Malware disruption and victim notification.
In May 2024, an international law-enforcement coalition led by Europol conducted "Operation Endgame," the largest-ever operation against botnets, dismantling dropper/botnet malware (IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, Trickbot) tied to at least 15 ransomware groups. Credentials seized from the malware infrastructure were provided to Have I Been Pwned, which loaded ~16.5 million email addresses and ~13.5 million unique passwords (marked subscription-free for domain owners to search) so victims could be notified. This is a law-enforcement-sourced malware-victim credential dataset, not a breach of a single organization; the underlying exposure stems from infostealer/botnet infections on victim devices.
ObscureIQ assessment: Exposure of this data can identify individuals involved in cybercrime, enable prosecution, and create downstream risks including retaliation, doxxing, or intelligence exploitation.
The dataset represents victims whose credentials were stolen by botnet/dropper malware and seized during the takedown. Have I Been Pwned loaded ~16.5 million email addresses and ~13.5 million unique passwords (flagged subscription-free) so affected people and organizations could learn they were compromised. For those victims, the underlying malware infection implies broad credential-theft exposure and credential-stuffing/account-takeover risk; the law-enforcement action and notification are mitigations.
Operation Endgame is a coordinated international law-enforcement action (led by Europol with global partners) that, beginning in May 2024, dismantled major malware "dropper"/botnet infrastructure (IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, Trickbot) linked to numerous ransomware groups. It is a takedown operation, not a breached entity.
Law enforcement operations aggregate intelligence from seized infrastructure, including logs, user identifiers, IP addresses, and operational metadata tied to criminal networks.
In its May 2024 phase, Operation Endgame took down ~100+ servers and seized 2,000+ domains; subsequent phases (through 2025) dismantled additional infrastructure such as the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet (1,025+ servers). Law enforcement provided seized victim credentials to Have I Been Pwned for notification.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Malware / Infostealer.
If you believe your information may be included:
In May 2024, an international law-enforcement coalition led by Europol conducted "Operation Endgame," the largest-ever operation against botnets, dismantling dropper/botnet malware (IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, Trickbot) tied to at least 15 ransomware groups. Credentials…
Verified fields include Email Address, Password.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation