
An international law enforcement operation has taken down AVCheck, a platform used by cybercriminals to verify whether their malware could evade detection by commercial antivirus software before deploying it. The website avcheck.net now features a seizure notice displaying the insignias of the US Department of Justice, the US Federal Bureau of Investigation (FBI), the US Secret Service, and the Dutch police, known as Politie.
According to a statement on the Politie website, AVCheck ranked among the largest counter antivirus services globally, aiding cybercriminals in evaluating the stealth and evasion capabilities of their malware.
“Taking the AVCheck service offline marks an important step in tackling organised cybercrime,” stated Politie’s Matthijs Jaspers. “With this [action], we disrupt cybercriminals as early as possible in their operations and prevent victims.”
Investigators have discovered links between AVCheck’s administrators and the crypting services Cryptor.biz and Crypt.guru. Cryptor.biz has been seized by authorities, while Crypt.guru is currently offline. Crypting services play a role in helping malware creators encrypt or obfuscate their payloads, making them undetectable by antivirus software. This forms part of a broader ecosystem where cybercriminals use crypting services to disguise their malware, test it on platforms like AVCheck, and deploy it only when it remains undetected.
Law enforcement warns users of legal risks before AVCheck shutdown
Before AVCheck’s takedown, law enforcement placed a fake login page on the site to warn users of the legal risks associated with its use. An announcement from the US Department of Justice highlights the significance of dismantling AVCheck and the related crypting services, stating that the operation took place on 27 May 2025.
“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” said FBI Houston Special Agent Douglas Williams. “By leveraging counter antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims’ systems. As part of a decisive international operation, FBI Houston helped cripple a global cyber syndicate, seize their most lethal tools, and neutralize the threat they posed to millions around the world.”
Undercover agents, posing as clients and making purchases on these services, have revealed the illegal nature of AVCheck and discovered connections to ransomware attacks on American entities.
“According to the affidavit filed in support of these seizures, authorities made undercover purchases from seized websites and analysed the services, confirming they were designed for cybercrime,” reads the Department of Justice announcement. “Court documents also allege authorities reviewed linked email addresses and other data connecting the services to known ransomware groups that have targeted victims both in the United States and abroad, including in the Houston area.”
Recently, the FBI issued a warning about the Silent Ransom Group (SRG), which has intensified its extortion activities targeting law firms throughout the US over the last two years. Also referred to as Luna Moth, the group uses methods like callback phishing and social engineering to unlawfully access legal practices’ systems, with the objective of stealing sensitive data for ransom.