Law enforcement authorities in Europe have disclosed the identities of eight individuals allegedly linked to several high-profile malware loader families disrupted under "Operation Endgame", a coordinated action involving police from multiple countries around the world.
The suspects are accused of being key players in the distribution and administration of notorious malware loaders including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot. These malware families have long been instrumental in stealing user data, spreading other types of malware, and facilitating phishing schemes, among other nefarious activities.
As part of Operation Endgame, law enforcement agencies carried out a series of coordinated actions against the infrastructure behind these droppers, leading to the takedown of over 100 servers globally and the arrest of four individuals, one in Armenia and three in Ukraine.
The authorities conducted 16 searches in Armenia, the Netherlands, Portugal, and Ukraine, and took control over 2,000 domains used by cyber criminal networks. Europol has been actively monitoring financial accounts associated with the suspects, with one account alone reportedly amassing over €69 million (approximately $75 million) from illicit activities.
Europol has named Airat Rustemovich Gruber, 42, from Russia, as the administrator of the Smokeloader botnet. Active since 2011, Smokeloader has been used to compromise machines for data theft and the installation of additional malware for a fee.
Seven other Russian nationals are suspected of being connected to the TrickBot cybercrime gang. Five of them, Oleg Vyacheslavovich Kucherov, Sergey Valerievich Polyak, Fedor Aleksandrovich Andreev, Georgy Sergeevich Tesman, and Anton Alexandrovich Bragin, are said to have held roles ranging from seeking new infection methods and selecting victims to testing the malware, obfuscating TrickBot's code, and enhancing its administrative panel.
The remaining two, Andrei Andreyevich Cherepanov and Nikolai Nikolaevich Chereshnev, have been identified as crypters for TrickBot, responsible for disguising the malware's code so that it evades detection. Chereshnev also managed the group's VPN infrastructure.