Smokeloader Users Identified And Arrested In Operation Endgame

TL;DR: The hammer’s coming down not just on malware creators but the users backing them. If you paid to infect others, your info might’ve been in that seized database and law enforcement is knocking.

Authorities across North America and Europe have started arresting users of the now-defunct Smokeloader botnet, marking a shift in cybercrime enforcement. These individuals paid for access to infected computers and used them to deploy malware, including ransomware, spyware, and cryptominers.

The action is part of a follow-up to Operation Endgame, a major takedown in May 2024 that dismantled the infrastructure behind Smokeloader, IcedID, SystemBC, Bumblebee, and Pikabot.

Unlike the original operation, which focused on malware operators, this phase targets the customers who bought access from Smokeloader’s pay-per-install service run by a cybercriminal known as “Superstar.”

Evidence Came From Seized Botnet Database

During the 2024 takedown, law enforcement obtained backend databases showing who had purchased access to the infected machines. Investigators matched usernames and payment info to real identities. Some suspects believed they were safe, only to be approached months later with search warrants or formal charges.

In several cases, as per Europol’s press release, suspects cooperated and provided investigators with digital evidence. Others were found to be reselling Smokeloader access for profit.

Smokeloader Still Active Despite Takedown

Although the Smokeloader infrastructure was disrupted in May 2024, the malware continues to circulate. In February 2025, customers of Ukraine’s largest bank, PrivatBank, were hit by a large-scale phishing campaign that delivered Smokeloader.

Earlier, in December 2024, the malware was used in targeted attacks exploiting Microsoft Office vulnerabilities to infect Windows systems and steal browser credentials.

The investigation remains open. Authorities are working through leads, with more actions expected. A dedicated website, operation-endgame.com, has been launched to collect tips and issue updates.

Jake Moore, cybersecurity advisor at ESET, called the operation “a significant disruption to cybercrime networks,” but warned that prosecution will depend on solid evidence.

“This kind of global coordination is difficult to pull off,” Moore said. “But the real challenge now is in court—tying devices and information to criminal intent.”

Law enforcement involved in the operation includes agencies from the U.S., Canada, Germany, France, the Netherlands, Denmark, and the Czech Republic, coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT).
