Global cybercrime enforcement

Sanctions Alone Could Not Stop Evil Corp — Operation Endgame's Active Remediation Model Finally Did

A June 2026 multinational operation cleaned 14,971 hacked WordPress sites and seized 106 servers tied to Russia's Evil Corp, signalling a shift from punitive to technical cybercrime enforcement.

[Infographic: "Operation Endgame: SocGholish Takedown at a Glance" (People of Internet Research): 14,971 infected WordPress sites cleaned; 106 servers and domains seized; 1.44M at-risk WordPress sites with leaked credentials; $100M+ estimated Dridex losses documented by U.S. authorities.]

A Ransomware Gateway Gets Shut Down

On June 18, 2026, law enforcement from the Netherlands, Canada, the United States, and Germany — coordinated through Europol and Eurojust — dismantled a critical piece of global ransomware infrastructure. The operation cleaned SocGholish malware from 14,971 compromised WordPress websites, seized 106 servers and domains, and disinfected 2,488 individual computers. Dubbed "Season 3" of Operation Endgame, it was the most ambitious active remediation effort yet directed at infrastructure linked to Russia's Evil Corp criminal group — and it carried an unmistakable message: indictments and financial sanctions, by themselves, are not enough.

The scale requires emphasis. Dutch law enforcement did not merely catalogue the problem — they went website by website, stripped out the malware, and notified site owners to rotate credentials. "With these actions we deprive cybercriminals of access to infected computer systems," said Maikel Rollman of the Dutch National High Tech Crime Unit, adding that "this marks the beginning of further action against SocGholish."

How SocGholish Works

SocGholish — also known as FakeUpdates — has operated since at least 2017. Its attack chain begins with a legitimate website, typically a small WordPress-powered business, compromised through stolen or leaked credentials. Visitors see a convincing browser pop-up urging them to install a software update. They click; the malware installs; a covert channel opens. The victim's machine joins a botnet — a staging post for whatever the operators choose to deploy next.

That "next" is ransomware. The FBI's Cyber Division described the malware's role precisely: "The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage." Evil Corp has pushed DoppelPaymer, WastedLocker, Hades Ransomware, LockBit, and RansomHub through this single entry point. Disrupting SocGholish therefore attacks the common upstream dependency of multiple ransomware families at once.

The scale of exposure before the operation was severe. Shadowserver identified over 1.44 million WordPress sites carrying leaked credentials that were available for SocGholish exploitation as of May 2026. Infoblox estimated roughly 55 percent of cloud customers faced SocGholish exposure. The 14,971 sites remediated represent the most active portion of that pool — the ones already weaponised and delivering malicious payloads to real visitors.

The Evil Corp Problem — and Why Sanctions Were Not Enough

Fair-minded analysis requires acknowledging what the sanctions-first approach achieved. The U.S. Treasury's Office of Foreign Assets Control sanctioned Evil Corp in December 2019 for developing and deploying Dridex, a banking trojan that caused more than $100 million in losses across more than 40 countries. Those sanctions were consequential: they made it legally dangerous for ransomware affiliates operating within Western jurisdictions to pay Evil Corp ransoms or partner with them, and they contributed to the group's well-documented pattern of rebranding under new names to distance downstream affiliates from sanction exposure. The UK's National Crime Agency acted in coordination, and later trilateral action expanded the designated entity list.

But Evil Corp has operated since at least 2007. Seven years after the 2019 OFAC action, its infrastructure was active enough to require 14,971 remediations and the deployment of four national law enforcement agencies. Sanctions strip legitimacy, restrict financial channels, and complicate allied cooperation with sanctioned groups — but they are not a technical countermeasure. They do not take servers offline. They do not remove malware from a restaurant's WordPress installation in Utrecht or Ottawa.

What Season 3 Adds to the Enforcement Playbook

Operation Endgame represents a third model, distinct from prosecution-and-indict and sanctions-and-wait. It is persistent, iterative, technical disruption at scale, with victim notification built into the operational design. Compromised site owners were notified through HaveIBeenPwned, DIVD, Spamhaus, Shadowserver, and national CERTs. The RCMP's Inspector Kurt Bedford framed the logic clearly: "International law enforcement partnerships are essential in addressing cyber threats because they are complex and global in nature." His agency confirmed that SocGholish "has had an impact on all levels of Canadian society, from critical infrastructure, education, government and more."

That breadth matters. The botnet was not hitting only commercial targets. Government networks, hospitals, and schools in Canada and elsewhere used infrastructure that shared the same initial access vector as a neighbourhood pizza restaurant. Disrupting that single chokepoint — the SocGholish delivery layer — delivered security value across sectors simultaneously, without requiring each of those sectors to undergo a separate compliance audit.

The private sector was also embedded in the operation. Infoblox and Proofpoint contributed threat intelligence that guided the targeting. This is the enforcement model working as it should: law enforcement agencies providing legal authority and coordination, cybersecurity firms providing technical reach, and the combination achieving outcomes neither could alone.

The Right Policy Lesson Is Not More Mandates on Victims

The 14,971 infected sites were not run negligently. They were small businesses — restaurants, auto repair shops, local service providers — hacked through credential theft at scale. The appropriate policy response is not to impose new security audit mandates on every small business running a website, an approach that would impose crushing compliance costs on the very operators mentioned in law enforcement's own press releases as collateral victims.

The case for proportionate regulation points elsewhere: sustained investment in the kind of cross-border enforcement capacity that made Operation Endgame Season 3 possible. Running coordinated action across the Netherlands, Canada, the US, and Germany — with Europol, Eurojust, and a network of private-sector partners — is expensive and operationally complex. Keeping it funded and institutionalised is where policy attention belongs. Evil Corp will attempt to rebuild. The question is whether iterative, sustained disruption can impose costs faster than the group can reconstitute — and that is a resource question, not a regulatory architecture question.
