Almost 600 Malicious Cobalt Strike Instances Taken Down After Europol and UK NCA Operation

Written by Lore Apostol
Last updated July 4, 2024

A disruptive action led by the UK National Crime Agency and coordinated by Europol flagged 690 IP addresses associated with Cobalt Strike criminal activity to 129 online service providers in 27 countries between June 24 and 28. By the end of the week, 593 of these addresses had been taken down.

This action was part of Operation Morpheus and is the culmination of an elaborate investigation that started in 2021. It targeted older, unlicensed versions of Cobalt Strike, a penetration testing tool that checks for vulnerabilities in a company’s network and helps improve cybersecurity, which hackers have abused to conduct cyberattacks.

Law enforcement notified service providers of known IP addresses associated with instances of malicious Cobalt Strike software and several domains used by cybercriminal groups.

Since the mid-2010s, cybercriminals have been downloading pirated and unlicensed versions of pen-testing software from illegal marketplaces and the Dark Web. 

Legal Cobalt Strike versions come with tools, guides, and videos that threat actors can easily exploit for cyberattacks. Together, these make for an effective network intrusion tool that helps deploy ransomware at speed and scale without requiring much sophistication or money.

Authorities participating in the investigation were the Australian Federal Police (AFP), the Royal Canadian Mounted Police (RCMP), the German Federal Criminal Police Office, The Netherlands National Police, the Polish Central Cybercrime Bureau, the U.K. National Crime Agency (NCA), and the U.S. Department of Justice and Federal Bureau of Investigation (FBI).

Authorities from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea also supported the disruption activity.
