Home Europol shuts down almost 600 IP addresses in Cobalt Strike cybercrime crackdown

Europol shuts down almost 600 IP addresses in Cobalt Strike cybercrime crackdown


  • Europol's Operation MORPHEUS dismantled nearly 600 IP addresses misusing Cobalt Strike.
  • The operation, led by the UK's NCA, involved international cooperation from 27 countries.
  • Cobalt Strike, a legitimate security tool, is often exploited by cybercriminals for ransomware attacks.

Nearly 600 IP addresses have been dismantled by Europol as part of a concerted effort to tackle cybercrime involving the misuse of the Cobalt Strike security tool. The operation, dubbed Operation MORPHEUS, took place between June 24 and June 28, targeting older, unlicensed versions of the tool commonly used in criminal activities.

“Throughout the week, law enforcement flagged known IP addresses associated with criminal activity, along with a range of domain names used by criminal groups, for online service providers to disable unlicensed versions of the tool. A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down,” Europol said in a statement.

Operation MORPHEUS was mainly led by the UK’s National Crime Agency (NCA) and involved major contributions from authorities across Australia, Canada, Germany, the Netherlands, Poland, and the United States. Europol’s European Cybercrime Centre (EC3) also played a role in coordinating international efforts and liaising with private sector partners.

Paul Foster, the NCA’s threat leadership director, said that although Cobalt Strike is a legitimate piece of software, cybercriminals have been exploiting its use for “nefarious purposes”.

He added: “Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery.

“I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”

What is a Cobalt Strike attack?

Cobalt Strike, developed by Fortra, is a legitimate and widely used cybersecurity tool designed to help IT security professionals in performing attack simulations to uncover vulnerabilities. However, it can be exploited maliciously when in the hands of cybercriminals. Reports suggest that cracked copies of older versions like Ryuk, Trickbot, and Conti have been used in several high-profile malware and ransomware cases.

To counteract this threat, Fortra has collaborated with law enforcement to safeguard the legitimate usage of its software. “Fortra has taken significant steps to prevent the abuse of its software and has partnered with law enforcement throughout this investigation to protect the legitimate use of its tools,” Europol stated.

The operation was said to be successful due to the cooperation of private industry partners such as BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation. The partners provided scanning, telemetry, and analytical tools to identify and curb the malicious use of Cobalt Strike.

Europol’s EC3 has supported this project since it was launched in September 2021, providing analytical and forensic assistance. The Malware Information Sharing Platform was also used extensively, with over 730 threat intelligence pieces shared, containing almost 1.2 million indicators of compromise.

This coordinated crackdown is part of a broader strategy enabled by Europol’s amended Regulation, which strengthens its ability to support EU Member States by fostering cooperation with the private sector. This strategic approach has significantly enhanced the resilience of Europe’s digital ecosystem against cyber threats.

Featured image: Ideogram

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Suswati Basu
Tech journalist

Suswati Basu is a multilingual, award-winning editor and the founder of the intersectional literature channel, How To Be Books. She was shortlisted for the Guardian Mary Stott Prize and longlisted for the Guardian International Development Journalism Award. With 18 years of experience in the media industry, Suswati has held significant roles such as head of audience and deputy editor for NationalWorld news, digital editor for Channel 4 News and ITV News. She has also contributed to the Guardian and received training at the BBC As an audience, trends, and SEO specialist, she has participated in panel events alongside Google. Her…

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.