Over the last few weeks, arrests for prominent cyber criminals have been a common headline among news outlets, largely thanks to Operation Endgame. But what is Operation Endgame, and what does its success look like?

During the last few weeks, Ukrainian police arrested an individual suspected to be a member of Lockbit and Conti. The individual specialised in the development of cryptors which is used for the encryption of malware for defence evasion.

This follows a number of arrests made in the name of Operation Endgame, with many threat actors going to ground to avoid detection.

Operation Endgame has made waves globally for the successful takedowns of notorious botnets and bringing individuals participating in some of the most advanced cyber operations globally to justice.

To date, infrastructure and tooling have been tracked and taken down by law enforcement globally. In this most recent escalation, cyber teams from the Ukrainian police arrested an individual suspected of being a member of the Lockbit/Conti groups.

Lockbit has been a notorious ransomware group targeting organisations globally and have been operating over many years. Their activities have led to millions of pounds in ransomware payments being made to the operators, with high-profile attacks including Royal Mail and Boeing.

In total, analysis found that LockBit affiliates have made over £100 million in ransom payments, demonstrating the lucrative nature of malicious cyber operations.

This marks just one instance where arrests have been made in relation to threat actors. Just last month, YunHe Wang, and a Chinese national associated with the People’s Republic of China, was arrested on May 24t for being the administrator of the notorious residential proxy service known as 911 S5.

The service, which used over 19 million unique IP addresses and was classed as the world’s largest botnet, was finally dismantled.

Due to Operation Endgame, eight further individuals have been listed on Europol’s most wanted by Germany for their association with the notorious group Trikbot; all of these individuals are Russian nationals and currently residing in Russia.

As the operation continues, it is likely we are going to see further arrests and warrants issued for notable cyber criminals and threat actors.

Threat Intelligence teams have identified trends and activities made by existing threat groups off the back of Operation Endgame. The first example being the sudden departure of the ransomware group Shiny Hunters.

It is likely that, as time goes on, further groups and threat actors will start to lay low, in an attempt to avoid drawing attention from law enforcement. Threat Intelligence teams continue to monitor the situation and further developments off the back of Operation Endgame.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).