Cracking the Malware Supply Chain: Crypting Services Hit

Behind many successful cyberattacks is a crypting service quietly doing the dirty work, one that rarely makes the headlines.

In recent years, these services have been used more widely by groups who want to avoid detection. The growing use of this tactic is contributing to the rising cost of cybercrime, which is projected to climb from $11.9 trillion in 2026 to $19.7 trillion globally by 2030, according to CybersecAsia.

To disrupt this supply chain, the US Department of Justice (DoJ), in coordination with several law enforcement agencies, recently seized four domains offering crypting services.

Here’s a look at how crypting services operate, the role they play in today’s malware economy, and why this takedown marks a shift in how authorities are tackling cybercrime.

Key Takeaways

  • Crypting services help cybercriminals hide malware from antivirus software and are central to today’s malware economy.
  • These services are widely advertised on the dark web and are affordable, making them accessible even to low-skilled attackers.
  • The US DoJ and international partners are clamping down on crypting syndicates, with four domains already seized.
  • This seizure signals a shift toward disrupting the early supply chain of cybercrime, not just the end attacks.
  • Removing access to crypting services raises the cost and risk for attackers, weakening the broader cybercrime ecosystem.

How Crypting Works & Its Role in the Malware Supply Chain

Malware does not need to be complex to be effective. What matters most is that it stays hidden long enough to do damage.

Crypting services are built for this purpose. They help attackers disguise malicious code so it can pass through antivirus software and intrusion detection systems without being flagged.

The process often begins with a cybercriminal submitting a malicious file to a crypting provider (a crypter). That file is then encrypted using symmetric or asymmetric algorithms. Once crypted, the file is tested against multiple antivirus engines like AVCheck[.]net, Kaspersky Internet Security, Malwarebytes Anti-Malware, etc., to confirm that these anti-malware engines do not detect it.

As expected, many crypting services are advertised openly on the dark web. In 2023, automated threat intelligence platform FalconFeeds.io highlighted on X a listing for what was described as a “fully polymorphic crypting/packing service.” The cost was $300, putting it within reach of low-skilled attackers.

This low entry threshold makes crypting a key part of the malware economy, especially as attackers adjust to stronger detection tools.

Chainalysis has linked the growth of crypting services to a broader trend of professionalization across the cybercrime economy. In its recent report, it pointed to platforms like Huione Guarantee, which offer payment and laundering infrastructure for illicit services, including crypting.

How Authorities Disrupted the Crypting Services Supply Chain

Until recently, most crackdowns on cybercriminals focused on the visible layers of attack – ransomware operators, phishing campaigns, or botnet controllers. But that strategy is now shifting.

Through a coordinated effort known as Operation Endgame, the US and several European governments are targeting the early stages of the malware supply chain, starting with initial access malware and the tools that keep it hidden.

According to a press release by the US Attorney’s Office, Southern District of Texas, the DoJ, working with the FBI, Europol, and international partners, has seized four domains offering crypting services to cybercriminals. These domains – AvCheck[.]net, Cryptor[.]biz, Cryptor[.]live, and Crypt[.]guru – have been taken offline and now display a seizure notice.

From the investigation, authorities found that these platforms offered services including counter-antivirus (CAV) tools, helping attackers obfuscate hundreds of thousands of malware samples to evade detection.

Undercover purchases were also carried out to confirm that the services were explicitly designed to support cybercriminal activities.

Court documents show that the crypting syndicates were tied to known ransomware groups that have targeted victims around the world, including in the United States.

US Attorney Nicholas J. Ganjei, who is associated with the case, said the operation was designed to disrupt not only individual attackers but also the infrastructure they rely on.

He said:

“Modern criminal threats require modern law enforcement solutions. As cybercriminals have become more sophisticated in their schemes, they have likewise become more advanced in their efforts to avoid detection. As such, our law enforcement efforts must involve striking not just at the individual fraudster or hacker, but the enablers of these cybercriminals as well.”

Why the Takedown Is a Turning Point in Cybercrime Strategy

For years, efforts to tackle cybercrime have largely focused on the aftermath. Investigations zeroed in on ransomware groups, phishing operators, and stolen data markets. Crypting services rarely made that list. That’s what makes this seizure different.

The sites taken down weren’t just websites but part of the technical backbone that many attacks depend on. Shutting them down removes a layer of protection that attackers count on.

There’s also a growing recognition that the cybercrime economy relies on specialization. Malware makers, laundering platforms, access brokers, and crypters all contribute to the broader ecosystem.

Rather than operating as isolated actors, many cybercriminals outsource key parts of their operations. Targeting one of those shared dependencies affects more than a single group, and the effect echoes across multiple campaigns.

While this takedown alone won’t dismantle the crypting market, it has the potential to introduce more friction into a system that depends on speed and reliability.

And as more investigations target these supporting services, the cost of staying undetected begins to rise. That shift could change the way cybercrime is carried out in the years ahead.

The Bottom Line

This latest FBI operation reminds us that cybercrime is driven and sustained by a network of tools, services, and support systems that often operate in the background.

Disrupting those systems makes the entire process more difficult for bad actors, especially those relying on off-the-shelf services to operate under the radar. As more pressure is applied to these foundational layers, the cybercrime ecosystem begins to lose some of its efficiency and scale. While this single effort won’t stop malware-driven attacks entirely, it could slow them down.

Franklin Okeke
Technology Journalist

Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.