A major cybercrime network behind global ransomware and spyware attacks has been taken down by an international task force. Led by Germany’s Federal Criminal Police Office (BKA), the operation involved law enforcement from the U.S., UK, Canada, France, Denmark, and the Netherlands.
Together, these countries coordinated efforts to disrupt a large Russian-led hacking operation. The crackdown included 20 international arrest warrants and criminal charges filed in the U.S. against 16 suspects. Officials believe this group was responsible for more than 300,000 malware infections and ransom payments worth millions of dollars.
The operation marks one of the most effective actions yet taken against international cybercrime.
The suspects are linked to powerful malware tools such as Qakbot and Danabot. These programs infected systems around the world, allowing hackers to steal data, lock files, and demand ransom in cryptocurrency. Several attacks also targeted military agencies and humanitarian groups, adding to the seriousness of the crimes.
Investigators believe the hackers used stolen data for both money and intelligence. Malware helped them break into sensitive computer networks and copy private documents. The stolen information was stored on servers in Russia, making it hard to recover or trace.
German and U.S. officials identified key suspects behind the campaigns. Among them are Rustam Rafailevich Gallyamov, based in Moscow, and Aleksandr Stepanov, known online as “JimmBee,” from Novosibirsk. Another key figure, Artem Kalinkin, used the alias “Onix.” All three are accused of building and spreading malware that affected thousands of victims.
Authorities also named Vitalii Nikolayevich Kovalev, a central figure in the ransomware group known as Conti. He reportedly operated under the aliases “Stern” and “Ben” and led attacks that earned the group nearly €1 billion in cryptocurrency. Kovalev is also linked to other criminal groups called Royal and Blacksuit.
These hacking groups were not just small teams of criminals. According to investigators, they worked in a highly organized way—similar to companies—with clear leadership, shared tools, and planned campaigns. Their malware was even advertised on forums in Russian, where others could buy or rent it.
Germany launched its investigation, known as Operation Endgame, in 2022. The goal was to fight back against the rising number of ransomware attacks hitting businesses, hospitals, and governments. With the help of its international partners, Germany’s BKA was able to trace the malware, follow the money, and name those responsible.
Holger Münch, head of the BKA, said cooperation across countries was key to the success. While many suspects remain in Russia or Dubai—places unlikely to allow extradition—publicly naming them makes it harder for them to hide, travel, or move money.
The BKA has now added another name to its most-wanted list: Roman Mikhailovich Prokop, a Ukrainian national. He is suspected of helping run the Qakbot malware used in attacks across Europe and North America.
Law enforcement believes this crackdown has done serious damage to the global malware network. Naming suspects and freezing their accounts limits their power and sends a strong warning to others in the cybercrime world.
“With Operation Endgame 2.0, we’ve shown that cybercriminals cannot hide forever,” said Münch. “We will keep exposing and pursuing them—no matter where they operate.”
Legal action is now underway. Prosecutors in multiple countries are preparing cases related to cyber extortion, organized hacking, and international computer crime. These cases could lead to long prison sentences if suspects are caught.
Experts say the arrests and charges are a major step forward in the fight against online crime. They show that global law enforcement can track, trace, and disrupt even the most skilled hacker networks.