An international law enforcement operation has effectively dismantled AVCheck, a service that allowed cybercriminals to test whether their malware could elude detection by commercial antivirus software before it was deployed in attacks. The official domain of AVCheck, avcheck.net, now displays a seizure banner that features the crests of several authorities, including the U.S. Department of Justice, the FBI, and the Dutch police (Politie).
According to an announcement on the Politie website, AVCheck was one of the largest counter antivirus services globally, crucial for cybercriminals seeking to evaluate the stealth and evasiveness of their malware. “Taking the AVCheck service offline marks an important step in tackling organized cybercrime,” stated Matthijs Jaspers of the Politie. He further emphasized that this action disrupts the operations of cybercriminals at an early stage, helping to protect potential victims from attacks.
Investigators have revealed connections between AVCheck and various crypting services, including Cryptor.biz and Crypt.guru. These crypting services assist malware authors in encrypting or obfuscating their payloads, making them undetectable by antivirus programs, thus forming part of the same ecosystem relied upon by cybercriminals. The takedown of AVCheck followed a police intervention that included the establishment of a fake login page to alert users about the legal implications of utilizing the service.
The U.S. Department of Justice highlighted the significance of the May 27, 2025 dismantling of both AVCheck and the associated crypting services. “Cybercriminals don’t just create malware; they perfect it for maximum destruction,” remarked FBI Special Agent Douglas Williams. Authorities noted that the operational efforts were bolstered by undercover agents who posed as clients to uncover the illicit nature of AVCheck, which was found to have links to ransomware attacks targeting U.S. entities. This operation is part of a broader initiative dubbed Operation Endgame, which has already led to the seizure of 300 servers and 650 domains used to facilitate ransomware attacks.