Over 15M Emails and 43M Passwords Added to HIBP Following Recent Operation Endgame Action

• North of 15 million breached email addresses were discovered thanks to a new phase of Operation Endgame.
• Almost 44 million stolen passwords were also added to the Pwned Passwords service.
• The law enforcement operation dismantled the criminal infrastructure behind Qakbot, Trickbot, HijackLoader, and more.

Law enforcement provided Have I Been Pwned (HIBP) with 15.4 million victim email addresses and 43.8 million passwords for the Pwned Passwords service following Operation Endgame 2.0, which occurred last week.

A major outcome of this coordinated action involved the transfer of vast amounts of compromised data to public exposure databases. The data was added to HIBP on May 23, 2025.

Spearheaded by agencies across North America and Europe, this action targeted the backbone of ransomware delivery and credential theft operations.

Building on the successes of the first Operation Endgame in 2024, the latest crackdown focused on takedowns of multiple malware strains, most notably the DanaBot malware-as-a-service (MaaS) platform. 

The US Department of Justice announced indictments against 16 Russian nationals connected to DanaBot, a group linked to credential theft, banking fraud, and a sophisticated affiliate network selling illicit access for thousands of dollars per month. 

The decisive law enforcement moves were facilitated in part by operational errors from DanaBot affiliates, several of whom inadvertently exposed their own identities by infecting their personal devices.

The scale of the operation was unprecedented. Authorities seized nearly 300 servers and over 650 domains supporting malware like Qakbot, Bumblebee, Trickbot, Lactrodectus, HijackLoader, and Warmcookie. 

Twenty suspects were arrested and €3.5 million in cryptocurrency seized. Intelligence gathering was supported by cybersecurity firms including ESET, Microsoft, Proofpoint, and Lumen.