Feds Take Down Virus Scanner Used by Hackers to Refine Their Malware

The US has taken down an antivirus-scanning service that cybercriminals used to improve their malware and beat detection on PCs.

The site, AvCheck.net, had been around for years, offering registered users access to a wide range of antivirus-scanning engines. But the domain has since been replaced with a seizure notice from the US Justice Department, FBI, and Dutch National Police. 

“This domain has been seized in accordance with a seizure warrant issued in the United States District Court for the Southern District of Texas as part of a coordinated law enforcement operation,” the seizure banner says. 

[Image: seizure notice. Credit: DOJ]

The Justice Department has since announced it seized AvCheck.net along with three other domains involved in helping cybercriminals refine and “obfuscate” their malware.

“Authorities made undercover purchases from seized websites and analyzed the services, confirming they were designed for cybercrime,” the department said. “Court documents also allege authorities reviewed linked email addresses and other data connecting the services to known ransomware groups that have targeted victims both in the United States and abroad, including in the Houston area.”  

[Image: DOJ court document. Credit: DOJ]

On the same day, Dutch National Police confirmed it had worked with the US and Finnish Police to take down AvCheck.net. Dutch police also described the site as “one of the largest Counter Antivirus (CAV) services used by cybercriminals around the world.”

“A CAV service allows malware developers to test if their malware will be detected by various antivirus programs,” Dutch police said. “A good CAV service is essential for carrying out malware attacks, as it allows criminals to access the networks of their victims undetected.”

[Image: AvCheck site. Credit: Internet Archive]

Archived pages for AvCheck.net show it offered registered users access to 26 antivirus engines, including Avast, Bitdefender, Kaspersky, and others. The site charged rates that varied with the number of scans needed.

Dutch police expect the takedown to disrupt cybercriminal groups. The agency also mentioned a “wider intervention” that involved “creating a fake login page to confront, warn, and deter users of AVCheck.” A screenshot of the fake logins says international law enforcement shut down AvCheck by “exploiting the mistakes of [admins who] did not provide the security they promised.”

“Law Enforcement took the servers of AVCheck offline and seized the user database with user information,” including usernames, email addresses, payment information and more, according to the page, which also included a Russian language translation. Dutch Police said the takedown was linked to Operation Endgame, which involved international law enforcement dismantling the internet infrastructure for several Windows-based malware strains last year. 

It’s not the first time investigators have gone after an antivirus service for hackers. In 2018, the US convicted a Latvian hacker for running a malware testing service called Scan4you.

Editor’s note: This story has been updated with the Justice Department’s announcement.

About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.
