Dutch, US and Finnish investigators have taken cybercrime service AVCheck offline
# Incident Report: Takedown of Prolific Counter AV Service AVCheck
## Executive Summary
A coordinated international law enforcement operation, led by the Dutch Police with assistance from American and Finnish agencies, took down AVCheck, a major Counter Antivirus (CAV) service used by malware developers. The operation disrupted a key part of the cybercrime ecosystem by removing a service that let adversaries test their malware against commercial antivirus tools before deployment. Investigators exploited security mistakes made by the service's administrators to seize servers and user databases, gathering crucial evidence against the administrators and users of AVCheck and of the linked illicit services Cryptor.biz and Crypt.guru.
## Incident Details
- **Discovery Date:** Not explicitly stated (Takedown announced Friday, June 2, 2025)
- **Incident Date:** Takedown occurred prior to June 2, 2025. The 'incident' refers to the law enforcement action.
- **Affected Organization:** AVCheck (illicit service provider), Cryptor.biz, and Crypt.guru.
- **Sector:** Cybercrime Infrastructure Support
- **Geography:** International operation (Netherlands, USA, Finland).
## Timeline of Events
### Initial Access (Law Enforcement Operation)
- **Date/Time:** Prior to June 2, 2025 (Announcement date).
- **Vector:** Exploitation of security mistakes made by the AVCheck administrators ("The admins did not provide the security they promised").
- **Details:** Law enforcement gained access, without the operators' authorization, to the infrastructure hosting AVCheck, Cryptor.biz, and Crypt.guru.
### Lateral Movement
- Not applicable in the conventional sense; law enforcement gained control over the servers hosting the service and over the associated user database.
### Data Exfiltration/Impact (Law Enforcement Seizure)
- **Details:** The servers hosting AVCheck were taken offline. The user database, which contained usernames, was seized.
### Detection & Response
- **How it was discovered:** The takedown was the result of a long-term investigation by the Dutch National High Tech Crime Unit together with American and Finnish law enforcement.
- **Response actions taken:** A coordinated international operation to seize the infrastructure and user data.
## Attack Methodology (By Cybercriminals utilizing AVCheck)
| Category | Method |
| :--- | :--- |
| **Initial Access** | Not specified for criminal access *to* AVCheck. AVCheck's role was to support criminal initial access elsewhere by letting authors test evasive malware before deployment. |
| **Persistence** | Not applicable to the takedown event. |
| **Privilege Escalation** | Not applicable to the takedown event. |
| **Defense Evasion** | The primary *purpose* of AVCheck was to let users test malware against AV systems so they could design more covert offerings (Defense Evasion). |
| **Credential Access** | Not applicable. |
| **Discovery** | Not applicable. |
| **Lateral Movement** | Not applicable. |
| **Collection** | Not applicable. |
| **Exfiltration** | The service itself did not exfiltrate data, but it enabled malware authors to plan effective data theft. |
| **Impact** | Enabled global cybercrime activity by reducing the chance that novel malware would be detected on first use. |
## Impact Assessment
- **Financial:** Undisclosed; the disruption of a "prolific" service implies significant prevention of future financial crime.
- **Data Breach:** Seizure of user databases from AVCheck, Cryptor.biz, and Crypt.guru, yielding usernames and potentially other user intelligence.
- **Operational:** Disruption of a key component of the cybercrime ecosystem, hindering the development of new, undetectable malware.
- **Reputational:** Positive outcome for the involved law enforcement agencies. Negative impact on cybercriminals who relied on the service.
## Indicators of Compromise
*Note: Since this was a law enforcement seizure, the indicators listed here describe the seized infrastructure rather than a single breach; the source provides no defanged addresses, domains, or hashes.*
- **Network indicators (Defanged):** None published. The seized servers were associated with AVCheck, Cryptor.biz, and Crypt.guru.
- **File indicators:** None published. Seized server images and user database contents are held by law enforcement.
- **Behavioral indicators:** Use of CAV services to test evasion techniques against security products before deploying malware.
## Response Actions
- **Containment measures:** Taking the AVCheck, Cryptor.biz, and Crypt.guru servers offline.
- **Eradication steps:** Seizure of the service infrastructure and databases.
- **Recovery actions:** The seized intelligence is being used in further investigations ("collected important evidence about the administrators and users").
## Lessons Learned
- **Key takeaways:** Weaknesses in cybercriminals' operational security (OpSec), here the failure to provide the security the service promised its users, can be exploited by law enforcement. International cooperation (US, Finland, Netherlands) is vital for dismantling complex cybercrime infrastructure.
- **What could have been done better:** Not detailed, as this was a successful enforcement action.
## Recommendations
- **Prevention measures for similar incidents:** Service operators and platform administrators must maintain rigorous security standards, since operational failures can lead to compromise of infrastructure and user data and, for illicit services, to seizure by law enforcement. Law enforcement should continue to actively hunt for and exploit weaknesses in the infrastructure of cybercrime enablers.