Operation Endgame 2.0: Europol Just Took Down 300 Servers and 20 Operators of the Ransomware Supply Chain

Europol and Eurojust executed Operation Endgame 2.0 May 19-22: 300+ servers dismantled, 650 domains, 20 international arrest warrants, €3.5M crypto seized across seven countries. The strategic target is the initial-access-broker layer that supplies ransomware affiliates.


Europol and Eurojust executed Operation Endgame 2.0 from May 19 through May 22, 2026 — 300+ servers dismantled, 650 domains neutralized, 20 international arrest warrants, and €3.5 million in cryptocurrency seized across seven countries. The strategic target is the initial-access-broker layer that supplies ransomware affiliates. The doctrinal shift is the story.

THE HAGUE, NETHERLANDS — Between May 19 and May 22, 2026, law enforcement agencies from seven countries — Germany, France, Netherlands, Denmark, United Kingdom, United States, and Canada — coordinated by Europol and Eurojust, executed Operation Endgame 2.0: the second major phase of a multi-year transnational disruption program targeting the malware loaders and downloaders that initiate ransomware kill chains. The operation dismantled more than 300 servers, neutralized 650 domains, issued 20 international arrest warrants, and seized €3.5 million in cryptocurrency. Cumulative crypto seized across the full Operation Endgame program now exceeds €21.2 million. Targeted malware families include Bumblebee, Lactrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie — many of them successor variants that re-emerged after the original May 2024 Operation Endgame takedown. The structural focus of the new phase is the initial-access-broker (IAB) layer: the cybercrime-as-a-service segment that supplies foothold access to ransomware affiliates. The action lands one day after INTERPOL's Operation Ramz (May 18) and the same week as Microsoft DCU's Fox Tempest takedown (May 19), together representing the most aggressive transnational cyber-law-enforcement tempo in recorded history.

Disclosure Overview

| Field | Details |
| --- | --- |
| Operation | Operation Endgame 2.0 — second phase of the multi-year Europol-led malware-infrastructure disruption program |
| Coordinators | Europol and Eurojust — joint command from The Hague |
| Active Window | May 19 – May 22, 2026 (four-day action week) |
| Participating Countries | Germany, France, Netherlands, Denmark, United Kingdom, United States, Canada (7) |
| Headline Results | 300+ servers dismantled, 650 domains neutralized, 20 international arrest warrants, €3.5M in cryptocurrency seized |
| Cumulative Crypto Seized | More than €21.2 million across all Operation Endgame phases |
| Targeted Malware Families | Bumblebee, Lactrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, WarmCookie |

What Happened

The Operation

Operation Endgame 2.0 is the second major phase of the multi-year Europol-led disruption program first executed in May 2024. The original Operation Endgame took down predecessors of these same loader families; the May 2026 phase targets the successor variants that re-emerged in the intervening twenty-four months. Seven national law-enforcement agencies coordinated their May 19-22 action week through Europol's Joint Cybercrime Action Taskforce (J-CAT) at The Hague, with Eurojust providing the cross-border prosecution coordination layer. The combined effect over four days was 300+ server seizures, 650 domain neutralizations, 20 international arrest warrants, and €3.5 million in cryptocurrency seized.

The Targets

The malware families in scope — Bumblebee, Lactrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie — are the loaders and downloaders that supply ransomware affiliates with the initial foothold on victim networks. Most of these names are successor variants: Qakbot returned in late 2024 after the original Endgame takedown, Trickbot rebuilt its infrastructure under new operators, and Lactrodectus emerged as a Bumblebee successor. The May 2026 phase confirms that the disruption program is now operating as a sustained tempo against the *category* of initial-access malware, not a single one-shot takedown.

The Strategic Shift

The operationally significant detail is the target layer. The original Operation Endgame, Operation Cronos against LockBit, and Operation Eastwood against NoName057(16) targeted ransomware affiliates or DDoS operators directly. Operation Endgame 2.0 targets the initial-access-broker (IAB) tier upstream of the affiliate: the cybercrime-as-a-service vendors that sell foothold access. Europol's stated objective is to 'break the ransomware kill chain at its source' rather than prosecute the affiliates who deploy the encryption payload. This is the doctrinal evolution analysts will be reading most carefully.

Operation Stats

| Metric | Value |
| --- | --- |
| Servers Dismantled | 300+ (May 19-22 action week) |
| Domains Neutralized | 650 |
| International Arrest Warrants | 20 |
| Cryptocurrency Seized (this phase) | €3.5 million |
| Cumulative Crypto Seized (all Endgame phases) | More than €21.2 million |
| Participating Countries | 7 |
| Private-Sector Partners | Spamhaus (dedicated remediation portal), Vectra AI, plus additional vendors |

Scope and Impact

Operation Endgame 2.0 lands inside the most aggressive transnational cyber-law-enforcement tempo in the history of the discipline. The combined disruption volume across May 18 (INTERPOL Operation Ramz), May 19 (Microsoft DCU Fox Tempest), and May 19-22 (Europol Operation Endgame 2.0) is larger than any prior week in recorded cybercrime enforcement. For ransomware-affiliate threat models, the operational consequence is that the IAB market — the upstream supply chain that determines how many credentials affiliates can purchase per week — has just absorbed a coordinated multi-jurisdictional hit.

The IAB-layer focus is what makes Endgame 2.0 doctrinally different from the cycle's other operations. INTERPOL Operation Ramz targeted phishing-as-a-service and cyber-scam infrastructure across thirteen MENA countries. Operation PowerOFF unmasked 75,000 DDoS-for-hire customers across twenty-one nations. Endgame 2.0 sits one layer deeper in the cybercrime supply chain — at the loader-and-downloader infrastructure that feeds the ransomware affiliate market. Together the three operations cover three distinct vertical slices of the same illicit economy, executed in a single week.

Response and Attribution

Europol has not publicly named the twenty individuals subject to international arrest warrants. The 300+ seized servers and 650 neutralized domains are the operational scale; the named-actor disclosures will follow as prosecutions move forward. Each of the seven participating national authorities retains discretion to release country-level details; the German Federal Criminal Police, French Anti-Cybercrime Center, US FBI, and UK National Crime Agency typically follow up with public press releases within forty-eight hours of an Endgame action concluding.

The private-sector contribution pattern continues to mature. Spamhaus stood up a dedicated Endgame remediation portal for victim notification; Vectra AI and other threat-intelligence vendors provided IOC support during the action window. The same vendor-coordination model powered the Scattered Spider arrests and Tyler Buchanan guilty plea earlier this cycle. For defenders, the immediate action is to pull the published IOCs from Europol, Spamhaus, and participating-country CERTs as they release over the next 72 hours, and hunt across historical telemetry for any environment connections to the seized server pool inside the past 90 days.
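The retro-hunt described above can be sketched as follows. This is an added example, not code from Europol, Spamhaus, or any participating agency; the indicator values, the CSV log layout, and the function names are assumptions constructed for illustration, and the published feeds would replace the placeholder sets.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta, timezone

# Constructed placeholders, NOT real Endgame indicators (reserved TLDs and
# documentation IP ranges); load the published IOC feeds here instead.
IOC_DOMAINS = {"loader-c2.example", "update-cdn.invalid"}
IOC_NETS = [ipaddress.ip_network("192.0.2.0/28"),
            ipaddress.ip_network("198.51.100.77/32")]

# Constructed DNS/proxy export: timestamp (UTC), source host, destination.
SAMPLE_LOG = """ts,src_host,dest
2026-05-01T08:14:02Z,ws-041,api.loader-c2.example
2026-04-12T23:50:11Z,srv-db2,192.0.2.9
2026-01-03T10:00:00Z,ws-007,update-cdn.invalid
2026-05-10T12:00:00Z,ws-113,notloader-c2.example
2026-05-20T09:30:00Z,ws-041,LOADER-C2.EXAMPLE.
2026-05-21T09:30:00Z,ws-200,203.0.113.5
"""

def match_ioc(dest):
    """Return the indicator that dest matches, or None."""
    dest = dest.strip().rstrip(".").lower()  # normalise case and trailing dot
    try:
        ip = ipaddress.ip_address(dest)
        return next((str(n) for n in IOC_NETS if ip in n), None)
    except ValueError:
        pass  # not an IP literal, treat as a hostname
    # Match the domain or any subdomain on label boundaries, so that
    # "notloader-c2.example" does not match "loader-c2.example".
    labels = dest.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def retro_hunt(log_text, now, lookback_days=90):
    """Return (host, indicator, timestamp) hits inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ioc = match_ioc(row["dest"])
        if ioc and ts >= cutoff:
            hits.append((row["src_host"], ioc, ts))
    return sorted(hits, key=lambda h: h[2])

def first_seen_by_host(hits):
    """Earliest hit per host: the starting point for scoping each investigation."""
    first = {}
    for host, ioc, ts in hits:
        first.setdefault(host, (ioc, ts))
    return first
```

The earliest hit per host bounds how far back to pull endpoint and authentication logs for that machine.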


The CyberSignal Analysis

Signal 01 — The Disruption Target Has Moved Upstream

Operation Endgame 2.0 confirms that European law enforcement is now treating ransomware as an initial-access-broker supply-chain problem rather than an affiliate-prosecution problem. The doctrinal shift matters because affiliates rotate faster than the IAB market does — a successful affiliate prosecution removes one operator while the IAB market continues supplying access to ten more. Disrupting the IAB tier compresses the upstream supply that funds the entire affiliate ecosystem. CISOs should adjust board-level threat reporting: ransomware risk is now meaningfully a function of *IAB market liquidity*, not just affiliate technique.

Signal 02 — Private-Sector Threat Intelligence Is Now a Structural Input to Multinational Enforcement

Spamhaus operating a dedicated Endgame remediation portal is the visible part of a deeper pattern. Across Operation Ramz, Operation PowerOFF, and now Operation Endgame 2.0, named private-sector threat-intelligence vendors have moved from advisory contributors to structural inputs. Kaspersky, Group-IB, Spamhaus, Vectra AI, and others are now the channels through which IOCs and victim-identification data reach the agencies that execute. CISOs in scope of victim notification should expect their commercial threat-intelligence vendors to be the channel through which Europol communicates downstream.

Signal 03 — Three Operations in One Week Means Threat-Intel Cycles Are Now Weekly

The tempo is the operational variable. Operation Ramz on May 18, Microsoft DCU's Fox Tempest takedown on May 19, and Operation Endgame 2.0 May 19-22 represent three distinct enforcement actions across three distinct cybercrime supply-chain layers in a single week. Defenders should plan threat-intelligence consumption around this cadence: disruption operations now cluster in announcement windows, and the IOCs and operator attributions that come out of them are most operationally useful in the 30 days immediately following announcement. Tune your threat-intelligence cycles to a weekly cadence, not a monthly one.


Sources

| Type | Source |
| --- | --- |
| Primary | Eurojust — Coordinated Action to Take Down Most Dangerous Malware Variants |
| Primary | Europol — Operation Endgame Strikes Again |
| Primary | Spamhaus — Botnets Disrupted Worldwide: Operation Endgame Is Back |
| Reporting | The Record — Hackers Charged, Infrastructure Dismantled |
| Reporting | CyberScoop — Operation Endgame Infrastructure Takedown |
| Analysis | BankInfoSecurity — Initial Access Brokers Targeted in Endgame 2.0 |
| Related | The CyberSignal — INTERPOL Operation Ramz |
| Related | The CyberSignal — Operation PowerOFF |
