In February of this year, the police arrested a man in Beverwijk who is suspected of having purchased malware. He presumably acquired installs for the botnet via Telegram. This gave him access to potentially hundreds of computers infected with Smokeloader malware, as revealed by research from Team High Tech Crime of the National Investigation and Intervention Unit. The suspect made his purchase via Telegram.
His arrest makes it clear that even as a consumer, you cannot go about your business online anonymously. During Operation Endgame in 2024, multiple botnets were dismantled in various countries that played a key role in global cybercrime. In this subsequent Endgame operation, investigations are particularly focused on the users of these botnets, who are also committing offenses.
Painful lesson
Law enforcement agencies will now and in the future take action against criminals who used the services that were taken offline during Operation Endgame, focusing on the demand side of the criminal ecosystem. Customers of crime-as-a-service providers are now learning the painful lesson that these providers did not protect their customers' personal data, making them easily traceable.
Law enforcement agencies in all involved countries have meticulously investigated all leads provided by Operation Endgame. In this way, they have been able to link online identities and usernames to the real identities of users. These users have been summoned for questioning, and several suspects have cooperated with authorities by allowing the digital evidence on their personal devices to be examined. Some suspects have resold the services they obtained from Smokeloader for profit, leading to an additional round of investigation.
New actions
Some of the interrogated suspects thought they had remained off the radar of law enforcement. They came to the painful realization that this was not the case. Operation Endgame is not over yet. New actions will be published on the website operation-endgame.com. Additionally, suspects involved in these and other botnets who have not yet been arrested will be held accountable for their actions. Anyone with information regarding these botnets is urged to contact the authorities via this website.
Europol and the Joint Cybercrime Action Taskforce (J-CAT) managed by Europol continue to provide support for investigations related to Operation Endgame, including facilitating information exchange between the involved authorities and providing analytical and forensic support to investigators. To coordinate this operation, Europol has conducted coordination meetings and operational sprints from its headquarters in The Hague.