SecurityWeek

Malware & Threats

Europol Targets Customers of Smokeloader Pay-Per-Install Botnet

Law enforcement agencies in multiple countries have announced the arrests of users of the malicious Smokeloader botnet.

Law enforcement agencies in the US and six other countries have been identifying customers of the Smokeloader pay-per-install botnet and have made five arrests, Europol announced.

The Smokeloader botnet was disrupted in May 2024 as part of Operation Endgame, which led to the destruction of the infrastructure of several malware droppers, including Bumblebee, IcedID, Pikabot, SystemBC, and Trickbot.

The botnet’s customers, Europol said on Wednesday, were registered in a database that was seized by law enforcement in May last year. This enabled follow-up actions against the botnet’s users, as authorities were able to link online personas with real-life individuals.

Several suspects called in for questioning cooperated with authorities and agreed to have their personal devices examined. Some of them resold services purchased from Smokeloader at a markup, Europol notes.

“Some of the suspects had assumed they were no longer on law enforcement’s radar, only to come to the harsh realization that they were still being targeted. Operation Endgame does not end today,” the European agency warned.

Law enforcement agencies in Canada, Czech Republic, Denmark, France, Germany, the Netherlands, and the US participated in this effort and insist they will continue to track down suspected users of these and other botnets and will announce new actions on Operation Endgame’s dedicated website.

In September 2024, in partnership with Operation Endgame, the US Treasury sanctioned PM2BTC, UAPS, and Cryptex, three cryptocurrency exchanges associated with malicious activities, while the Dutch authorities seized web domains and/or infrastructure associated with them.

Two Russian nationals operating the exchanges, namely Sergey Sergeevich Ivanov and Timur Shakhmametov, were indicted in the US. Roughly a week later, Russian authorities arrested 96 suspects allegedly associated with the exchanges.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
