RCMP Works With International Operation to Target Russia-Based Cybercrime Network


The RCMP has joined law enforcement agencies in the United States and other countries in dismantling a Russia-based cybercrime group accused of using malware to target WordPress users worldwide.

Operation Endgame sought to disrupt the malware framework SocGholish, which tricked users into downloading malicious files under the guise of legitimate computer updates, according to a June 18 RCMP news release.

The investigation found that SocGholish had infected thousands of WordPress sites, and would spread to the computers of visitors to those sites with the aim of gaining access to their data.

WordPress is a free, open-source content management system used to build, manage, and publish websites.

Evil Corp, the Russia-based cybercrime group behind SocGholish, the Dridex banking trojan, and other malware frameworks, has been sanctioned by U.S. authorities. The group has allegedly used phishing emails to install malware, enabling it to siphon funds from victims’ bank accounts, causing more than US$100 million in confirmed losses globally.

During Operation Endgame, members of the RCMP’s Cybercrime Investigation Team in Vancouver worked with Dutch police to develop a disruption technique to interrupt SocGholish, the release says. The Cybercrime Investigation Team removed SocGholish from 2,488 computers worldwide, and took action on 14,971 websites that will also prevent future reinfection with the malware.

The operation is ongoing and involves police authorities in Denmark, the Netherlands, Germany, France, the UK, Belgium, Australia, the United States, and Canada, and is supported by Europol and Eurojust, the release says.

“SocGholish has been a constant threat since 2017 and is used to install malware on users, including various ransomware strains that have been employed to attack critical infrastructures. This has resulted in many victims,” a dedicated website for the operation says.

The website offers tips to prevent infection, advising users to never trust pop-ups that appear in their web browser, to distrust updates that are “overly flashy and scream for immediate action,” to install an up-to-date virus scanner and leave it enabled while installing new software, and to trust only updates that come from an official source such as system settings or an app store.

“SocGholish has had an impact on all levels of Canadian society, from critical infrastructure, education, government and more. All compromised Canadian entities have been notified through Operation Endgame today,” Federal Policing Pacific Region Cyber and Financial Investigation Teams Inspector Kurt Bedford said.

“Through collaboration with our international partners, we share intelligence, expertise, and best practices to disrupt cyber threats which transcend all borders. I’m extremely proud of the work that’s been done and the role the RCMP had in bringing this operation to a conclusion.”

The FBI, one of the partners in Operation Endgame, also issued a public service announcement warning about criminal organizations’ use of traffic distribution systems like the one used to install SocGholish.