An extensive international law enforcement initiative has dismantled AVCheck, a notorious service that let cybercriminals test whether commercial antivirus software would detect their malware before they deployed it. The official website, avcheck.net, now prominently displays a seizure banner bearing the emblems of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie).
Significance of the Takedown
According to a statement from the Politie, AVCheck was among the largest counter antivirus (CAV) services globally, providing cybercriminals with critical insights into the stealth and evasion tactics of their malware. Matthijs Jaspers of Politie remarked, “Taking the AVCheck service offline marks an important step in tackling organized cybercrime. With this action, we disrupt cybercriminals as early as possible in their operations and prevent victims.”
Source: BleepingComputer
Investigators have uncovered connections between AVCheck’s administrators and crypting services such as Cryptor.biz and Crypt.guru. The former has also been seized by law enforcement, while the latter is currently offline. Crypting services play a crucial role in the cybercrime ecosystem: they encrypt or obfuscate a malware author’s payload so that antivirus solutions no longer recognize it.
Typically, a cybercriminal runs their malware through a crypting service to obfuscate it, then submits the result to AVCheck or a similar CAV platform to confirm that no vendor flags it before launching attacks against their targets.
Undercover Operations and Legal Actions
Prior to the takedown, law enforcement agencies deployed a deceptive login page that warned users of the legal ramifications of using AVCheck. The U.S. Department of Justice has echoed the importance of dismantling AVCheck and its associated crypting services, with the actions reported to have taken place on May 27, 2025.
FBI Special Agent Douglas Williams emphasized the gravity of the situation, stating, “Cybercriminals don’t just create malware; they perfect it for maximum destruction. By leveraging counter antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims’ systems.”
The investigation into AVCheck’s illicit activities and its connections to ransomware attacks targeting American entities was facilitated by undercover agents posing as clients and making purchases from these services. The Department of Justice’s announcement noted, “According to the affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime.” Furthermore, court documents allege that investigators reviewed linked email addresses and other data tying these services to known ransomware groups that have targeted victims both domestically and internationally, including in the Houston area.
Operation Endgame
This operation is part of Operation Endgame, a comprehensive international law enforcement effort that recently resulted in the seizure of 300 servers and 650 domains used to facilitate ransomware attacks. This initiative has previously disrupted the widely utilized Danabot and Smokeloader malware operations.