Do Son 
One of the most infamous underground services catering to cybercriminals—AVCheck—has come to an end. Its primary domain, avcheck.net, now displays a seizure banner adorned with the logos of the U.S. Department of Justice, the FBI, the Secret Service, and the Dutch National Police. This marks the culmination of an international operation conducted as part of a global crackdown on malware developers and operators.
AVCheck operated under the CAV—Counter Antivirus—model, serving as an online platform where cybercriminals could test their malware for stealth. Before unleashing a malicious file into the wild, its creators would assess how effectively it evaded detection. If security solutions flagged it, the malware would be modified and re-tested until it became entirely invisible to antivirus tools.
Shortly before its final takedown, the site’s homepage featured a decoy login form. Users attempting to sign in were met not with the service’s usual functionality, but with a stern warning about the legal consequences of using such tools. The purpose was twofold: to demoralize potential users and to collect technical data on visitors.
Simultaneously, authorities gathered evidence linking AVCheck’s operators to two other platforms within the same criminal ecosystem—Cryptor.biz and Crypt.guru. The former has also been seized by law enforcement, while the latter has ceased operations. Both specialized in encrypting malicious code—the next logical step after testing. These cryptors “wrap” malware in layers of obfuscation, allowing it to bypass even deep inspection mechanisms.
According to the FBI, such CAV services constitute the infrastructural backbone of the cybercriminal underworld. They do not merely facilitate the spread of malware; they enable attackers to refine it to perfection—tailoring evasion techniques against antivirus engines, firewalls, behavioral analysis systems, and intrusion detection tools. As a result, companies and individuals are confronted with precision-engineered threats that have been meticulously honed.
Undercover agents played a crucial role in dismantling AVCheck and its affiliated services. Posing as ordinary clients, they conducted controlled purchases on the platforms. These transactions provided critical insight into the internal workings of the services and yielded concrete evidence of their illicit intent. Analysis of associated email addresses, user accounts, and metadata led investigators to members of ransomware groups linked to attacks across the United States, including incidents in the Houston area.
According to the Department of Justice, the operation to dismantle AVCheck and its “sister” cryptor services concluded on May 27, 2025. The domain seizures were part of a sweeping international campaign known as Operation Endgame—a multi-phase enforcement effort through which authorities have already confiscated more than 300 servers and 650 domains tied to malware infrastructure supporting ransomware attacks.
Earlier phases of Operation Endgame had already neutralized the infrastructure of well-known malware strains such as Danabot and Smokeloader, both of which had been widely used in assaults on corporate networks and individual users across the globe.
Experts emphasize that the significance of AVCheck’s takedown lies not only in shuttering a single service, but in striking at the very model of early-stage attack preparation. By eliminating this testing tool, law enforcement agencies have effectively disrupted the research and development phase of cybercrime, reducing the quality and precision of campaigns from the outset.
For potential victims, this may translate into fewer breaches, diminished success in bypassing security systems, and a greater chance of thwarting infections. For the hackers, however, it means heightened risks—and steeper operational costs.
Donate