
Europol arrests five Smokeloader users and seizes servers in a renewed manhunt

  • Marijan Hassan - Tech Journalist
  • 4 days ago
  • 2 min read

Law enforcement agencies across Europe and North America have struck another blow against the cybercrime ecosystem, arresting five users of the Smokeloader malware and seizing infrastructure tied to the infamous pay-per-install botnet. The action marks the latest phase in the ongoing Operation Endgame, a sweeping international crackdown on malware distribution networks.



Following the dismantling of major malware droppers like IcedID, SystemBC, Pikabot, Bumblebee, and Smokeloader in May 2024, authorities have shifted their focus. They are now after the demand side of the crime-as-a-service model, i.e., those who purchased access to compromised machines.


The suspects arrested this week had used Smokeloader to deploy malicious software for a range of criminal purposes, including keylogging, webcam spying, ransomware attacks, and cryptomining. Law enforcement identified the individuals through a database seized during the original Operation Endgame raids, which documented the customers of “Superstar,” the alleged operator of Smokeloader.


“These users thought they could quietly rent access to infected machines and fly under the radar,” said a Europol spokesperson. “What they didn’t realise is that their data was in the hands of criminals who ultimately gave them up.”


In several cases, customers of Smokeloader had resold access to the infected machines, profiting from the service while expanding the botnet’s reach. Some of those detained have since cooperated with authorities, providing access to evidence stored on personal devices.


The operation was coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT), which facilitated intelligence sharing and forensic support. Operational sprints were held at Europol headquarters in The Hague to align cross-border efforts.


Europol emphasized that the investigation is ongoing and more arrests are expected. A dedicated website, operation-endgame.com, has been launched, allowing the public to provide information or seek contact with authorities.


“Operation Endgame does not end today,” Europol said in a statement. “Those who thought they were safe are now facing the consequences. More actions will follow.”
