
An international law enforcement operation dismantled four websites offering “crypting” and counter-antivirus (CAV) services, crucial tools that cybercriminals use to make malware undetectable to security software.
The coordinated takedown, part of the wider Operation Endgame campaign, marks another blow to the ransomware and malware ecosystem following recent actions against Danabot, SmokeLoader, and other platforms.
According to court filings, law enforcement agents conducted undercover purchases on the targeted websites, analyzed the purchased tools, and uncovered ties to known ransomware groups attacking victims worldwide, including in the Houston area. Linked email addresses and other digital evidence strengthened connections between these services and prominent cybercriminal operations.

One of the most prominent services taken down was AVCheck, identified by Dutch national police (Politie) as one of the largest international CAV providers. Based in Driebergen, the Netherlands, the service allowed malware developers to test whether their malicious software could evade detection by major antivirus products, a critical step before launching real-world attacks. Team High Tech Crime of the Dutch National Police, working under the national prosecutor’s office, led the takedown efforts alongside U.S. and Finnish counterparts.
Authorities describe AVCheck as a key facilitator in the cybercrime ecosystem. By helping threat actors fine-tune their malware to bypass security measures, the service enabled cybercriminals to stealthily gain initial access to corporate and personal networks, where they could exfiltrate data, deploy ransomware, or escalate attacks. Dutch investigators revealed they also collected evidence on the operators and customers of AVCheck, as well as two related crypting services: Cryptor.biz and Crypt.guru.
The seizures occurred on May 27 as part of Operation Endgame, a sweeping multinational effort launched in 2024 to dismantle the infrastructure supporting malware delivery and initial access brokerage. While earlier phases of Operation Endgame targeted botnets like Danabot and SmokeLoader, this latest action focused on the enablers, the crypting and CAV services that ensure malware can slip past defenses undetected. FBI Houston Special Agent in Charge Douglas Williams underscored the significance of this shift, stating that taking down these “lethal tools” strikes at the foundation of modern cyberattacks.
Beyond simply pulling AVCheck offline, Dutch authorities implemented broader interventions, including setting up decoy login pages to identify and warn users of the service. They also collaborated with antivirus vendors as part of “Project Melissa,” a joint public-private effort to reduce abuse of legitimate antivirus products by cybercriminals.