AMSTERDAM – Dutch law enforcement officials have arrested a 33-year-old man suspected of operating AVCheck, a notorious “counter-antivirus” service used by cybercriminals to test and refine malware. The arrest, carried out by the Royal Netherlands Marechaussee at Schiphol Airport on Sunday evening, represents a major victory for Operation Endgame, the international coalition targeting the infrastructure of the global cybercrime economy.
The Arrest
The suspect, a Dutch national whose identity has been withheld, was taken into custody immediately upon his arrival from the United Arab Emirates (UAE). The Dutch Public Prosecution Service (Openbaar Ministerie) confirmed the individual had been under international surveillance following the seizure of the AVCheck platform in May 2025.
During the arrest, authorities seized data storage devices, which are now undergoing forensic analysis. The suspect allegedly deregistered from the Netherlands and relocated to the UAE shortly after the platform was taken offline last year. He returned to Dutch soil this week, leading to his immediate apprehension.
Understanding AVCheck
For years, AVCheck operated as a critical “quality assurance” platform for the dark web. Unlike legitimate scanning services such as VirusTotal, which share file data with security vendors to improve detection, AVCheck offered a strict “no-distribute” policy. This allowed malware authors to test their code against top-tier antivirus engines without risking exposure or flagging their signatures to the security community.
The service was instrumental in the development of high-profile malware strains, including:
- Lumma Stealer: An infostealer widely used to harvest credentials.
- DanaBot: A banking trojan known for its evasion capabilities.
- Rhadamanthys: A sophisticated stealer often distributed via malvertising.
By providing detailed feedback on which security engines detected their payloads, AVCheck allowed criminals to tweak their code—often using “crypting” services—until it was virtually undetectable.
Operation Endgame
This arrest marks the culmination of a technical takedown initiated last year and serves as its human enforcement phase. In May 2025, a coordinated effort by the Dutch National Police, the FBI, and Finnish authorities seized the web domains and servers associated with AVCheck, alongside related “crypting” services Cryptor.biz and Crypt.guru.
The U.S. Department of Justice (DOJ) emphasized the strategic value of these seizures in charging documents filed in the Southern District of Texas. The operation specifically targeted the tools criminals use to bypass defenses.
“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” stated Douglas Williams, Special Agent in Charge at FBI Houston, following the initial seizure. “By leveraging counter-antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls and evade forensic analysis.”
Why It Matters
The detention of the alleged administrator offers law enforcement a rare opportunity to gather intelligence on the service’s user base. While server seizures disrupt operations, the physical arrest of an operator can yield encryption keys, financial logs, and customer lists that remain inaccessible through remote forensics.
Immediate Implications
Security professionals should monitor for:
- Disrupted Supply Chains: Malware developers may experience temporary delays or reduced sophistication as they migrate to less reliable testing environments.
- Intelligence Leads: If the suspect cooperates or if device analysis proves fruitful, data regarding the “VIP” users of AVCheck could lead to further indictments of ransomware affiliates and malware authors.
The investigation remains active. Forensic experts are currently analyzing the devices seized at Schiphol, and authorities have not ruled out further arrests as they examine the recovered data.