Thursday, March 5, 2026

Operation Endgame Takes Down 1,025 Servers Linked To Rhadamanthys, VenomRAT, and Elysium

In a sweeping crackdown on cybercrime infrastructure, international law enforcement agencies dismantled key components of three prominent malware families during the latest phase of Operation Endgame.

Coordinated from Europol’s headquarters in The Hague between November 10 and 13, 2025, the operation targeted Rhadamanthys, a prolific infostealer; VenomRAT, a remote access trojan; and Elysium, a pervasive botnet.

These tools have fueled widespread data theft and unauthorized access, affecting hundreds of thousands of victims globally.

Authorities not only seized servers but also arrested the main suspect behind VenomRAT in Greece on November 3, marking a significant blow to the cybercriminals’ operations.

The effort exposed the interconnected web of malware that enables ransomware and other attacks.

Rhadamanthys, known for siphoning sensitive credentials from infected systems, granted its operators access to over 100,000 cryptocurrency wallets potentially worth millions of euros.

VenomRAT allowed remote control of compromised devices, while Elysium turned everyday computers into unwitting participants in botnet-driven schemes.

By disrupting over 1,025 servers and seizing 20 domains worldwide, investigators severed the digital lifelines that powered these threats.

Coordinated Global Takedown and Key Arrests

Operation Endgame, spearheaded by Europol and Eurojust, united forces from 11 countries: Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States.

More than 30 public and private entities contributed, including cybersecurity firms such as CrowdStrike, Proofpoint, and Bitdefender, as well as initiatives such as Shadowserver and Have I Been Pwned.

These partners provided critical intelligence on malware distribution and victim data.

The actions yielded concrete results: one arrest in Greece, searches at 11 locations across Germany, Greece, and the Netherlands, and the takedown of infrastructure infecting countless devices.

Europol’s command post in The Hague buzzed with over 100 officers exchanging real-time intelligence on seized servers and suspects.

Eurojust facilitated the use of legal tools, such as European Arrest Warrants, to ensure seamless cross-border cooperation.

Private sector input proved invaluable, tracing crypto flows and identifying infected endpoints.

This phase built on Endgame’s broader mission to dismantle ransomware enablers. The infected networks held millions of stolen credentials, many from unaware users whose systems lurked as silent threats.

Law enforcement reached out directly to criminal service users via a dedicated Telegram channel, urging them to share information on infostealers. The operation’s website now exposes faltering criminal services, deterring would-be operators.

Impacts On Victims and Future Safeguards

The fallout from this takedown reverberates across the cyber landscape. Victims, often oblivious to infections, face risks of identity theft and financial loss.

Europol urges checking systems via resources like politie.nl/checkyourhack and haveibeenpwned.com to detect compromises and secure accounts.

The operation highlighted how infostealers feed larger ecosystems, from ransomware deployment to dark web data sales.

Participating agencies spanned EU members, including France’s National Police and Germany’s Federal Criminal Police Office, as well as non-EU partners such as the FBI and Australia’s Federal Police.

This collaboration underscores a unified front against evolving threats. As Endgame continues, it signals to cybercriminals: the net is tightening.

Future phases will likely target remaining enablers, emphasizing proactive defense.

In the end, this operation not only disrupted immediate threats but also empowered global resilience.

By combining enforcement muscle with private expertise, authorities reclaimed digital territory from the shadows of malware.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
