Enforcement Strategy

Operation Endgame: the layer it cannot reach

It is the best campaign of its kind ever run against the machinery beneath ransomware. It dismantles the infrastructure, and increasingly the money. The one dependency that decides whether the rest grows back, the protection itself, sits outside its target set by design.

By Reno · June 19, 2026 · 10 min read · Open Research
The enabling layer, severed nodes below an intact roof · illustration

On June 17 and 18, 2026, police in Canada and the Netherlands struck SocGholish, the framework that hijacks legitimate WordPress sites and serves fake browser-update lures to push infostealers and remote-access tools onto victims. They took down 106 servers and domains, cleaned 14,971 compromised sites, and disinfected 2,488 computers worldwide using a technique built to block re-infection. Confirmed reporting

That was Phase 4 of Operation Endgame, the largest sustained law enforcement campaign ever aimed at the layer beneath ransomware. Since May 2024 it has run four named phases plus two significant sub-actions, all coordinated through Europol and Eurojust. Its organizing idea is correct and important: ransomware is not a series of discrete attacks but a service economy, and that economy runs on a small set of shared dependencies. Endgame attacks the dependencies. Confirmed reporting

A campaign can take down everything it can reach and still leave standing the one dependency that decides whether the rest grows back.

This dispatch is not a critique of competence. By every operational measure Endgame is the best effort of its kind that has ever been mounted. It is a question of target set. The campaign reaches the infrastructure and, increasingly, the money. The third dependency, the protection that keeps the human operators beyond arrest, is structurally out of range. That gap is the difference between attrition and collapse.

The three things ransomware rests on

A Russian-nexus ransomware operation does not stand on its encryptor. It stands on three load-bearing dependencies. The Money: the exchanges, OTC desks, and mule networks that turn extortion proceeds into spendable value. The Metal: the bulletproof hosting, droppers, loaders, and botnets that deliver and control the intrusion. The Krysha, the roof: the active protection the Russian state extends to its crews, meaning shelter from extradition, immunity from domestic enforcement, and a license to operate against targets in the West.

Endgame is built for the Metal. It has learned, impressively, to reach into the Money. It cannot, by design, touch the Krysha. The first two are made of servers, domains, tokens, and bank rails, all of which sit in places a coalition of Western agencies can seize, sanction, or freeze. The third is a political fact inside a non-cooperating jurisdiction, and no takedown reaches it. Analyst inference

What it does, and does well

The record is genuinely strong, and it has widened over time from infrastructure toward people and money. Phase 1 (May 2024) was billed as the largest-ever operation against botnets: it dismantled the droppers IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, took down more than 100 servers and over 2,000 domains, and produced four arrests. Europol reported that one operator alone had earned more than 69 million EUR renting out criminal infrastructure. Confirmed reporting

Phase 2 (May 2025) hit the successor loaders, took down 300 servers and 650 domains, and issued 20 arrest warrants against 37 identified suspects, with the U.S. Justice Department unsealing charges against 16 Russian DanaBot operators and the Qakbot leader. Phase 3 (November 2025) expanded to 11 countries and dismantled the Rhadamanthys infostealer, the VenomRAT remote-access trojan, and the Elysium botnet, taking down 1,025 servers. Each phase removes a category of shared tooling that many crews depend on, so the effect is ecosystem-wide rather than aimed at a single ransomware brand. That is the right way to think about the problem. Confirmed reporting

Fig. 1 · Servers taken down per phase (the reachable layer)
Phase 1 · May 2024 · 100+ servers · Europol
Phase 2 · May 2025 · 300 servers · Europol / DOJ
Phase 3 · Nov 2025 · 1,025 servers · Europol
Phase 4 · Jun 2026 · 106 servers · RCMP
Server-takedown counts are an infrastructure metric: they measure the reachable layer removed, not ransomware incidence or ecosystem revenue. Phase 4 also cleaned 14,971 compromised sites and disinfected 2,488 computers. Sources: Europol, U.S. DOJ, RCMP releases.

Into the money

The most structurally significant moves were not the server seizures but the reach into the cash-out layer. In September 2024 a coordinated U.S. Treasury action sanctioned the exchange Cryptex (linked to more than 51.2M USD in ransomware-derived funds) and issued a FinCEN order naming PM2BTC a "primary money laundering concern," only the second-ever use of that Section 9714(a) mechanism. Two Russian nationals were indicted, the State Department posted a 10M USD reward, and partners seized roughly 7M EUR in crypto. Confirmed reporting

The campaign also began pursuing the demand side. Investigators used a seized Smokeloader customer database to identify and detain five people who had bought botnet access, some reportedly cooperating. Renting access, in other words, now carries personal exposure. Attacking the cash-out and the customers, not just the tooling, is exactly the higher-leverage targeting the ecosystem is most vulnerable to, because one laundering service or one loader supports many crews at once. Confirmed reporting; cooperation: credible

The September 2024 action is worth reading not for the headline but for the pattern it exposes.

U.S. Treasury · Coordinated Action on Russian Money-Laundering Rails, Sep 26, 2024
OFAC: sanctions on Cryptex (51.2M+ USD ransomware-linked; 720M+ USD related flow)
FinCEN: order naming PM2BTC a "primary money laundering concern" (Sec. 9714(a), 2nd ever use)
Indicted: Sergey Ivanov ("Taleon") and Timur Shakhmametov, both Russian nationals
State Dept: up to 10M USD reward for information on Ivanov
Seized: infrastructure and ~7M EUR in crypto (Dutch FIOD, U.S. Secret Service)
Status of named operators: at large, in Russia
Source: U.S. Treasury / FinCEN release, Sep 26, 2024. Public action record, reproduced for analysis. The reward exists because arrest does not.

The dependency it cannot reach

Look at who gets charged. The indicted operators are overwhelmingly Russian nationals, and Treasury's own language frames Russia as a safe harbor. The pattern repeats at every phase: infrastructure is seized, money is frozen, names are published, rewards are posted, and the people behind the names stay where they are. A reward notice is the tell. You offer 10 million dollars for information on someone you cannot simply arrest. Confirmed reporting

This is the Krysha, and it is the load-bearing dependency precisely because the other two rebuild so fast. Successor loaders re-emerged in the window between Phase 1 and Phase 2. On the money side, the lesson from the Garantex takedown is even sharper: the exchange brand was seized in March 2025 and a renamed successor was online within days, because the settlement rail underneath it was never reachable. The Metal and the Money are replaceable front-ends. The roof is not rebuilt because it was never knocked down. Credible reporting

Servers seized is an activity. An operator in a courtroom is an outcome. The gap between them is the roof.

None of this is a hidden flaw in Endgame. Europol and Treasury say it plainly: the campaign's central constraint is that the human layer sits in jurisdictions that will not cooperate. The point worth pressing is what follows from that admission. If the binding constraint is the protection, then a campaign optimized around everything except the protection is optimized around the replaceable parts. Analyst inference

Attrition, not collapse

That makes Endgame's value real but attritional. It raises operating costs, shortens the lifespan of infrastructure, exposes customers and operators by name, and signals durable, coordinated attention rather than one-off raids. Those are worth having. What they do not do, on the current evidence, is end the service economy, because supply rebuilds wherever the operators remain beyond reach. Analyst inference

There is also a measurement problem worth naming. The figures the campaign reports, servers down, sites cleaned, domains seized, crypto frozen, are activity metrics for the reachable layer. The metric that would actually settle whether the ecosystem is degrading is an outcome metric: ransomware incidence, victim counts, and total proceeds over time. We do not yet have published outcome data showing those falling in step with the takedowns. Until that link is demonstrated rather than assumed, success against infrastructure should not be read as success against ransomware. Analyst inference

What would move the equation

Reaching the Krysha is not a takedown problem, so it will not be solved with better takedowns. It is a problem of raising the cost of the protection to the protectors: instruments aimed at the institutions, financiers, and state-linked entities that make the safe harbor possible, rather than at the tooling the safe harbor shelters. Endgame's expansion into sanctions and indictments is the beginning of that toolset. The open question is whether it points those tools at the roof or keeps pointing them at the rooms underneath it. Analyst inference

The near-term indicator is simple to watch. SocGholish-style activity tends to re-emerge under a renamed framework within the usual post-takedown window. If it does, that is one more confirmation that the campaign is winning the fight it can reach while the fight that decides the outcome stays off the board. The ecosystem map tracks each of these dependencies as nodes, with the protection layer marked as the edge no current operation severs. The next dispatch follows the Krysha itself.

Sourcing & confidence

This dispatch draws on primary releases from Europol, the U.S. Department of Justice, the U.S. Treasury (OFAC and FinCEN), and the RCMP, cross-checked against the project's own Operation Endgame brief and Garantex / Grinex exchange work. All operational figures are as reported by those agencies. Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation, indictment, or agency release.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.

Operation Endgame · Europol · OFAC · SocGholish · Evil Corp · Krysha · Disruption