Europol removes Cobalt Strike servers used by criminals

Nearly 600 IP addresses have been taken offline in an international police operation, Europol confirmed on Wednesday. The servers behind those addresses ran unlicensed versions of the Cobalt Strike hacking tool and were used by criminals to launch cyberattacks.

The action against Cobalt Strike servers was named Operation Morpheus. Europol writes in a press release that the operation was led by the UK’s National Crime Agency, in collaboration with international police forces and several private companies. The Dutch police also took part in the operation, which was coordinated by Europol. The operation aimed to combat criminal misuse of the Cobalt Strike tool and was carried out between 24 and 28 June.

During Operation Morpheus, law enforcement flagged multiple IP addresses known to be associated with criminal activity, as well as domain names used by criminal organizations. This data can be used by online service providers to disable unauthorized versions of Cobalt Strike. A total of 690 IP addresses were made available, of which 593 had been taken offline by the end of the week.

Cobalt Strike is a legitimate tool for cybersecurity experts. The software is used to perform penetration tests to detect vulnerabilities in IT systems. Users pay an annual license fee and must first undergo a scan. However, there are also old, cracked versions of the software in circulation, which criminals can use to carry out real cyberattacks. For example, the tool can be used to gain remote access to IT systems and install malware or ransomware on them. Illegal versions of Cobalt Strike are linked to “several malware and ransomware investigations,” Europol wrote, including investigations into RYUK, Trickbot and Conti.
