Russian-Led Cybercrime Network Dismantled in International Operation

A global coalition of law enforcement agencies from Europe and North America has dismantled a major Russian-led cybercrime network responsible for some of the most destructive malware operations in recent years.

The operation, coordinated under the leadership of Germany’s Bundeskriminalamt (BKA), brought together German police and law enforcement agencies from the United Kingdom, Canada, Denmark, the Netherlands, France, and the United States.

The crackdown, dubbed “Operation Endgame,” has led to the identification of 37 individuals alleged to be behind multiple cyberattacks targeting critical infrastructure, businesses, and governmental entities. International arrest warrants have been issued for 20 suspects, while US prosecutors have unsealed indictments against 16 individuals. The majority of the accused are believed to be residing in Russia.

The group is alleged to have developed and deployed several major malware and ransomware operations, including Qakbot, Danabot, Trickbot, and Conti. Among those charged are three individuals described as ringleaders of the Qakbot and Danabot operations: Rustam Rafailevich Gallyamov, 48, of Moscow, and two men from Novosibirsk, Aleksandr Stepanov, 39, known online as “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, known as “Onix.”

Another key figure identified by the BKA is Vitalii Nikolayevich Kovalev, 36, a Russian national previously indicted in the United States. Described by German investigators as one of the “most successful blackmailers in the history of cybercrime,” Kovalev is believed to be a senior figure in the Conti ransomware syndicate. He is also linked to Trickbot and to more recent groups such as Royal and Blacksuit, established in 2022. Kovalev is known to have operated under the aliases “Stern” and “Ben” and is believed to be based in Moscow. According to the BKA, his cryptocurrency holdings are valued at approximately €1 billion.

Investigators assert that the group’s malware has infected more than 300,000 computers worldwide, with significant impacts reported in the United States, Australia, Poland, India, and Italy. According to the US Department of Justice, the DanaBot malware alone was used to facilitate both financial theft and espionage, with a separate variant targeting military and diplomatic entities. Data obtained from these attacks was reportedly routed to servers located in the Russian Federation.

In addition to Kovalev, German authorities have named Roman Mikhailovich Prokop, a 36-year-old Russian-speaking Ukrainian, as a wanted suspect believed to be a member of the Qakbot operation.

The scope of the cybercriminal activity attributed to the group is extensive. Between 2010 and 2022, the Conti group is alleged to have focused specifically on healthcare institutions in the United States, with a marked increase in attacks during the Covid-19 pandemic. US authorities had previously offered a reward of up to $10 million for information leading to the identification or location of the group’s leaders.

The malware tools employed by the network were reportedly advertised on Russian-language cybercrime forums. Investigators say that the group operated through a distributed command-and-control infrastructure, controlling infected systems remotely and exfiltrating data over encrypted channels. Several of the suspects are also believed to have been involved in gang-related activities and commercial extortion.

While extradition of the suspects from Russia remains unlikely, BKA President Holger Münch stated that the identification of the perpetrators marked a significant blow to the network. “With Operation Endgame 2.0, we have once again demonstrated that our strategies work – even in the supposedly anonymous darknet,” Münch said.

The German-led operation was initiated in 2022, with Germany cited as a key target of the cybercriminals. BKA and its partners have emphasised that although many of the individuals named in arrest warrants remain beyond the reach of Western law enforcement, the publication of their identities significantly impairs their ability to operate.

Cyber-attacks originating from Russian-speaking criminal organisations have become an increasing concern for both national security and private enterprise. One of the most recent high-profile victims was British retailer Marks & Spencer, which suffered a breach earlier this month.

Officials in both Europe and the United States have reiterated the need for continued international cooperation in the fight against cybercrime. The dismantling of this network represents a rare victory in a field where perpetrators often operate across multiple jurisdictions with relative impunity.

The indictments, arrests, and public exposure of these suspects are intended not only to disrupt existing operations but to deter future cybercriminal activity by undermining the perception of safety within the dark web’s illicit marketplaces.

EU Global Editorial Staff