In a significant worldwide operation coordinated by Europol and Eurojust, legislation enforcement companies and personal sector companions have efficiently dismantled the DanaBot malware community.
This world effort, a part of the continued Operation Endgame, led to federal costs in opposition to 16 people, the neutralization of roughly 300 servers and 650 domains worldwide between Might 19 and 22, 2025, and the issuance of worldwide arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has additionally been seized in whole throughout Operation Endgame, together with EUR 3.5 million throughout this newest motion week.
The DanaBot malware, managed by a Russia-based cybercrime group, contaminated over 300,000 computer systems globally, inflicting at the least an estimated $50 million in damages via fraud and ransomware. Amongst these charged by the US Division of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, each from Novosibirsk, Russia, who stay at giant.
DanaBot’s Evolution Techniques
DanaBot, first recognized in Might 2018, operated as a malware-as-a-service (MaaS), renting its capabilities to different criminals. It was extremely versatile, stealing banking credentials, shopping historical past, and even cryptocurrency pockets info, whereas additionally providing distant entry, keylogging, and display screen recording. Preliminary infections usually got here through spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its unfold.
ESET, which has rigorously tracked DanaBot since 2018, confirmed its evolution right into a high banking malware, noting that nations like Poland, Italy, Spain, and Turkey had been traditionally amongst its most focused.
ESET researcher Tomáš Procházka added, “Aside from exfiltrating delicate knowledge, we now have noticed that Danabot can also be used to ship additional malware, which may embrace ransomware, to an already compromised system.”
Extra lately, a brand new model of DanaBot has been discovered hidden in pirated software program keys for “free VPN, anti-virus software program and pirated video games,” tricking customers downloading from bogus websites.
Past monetary crime, the investigation revealed DanaBot’s sinister twin objective. A variant, tracked by CrowdStrike as SCULLY SPIDER, focused navy, diplomatic, and authorities entities in North America and Europe for espionage, and was noticed by ESET launching DDoS assaults in opposition to targets like Ukraine’s Ministry of Protection following the Russian invasion.
In keeping with Europol’s press launch, this huge takedown is an proof to intensive worldwide cooperation. The investigation was spearheaded by the FBI’s Anchorage Subject Workplace and the Protection Legal Investigative Service (DCIS), with vital help from Germany’s Bundeskriminalamt (BKA), the Netherlands Nationwide Police, and the Australian Federal Police.
Europol and Eurojust supplied essential coordination, with a command publish at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.
Quite a few non-public cybersecurity firms supplied crucial technical help, together with Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Staff Cymru, and ZScaler. ESET Analysis particularly contributed technical evaluation of the malware and its backend infrastructure, together with figuring out DanaBot’s command and management servers.
German authorities will add 18 suspects to the EU Most Needed record from Might 23, 2025. This coordinated motion is a significant blow to cybercriminal networks, displaying the ability of worldwide partnerships in opposition to rising cybersecurity threats.
Operation Endgame is aimed toward breaking the “ransomware kill chain.” Up to now authorities have neutralised preliminary entry malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.
