This page is a sub page of the case file for case DIVD-2025-00018 - Victim Notification Operation Endgame, which contains the general information about this case.
Email credentials of your organisation were found in a botnet in Operation Endgame
If you received a notification from us with the subject "Stolen email credentials found for your organisation in Police operation - DIVD-2025-00018", it means that one or more credentials for email access for a domain associated with your organisation have been found in a botnet by the Dutch police.
What does this mean?
What we know for sure is that combinations of email addresses and passwords associated with a domain belonging to your organisation were used by criminals operating a botnet. They likely used these credentials or the associated email accounts to interact with their victims, or to spread malware or phishing campaigns. These credentials were likely obtained by means of information-stealing malware.
What should you do?
Given that these credentials have been found by law enforcement in a recent police operation:
- Determine the severity of this situation based on the number of credentials we emailed you about.
- Investigate the accounts of these users for suspicious activities such as large volumes of sent messages, unusual login times, or unusual mail rules.
- Consider scanning the devices of these users with malware detection tools.
- Dual-factor authentication can stop an attacker who uses a compromised username and password combination from abusing the account. Implement two-step verification in as many places as possible.
- Consider reporting this event to the appropriate authorities, e.g. law enforcement, privacy and other regulators.
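
One way to run the account investigation from the list above over an exported mail audit log. This is an added example, not DIVD's own tooling. The record field names, the sample events, the working hours (in the log's own time zone) and the recipient threshold are all assumptions to adapt to your mail platform.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records; field names are assumptions, map them
# from your own mail platform's audit export.
SAMPLE_EVENTS = [
    {"user": "a.jansen@example.org", "type": "login", "time": "2025-05-20T03:12:00", "ip": "203.0.113.7"},
    {"user": "a.jansen@example.org", "type": "send", "time": "2025-05-20T03:20:00", "recipients": 180},
    {"user": "a.jansen@example.org", "type": "send", "time": "2025-05-20T03:45:00", "recipients": 240},
    {"user": "a.jansen@example.org", "type": "rule", "time": "2025-05-20T03:15:00",
     "action": "forward", "target": "inbox@mail.example.net"},
    {"user": "b.devries@example.org", "type": "login", "time": "2025-05-20T09:02:00", "ip": "198.51.100.4"},
    {"user": "b.devries@example.org", "type": "send", "time": "2025-05-20T09:30:00", "recipients": 3},
    {"user": "b.devries@example.org", "type": "rule", "time": "2025-05-20T10:00:00",
     "action": "move", "target": "Archive"},
]

def triage(events, notified, org_domain, work_hours=(7, 19), daily_recipient_limit=200):
    """Return {user: sorted findings} for the notified accounts only."""
    findings = defaultdict(set)
    sent = defaultdict(int)  # (user, date) -> recipients addressed that day
    for ev in events:
        user = ev["user"].lower()
        if user not in notified:
            continue
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "login" and not work_hours[0] <= when.hour < work_hours[1]:
            findings[user].add(f"login outside working hours at {ev['time']}")
        elif ev["type"] == "send":
            sent[(user, when.date())] += ev["recipients"]
        elif ev["type"] == "rule":
            target = ev.get("target", "").lower()
            external = "@" in target and not target.endswith("@" + org_domain)
            if ev["action"] == "delete" or (ev["action"] in ("forward", "redirect") and external):
                findings[user].add(f"mail rule: {ev['action']} {target}".strip())
    for (user, day), total in sent.items():
        if total > daily_recipient_limit:
            findings[user].add(f"{total} recipients addressed on {day}")
    return {user: sorted(items) for user, items in findings.items()}

if __name__ == "__main__":
    notified = {"a.jansen@example.org", "b.devries@example.org"}
    for user, items in triage(SAMPLE_EVENTS, notified, "example.org").items():
        print(user, *items, sep="\n  ")
```

Accounts that return no findings still need their passwords reset, since the credentials themselves are known to be compromised.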
More questions?
The main case file contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2025-00018@csirt.divd.nl.
For more information, see the main case file.