April 10, 2025 As part of Operation Endgame, international law enforcement agencies have arrested a Burnaby, British Columbia resident accused of operating a vast network of infected computers used to distribute malware. The arrest, announced by the Royal Canadian Mounted Police (RCMP), is one of several global actions targeting not just the creators of malware services, but also their customers—marking a major shift in how cybercrime is being prosecuted.

Operation Endgame is a sweeping joint effort involving Canada, the United States, and five European countries. Authorities have focused on dismantling major malware loaders—automated systems that deliver ransomware and other malicious tools—but they’re now going further. Investigators have started charging individuals who used services like the Smokeloader botnet to deploy attacks.

The large cybercriminal gangs act like franchises. They develop the tools to use in attacks and provide the means to collect ransoms, usually in bitcoin. But they rely on a network of individuals who actual perform the attacks. And unlike the major gangs who often hide in countries that protect them like Russia and China, these individuals are often within the reach of law enforcement. But it’s still a major piece of police work to find and prosecute these individuals.

“This investigation is a clear example of the global reach and cooperation needed to tackle transnational cybercrime,” said Supt. Adam MacIntosh of the RCMP’s Federal Policing Cybercrime Investigative Team. The Burnaby suspect allegedly controlled thousands of compromised systems that could be activated to spread malware. Their operation linked directly into the broader infrastructure used by cybercrime networks targeted in Endgame.

By pursuing both the suppliers and users of malware tools, police hope to shrink the cybercrime ecosystem from both ends. The message is clear: buying access to these services could now land you in the same legal jeopardy as building them. This evolution in enforcement could alter the risk calculation for anyone considering paying to launch a ransomware or malware campaign.