SecurityX Report: U.S. DoJ and Global Partners Seize Domains Supporting Cybercrime Crypting Services
In a major coordinated international effort, law enforcement agencies from multiple countries have successfully dismantled a global cybercrime operation offering crypting services designed to keep malware undetected by antivirus software.
On May 27, 2025, the U.S. Department of Justice (DoJ) announced the seizure of four domains—AvCheck[.]net, Cryptor[.]biz, Cryptor[.]live, and Crypt[.]guru—that were instrumental in delivering these services to cybercriminals. The operation was carried out in close cooperation with authorities from the Netherlands and Finland, and supported by France, Germany, Denmark, Portugal, and Ukraine.
“Crypting is the process of using software to make malware difficult for antivirus programs to detect,” explained the DoJ. “These services, including counter-antivirus (CAV) tools, are used by threat actors to obfuscate their malware and enable unauthorized system access.”
The seized domains now display law enforcement seizure notices. Investigators conducted undercover purchases to analyze the functionality and intent of the services. Dutch officials identified AvCheck as one of the largest CAV services globally.
Archived data from AvCheck[.]net shows the platform marketed itself as a “high-speed antivirus scantime checker”, allowing users to scan files against 26 antivirus engines, and domains/IPs against 22 AV and blocklist sources.
These actions are part of Operation Endgame, a multinational campaign launched in 2024 to disrupt global cybercrime infrastructure. This domain seizure marks the fourth major takedown in recent weeks, following actions against Lumma Stealer, DanaBot, and numerous infrastructure elements used for ransomware distribution.
“Cybercriminals don’t just create malware—they optimize it,” said FBI Houston’s Special Agent Douglas Williams. “By using CAV services, they fine-tune malware to bypass the world’s most advanced defenses and wreak havoc.”
In related developments, eSentire has reported on PureCrypter, a malware-as-a-service (MaaS) platform used to distribute information stealers like Lumma and Rhadamanthys, primarily via the ClickFix initial access vector.
Marketed on Hackforums[.]net by a threat actor known as PureCoder, PureCrypter is sold for $159 (3 months), $399 (1 year), or $799 (lifetime). It is distributed via the Telegram channel @ThePureBot, which also offers other malicious tools such as PureRAT and PureLogs.
Although users must agree to a Terms of Service stating the tools are for educational use only, the capabilities suggest otherwise. The malware includes advanced evasion techniques such as:
- AMSI bypass
- DLL unhooking
- Anti-VM and anti-debugging measures
- NtManageHotPatch API patching for Windows 11 24H2, enabling process hollowing injection
Despite marketing claims of “Fully UnDetected” (FUD) malware—often based on AvCheck results—independent analysis via VirusTotal has revealed significant detection by major AV/EDR solutions, exposing a false sense of stealth.
📌 SecurityX Insight:
This takedown reflects the growing precision and collaboration among global law enforcement agencies in tackling the infrastructure that supports cybercrime. While developers of crypters continue to evolve their techniques, the international cybersecurity community is adapting just as quickly—turning the tide against “invisible” malware.
