Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike



A coordinated law enforcement operation named MORPHEUS has taken down nearly 600 servers used by cybercriminal groups in connection with the Cobalt Strike attack infrastructure. According to Europol, this operation, conducted between June 24 and 28, targeted outdated, unlicensed versions of the Cobalt Strike red teaming framework.

Of the 690 IP addresses reported to online service providers across 27 countries for criminal activity, 590 are no longer accessible. The joint operation began in 2021, led by the U.K. National Crime Agency (NCA), with participation from authorities in Australia, Canada, Germany, the Netherlands, Poland, and the U.S. Additional support came from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea.

Developed by Fortra (formerly Help Systems), Cobalt Strike is a widely used tool for adversary simulation and penetration testing, helping IT security professionals identify security weaknesses. However, cracked versions have been misused by malicious actors for post-exploitation purposes, as noted by Google and Microsoft.

“Cobalt Strike is the Swiss army knife of cybercriminals and nation-state actors,” said Don Smith, vice president of threat intelligence at SecureWorks, in a statement. He highlighted its frequent use by cybercriminals and nation-state actors, including Russian and Chinese groups, in ransomware and cyber espionage campaigns.

Trellix data indicates that the U.S., India, Hong Kong, Spain, and Canada are among the most targeted countries by threat actors using Cobalt Strike. Most of the Cobalt Strike infrastructure is hosted in China, the U.S., Hong Kong, Russia, and Singapore.

A report from Palo Alto Networks Unit 42 details the use of a payload called Beacon, which employs text-based profiles called Malleable C2 to modify Beacon’s web traffic characteristics to evade detection.

Paul Foster, director of threat leadership at the NCA, remarked on the dual nature of Cobalt Strike, noting that illegal versions have lowered the barrier to entry for cybercrime, enabling damaging ransomware and malware attacks with minimal technical expertise. Such attacks can cost companies millions in losses and recovery efforts.

In related developments, Spanish and Portuguese law enforcement arrested 54 individuals for crimes against elderly citizens through vishing schemes, posing as bank employees to steal personal information. The stolen details were used to access victims’ bank accounts and make unauthorized withdrawals and purchases, resulting in €2,500,000 in losses.

Europol reported that the criminals funneled the illicit funds through an intricate money laundering scheme involving multiple Spanish and Portuguese accounts and a network of money mules.

Similar efforts by INTERPOL have targeted human trafficking and online scam networks. In Laos, Vietnamese nationals were coerced into creating fraudulent online accounts for financial scams under the guise of high-paying jobs. Victims worked long hours and had their documents confiscated, with families extorted up to USD $10,000 for their return to Vietnam.

INTERPOL’s Operation First Light, conducted in 61 countries, aimed at disrupting phishing, investment fraud, fake online shopping sites, romance, and impersonation scams. It resulted in the seizure of $257 million in assets, freezing of 6,745 bank accounts, the arrest of 3,950 suspects, and the identification of 14,643 other potential suspects globally.