Full Report
In May 2025, a coalition of law enforcement agencies took down the criminal infrastructure behind the malware used to launch ransomware attacks in a new phase of "Operation Endgame". This followed the first Operation Endgame exercise a year earlier, with the latest action resulting in 15.3M victim email addresses being provided to HIBP by law enforcement. A further 43.8M victim passwords were also provided for HIBP's Pwned Passwords service.
Analysis Summary
# Incident Report: Operation Endgame 2.0 Data Exposure
## Executive Summary
This report covers the credential exposure that followed the May 2025 law enforcement takedown, in the second phase of "Operation Endgame", of the criminal infrastructure behind malware used to launch ransomware attacks. Operation Endgame is the name of the law enforcement action, not of the criminal group. Law enforcement supplied the recovered victim data to HIBP: approximately 15.3 million email addresses (loaded into HIBP as 15.4 million affected accounts) plus 43.8 million passwords provided separately to the Pwned Passwords service. The primary impact is widespread credential exposure; affected users should change the exposed passwords immediately and stop reusing them elsewhere.
## Incident Details
- Discovery Date: 23 May 2025 (date the data was added to HIBP)
- Incident Date: May 2025 (when the criminal infrastructure was taken down and the data was handed over); the underlying infections predate the takedown
- Affected Organization: Individual victims of the malware whose infrastructure was dismantled under Operation Endgame.
- Sector: Multiple sectors; ransomware operations are not sector-specific.
- Geography: Not stated in the source; presumed global given the nature of the operation.
## Timeline of Events
### Initial Access
- Date/Time: Prior to May 2025 (while the malware infrastructure was active)
- Vector: Malware infrastructure later dismantled under Operation Endgame. The specific infection chain is not described in the source.
- Details: Attackers used this infrastructure to compromise victim systems and harvest credentials; the infrastructure was subsequently seized.
### Lateral Movement
- *Not detailed in the source material, as the scope is data exposure from a prior criminal infrastructure takedown.*
### Data Exfiltration/Impact
- Data compromised included **15.3 million email addresses** (integrated into HIBP as 15.4 million affected accounts) and **43.8 million passwords**. The passwords were supplied separately to Pwned Passwords, which stores hashes and counts rather than password-to-account pairs.
- Impact: credentials captured during the original infections are now confirmed exposed and usable for credential stuffing wherever victims reused them.
### Detection & Response
- Detection: The exposure became known when law enforcement took down the criminal infrastructure in May 2025 and recovered the victim data.
- Response actions taken: Law enforcement shared the recovered email addresses and passwords with HIBP so that victims could be notified.
## Attack Methodology
- Initial Access: Infection via the malware infrastructure dismantled under Operation Endgame. The specific vector is not detailed in the source.
- Persistence: *Not detailed.*
- Privilege Escalation: *Not detailed.*
- Defense Evasion: *Not detailed.*
- Credential Access: Credentials were harvested from victim systems during the original malware infections.
- Discovery: *Not detailed.*
- Lateral Movement: *Not detailed.*
- Collection: Email addresses and passwords were collected by the criminal group.
- Exfiltration: Harvested data was sent to the criminal infrastructure, where it remained until the law enforcement seizure.
- Impact: Exposure of victim credentials, with further account compromise likely wherever the same password was reused.
## Impact Assessment
- Financial: Not specified in the source.
- Data Breach: **15.3 million** victim email addresses (15.4 million accounts as loaded into HIBP) and 43.8 million passwords.
- Operational: None for HIBP or for the original victims at the time of release, beyond the remediation steps below.
- Reputational: Not applicable to individual victims; the release mainly raises awareness of the exposure.
## Indicators of Compromise
- *This release summarizes prior compromises rather than an active intrusion, so there are no network or host IOCs to hunt for. The actionable indicator is the presence of an account or password in the exposed set.*
- Behavioral indicators: An account appearing in the HIBP "Operation Endgame 2.0" data, or a password matching a Pwned Passwords entry, should be treated as compromised and rotated.
## Response Actions
- Containment measures: The law enforcement takedown removed the criminal infrastructure through which the malware was operated.
- Eradication steps: Seizure and disruption of the malware command-and-control infrastructure.
- Recovery actions: Affected users are advised to:
1. Change the exposed passwords immediately, along with any other account where the same password was reused.
2. Enable two-factor authentication (2FA) on all accounts that support it.
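The 43.8 million passwords from this release went into Pwned Passwords, which users and organizations can query without ever sending a password (or its full hash) to the service. The client hashes the password with SHA-1, sends only the first five hex characters, and receives every hash suffix in that range as `SUFFIX:COUNT` lines; matching is done locally. The following is an added example, not code from HIBP or from the original page. The range protocol and the `api.pwnedpasswords.com/range/` endpoint are real; the offline fetcher, the sample passwords and their counts are constructed test data so the script runs without network access, and the `User-Agent` string is an arbitrary choice.

```python
import hashlib
from typing import Callable

# Pwned Passwords range protocol: the client discloses only the first 5 hex
# characters of the SHA-1 digest and matches the remaining 35 locally
# (k-anonymity). The full hash never leaves the client.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings and blank lines. With the Add-Padding header
    the live service also returns filler entries with count 0, which parse
    the same way and simply never count as a hit.
    """
    suffixes: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffixes[suffix.upper()] = int(count)
    return suffixes


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def make_offline_fetcher(leaked: dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the live endpoint, built from sample passwords.

    Assumption: this is test data only. It reproduces the response shape
    (suffix lines for every hash sharing the requested prefix, CRLF-joined).
    """
    hashes = {sha1_hex(p): n for p, n in leaked.items()}

    def fetch_range(prefix: str) -> str:
        prefix = prefix.upper()
        lines = [f"{h[PREFIX_LEN:]}:{n}" for h, n in hashes.items() if h.startswith(prefix)]
        return "\r\n".join(lines)

    return fetch_range


# Constructed sample: hypothetical leaked passwords with made-up counts.
SAMPLE_LEAKED = {"password123": 12345, "letmein": 678, "Tr0ub4dor&3": 3}
offline_fetch = make_offline_fetcher(SAMPLE_LEAKED)


def live_fetcher(prefix: str) -> str:
    """Real range request against api.pwnedpasswords.com (needs network; not
    used by the offline demo). Add-Padding hides the true range size from
    anyone observing response lengths."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        verdict = "EXPOSED, rotate it" if n else "not in the sample set"
        print(f"{pw!r}: seen {n} time(s); {verdict}")
```

To run the same check against the real corpus, pass `live_fetcher` instead of `offline_fetch`; the only data that leaves the machine is the five-character prefix. Organizations can wire `pwned_count` into a password-change flow to reject any password with a non-zero count.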
## Lessons Learned
- Coordinated law enforcement action such as Operation Endgame both dismantles large-scale cybercrime infrastructure and recovers victim data that can then be used for notification.
- Credentials stolen during earlier infections can resurface months or years later; the exposure outlives the infrastructure that collected it.
- Reusing one password across services remains a persistent risk even after the threat actor's infrastructure has been neutralized.
## Recommendations
- Individuals should use a unique, strong password for every service, managed with a password manager.
- Enable 2FA on every service that supports it, starting with accounts whose credentials were exposed, to blunt credential-stuffing attempts.
- Organizations should monitor for large credential dumps released through law enforcement actions and check their user base against them, forcing resets where matches are found.