Operation Endgame: Breaking ransomware’s supply chain

When ransomware dominated headlines in 2023 and 2024, defenders were stuck reacting to the latest victim. But in 2025, law enforcement flipped the script again. Operation Endgame did not just take down a single ransomware gang. It went after the infrastructure that fuels ransomware itself: the loaders, botnets, and brokers that sell access to infected networks around the world.
This was the moment defenders stopped chasing the fire and started cutting off the oxygen.
The malware middlemen
Ransomware groups rarely break in themselves. Instead, they rely on initial access malware such as Bumblebee, IcedID, SystemBC, DanaBot, and Pikabot to do the dirty work. These infections quietly spread through phishing and malicious ads, then auction off access to the highest bidder. Those buyers are the ransomware affiliates who encrypt and extort.
Think of it as ransomware’s supply chain: a global black market of compromised systems ready for rent.
By targeting that hidden layer, Operation Endgame attacked the real foundation of the ransomware economy.
How the operation unfolded
Launched in May 2024 and coordinated by Europol, Eurojust, the FBI, and agencies across Europe and North America, Operation Endgame became the largest cybercrime takedown in history. The first phase dismantled major botnets and arrested developers tied to ransomware delivery tools.
Then came Operation Endgame 2.0, from May 19 to 22, 2025, which doubled the scale of disruption:
- 300 servers and 650 domains were dismantled
- €21.2 million in cryptocurrency seized
- 20 international arrest warrants issued
- Several suspects added to the EU Most Wanted List
- Infrastructure for major malware families including Bumblebee, Latrodectus, Qakbot, HijackLoader, DanaBot, Trickbot, and WarmCookie neutralized
The FBI also unsealed indictments against key developers, including Rustam Rafailevich Gallyamov, the alleged creator of Qakbot.
For once, it was not just affiliates getting caught. It was the engineers and financiers who built the ecosystem.
Breaking the kill chain at the source
Traditionally, defenders and responders focused on the final stages of ransomware: encryption, negotiation, and recovery.
Endgame reversed that logic. By eliminating the brokers who sold initial access, it broke ransomware’s kill chain before it began.
Europol described it perfectly: “Removing the first domino.”
This new approach shifts cyber defense from reaction to preemption by targeting infrastructure before it is weaponized.
Technical and financial fallout
The technical effects were immediate. Within days, IcedID and SystemBC command servers went silent. Spamhaus and other partners confirmed a sharp drop in global phishing and loader distribution.
Financially, the hits ran deep. By freezing cryptocurrency and dismantling laundering hubs, law enforcement cut off the money trail that sustained ransomware groups. It was not just about arrests. It was about suffocating their economy.
Even better, shared telemetry allowed remediation partners to notify victims and close exposed accounts. Entire infection chains that once fed ransomware-as-a-service models suddenly went dark.
Lessons in global collaboration
Endgame proved that public-private partnerships work.
The Joint Cybercrime Action Taskforce (J-CAT) at Europol acted as the nerve center, linking dozens of national agencies with security vendors and intelligence researchers in real time.
When fragments of WarmCookie or Latrodectus reappeared online, coordinated takedowns kept them from regaining momentum. A public portal, operation-endgame.com, now provides live updates, IOCs, and news of arrests, showing how transparency strengthens global resilience.
Not the end but a turning point
Ransomware groups such as LockBit, Akira, and RansomHub are still active, but Endgame made their jobs harder, slower, and more expensive. Without reliable loaders or access brokers, affiliates are forced to rebuild networks from scratch.
In the weeks after the operation, global telemetry showed a clear dip in ransomware campaigns and credential-stealing malware. The infrastructure that once fueled constant infections had been fractured. It was not the end of ransomware, but it was proof that coordinated disruption works.
Still, defenders must stay alert. Experts warn that variants of Bumblebee and Latrodectus could reemerge as modular, “as-a-service” loaders optimized for resilience. Every disruption buys time. What defenders do with that time determines how long the advantage lasts.
The new playbook for cyber defense
Operation Endgame is already a template for future cyber operations. Three principles stand out:
- Attack upstream: Disrupt the brokers, not just the payloads.
- Collaborate early: Fuse intelligence from private sector telemetry and law enforcement to act faster.
- Stay transparent: Public visibility turns global defense into a shared mission.
Flipping the script for good
If LockBit’s takedown showed that individual ransomware gangs can be hacked, Operation Endgame proved the ecosystem itself can be compromised.
By focusing on ransomware’s underlying infrastructure, defenders demonstrated that prevention at scale is possible. Endgame showed that collective intelligence and coordination can weaken the business model behind cyber extortion.