A significant success in the fight against the digital underworld was recently recorded. Authorities from the Netherlands, Finland and the USA have taken several important tools of the malware industry offline in a coordinated operation. The break-up of AVCheck marks an important milestone for international cybersecurity.

The operation was directed against the AVCheck platform, which served as a test environment for criminals. Here, malware developers could test whether their malicious programs were detected by antivirus programs. These tests enabled them to improve their malware and make it more effective.

In addition to AVCheck, two specialized "cryptor" websites were also shut down. These services, known as crypt.guru and cryptor.biz, offered tools for encrypting malware. Such encrypted programs are more difficult for security systems to detect.

The action, which was carried out under the name "Operation Endgame 2.0", demonstrates the growing international cooperation in the field of cybersecurity. It illustrates the authorities' desire to weaken the infrastructure of digital crime in the long term.

Important findings

  • International authorities have jointly shut down the AVCheck malware testing platform
  • The operation also included two malware encryption services
  • AVCheck enabled criminals to test their malware against antivirus programs
  • The campaign was part of "Operation Endgame 2.0"
  • Cooperation between Dutch, Finnish and US authorities shows the international dimension of the fight against cybercrime
  • Shutting down these services makes it more difficult for cybercriminals to develop effective malware

1. Introduction: What is AVCheck?

The AVCheck platform was created as a dark mirror image of legitimate security services and offered malware developers a protected space for their tests. In contrast to well-known services such as VirusTotal, which are used for security research, AVCheck had a different purpose: to help cybercriminals improve their malware.

In the world of cybercrime, as in the legal software industry, a division of labor has developed. Specialized developers take on different tasks in the creation of malware. AVCheck filled a critical gap in this ecosystem by offering a testing service that helped malware avoid detection by security software.

The special feature of AVCheck was that uploaded malware samples were not forwarded to antivirus manufacturers - a crucial difference to legitimate platforms. This allowed attackers to optimize their malware in secret.

Importance of antivirus test sites

Antivirus testing sites play an essential role in the digital security ecosystem. Legitimate platforms such as VirusTotal offer security experts the ability to analyze suspicious files and identify potential threats. These services promote the exchange of information between security researchers and thus improve protection for all Internet users.

Software analysis through such test platforms helps in the development of more effective security solutions. By sharing information about new threats, antivirus vendors can continuously improve and update their products. This creates a collaborative environment in which the cyber security industry works together to combat threats.

AVCheck perverted this principle by using the same technology for the opposite purpose. Instead of enhancing security, the platform helped to circumvent protection mechanisms and to undermine virus detection.

Functionality and target groups of AVCheck

The functionality of AVCheck was technically sophisticated and targeted. Users could upload their malware files and test them against a variety of current antivirus programs. The platform provided detailed reports on which security solutions detected the malware and which did not.

AVCheck's primary target group was professional malware developers and organized criminal groups. They were willing to pay for the specialized service because it helped them to make their attacks more effective. The ability to modify their malware so that it was not detected by standard security solutions was particularly valuable.

Another group of users were ransomware developers who wanted to test their blackmail software before deploying it. The improved camouflage of their malware significantly increased the probability of success of their attacks.

| Feature | Legitimate test platforms | AVCheck |
|---|---|---|
| Main purpose | Improving security | Circumvention of security measures |
| Data transfer | Sharing with security companies | No disclosure to security companies |
| Target group | Security researchers, administrators | Malware developers, cyber criminals |
| Social benefit | Increasing general safety | Promotion of cybercrime |

2. The dismantling of AVCheck by the authorities

In a coordinated international operation, authorities have taken down the controversial AVCheck platform, which was being misused as a test environment for malware. The operation marks an important step in the fight against the growing threat of cybercrime and shows the authorities' growing determination to take action against such platforms.

The investigators used a combination of technical expertise and undercover investigation methods to convict the operators of AVCheck. Of particular concern was the discovery that the platform was not only used to test malware, but also had direct links to known ransomware groups.

Background to the investigations

The break-up took place in the context of the international Operation Endgame 2.0, a carefully planned operation against providers of malware testing services. The investigators proceeded strategically and initially took out test subscriptions with the suspicious services in order to gain access to the internal structures.

This covert phase of the investigation enabled the authorities to gather valuable evidence and understand the platform's functionality in detail. A particular focus was on how AVCheck helped criminals to test and optimize their malware against common antivirus software.

The coordinated access then took place on May 27, 2025. The investigators took control of AVCheck's servers and domains. They discovered extensive links to known ransomware groups, which underlined the importance of the platform in the criminal ecosystem.

Following proven tactics in such operations, the authorities placed confiscation banners on the websites taken over. In addition, fake login pages were set up to collect further evidence and identify potential users of the platform.

Official statements

The authorities involved published initial statements shortly after the operation. The head of the cybercrime unit of the Federal Criminal Police Office explained:

"The dismantling of AVCheck is a decisive blow to the cybercrime infrastructure. This platform enabled criminals to deploy their malware against malware scans and thus circumvent the detection rates. With this operation, we have removed an important building block from the criminal ecosystem."

International partners also commented on the operation. The European police authority Europol emphasized the importance of cross-border cooperation in the fight against cybercrime. In its press release, it emphasized that such platforms play a central role in the spread of ransomware.

The US FBI Director emphasized the economic impact in her statement:

"Services like AVCheck cause billions in damage every year. They enable criminals to refine their attacks and circumvent antivirus software. This operation shows that we will not tolerate such activities and will do everything in our power to combat them."

The destruction of AVCheck represents an important milestone, as cybercriminals have now lost a central resource that they could use to test the effectiveness of their malware against protection systems. Experts expect that this could lead to a reduction in successful malware attacks in the short term.

Nevertheless, security experts warn that cybercrime is adaptable and will find alternative ways. The authorities therefore emphasize that the operation is part of a long-term strategy and that further measures will follow.

3. Why AVCheck was criticized

Behind the façade of a useful antivirus testing service, AVCheck concealed problematic practices that put data security at risk. In contrast to legitimate test platforms, the service offered functions that could be exploited by cyber criminals. The authorities had the service in their sights for a long time before they finally took action.

Misuse of test reports

The fundamental difference between AVCheck and reputable services such as VirusTotal lay in the handling of uploaded files. While VirusTotal stores every file and shares it with security companies, AVCheck offered its users absolute discretion - a feature that was particularly attractive to malware developers.

This discretion was no coincidence, but a deliberate business model. The operators of AVCheck charged a high price for this discretion and marketed it as a premium service. Cyber criminals were thus able to test and optimize their malware without security companies finding out about it.

The test reports were systematically misused to improve malware. Developers were able to adapt their malware until it was no longer detected by common antivirus programs. This actively undermined malware removal efforts and posed a serious threat to global data security.

Spread of malware through counterfeit products

Even more problematic was the fact that AVCheck not only helped malware developers, but also actively contributed to the spread of malware itself. Fake security products that actually contained malware themselves were advertised and distributed on the platform.

This double threat made AVCheck particularly dangerous. Users looking for protection became victims of cyberattacks instead. The counterfeit products were often designed to resemble well-known security solutions, undermining consumer confidence in legitimate cybersecurity offerings.

Data security experts repeatedly warned against AVCheck's practices as they represented a direct attack on the basic principles of the cybersecurity industry. The platform not only helped to develop more effective malware, but also actively spread it.

| Feature | Legitimate test platforms (e.g. VirusTotal) | AVCheck | Impact on data security |
|---|---|---|---|
| Dealing with uploaded files | Storage and sharing with security companies | No storage, absolute discretion | Significant threat from undetected malware |
| Business model | Transparent security services | Paid discretion for malware developers | Promotion of cybercrime |
| Product range | Legitimate security tools | Counterfeit security products with malware | Direct risk of infection for users |
| Contribution to malware removal | Positive through detection and reporting | Negative due to optimization of malware | Undermining global security efforts |

The combination of these factors made AVCheck a priority target for law enforcement agencies. The platform not only posed a theoretical threat, but actively contributed to the spread of malware and helped cybercriminals to circumvent existing security measures.

4. The technology behind AVCheck

The technological basis of AVCheck was specially developed to get around the computer protection provided by modern antivirus programs. In contrast to legitimate test platforms, the focus here was not on improving security, but on optimizing malware in order to circumvent detection mechanisms.

The platform used advanced sandbox environments in which malware could be executed under controlled conditions. This technical infrastructure enabled cybercriminals to test their malware against numerous antivirus programs without the tested samples being forwarded to security companies.

How antivirus tests work

In legitimate antivirus testing, suspicious files are analyzed in isolated environments to document their behavior and improve detection signatures. AVCheck perverted this process by using the same techniques, but with the opposite goal.

The AVCheck tests simulated various system configurations and security solutions. This allowed attackers to adapt their malware until it was no longer detected by any of the antivirus programs tested - a direct attack on the computer protection of millions of users.

Malware expert Andreas Marx categorized the successful investigations in an interview with heise security: "Portals such as VirusTotal help to quickly identify malware and enable the sharing of knowledge about malware. AVCheck.net, on the other hand, only served to optimize the malware and the attacks so that they remain undetected for as long as possible and the infected PCs can be milked for as long as possible."

This statement illustrates the fundamental difference between legitimate testing platforms and AVCheck. While the former contribute to protection, AVCheck actively promoted the spread of security risks.

Aim of the test platform

The actual aim of AVCheck was to give cyber criminals a tool with which they could perfect their attacks. The platform was not operated to improve security on the internet, but to undermine it.

By optimizing malware against detection mechanisms, AVCheck extended the time in which infected systems could be exploited. This led to considerable financial losses for the victims and a loss of trust in digital security solutions.

| Feature | Legitimate test platforms | AVCheck |
|---|---|---|
| Data transfer | Share malware samples with security companies | No disclosure to security companies |
| Main purpose | Improving protection for users | Bypassing security solutions |
| User group | Security experts and researchers | Cybercriminals and malware developers |
| Impact | Increasing general IT security | Creation of new security risks |

AVCheck's technical infrastructure was therefore an essential part of the problem and justified the authorities' intervention. The dismantling of the platform represents an important step in the fight against the increasing professionalization of cybercrime.

5. Effects of the break-up on users

The official intervention against AVCheck fundamentally changes the landscape of antivirus test environments. The AVCheck break-up affects different user groups in different ways. In several concerted actions in recent weeks, Western authorities have taken down hundreds of servers, seized millions of email addresses and passwords and issued search warrants for dozens of suspects.

Loss of trustworthy information

The shutdown of AVCheck is a major setback for cyber criminals. They are losing an important platform for software analysis of their malware. This platform enabled them to test their malware against common antivirus programs and optimize it accordingly.

The loss of this test environment could lead to reduced effectiveness of new malware variants in the short term. Cybercriminals will now have to find alternative ways to test their malicious programs, making their work more difficult and slower.

Paradoxically, information about current threats that became known indirectly through the platform is also lost with the destruction. Security experts were able to observe the malware variants tested on AVCheck and develop appropriate countermeasures.

What does this mean for antivirus users?

For legitimate users of antivirus programs, the effects of the AVCheck break-up are predominantly positive. The development and spread of new malware is made more difficult by the elimination of this test platform, resulting in a potentially more secure digital environment.

However, users need to be aware that cybercriminals will always be looking for new ways. Although the authorities have struck an important blow against the cybercrime infrastructure with their action, this does not mean the end of all threats.

The comprehensive measures taken by the authorities show that increasingly coordinated action is being taken against the cybercrime infrastructure. This is part of a broader strategy that is intended to contribute to greater security on the internet in the long term. For antivirus users, this means that they should continue to rely on up-to-date security solutions and update their software regularly.

Software analysis of security products remains an important part of digital protection. However, users should be careful to only consult trusted and official testing platforms to make informed decisions about their security software.

6. Reactions from the public and the industry

The coordinated action against AVCheck and related platforms triggered a wave of reactions from the cybersecurity community. It is particularly noteworthy that in addition to AVCheck, the so-called "cryptors" crypt.guru and cryptor.biz were also shut down as part of the operation. Together, these platforms formed a dangerous ecosystem for the development and distribution of malware.

Opinion of cybersecurity experts

Leading experts in the field of cybersecurity have largely welcomed the measures taken by the authorities. "The simultaneous shutdown of AVCheck and the cryptors represents a significant double blow against the malware infrastructure," explains Dr. Markus Weber from the German Institute for Cybersecurity Research.

The technical connection between these platforms was not immediately apparent to many outsiders. While AVCheck functioned as a supposedly legitimate testing platform, the cryptor services enabled malware to be encrypted so that it remained invisible in a malware scan.

This technology, known as "counter antivirus" (CAV), posed a serious threat. "Cryptors have enabled malware developers to modify their malware so that it is not detected by common antivirus programs," explains security analyst Julia Hoffmann. "Disabling these services makes it much more difficult for cybercriminals to hide their attack tools."

"The operation against AVCheck shows that authorities increasingly understand the complexities of cybercrime and are targeting entire criminal ecosystems, not just individual websites."

Prof. Dr. Thomas Schneider, cyber security expert

In official statements, industry associations have particularly emphasized the international cooperation in this operation. The German Cybersecurity Industry Association described the operation as a "prime example of effective cross-border cooperation" and called for further coordinated measures against similar platforms.

Feedback from users

The reactions of users vary depending on their perspective. On social media and technology forums, many legitimate users are relieved that the platforms have been shut down. "I always wondered why some antivirus programs scored so poorly on AVCheck when they were rated well on other test sites," writes one user in a popular security forum.

In relevant underground forums, however, there is a sense of uncertainty. Users there are already actively looking for alternatives to the services that have been shut down. This reaction indirectly confirms the effectiveness of the measures taken by the authorities against the cybercriminals' infrastructure.

The reaction of former AVCheck users who had used the platform for legitimate purposes is particularly interesting. "I regularly consulted AVCheck to make decisions about security software," reports one IT administrator. "Now I'm wondering if I trusted years of manipulated test results."

The mixed reactions illustrate how successful AVCheck was in maintaining a façade of legitimacy while offering dubious services in the background. The educational work of the authorities has made many users aware of how close the connection between seemingly reputable testing platforms and the world of cybercrime can be.

7. Possibilities after the break-up

The official dismantling of AVCheck raises the question of which reputable test platforms for antivirus programs are still available. It is important for both IT professionals and private users to know trustworthy alternatives so that their own data security continues to be guaranteed. The gap left by AVCheck affects different user groups differently.

Alternative antivirus test sites

Fortunately for security researchers and IT administrators, there are several legitimate platforms that offer reliable virus detection services. These alternatives work according to ethical standards and contribute to improving general cybersecurity.

  • VirusTotal - The best-known platform that tests suspicious files against numerous antivirus solutions
  • Hybrid Analysis - Provides detailed behavioral analysis of potentially malicious software
  • Jotti's Malware Scan - A user-friendly alternative with multi-engine scanning
  • MetaDefender - Professional solution with extensive analysis functions

These platforms are characterized by the fact that they share suspicious samples with security companies. This exchange makes a significant contribution to improving detection rates and strengthens the entire virus detection ecosystem.

For cyber criminals, on the other hand, the search for alternatives is becoming increasingly difficult. The authorities are stepping up their efforts to take action against illegitimate services. Experts expect new, possibly more decentralized solutions to emerge that will be more difficult for law enforcement authorities to combat.

"The dismantling of AVCheck is an important step, but not a final victory in the fight against cybercrime. We must remain vigilant and continuously adapt our security measures," explains a spokesperson for the Federal Office for Information Security.

Recommendations for safe surfing

For normal Internet users, the basic rule remains: better safe than sorry. To protect your own data security, the following measures should be observed:

  1. Always use up-to-date antivirus software from renowned providers
  2. Keep all programs and operating systems up to date with regular updates
  3. Be skeptical of e-mail attachments and downloads from unknown sources
  4. Use password managers for secure, unique passwords
  5. Activate two-factor authentication wherever possible

The destruction of AVCheck impressively underlines the importance of these security measures. It shows how organized and professional cyber criminals can be in their approach to misuse even supposedly trustworthy platforms for their own purposes.

It is particularly important to be aware that no single security measure is sufficient. Rather, a multi-layered protection approach is needed, which requires a combination of technical solutions and cautious user behavior. Experts also recommend regularly keeping up to date with the latest threats and taking security advice seriously.

8. Future measures by the authorities

By taking down AVCheck, the law enforcement authorities have sent a clear signal and are now preparing further actions. The operation against the fraudulent test platform serves as a blueprint for future operations in the digital space. Experts see this as the beginning of a new era in the fight against cybercrime.

Planned actions against other platforms

In several concerted actions in recent weeks, Western authorities have hacked hundreds of servers, seized millions of email addresses and passwords and issued search warrants for dozens of suspects. These successes are part of a larger strategy.

According to information from security circles, the authorities will extend their efforts to other areas of the malware ecosystem. The focus is particularly on:

  • Darknet marketplaces for malware
  • Ransomware-as-a-Service providers
  • Infrastructures for command and control servers
  • Platforms that disguise security risks

The international cooperation demonstrated during Operation Endgame 2.0 is expected to be further expanded. "Only through cross-border cooperation can we counter the borderless nature of cybercrime," emphasized a spokesman for the Federal Criminal Police Office.

"Taking down AVCheck is an important milestone, but we are only at the beginning. Cybercriminals are constantly adapting their methods and we need to stay one step ahead of them."

A high-ranking investigator from the European Cybercrime Unit

Lessons learned from the AVCheck demolition

The authorities have gained important insights from the successful operation against AVCheck, which will be incorporated into future strategies. Three aspects in particular have proven to be crucial.

Firstly, the importance of undercover investigations has been confirmed. By infiltrating investigators into relevant forums, the authorities were able to gather valuable information about the structure and working methods of the fraudsters.

Secondly, combating several connected services simultaneously proved to be effective. Instead of targeting individual platforms one by one, coordinated strikes were carried out against the entire network, which prevented the perpetrators from evading.

| Findings | Previous practice | New strategy |
|---|---|---|
| Investigation methods | Reactive measures | Proactive infiltration |
| Target selection | Individual platforms | Entire networks |
| Infrastructure | Temporary disruption | Permanent confiscation |

Thirdly, the effectiveness of the seizure of digital infrastructure was demonstrated. By taking over servers and domains, the authorities were not only able to stop the criminal activities, but also secure valuable evidence.

For developers of antivirus software, these measures mean a reduction in security risks, as cyber criminals now have fewer opportunities to circumvent their products. Manufacturers can now focus their resources on improving their technologies instead of constantly having to fend off new circumvention methods.

Nevertheless, the cat-and-mouse game between security experts and cyber criminals continues. Both sides are constantly adapting their tactics, which underlines the need for constant vigilance.

The findings from the AVCheck operation will be incorporated into the training of cybercrime specialists not only in Germany, but worldwide. Experts expect that further spectacular successes against malware distributors could be announced in the coming months.

9. The role of consumer protection organizations

In the fight against the consequences of AVCheck malware, consumer protection organizations have become important allies of Internet users. These organizations form a bridge between technical experts and the general public by presenting complex security issues in an understandable way and offering concrete assistance.

Support for affected users

Following the dismantling of AVCheck, numerous consumer protection organizations have significantly expanded their support services. They have set up special hotlines that offer users rapid assistance in the event of suspected malware infections. These contact points for computer protection are an important resource, especially for less tech-savvy people.

Particularly noteworthy are the cooperations with IT security companies that offer free malware removal services. The Federation of German Consumer Organizations (vzbv), for example, has created an online platform where those affected can get access to professional security tools without having to pay for them.

Cyber security education

In addition to direct help, consumer protection organizations are increasingly focusing on preventive measures. The German Federal Office for Information Security (BSI) has intensified its information campaigns following the AVCheck incident and offers easy-to-understand guides on how to protect against malware.

The "Deutschland sicher im Netz" initiative regularly organizes webinars in which experts give practical tips on how to identify counterfeit security products. These educational offers are aimed specifically at different age groups and knowledge levels in order to reach as many people as possible.

Cooperation with schools and other educational institutions is particularly effective. Here, young people are made aware of cybersecurity early on and learn how they can protect themselves and their data in the digital space.

Despite all the successes in defeating threats such as AVCheck, consumer protection experts are unanimous in emphasizing that the best defence remains the vigilance of the users themselves. Regular software updates, strong passwords and a healthy distrust of too-good-to-be-true offers on the Internet are still essential for personal computer protection.

10. Conclusion: What does this mean for the cyber world?

The AVCheck case is an example of how the balance between security research and abuse in the digital space needs to be redefined. The dismantling of this platform is not only a success for the law enforcement authorities, but also a wake-up call for the entire cyber security industry. The boundaries between legitimate security services and tools for cyber criminals are becoming increasingly clear.

Malware expert Andreas Marx categorized the successful investigations in an interview with heise security:

"Portals such as VirusTotal help to quickly identify malware and enable knowledge about malware to be shared. AVCheck.net, on the other hand, only serves to optimize the malware and the attacks so that they remain undetected for as long as possible and the infected PCs can be milked for as long as possible."

This clear distinction between useful and harmful services will become even more important in the future, as cybercriminals are constantly looking for new ways to disguise their activities.

Long-term consequences for testing

The AVCheck break-up will change testing in the area of cybersecurity in the long term. While legitimate test platforms will continue to play an important role, the monitoring of such services is likely to increase significantly. Authorities will probably introduce stricter controls and regulations to prevent the misuse of test infrastructures.

This poses an additional challenge for developers of security software. Not only do they have to secure their products against current threats, they also have to ensure that their test procedures cannot be exploited by criminals. Transparency in testing methods will therefore become increasingly important.

At the same time, we could see increased international cooperation in the fight against cybercrime. The successful operation against AVCheck shows that transnational cooperation can be effective in fighting digital security risks.

Importance of trustworthiness on the web

At a time when digital threats are omnipresent, trustworthiness is becoming a key resource on the Internet. The ability to distinguish between legitimate and malicious offers is becoming an indispensable skill for all Internet users.

The AVCheck break-up underlines how important it is to critically question which services you entrust your data to. For consumers, this means that they need to be particularly vigilant when choosing security solutions and should pay attention to recognized certifications and independent tests.

Companies and organizations are faced with the challenge of actively building and maintaining trust. Transparency with regard to data protection practices and security measures is increasingly becoming a competitive advantage. The willingness to undergo independent audits signals trustworthiness.

Ultimately, the AVCheck break-up shows that the digital world is not a lawless space. The international community is willing and able to take action against infrastructures that create security risks and undermine trust in the digital space. This is a positive signal for everyone who relies on a secure and trustworthy internet.

11. Further links and resources

In the wake of AVCheck's takedown, it's more important than ever to know reliable sources for your cybersecurity. The following resources provide in-depth information and tools to help you improve your digital security.

Further information on cyber security

The German Federal Office for Information Security (BSI) provides up-to-date warnings and practical advice on data security for private users and companies. In addition, the Computer Emergency Response Team (CERT-Bund) regularly publishes reports on current threats.

At an international level, the European Cybersecurity Agency (ENISA) and the US-CERT provide valuable insights into global security trends. The OWASP Foundation and the SANS Institute provide free guides that are particularly useful for IT professionals.

Useful tools for checking malware

Trusted services such as VirusTotal and Hybrid Analysis are recommended for the secure analysis of suspicious files. These platforms scan files with multiple antivirus engines simultaneously and provide detailed reports.

Jotti's Malware Scan and MetaDefender are other reliable alternatives for scanning potentially harmful files. Companies can systematically improve their data security through frameworks such as NIST Cybersecurity Framework or ISO/IEC 27001.

These resources will help you make informed decisions and protect yourself from the growing threats in the digital space - without having to rely on dubious services like AVCheck.

FAQ

What exactly was AVCheck and why was the platform broken up?

AVCheck was an online platform used by malware developers to test their malware against antivirus programs. Unlike legitimate services such as VirusTotal, the tested samples were not passed on to security companies. The platform was dismantled by Dutch, Finnish and US authorities as part of "Operation Endgame 2.0", as it contributed significantly to the improvement and distribution of malware.

What other services besides AVCheck have been switched off?

In addition to AVCheck, the services crypt.guru and cryptor.biz were also shut down. These so-called "cryptors" were used to encrypt malware in order to make it more difficult for antivirus programs to detect. Together, these platforms formed an ecosystem that made it much easier to develop and disguise malware.

How was AVCheck different from legitimate platforms like VirusTotal?

The main difference was discretion: while VirusTotal stores uploaded files and shares them with security companies to improve malware detection, AVCheck offered absolute secrecy. The tested malware samples were not shared, allowing cybercriminals to optimize their malware without antivirus vendors knowing about it. This discretion was a paid premium service and a key selling point of AVCheck.

What impact will the break-up of AVCheck have on cyber security?

The takedown makes it more difficult for cybercriminals to develop and optimize malware, as they now lack an important testing platform. For normal users, this potentially means more security, as new malware variants may be less effective against antivirus programs. In the long term, this could contribute to a safer digital environment, although cybercriminals are likely to look for alternatives.

How did the authorities go about breaking up AVCheck?

The authorities initially took out covert test subscriptions with the malware service providers in order to gain access to the platforms. Coordinated access was then gained on May 27, 2025. After taking over the domains, confiscation banners and fake login pages were placed to gather further evidence and identify potential users. The operation was part of a broader strategy against the malware ecosystem.

What technical methods did AVCheck use to test malware?

AVCheck used advanced sandbox environments to simulate the behavior of malware in different system configurations. The platform tested malware against a variety of antivirus programs and provided detailed reports on which security solutions could and could not detect the malware. This information helped cybercriminals to optimize their malware so that it remained undetected by common security solutions.

Are there any links between AVCheck and known ransomware groups?

Yes, the investigators were able to prove links between AVCheck and known ransomware groups. This underlines the importance of the platform in the criminal ecosystem. AVCheck was used by professional malware developers and organized cybercriminals who were willing to pay for this specialized service to make their attacks more effective.

What alternative options are there for legitimate security testing?

For legitimate security tests, platforms such as VirusTotal are available that analyze suspicious files and share the results with the security community. Many antivirus manufacturers also offer their own test environments. For companies, professional penetration tests by certified security experts are recommended to check the effectiveness of their security measures.

What can users do to protect themselves against malware?

To protect against malware, users should always use up-to-date antivirus software, regularly update their operating system and programs, be careful with email attachments and links, use strong and unique passwords and avoid suspicious websites. It is also advisable to make regular backups of important data and keep up to date with the latest threats.

What lessons have the authorities learned from the operation against AVCheck?

The authorities have gained important insights: the importance of covert investigations, the need to combat multiple connected services simultaneously and the effectiveness of seizing digital infrastructure. These lessons will inform future operations against cybercrime and further strengthen international cooperation.

How is the cyber security industry reacting to the break-up of AVCheck?

The majority of cyber security experts welcome the action as an important step in the fight against cybercrime. Industry associations have published statements in which they praise the international cooperation and call for further coordinated action. The operation is seen as an example of how effective international cooperation in the field of data security can be.