Global Law Enforcement Shuts Down Russian-Led Cybercrime Empire Behind Qakbot and Conti

Berlin – In an unprecedented international operation, law enforcement agencies from Europe and North America have dismantled a major Russian-led cybercrime network linked to widespread malware attacks that have disrupted businesses, governments, and infrastructure across the globe.

The coordinated takedown, dubbed Operation Endgame, targeted the leadership and infrastructure of groups behind infamous malware strains such as Qakbot, Danabot, Trickbot, and Conti. These tools have been responsible for large-scale ransomware attacks, data theft, and espionage against more than 300,000 systems worldwide.

Led by Germany’s Federal Criminal Police Office (BKA), the operation involved authorities from the United States, United Kingdom, Canada, France, Denmark, and the Netherlands. Arrest warrants were issued for 20 suspects, while the U.S. unsealed indictments against 16 individuals, revealing names long known to cybersecurity professionals.

Among those charged are Rustam Rafailevich Gallyamov, Aleksandr Stepanov (aka “JimmBee”), and Artem Kalinkin (aka “Onix”), all accused of operating malware frameworks and monetizing stolen data through blackmail and fraud. The network’s reach spanned continents, with the malware often sold on Russian-language cybercrime forums.

Central to the investigation is Vitalii Nikolayevich Kovalev, alias “Stern” or “Ben,” a Russian national alleged to be a key figure behind the Conti ransomware group. Kovalev is believed to have orchestrated hundreds of ransomware attacks and built a digital extortion empire with crypto holdings estimated at €1 billion.

Evidence presented by the BKA indicates that Kovalev and others controlled cyberattacks that targeted critical sectors such as healthcare, finance, and government systems, especially during the COVID-19 pandemic. A special espionage variant of Danabot reportedly targeted military and diplomatic institutions, with data routed to servers inside Russia.

From 2010 to 2022, the Conti group honed its operations to a professional level, weaponizing ransomware-as-a-service and exploiting vulnerabilities across global supply chains. These actors largely operated from within Russia and, in some cases, Dubai, shielded by limited cross-border enforcement.

Though extradition remains unlikely, experts argue that public exposure of these figures undermines their anonymity and impairs their operations. “This is about cutting off influence and reputation. If they can’t be jailed, they can be identified and isolated,” one cyber policy advisor said.

Operation Endgame marks a significant moment in the global effort to combat organized cybercrime. It signals a more aggressive and unified response to transnational cyber threats—an approach experts believe will be critical as ransomware and digital espionage continue to evolve.