In a significant worldwide operation coordinated by Europol and Eurojust, legislation enforcement companies and personal sector companions have efficiently dismantled the DanaBot malware community.
This international effort, a part of the continued Operation Endgame, led to federal fees towards 16 people, the neutralization of roughly 300 servers and 650 domains worldwide between Could 19 and 22, 2025, and the issuance of worldwide arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has additionally been seized in complete throughout Operation Endgame, together with EUR 3.5 million throughout this newest motion week.
The DanaBot malware, managed by a Russia-based cybercrime group, contaminated over 300,000 computer systems globally, inflicting a minimum of an estimated $50 million in damages via fraud and ransomware. Amongst these charged by the US Division of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, each from Novosibirsk, Russia, who stay at massive.
DanaBot’s Evolution Techniques
DanaBot, first recognized in Could 2018, operated as a malware-as-a-service (MaaS), renting its capabilities to different criminals. It was extremely versatile, stealing banking credentials, looking historical past, and even cryptocurrency pockets data, whereas additionally providing distant entry, keylogging, and display recording. Preliminary infections typically got here through spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its unfold.
ESET, which has rigorously tracked DanaBot since 2018, confirmed its evolution right into a high banking malware, noting that international locations like Poland, Italy, Spain, and Turkey have been traditionally amongst its most focused.
ESET researcher Tomáš Procházka added, “Other than exfiltrating delicate information, we’ve got noticed that Danabot can be used to ship additional malware, which may embody ransomware, to an already compromised system.”
Extra lately, a brand new model of DanaBot has been discovered hidden in pirated software program keys for “free VPN, anti-virus software program and pirated video games,” tricking customers downloading from bogus websites.
Past monetary crime, the investigation revealed DanaBot’s sinister twin objective. A variant, tracked by CrowdStrike as SCULLY SPIDER, focused navy, diplomatic, and authorities entities in North America and Europe for espionage, and was noticed by ESET launching DDoS assaults towards targets like Ukraine’s Ministry of Protection following the Russian invasion.
Based on Europol’s press launch, this large takedown is an proof to intensive worldwide cooperation. The investigation was spearheaded by the FBI’s Anchorage Subject Workplace and the Protection Felony Investigative Service (DCIS), with important help from Germany’s Bundeskriminalamt (BKA), the Netherlands Nationwide Police, and the Australian Federal Police.
Europol and Eurojust supplied essential coordination, with a command put up at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.
Quite a few non-public cybersecurity corporations supplied essential technical help, together with Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Group Cymru, and ZScaler. ESET Analysis particularly contributed technical evaluation of the malware and its backend infrastructure, together with figuring out DanaBot’s command and management servers.
German authorities will add 18 suspects to the EU Most Needed listing from Could 23, 2025. This coordinated motion is a significant blow to cybercriminal networks, exhibiting the facility of worldwide partnerships towards rising cybersecurity threats.
Operation Endgame is aimed toward breaking the “ransomware kill chain.” Thus far authorities have neutralised preliminary entry malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.
