The service is gone, but the traces remain. And along them, hunters with FBI mandates are already moving in.
One of the best-known underground services for cybercriminals, AVCheck, is no more. Its main domain, avcheck.net, now displays a seizure banner featuring the logos of the U.S. Department of Justice, FBI, Secret Service, and Dutch Police. This is the result of an international operation conducted as part of the global crackdown on malware developers and operators.
AVCheck operated under the CAV (Counter Antivirus) model — an online platform where cybercriminals could pre-test their malware for stealth. Before releasing a file "into the wild," its authors would test how well it evaded security measures. If the tool was detected, it would be modified and retested until it became fully undetectable by antivirus systems.
Shortly before its final takedown, the AVCheck homepage displayed a fake login form. Instead of gaining access to the usual service functionality, visitors were met with a warning about the legal consequences of using such tools. The goal: to both demoralize potential users and gather technical data on visitors.
At the same time, investigators gathered evidence linking the AVCheck operators to two other services from the same criminal ecosystem — Cryptor.biz and Crypt.guru. The former has also been seized by authorities; the latter has gone offline. Both specialized in encrypting malicious code — the next logical step after testing. These "cryptors" would pack malware in such a way that it remained hidden even under deep inspection.
According to the FBI, CAV services like these form the infrastructure backbone of the cybercriminal world. They don’t just enable malware deployment — they allow attackers to perfect their tools, selecting the most effective ways to bypass antivirus software, firewalls, analytics systems, and behavioral detectors. As a result, companies and individuals are faced with high-precision, thoroughly refined cyber weapons.
The AVCheck takedown was made possible by undercover agents who managed to make multiple purchases on these platforms while posing as regular customers. These transactions revealed the inner workings of the services and helped gather proof of their criminal nature. Analysis of email addresses, linked accounts, and other metadata led investigators to members of cybercriminal groups involved in ransomware attacks — including incidents on U.S. soil, particularly in the Houston area.
According to the U.S. Department of Justice, the takedown of AVCheck and its "sister" cryptor services was completed on May 27, 2025. The domain seizures were part of a large-scale international campaign known as Operation Endgame — a multi-phase law enforcement initiative that has already taken down more than 300 servers and 650 domains supporting malware infrastructure tied to ransomware campaigns.
Earlier in the same operation, the infrastructures of notorious malware strains Danabot and Smokeloader were dismantled — both heavily used in attacks on corporate networks and private users around the world.
Experts note that the significance of AVCheck’s shutdown lies not just in eliminating one service — it’s a blow to the entire early-stage attack preparation model. By destroying this testing tool, law enforcement is directly intervening in the R&D phase of cybercrime, reducing the overall quality and effectiveness of attacks from the outset.
For potential victims, this could mean fewer intrusions, fewer successful evasions of security systems, and a better chance of preventing infections. For the hackers, it means increased risk and operational costs.

