Cyber cops plead for info on elusive Emotet mastermind

Follows arrests and takedowns of recent days

After the big dog revelations from the past week, the cops behind Operation Endgame are now calling for help in tracking down the brains behind the Emotet operation.

The international law enforcement alliance has highlighted "Odd" – an individual who has adopted many monikers over the years, but is thought to be behind one of the largest and most recognizable botnets in history.

The short episode released by the team behind Operation Endgame simply walks the audience through the very, very topline backstory of Emotet – basically that it was taken down twice and Odd is still on the loose – before asking for information about who he is, who he's working with, and what he's currently working on.

The call follows this week's multiple arrests, takedowns, and seizures related to many of the world's most notorious malware dropper operations, as outlined in two other episodes Operation Endgame put on the web.

However, reading a little between the lines, we can deduce that Operation Endgame isn't starting from a completely blank slate.

For starters, Operation Endgame specifies pronouns – he/his/etc, indicating they have a vague idea that Odd is a man. The following questions about who he's working with and what's up to now also suggest they know he's not a lone wolf and may be working on other things besides Emotet.

We asked Operation Endgame for a little more information about what's going on behind the scenes but at the time of writing, the last we heard is that it's still deciding on whether to get back to us with comment.

Despite spinning up around a decade ago, very little is known about the Emotet operation and who's behind it.

According to ESET, it's run by a group tracked either by the name "Mealbybug" or the far less catchy TA542, depending on who you talk to. CISA's account of the operation, however, makes no mention of either group, or any reference to the person/people behind it. So, take from that what you will.

What's better understood about the botnet is the sheer scale and threat it presented to the cybersecurity landscape over the years. Starting as a banking trojan from the outset, Emotet evolved into one of the most pervasive botnets on the web, serving as a facilitator and means for distributing other forms of malware, malware droppers, and subsequently ransomware.

Law enforcement had their first crack at taking down Emotet in January 2021, and some countries also used the botnet's own infrastructure to spread a malware-wiping DLL to machines infected with Emotet. It was a controversial step taken by German authorities and one that others, like the UK, chose not to emulate.

Emotet spun up again in November of that year following a ten-month outage, using the Trickbot infrastructure to spread – a role reversal of its first life which instead saw Trickbot spread using Emotet's infrastructure.

However, despite running into the following year, it ultimately never grew back to its original grand scale and as of today, all of Emotet's C2 servers are offline.

Whether Operation Endgame is a little more in the know about Odd's current activities than it's letting on is up for debate. We know that these kinds of joint law enforcement bust jobs have aimed to dial up the psychological pressure on its targets of late. 

First with LockBit – taunting its alleged leader with leaks spread out over a prolonged period. Now with Operation Endgame's Netflix-ification of its announcements coming in episodes that are part of what seems like multiple seasons. 

Authorities are using cybercriminals' own tropes against them, including the trademark countdown timers of ransomware artists and extortionists of other flavors. It's clearly an intimidation tactic they're using as the crackdown on cybercrime continues.

Per the countdown timer on Operation Endgame's website, the next announcement is due on June 5. ®

More about


Send us news

Other stories you might like