Law enforcement authorities from nine countries recently executed the latest phase of Operation Endgame, a significant international action designed to combat cybercrime. This operation successfully dismantled core components of the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations by taking down over 1,000 servers. Coordinated by Europol and Eurojust, the joint action received vital support from multiple private sector partners, including Cryptolaemus, Shadowserver, SpyCloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender, highlighting a unified front against sophisticated digital threats.
Between November 10 and 14, 2025, police officers carried out searches at 11 separate locations across Germany, Greece, and the Netherlands. Beyond the 1,025 servers taken offline, authorities also seized 20 malicious domains. Crucially, this phase of Operation Endgame led to the arrest of a key suspect in Greece on November 3, 2025, who is believed to be connected to the distribution of the VenomRAT remote access trojan. This confirmed BleepingComputer’s earlier report that the Rhadamanthys infostealer operation had been disrupted, with its customers acknowledging they could no longer access their command and control servers.
Europol detailed the sheer scale of the dismantled criminal infrastructure, revealing it comprised hundreds of thousands of infected computers containing millions of stolen credentials. They emphasized that many victims were entirely unaware their systems had been compromised. A single main suspect behind the infostealer had reportedly gained access to over 100,000 crypto wallets belonging to these victims, holding potential assets valued at millions of euros. Following the takedown, the developer of Rhadamanthys voiced their suspicion in a Telegram message that German law enforcement was responsible, noting that German IP addresses had connected to web panels hosted in EU data centers just prior to the loss of access.
In light of the extensive breach, Europol advised the public to use resources like politie.nl/checkyourhack and haveibeenpwned.com to determine if their computers were among those infected by the targeted malware strains. These tools help victims take immediate steps to secure their data and systems. The ongoing Operation Endgame has proven to be a consistent and effective effort, previously seizing over 100 servers used by various other major malware operations, including IcedID, Bumblebee, Pikabot, Trickbot, and SystemBC.
The collective impact of Operation Endgame continues to broaden, having targeted not only infostealers and botnets but also ransomware infrastructure, the AVCheck site, and customers and servers associated with the Smokeloader botnet. Other significant malware operations that have been disrupted by the joint action include DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC. The efforts extend beyond server takedowns, as evidenced by a related action in April 2024, when Ukrainian cyber police arrested a Russian man in Kyiv for collaborating with the Conti and LockBit ransomware operations to create antivirus-evading malware.