Police take down AVCheck site used by cybercriminals to scan malware


An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild.

The service's official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie).

According to an announcement on the Politie website, AVCheck was one of the largest counter antivirus (CAV) services internationally, helping cybercriminals assess how well their malware evaded detection.

"Taking the AVCheck service offline marks an important step in tackling organized cybercrime," stated Politie's Matthijs Jaspers.

"With this [action], we disrupt cybercriminals as early as possible in their operations and prevent victims."

[Image: Seizure notice on AVCheck.net. Source: BleepingComputer]

The investigators have also found evidence linking AVCheck's administrators to crypting services Cryptor.biz and Crypt.guru. The former has also been seized by the authorities, while the latter is offline.

Crypting services help malware authors/operators encrypt or obfuscate their payloads to make them undetectable by antivirus, so they are part of the same ecosystem.

Cybercriminals use a crypting service to obfuscate their malware, test it on AVCheck or similar CAV services to see if it is undetectable, and only then do they deploy it against their targets.

Prior to the takedown of AVCheck, the police put up a fake login page that warned users who attempted to log in of the legal risks associated with using the service.

An announcement by the U.S. Department of Justice echoes these statements on the importance of dismantling AVCheck and the crypting services, a takedown it says occurred on May 27, 2025.

"Cybercriminals don't just create malware; they perfect it for maximum destruction," said FBI Special Agent Douglas Williams.

"By leveraging counter antivirus services, malicious actors refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems."

Uncovering the illegal nature of AVCheck and finding links to ransomware attacks targeting American entities was made possible by the work of undercover agents making purchases on these services, posing as clients.

"According to the affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime," reads the Department of Justice announcement.

"Court documents also allege authorities reviewed linked email addresses and other data connecting the services to known ransomware groups that have targeted victims both in the United States and abroad, including in the Houston area."

This action was part of Operation Endgame, a large-scale international law enforcement action that recently seized 300 servers and 650 domains used to facilitate ransomware attacks.

The same operation previously disrupted the Danabot and Smokeloader malware operations, both widely used by cybercriminals.
