4 July 2024

Global police op shuts down Cobalt Strike servers used by cybercriminals


A coordinated law enforcement effort has resulted in the disruption of nearly 600 servers linked to the misuse of the penetration testing tool Cobalt Strike by cybercriminals.

The action, dubbed ‘Operation Morpheus’ and led by the UK’s National Crime Agency (NCA), took place between June 24 and 28, targeting unlicensed versions of Cobalt Strike. Law enforcement identified and flagged known IP addresses and domain names associated with criminal activities for online service providers to disable. This led to the identification of 690 IP addresses across 27 countries, of which 593 had been successfully taken down.

For years, cybercriminals have been using unlicensed versions of Cobalt Strike, downloaded from illegal marketplaces and the dark web, as a primary tool for network intrusion and ransomware deployment. Unlicensed versions of Cobalt Strike have been linked to some of the most significant cyber incidents in recent years, including RYUK, Trickbot, and Conti ransomware attacks.

The operation was a joint effort involving Europol for international coordination, along with the FBI, Australian Federal Police, Royal Canadian Mounted Police, German Federal Criminal Police Office (Bundeskriminalamt), Netherlands National Police (Politie), and the Polish Central Cybercrime Bureau.

