An international law enforcement operation has disrupted a major Russian-led cybercrime group responsible for ransomware and spying attacks around the world. The effort was led by Germany’s Federal Criminal Police Office (BKA) and supported by agencies in the United States, United Kingdom, France, Canada, Denmark, and the Netherlands.
The operation resulted in 20 arrest warrants and 16 indictments in the United States. Investigators say the group hacked more than 300,000 systems globally and stole millions through ransomware attacks. The criminals used malware to lock systems and demanded payment to restore access.
Authorities identified several key suspects believed to be leading the group. Rustam Rafailevich Gallyamov from Moscow, Aleksandr Stepanov known as “JimmBee,” and Artem Aleksandrovich Kalinkin known as “Onix,” both from Novosibirsk, were named as top figures. They allegedly built and spread malware programs that helped them steal personal and financial data from victims across the world.
Another major suspect, Vitalii Nikolayevich Kovalev, is accused of leading the Conti ransomware group. He is said to have used the names “Stern” and “Ben” to hide his identity. Investigators believe he was involved in hundreds of ransomware attacks that earned nearly €1 billion in cryptocurrency. He is also linked to newer criminal groups using Royal and Blacksuit malware.
Some of the malware was used not only to steal money but also to spy on important institutions. Targets included military organizations, embassies, and international charities. Officials reported that the stolen data was stored on servers located in Russia. The malware was sold on Russian-speaking forums and the group operated like a business with roles, planning, and secure communication.
The crackdown was part of Operation Endgame, a project launched by Germany in 2022 after a rise in cyberattacks. BKA President Holger Münch said international cooperation was the key to success. Although many suspects remain in countries that do not allow extradition, naming them publicly has already caused problems for them. Their ability to travel and operate online has been reduced.
Another suspect, Roman Mikhailovich Prokop, a Ukrainian national, is now listed as one of Europe’s most wanted cybercriminals. He is suspected of working with the Qakbot malware group, which played a large role in recent ransomware attacks.
Officials admit that not all suspects can be arrested right away. Still, they say the operation has already reduced the group’s ability to act. By freezing funds and cutting off access to criminal tools, the group’s reach has been limited.
The investigation will continue with legal cases being built against the accused for cyberextortion, organized crime, and international criminal activity. Operation Endgame 2.0 is expected to follow, aiming to go even further in breaking up the network.
This international action is part of a growing global effort to fight cybercrime. Attacks on schools, hospitals, governments, and companies have increased in recent years. Police forces and cybersecurity experts agree that more teamwork between countries will be needed to stop future threats.