Police detain Smokeloader malware customers, seize servers
In a follow-up to Operation Endgame, law enforcement tracked down and arrested five customers of the Smokeloader botnet and analyzed data from the seized servers to disrupt malicious activity. Sanctions were also imposed on six individuals involved in attacks on critical infrastructure, and measures were taken against cryptocurrency exchanges involved in money laundering. 2025-4-9 13:45:22 Author: www.bleepingcomputer.com

Operation Endgame continues with detentions, interrogations, and server takedowns

In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet’s customers and detained at least five individuals.

During Operation Endgame last year, more than 100 servers used by major malware loader operations (e.g. IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, SystemBC) were seized.

In a press release today, Europol informs that the operation continues as law enforcement officers analyze the data from the seized servers and are tracking down customers of the malicious businesses.

The agency did not provide any details about the detained individuals, and says that the investigation also led to interrogations and server takedowns.

According to the investigators, Smokeloader was run by a threat actor using the alias ‘Superstar,’ who provided the botnet as a pay-per-install service that permitted customers access to the victims’ machines.

“In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks’” - Europol

Smokeloader was used for various cybercriminal activities, from deploying ransomware and running cryptominers to accessing webcams and logging keystrokes.

A database seized during Operation Endgame included customers registered for Smokeloader botnet services, allowing officers to track down cybercriminals by linking their online aliases to real-life individuals.

Some of the suspects chose to cooperate with law enforcement and allowed the examination of digital evidence present on their personal devices.

Since Operation Endgame continues, Europol set up a dedicated website to share the latest news on the investigation of criminal activities.

Furthermore, to better understand the stages of the operation, Europol published a series of animated videos depicting officers’ activity and how they are tracking down Smokeloader affiliates and customers.

The European Union agency encourages anyone with information about the criminal activities under investigation to contact authorities through the Operation Endgame website, which is also conveniently translated into Russian.

Following the massive takedown of malware loader operations last year, a set of sanctions was imposed against six individuals involved in cyberattacks affecting systems relating to “critical infrastructure, critical state functions, the storage or processing of classified information and government emergency response teams in EU member states.”

The U.S. Treasury also sanctioned cryptocurrency exchanges Cryptex and PM2BTC that multiple cybercrime groups, including Russian ransomware gangs, used to launder funds.

Source: https://www.bleepingcomputer.com/news/security/police-detains-smokeloader-malware-customers-seizes-servers/