Source: hackread.com – Author: Waqas.
TL;DR: The hammer’s coming down not just on malware creators but the users funding them. If you paid to compromise others, your info might’ve been in that seized database and law enforcement is knocking.
Authorities across North America and Europe have started arresting users of the now-defunct Smokeloader botnet, marking a shift in cybercrime enforcement. These individuals paid for access to infected computers and used them to deploy malware, including ransomware, spyware, and cryptominers.
The action is part of a follow-up to Operation Endgame, a major takedown in May 2024 that dismantled the infrastructure behind Smokeloader, IcedID, SystemBC, Bumblebee, and Pikabot.
Unlike the original operation, which focused on malware operators, this phase targets the customers who bought access from Smokeloader’s pay-per-install service run by a cybercriminal known as “Superstar.”
Evidence Came From Seized Botnet Database
During the 2024 takedown, law enforcement obtained backend databases showing who had purchased access to the infected machines. Investigators matched usernames and payment info to real identities. Some suspects believed they were safe, only to be approached months later with search warrants or formal charges.
In several cases, as per Europol’s press release, suspects cooperated and provided investigators with digital evidence. Others were found to be reselling Smokeloader access for profit.
Smokeloader Still Active Despite Takedown
Although the Smokeloader infrastructure was disrupted in May 2024, the malware continues to circulate. In February 2025, customers of Ukraine’s largest bank, PrivatBank, were hit by a large-scale phishing campaign that delivered Smokeloader.
Earlier, in December 2024, the malware was used in targeted attacks exploiting Microsoft Office vulnerabilities to infect Windows systems and steal browser credentials.
The investigation remains open. Authorities are working through leads, with more actions expected. A dedicated website, operation-endgame.com, has been launched to collect tips and issue updates.
Jake Moore, cybersecurity advisor at ESET, called the operation “a significant disruption to cybercrime networks,” but warned that prosecution will depend on solid evidence.
“This kind of international coordination is difficult to pull off,” Moore said. “But the real challenge now is in court—tying devices and data to criminal intent.”
Law enforcement involved in the operation includes agencies from the U.S., Canada, Germany, France, the Netherlands, Denmark, and the Czech Republic, coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT).
Original Post url: https://hackread.com/smokeloader-users-identified-arrested-operation-endgame/
Category & Tags: Cyber Crime, Botnet, Cybersecurity, europe, Europol, Malware, Operation Endgame, SmokeLoader