Service, The Defense Criminal Investigative Service, United States Department of Justice
Authorities involved in local coordination centres for Operation Endgame:
Portugal: Judicial Police (Polícia Judiciária)
Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора); National Police (Національна поліція України); Security Service (Служба безпеки України)
—
Operation Endgame | Botnets disrupted after international action
Continuing a string of successful botnet takedowns, on Thursday, May 30th 2024, a coalition of international law enforcement agencies announced “Operation Endgame”. This effort targeted multiple botnets such as IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee, as well as some of the operators of these botnets. These botnets played a key part in enabling ransomware, thereby causing damages to society estimated to be over a hundred million euros. This coordinated effort is the largest operation ever against botnets involved with ransomware.
A consistent tactic: stolen credentials
A significant part of operating cybercrime infrastructure like these botnets relies on the use of stolen credentials. Threat actors acquire these credentials by operating remote access tools (RATs) and infostealers; they then use these newly-compromised accounts to further spread malware, or to gain initial access into networks and organizations. These accounts have been shared with Spamhaus, who will help with remediating them.
Operation Endgame: victims’ account remediation
Before getting into the details and the takedown tale, here’s an outline of what assistance we will be providing to support with remediation efforts.
The botnet operators in question relied on compromised accounts to target victims and spread malicious emails. If a recipient interacted with one of these emails, their device was very likely infected and, as a result, probably became part of one of the targeted botnets.
The authorities have provided Spamhaus with data pertaining to these compromised accounts, to assist with the remediation effort.
Over the coming days, Spamhaus will notify email service providers, hosting companies, and other parties responsible for these accounts.
We request that organizations contacted by Spamhaus take action as quickly as possible to secure the accounts in question via a simple password reset, as these accounts are still circulating!
For more information see our Operation Endgame remediation page.
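What acting on such a notification looks like on the receiving side, as an added example that is not Spamhaus's tooling: the notification format (one address per line), the in-memory directory and every address below are assumptions. Addresses for domains we do not operate are routed to the responsible provider; for our own domain the account is flagged for a password reset and, because a reset on its own does not end sessions or invalidate app passwords and refresh tokens the attacker may already hold, those are revoked as well.

```python
"""Act on a compromised-account notification of the kind described above.

Added example; the one-address-per-line format, the in-memory directory and all
addresses are assumptions, not Spamhaus's real feed or any provider's real API.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Deliberately loose: reject obvious junk, do not attempt full RFC 5322 validation
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")


@dataclass
class Account:
    email: str
    sessions: Set[str] = field(default_factory=set)     # live web/IMAP session ids
    api_tokens: Set[str] = field(default_factory=set)   # app passwords, OAuth refresh tokens
    must_reset_password: bool = False


def parse_notification(text: str) -> List[str]:
    """One address per line, '#' starts a comment. Lower-cases, drops junk and duplicates, keeps order."""
    seen: Set[str] = set()
    addresses: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or not EMAIL_RE.match(line):
            continue   # malformed entries are skipped, never "repaired" by guessing
        if line not in seen:
            seen.add(line)
            addresses.append(line)
    return addresses


def route_by_domain(addresses: List[str]) -> Dict[str, List[str]]:
    """Group addresses by mail domain so each responsible provider gets one batch."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in addresses:
        groups[a.rsplit("@", 1)[1]].append(a)
    return dict(groups)


def remediate(addresses: List[str], directory: Dict[str, Account], our_domains: Set[str]) -> Dict[str, List[str]]:
    """For accounts we operate: force a password reset AND revoke what the attacker may already hold.

    A reset alone leaves existing sessions, app passwords and refresh tokens valid,
    so clearing them is part of securing the account, not an optional extra.
    """
    report: Dict[str, List[str]] = {"reset": [], "unknown": [], "not_ours": []}
    for a in addresses:
        if a.rsplit("@", 1)[1] not in our_domains:
            report["not_ours"].append(a)        # another provider's user: forward, do not touch
            continue
        acct = directory.get(a)
        if acct is None:
            report["unknown"].append(a)         # deleted or never existed: nothing to reset
            continue
        acct.must_reset_password = True
        acct.sessions.clear()
        acct.api_tokens.clear()
        report["reset"].append(a)
    return report


# Constructed notification: mixed case, a duplicate, a comment and a malformed entry
NOTIFICATION = """\
# compromised accounts seen in botnet spam runs (constructed sample)
Alice@Example.org
bob@example.org
alice@example.org
not-an-address
carol@mail.example.net
"""

# Constructed directory for the one domain we operate
DIRECTORY = {
    "alice@example.org": Account("alice@example.org", {"sess-1", "sess-2"}, {"imap-app-pw"}),
    "dave@example.org": Account("dave@example.org", {"sess-9"}),
}

if __name__ == "__main__":
    found = parse_notification(NOTIFICATION)
    print("batches:", route_by_domain(found))
    print("result:", remediate(found, DIRECTORY, {"example.org"}))
```

The "unknown" bucket is worth keeping rather than silently dropping: an address that appears in spam runs but not in your directory may be a deleted account that is still accepted by a forwarding rule or alias, which is its own clean-up task.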
The takedown tale
After the previous dismantling of botnets Emotet (2021) and Qakbot (2023), international law enforcement again joined forces in the largest international operation to date, consisting of seven investigations into various suspects and botnets. The criminal organizations behind the botnets had been spreading malware for years via hundreds of millions of phishing emails, thus forming an extensive and complex network to abuse victims’ computer systems. This relates to the IcedID botnets, Smokeloader botnets, SystemBC botnets, Pikabot, Trickbot and the remnants of the Bumblebee botnet. It is estimated that several million infected computers have been identified worldwide in the past year.
Of special note is the connection to ransomware, today’s most harmful and dangerous type of cybercrime. The botnets targeted in Operation Endgame all played a critical part in enabling ransomware to be deployed at organisations and governments worldwide. Beyond that, they also play a key role in supporting various kinds of financial fraud and other types of cybercrime.
Now, with thanks to Operation Endgame, more than 100 computer servers worldwide have been taken offline, and more than 2,000 domain names have been taken over. Of the various botnets, more than ten thousand infected computer systems could be disinfected by uninstalling the malware.
The investigations revealed that one of the main suspects has earned 69 million euros in cryptocurrency from his criminal activities, and this will be seized as soon as possible. The joint actions were carried out by authorities in the Netherlands, Germany, France, Denmark, the United States and the United Kingdom with support from Europol and Eurojust. In addition, with the cooperation of the aforementioned authorities, there have also been police actions in Ukraine, Switzerland, Armenia, Portugal, Romania, Canada, Lithuania and Bulgaria for the arrest or interrogation of suspects, searches, or the seizure and takedown of servers.
In an effort to keep the general public up to date on what’s being done to combat these types of cybercrime, and to also further shine light on some of the threat actors who have not been arrested, the coalition has created a special website for this operation: Operation Endgame.
IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee – what are they?
These are the botnets targeted by Endgame and have been around for some time. They have all prominently featured in our malware statistics and Botnet Threat Updates.
IcedID was first observed in 2017. Initially recognized as banking malware, it also acts as a loader for other malware, including ransomware. With three distinct variants now identified and hundreds of active campaigns over the last few years, it is no surprise that this was a target of Operation Endgame.
Smokeloader is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity, like pay-per-install (PPI) campaigns.
SystemBC, first seen in 2019, turns infected computers into SOCKS5 proxies and can infect Linux and Windows systems alike. It is a versatile bit of kit that can be used differently depending on the threat actor’s goals, be that to forward traffic or to download and execute additional payloads. Over the past 30 days, SystemBC samples observed by our partner abuse.ch have increased by 700% at the time of publishing.
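Because SystemBC’s role is that of a SOCKS5 proxy, SOCKS5 handshakes reaching or leaving hosts that are not sanctioned proxies are worth looking for. The following is an added example, not SystemBC’s own code or its command-and-control protocol: a Python parser for the client side of the RFC 1928 handshake (greeting and request) run over constructed flow records, alerting on handshakes with any server that is not on an allowlist of sanctioned proxies. The flow record format, the addresses and the allowlist are assumptions.

```python
"""Parse SOCKS5 client handshakes (RFC 1928) and flag proxying through endpoints that are not sanctioned.

Added example; the flow records, addresses and sanctioned-proxy list are constructed,
and nothing here reproduces SystemBC's own C2 protocol. It shows what plain SOCKS5
looks like on the wire and how to pick out handshakes with unexpected servers.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

SOCKS_VER = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ADDRESS_TYPES = {0x01: "ipv4", 0x03: "domain", 0x04: "ipv6"}
AUTH_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def parse_greeting(data: bytes) -> Optional[List[str]]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. None if this is not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return [AUTH_METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + nmethods]]


def parse_request(data: bytes) -> Dict[str, object]:
    """Client request: VER | CMD | RSV(0) | ATYP | DST.ADDR | DST.PORT(2 bytes, big-endian).

    Raises ValueError on anything malformed or truncated instead of guessing.
    """
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS or atyp not in ADDRESS_TYPES:
        raise ValueError(f"unknown command {cmd:#x} or address type {atyp:#x}")
    if atyp == 0x03:                      # domain name: one length byte, then the name
        if len(data) < 5:
            raise ValueError("truncated request")
        addr_start, addr_end = 5, 5 + data[4]
    else:                                 # fixed-length binary address
        addr_start, addr_end = 4, 4 + (4 if atyp == 0x01 else 16)
    if len(data) < addr_end + 2:
        raise ValueError("truncated request")
    raw_addr = data[addr_start:addr_end]
    if atyp == 0x01:
        host = str(ipaddress.IPv4Address(raw_addr))
    elif atyp == 0x04:
        host = str(ipaddress.IPv6Address(raw_addr))
    else:
        host = raw_addr.decode("ascii", "replace")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return {"cmd": COMMANDS[cmd], "atyp": ADDRESS_TYPES[atyp], "host": host, "port": port}


def is_socks5_request(data: bytes) -> bool:
    try:
        parse_request(data)
        return True
    except ValueError:
        return False


# A flow record: (client ip, server ip, server port, client messages in order).
# Only the client's side is needed: the greeting first, then the request.
Flow = Tuple[str, str, int, List[bytes]]


def review_flows(flows: List[Flow], sanctioned: Set[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Alert on every SOCKS5 handshake whose server is not a sanctioned proxy."""
    alerts: List[Dict[str, object]] = []
    for client, server, port, messages in flows:
        if not messages or parse_greeting(messages[0]) is None:
            continue                                   # not SOCKS5 (or too short to tell)
        if (server, port) in sanctioned:
            continue                                   # known corporate proxy
        target = None
        if len(messages) > 1:
            try:
                target = parse_request(messages[1])
            except ValueError:
                pass                                   # greeting only, or garbage after it
        alerts.append({"client": client, "proxy": f"{server}:{port}", "target": target})
    return alerts


# Constructed flows using RFC 5737/3849 documentation addresses; 10.0.0.250:1080 is "our" sanctioned proxy.
IPV6_DOC = bytes.fromhex("20010db8000000000000000000000001")                    # 2001:db8::1
FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.9", 1080,
     [b"\x05\x01\x00", b"\x05\x01\x00\x01\xc0\x00\x02\x01\x01\xbb"]),          # CONNECT 192.0.2.1:443
    ("10.0.0.7", "10.0.0.250", 1080,
     [b"\x05\x02\x00\x02", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]),        # CONNECT example.com:443
    ("10.0.0.9", "198.51.100.4", 80,
     [b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"]),                         # plain HTTP, ignored
    ("10.0.0.11", "203.0.113.9", 4443,
     [b"\x05\x01\x00", b"\x05\x03\x00\x04" + IPV6_DOC + b"\x00\x35"]),           # UDP_ASSOCIATE [2001:db8::1]:53
]
SANCTIONED_PROXIES = {("10.0.0.250", 1080)}

if __name__ == "__main__":
    for alert in review_flows(FLOWS, SANCTIONED_PROXIES):
        print(alert)
```

The greeting check is deliberately minimal (a version byte and a method count), so any binary protocol that happens to start with 0x05 can match; treat a greeting without a well-formed request as a weak signal and a parsed CONNECT target as the strong one.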
Pikabot was the spotlight feature in our most recent Botnet Threat Update as a Top 10 malware associated with botnet command and control servers (C&Cs). It comprises a range of components, including a downloader/installer, a loader and a core backdoor, many of which play straight into the hands of operators who establish initial access in order to deploy ransomware later.
Bumblebee was first discovered in September 2021. It is a loader capable of downloading and executing additional payloads, such as Cobalt Strike, Sliver and Meterpreter, and has been acting as the initial access point for ransomware deployments.
The disruption of these malware families and their operators cannot have come soon enough. We are deeply grateful to all those involved, with a special hat-tip to our trusted partner abuse.ch, who also supported these efforts; we look forward to supporting the ongoing remediation efforts.
—
Largest ever operation against botnets hits the malware ecosystem
International operation shut down droppers including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, arrested four people and took down more than 100 servers worldwide
—
Crackdown on malware: Europol arrests 4, cuts off more than 100 servers
(AFP, The Hague, 30th) Europol, the European Union’s law enforcement agency, announced today that authorities have arrested four people and shut down or disrupted more than 100 servers in a cross-border operation against malware.
Europol said this was “the largest ever operation against botnets, which are commonly used to deploy ransomware”; police carried out 16 searches in four countries and arrested four suspects in Armenia and Ukraine.
The operation, codenamed Operation Endgame, was led by France, Germany and the Netherlands.
Besides the four arrested, eight further suspects still at large will be added to Europe’s Most Wanted list.
Europol stated: “The actions focused on arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds, in order to disrupt criminal services. This approach has already had an impact on the global dropper ecosystem.” A dropper is a type of software that installs malware onto a target system.
The servers hit were located in several European countries, the United States and Canada.
2024.5.3, On Monday 29 April the FIOD arrested a 26-year-old man. He is suspected of fraud, embezzlement and money laundering. The investigation concerns a large-scale scam around the purported gambling platform ZKasino. Victims worldwide invested more than 30 million US dollars in cryptocurrency in this gambling platform. To date, that money remains locked in cryptocurrency wallets for which special keys are needed.
ZKasino scam suspect arrested, $12.2M seized by Dutch authorities
Authorities seized $12.2 million worth of digital assets, real estate and luxury cars during the arrest.
Dutch authorities arrested a man suspected of being involved with the scam surrounding the ZKasino online gambling platform.
The Fiscal Information and Investigation Service (FIOD) arrested the 26-year-old on April 29, who is suspected of fraud, embezzlement and money laundering.
The Dutch authorities seized over 11.4 million euros ($12.2 million) worth of crypto, real estate and luxury cars, according to a May 3 report by FIOD.
This marks the first arrest in the ZKasino fraud case, where investors lost at least $33 million of digital assets. The platform initially promised users their investment back within 30 days. However, the smart contract suggests that the platform never intended to return the funds, according to Dutch authorities.
The suspect’s detention was extended by 14 days for investigative purposes.
While the suspect’s identity is yet to be confirmed, some crypto community members on X have been speculating on his identity.
ZKasino: From investment to exit scam
ZKasino first presented itself as an emerging blockchain-based gambling platform, attracting deposits from investors and promising returns within a month. The platform went live on April 20, attracting 10,515 Ether from over 10,000 investors.
Investor concerns intensified on April 20 after an on-chain transaction showed ZKasino moving all 10,515 ETH into the Lido staking protocol.
Users also noticed it had changed the wording on its website, removing a statement that said the ETH “would be returned.”
Adding fuel to the fire, in a March X post, ZKasino claimed to have closed a Series A investment round at a $350 million valuation with backing from crypto exchange MEXC and venture firm Big Brain Holdings, among others.
Big Brain Holdings subsequently clarified that it had not invested in ZKasino, “which appears to be fraudulent,” despite receiving a pro-rata token distribution offer from the platform.
—
More than 11 million euros seized and man arrested in investigation into gambling platform scam
On Monday 29th of April, the FIOD arrested a 26-year-old man who is suspected of fraud, embezzlement and money laundering. The investigation focuses on a large-scale scam surrounding the alleged gambling platform ZKasino. On this gambling platform, more than 30 million US dollars in cryptocurrency has been invested by victims worldwide.
In the investigation, a house was searched and digital data carriers were seized. Over 11.4 million euros worth of various assets, including real estate, a luxury car and various cryptocurrencies, were seized. The suspect was brought before an examining magistrate and his detention was extended by fourteen days for investigative purposes.
The criminal investigation started on the 25th of April, following reports on the platform X (formerly Twitter) and information from intelligence departments of the FIOD. ZKasino presented itself as a gambling platform and blockchain casino. Investors were led to believe that they would get their investments back within 30 days. That did not happen. The way the smart contract was set up technically suggests that this return was never intended. This could indicate a modus operandi called a rug pull (see box text).
During the investigation the FIOD worked closely with staff from the Financial Crime Compliance and Investigations Team of cryptocurrency exchange Binance, which helped secure millions of euros in cryptocurrencies.
The FIOD’s investigation team, together with the Office of the Public Prosecutor, has been conducting digital financial investigations over the past few days. In the process, they managed to get in touch with those involved in this scam. In order to return the millions that were deposited by the victims, it is technically necessary for the people involved in this fraud to cooperate, and this has been explicitly communicated to them. More arrests are not ruled out.
—
More than 11 million seized and arrest in investigation into gambling-platform scam
A house was searched, and physical and digital records as well as digital data carriers were seized. More than 11.4 million euros in various assets were also seized, including real estate, a luxury car and various cryptocurrencies. The suspect was brought before the examining magistrate on 2 May and his detention was extended by fourteen days.
The criminal investigation started on 25 April, following signals on the platform X (formerly Twitter) and information from the FIOD’s intelligence departments. ZKasino presented itself as a gambling platform and blockchain casino. Investors were told they would get their investments back within 30 days. That did not happen. The technical way the smart contract was set up on the blockchain also suggests that this return was never intended. This could point to a modus operandi known as a rug pull (see box text).
The investigation was carried out in close cooperation with staff of the Financial Crime Compliance and Investigations Team of the crypto trading platform Binance, which allowed millions of euros in cryptocurrency to be secured.
Over the past few days the FIOD’s investigation team, together with the Functioneel Parket (Public Prosecution Service), has conducted digital financial investigations. In the process they managed to get in touch with people involved in this scam. Returning the deposited millions to the victims technically requires the cooperation of those involved in the fraud, and this has been communicated to them explicitly. Further arrests are not ruled out.
—
Dutch Fiscal Information and Investigation Service: suspect arrested for involvement in the ZKasino fraud case
The Dutch Fiscal Information and Investigation Service has arrested a 26-year-old suspect allegedly involved in the ZKasino fraud case and seized assets worth 11.4 million euros, including real estate, a luxury car and various cryptocurrencies.
On April 21, the decentralised betting platform ZKasino was accused of a rug pull: the project took in about 33.2 million US dollars worth of Ether through a bridging reward campaign, then deleted its promise to return the ETH once the campaign ended. ZKasino has not said when withdrawals will open and the whereabouts of the funds are unclear. The community suspects fraud and some users have already reported the case to the police.
—
Suspect behind the ZKasino fraud case arrested in the Netherlands, with Binance assisting the investigation
The Dutch financial crime investigation agency FIOD issued a press release stating that it has arrested a man involved in the ZKasino fraud case locally and seized assets worth 11.4 million euros; the case is still under investigation.
Contents
1. The ZKasino fraud case
2. Dutch authorities arrest ZKasino team member
2.1 Suspect arrested in the Netherlands
2.2 Binance assists the investigation
The ZKasino fraud case
The Web3 gambling platform ZKasino originally promised that users who bridged and staked ETH would receive ZKAS tokens as a marketing reward. Unexpectedly, once the reward campaign expired, all ETH staked by users was converted at a discount into ZKAS tokens with a lock-up of more than 15 months, turning users’ staking into a forced IDO.
The ZKasino case involves 35 million US dollars of defrauded assets; absurdly, the team afterwards carried on posting on Twitter as if nothing had happened, ignoring every user request for repayment.
The ZKasino case drew the market’s attention. Vitalik also noticed the incident and remarked that zero-knowledge proofs have become a marketing and fraud gimmick, and that ZKasino did not use the technology at all.
Dutch authorities arrest ZKasino team member
Suspect arrested in the Netherlands
The Dutch financial crime investigation agency FIOD said it arrested the 26-year-old suspect in the gambling-platform fraud case this week; more than 11 million euros of proceeds were seized during the investigation, including real estate, a luxury car and various cryptocurrencies.
ZKasino’s official Twitter account stopped updating on 25 April. For investigative purposes, the Dutch authorities extended the suspect’s detention by fourteen days.
Binance assists the investigation
The investigation began on 25 April; during it, FIOD worked closely with Binance’s financial crime compliance team, which made it possible to trace where the on-chain assets ultimately went.
The case is still under investigation, and the arrest of further suspects is not ruled out, so that users may get justice.