An international operation successfully took down AVCheck, a website used by cybercriminals to test whether their viruses were detected by the most common antivirus programs… before unleashing them. Yes, like a “secret lab” for malware.
Now, if you visit its official site, avcheck.net, all you’ll see is a huge seizure notice plastered with the logos of the U.S. Department of Justice, the FBI, the Secret Service, and the Dutch police. Not exactly subtle.
According to the Dutch police (Politie), AVCheck wasn’t just any site: it was one of the world’s largest services for hackers to test how “invisible” their malware was to antivirus software. Basically, a tool to fine-tune their attacks without getting detected.
“The takedown of AVCheck is a major step against organized cybercrime,” said Matthijs Jaspers, police spokesperson. “With this action, we managed to stop the criminals early and prevent further victims.” A key move that strikes right at the heart of how hackers prepare their attacks.
Seizure Notice on AVCheck.net
Investigators uncovered something more: the administrators of AVCheck weren’t acting alone. They were connected to two malware encryption services—Cryptor.biz and Crypt.guru. The former has already been seized by authorities, while the latter… simply vanished.
What did these services do? Essentially, they helped hackers disguise their viruses—“wrapping” them so they wouldn’t be detected by antivirus software. So yes, they were all part of the same ecosystem: one created the disguise (the crypter), and the other checked if it worked (AVCheck). A well-oiled operation.
The process went something like this: cybercriminals would take their malware, run it through one of these services to hide it, test it on AVCheck to ensure it remained undetected, and if everything checked out… they released it into the wild.
Before taking AVCheck down, the police went a step further: they set up a fake login page. Anyone trying to access the service was met with a direct warning about the legal consequences of using it. A little legal scare before the final takedown.
The U.S. Department of Justice also weighed in, confirming that the shutdown of AVCheck and its associated sites took place on May 27, 2025. In its words, it was a key step in curbing cybercrime.
“Cybercriminals don’t just create malware; they perfect it to cause maximum damage,” explained Douglas Williams, special agent with the FBI.
“With these services, they refine their tools to bypass the world’s most advanced security systems, evade firewalls, avoid forensic analysis, and leave chaos in their wake.”
How was all this discovered? Thanks to undercover work by agents posing as clients. They purchased services and analyzed them thoroughly, confirming that AVCheck and its partners weren’t just technical tools—they were purpose-built for cybercrime.
Investigators also examined emails and other data linking these services to known ransomware groups responsible for attacks both inside and outside the U.S., including incidents in Houston.
All of this is part of Operation Endgame, a large-scale international police offensive. So far, it has seized 300 servers and 650 domains used to launch ransomware attacks. And that’s not all: this operation has also dealt blows to well-known threats like Danabot and Smokeloader, two types of malware heavily used by criminal groups.
In short, AVCheck wasn’t an isolated case. It was part of a much broader network, and its takedown marks a significant milestone in the fight against malware and digital crime.