Europol Leads Major Strike on Global Cybercrime Infrastructure - TechRepublic


Operation Endgame targeted the infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet ecosystem known as Elysium.

Nov 14, 2025

Europol has revealed a sweeping international operation that dismantled critical infrastructure supporting several of the world’s most pervasive cybercriminal tools.

Conducted between 10 and 13 November 2025, the latest phase of Operation Endgame targeted the infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet ecosystem known as Elysium. Together, these tools had infected hundreds of thousands of computers globally and enabled large-scale credential theft, remote control of victim systems, and the resale of stolen data in illicit markets.

The coordinated action resulted in the takedown or disruption of more than 1,025 servers worldwide, 20 domain seizures, and the arrest of one key suspect in Greece earlier in the month. Authorities say these actions strike at the technological backbone that allowed multiple cybercriminal groups to operate with scale and anonymity.

International scale

Operation Endgame is jointly coordinated by Europol and Eurojust and brings together law enforcement and judicial authorities from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. More than 30 public and private partners assisted in the operation.

Private-sector contributors included cybersecurity organizations such as Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender. Their involvement reflects a growing model of hybrid public-private cybercrime suppression, in which industry partners with advanced telemetry and threat intelligence help law enforcement reach international servers that criminals attempt to obscure.

The scale of cooperation underscores the complexity of modern cybercrime, which rarely adheres to national borders. Infrastructure often spans dozens of countries, cloud providers, and compromised devices belonging to unsuspecting victims.

The operation yielded:

• 1 arrest in Greece.
• 11 searches (1 in Germany, 1 in Greece, 9 in the Netherlands).
• Over 1,025 servers taken down or disrupted.
• 20 domains seized.

Why Rhadamanthys, VenomRAT, and Elysium matter

The tools targeted in this phase of Operation Endgame are among the most widely used in the global cybercrime economy.

Rhadamanthys is an infostealer, a type of malware designed to silently extract sensitive data such as passwords, session tokens, cryptocurrency wallet keys, and browser autofill content. Once stolen, these digital assets are sold or used to commit fraud, drain accounts, or access internal corporate systems.

VenomRAT is a Remote Access Trojan (RAT) enabling criminals to remotely control infected computers. Such tools give threat actors persistent access, allowing them to deploy further malware, conduct espionage, or use compromised machines as stepping stones into larger networks.

Elysium is a botnet infrastructure that links victims’ machines into controlled networks, enabling distributed attacks, anonymity services, and scalable malware deployment.

Europol noted that many victims were unaware their systems were infected. The main suspect behind the infostealer had access to more than 100,000 compromised cryptocurrency wallets, potentially worth millions of euros — a reminder that cybercriminal operations often expand far beyond traditional data theft into the rapidly growing digital asset economy.


Implications for global cybersecurity

The takedown represents a significant blow to cybercriminal networks that rely on stable, resilient command-and-control servers and logistical infrastructure. By disrupting these systems, authorities dramatically reduce the operational capabilities of threat actors, at least temporarily.

However, cybercrime networks often reconstitute themselves quickly, shifting infrastructure or adopting new malware strains. Europol hinted at this continuing struggle with the line: "Endgame doesn’t end here – think about (y)our next move."

The statement serves both as a warning to criminals and as a reminder that security agencies must remain proactive. By publicly identifying the strain families and exposing the failed criminal services, Europol aims to erode trust among cybercriminal communities and make it harder for newcomers to join or rely on underground malware-as-a-service ecosystems.

The operation also highlights the growing importance of rapid intelligence sharing, cross-border coordination, and cooperation with private cybersecurity researchers—an operational model now widely seen as essential to combating large-scale digital threats.

Contact with criminal users and victims

Authorities used an unusually direct method to reach individuals involved with these malware ecosystems. Users of criminal services were contacted by police and encouraged to share information related to infostealers through the Operation Endgame Telegram channel. Failing criminal services have been publicly exposed on the Operation Endgame website.

For victims, authorities recommend checking whether their computers or credentials were compromised via politie.nl/checkyourhack or haveibeenpwned.com. Given the scale of the credential theft involved, millions of individuals may have had login data, crypto wallets, or other sensitive assets exposed.


Not the end of the game

Operation Endgame is one of the largest collective takedowns of cybercrime infrastructure in recent years. While the operation marks a major milestone, Europol stresses that the broader campaign will continue. Malware developers and operators often evolve quickly, and the removal of servers today does not guarantee the prevention of new infrastructure tomorrow.

Still, the takedown dents the cybercriminal ecosystem by undermining trust, disrupting revenue flows, and seizing assets that can be used for attribution or prosecution. As digital crime grows increasingly professionalized, large-scale interventions like Endgame signal that global law enforcement agencies are increasingly prepared to respond with equal coordination and technical depth.
