{"id":3395,"date":"2025-06-02T12:01:39","date_gmt":"2025-06-02T12:01:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3395"},"modified":"2025-06-02T12:01:39","modified_gmt":"2025-06-02T12:01:39","slug":"fbi-cracks-down-on-crypting-crew-in-a-global-counter-antivirus-service-disruption","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3395","title":{"rendered":"FBI cracks down on crypting crew in a global counter-antivirus service disruption"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>US law enforcement, as part of a coordinated international effort, has disrupted counter-antivirus (CAV) operations by shuttering four leading domains offering these services.<\/p>\n<p>According to a Department of Justice (DOJ) press release, the seizure of these domains and their associated servers was part of an effort to disrupt the \u201conline software crypting syndicate\u201d helping cybercriminals evade detection.<\/p>\n<p>Crypting obfuscates malware code so that antivirus scanners fail to recognize it; paired with CAV testing services, it helps attackers slip past defences and gain unauthorized access to systems.<\/p>\n<p>\u201cCybercriminals don\u2019t just create malware; they perfect it for maximum destruction,\u201d said the release, citing FBI Houston Special Agent in Charge Douglas Williams. 
\u201cBy leveraging counter antivirus services, malicious actors refine their weapons against the world\u2019s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims\u2019 systems.\u201d<\/p>\n<p>FBI Houston helped cripple the global cyber syndicate, seize its most lethal tools, and neutralize the threat it posed to millions around the world, the statement added.<\/p>\n<h2 class=\"wp-block-heading\">AVCheck among the seized services<\/h2>\n<p>While the DOJ <a href=\"https:\/\/www.justice.gov\/usao-sdtx\/pr\/websites-selling-hacking-tools-cybercriminals-seized\" target=\"_blank\" rel=\"noopener\">release<\/a> did not name the domains seized, a separate announcement from the Dutch authorities confirmed that the seizure involved leading crypting domains, including AVCheck[.]net, Cryptor[.]biz, and Crypt[.]guru, each of which now displays a seizure notice reading \u201cThis website has been seized\u201d.<\/p>\n<p>The authorities called AVCheck \u201cone of the largest CAV services.\u201d According to <a href=\"https:\/\/web.archive.org\/web\/20250504103839\/https:\/avcheck.net\/\">screenshots<\/a> captured by the Wayback Machine (maintained by the <a href=\"https:\/\/www.csoonline.com\/article\/3573962\/internet-archive-breached-twice-within-days.html?utm=hybrid_search\">Internet Archive<\/a>), AVCheck allowed cybercriminals to check their malware, domains, and IP addresses against 26 popular antivirus engines to see whether they were detected.<\/p>\n<p>After using AVCheck to identify what triggered detection, criminals turned to crypting services like Cryptor.biz and Crypt.guru to alter the code so that antivirus programs would no longer recognize it.<\/p>\n<p>\u201cTaking AVCheck offline is an important step in the fight against organised cybercrime,\u201d Matthijs Jaspers, team lead of the High Tech Crime Team of the Netherlands Police\u2019s National Investigations and Special Operations, <a 
href=\"https:\/\/www.politie.nl\/en\/news\/2025\/may\/30\/key-service-for-malware-developers-taken-offline.html\" target=\"_blank\" rel=\"noopener\">said<\/a>, \u201cbecause it disrupts the activities of cybercriminals in the earliest stages and prevents victims.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Takedown was part of \u2018Endgame\u2019 operation<\/strong><\/h2>\n<p>According to the Dutch officials\u2019 statement, the seizure is closely linked to Operation Endgame, the law enforcement operation that conducted the <a href=\"https:\/\/www.csoonline.com\/article\/2132427\/operation-endgame-deals-major-blow-to-malware-distribution-botnets.html?utm=hybrid_search\">largest botnet takedown<\/a> exactly a year ago.<\/p>\n<p>The DOJ said that undercover purchases and analysis of the services confirmed that the websites supported cybercrime. Court documents alleged that investigators linked emails and data from the services to ransomware groups targeting victims globally.<\/p>\n<p>\u201cModern criminal threats require modern law enforcement solutions,\u201d the statement added, citing US Attorney Nicholas J. Ganjei. \u201cAs cybercriminals have become more sophisticated in their schemes, they have likewise become more advanced in their efforts to avoid detection.\u201d<\/p>\n<p>With this syndicate shut down, there is one less provider of malicious tools for cybercriminals out there, Ganjei added. 
In January, the FBI had led a <a href=\"https:\/\/www.csoonline.com\/article\/3813190\/fbi-takes-down-cracked-to-and-nulled-to-in-a-global-law-enforcement-operation.html?utm=hybrid_search\">coordinated takedown<\/a> of similar cybercrime sites, including ones offering crypting services, such as Cracked.to and Nulled.to, in a global operation dubbed Talent.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>US law enforcement, as part of a coordinated international effort, has disrupted counter-antivirus (CAV) operations by shuttering four leading domains offering these services. According to a Department of Justice (DOJ) press release, the seizure of these domains and their associated servers was part of an effort to disrupt the \u201conline software crypting syndicate\u201d helping cybercriminals evade [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3396,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3395","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3395"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3395"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3395\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3396"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3395"}],"wp:t
erm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}