Operation Endgame: 1,025 Servers Taken Down in Strike Against Rhadamanthys and VenomRAT


Major International Crackdown on Cybercrime: Operation Endgame

At 3:47 AM, a startling message circulated among cybercriminals using the Rhadamanthys infostealer: “Immediately reinstall your server, erase traces, the German police are acting.” This urgent alert marked a significant turning point as law enforcement agencies began dismantling one of the largest credential theft operations worldwide.

The Dismantling of a Global Cybercrime Network

From November 10 to 14, 2025, a coordinated effort led by Europol in The Hague resulted in the takedown of 1,025 servers linked to the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. This operation, known as Operation Endgame, underscores a monumental shift in the global fight against cybercrime.

The infrastructure behind these operations spanned hundreds of thousands of infected computers and held millions of stolen credentials. Investigators also found access to over 100,000 cryptocurrency wallets, potentially worth millions of euros. The crackdown involved law enforcement agencies from eleven nations, including the United States, Canada, Australia, and several European countries.

Key Arrests and International Coordination

On November 3, 2025, authorities in Greece arrested a key suspect linked to the VenomRAT operation, just days before the broader infrastructure takedown. The timing indicated that investigators had been monitoring the operations closely, allowing them to strike effectively.

Searches were executed across eleven locations in Germany, Greece, and the Netherlands, resulting in the seizure of 20 domains associated with the malware. In response, the developer of the Rhadamanthys infostealer confirmed the disruption via a Telegram message, acknowledging that their infrastructure had been infiltrated by German law enforcement.

Internal communications among cybercriminals highlighted the chaos that ensued. As German IP addresses began to appear in their web panels, customers received urgent notifications to halt activities and wipe their systems to remove any traces of their operations. Security researchers tracking the situation observed a wave of panic across underground forums as criminals realized their command infrastructure had been compromised.

Malware Subscription Business Model Impacted

The Rhadamanthys infostealer operates on a subscription model, where cybercriminals pay monthly fees to access malware and web panels designed to gather stolen data. It marketed itself under the name “Mythical Origin Labs,” presenting a professional facade through a Tor website, complete with detailed product descriptions and a support channel on Telegram.

Operating as a Malware-as-a-Service platform, Rhadamanthys is capable of stealing login details, browser information, and cryptocurrency wallet credentials. Most victims remain oblivious to these infections, as the malware stealthily exfiltrates sensitive data to attacker-controlled environments.

VenomRAT serves as a remote access trojan, designed to exfiltrate various files and sensitive data, including credit card information and passwords. Both malicious software families contribute significantly to the larger world of cybercrime, facilitating activities such as identity theft and financial fraud.

Elysium Botnet Elimination

Also within the scope of Operation Endgame was the Elysium botnet, which had been marketed alongside Rhadamanthys as a proxy service. Its infrastructure comprised hundreds of thousands of infected machines, turning unsuspecting victims' computers into nodes of a proxy network that criminals used to route malicious traffic and disguise the origin of their attacks.

Following the dismantling, the Operation Endgame website was updated to include new videos mocking the operators of Rhadamanthys, along with messages encouraging customers to report to law enforcement. This strategic approach aimed to apply psychological pressure on the criminal ecosystem.

Overview of Operation Endgame

Initiated in May 2024, Operation Endgame has been recognized as one of the largest efforts against botnets involved in deploying ransomware. Previous phases of the operation had already disrupted several malware operations, achieving significant milestones such as numerous arrests, server takedowns, and the seizure of considerable amounts in cryptocurrencies.

A special report by Shadowserver documented the extent of Rhadamanthys infections between March and October 2025. Shadowserver shared this data with 201 national Computer Security Incident Response Teams (CSIRTs) across 175 countries so that owners of compromised systems could be identified and notified.

Despite these successes, security analysts caution that malware operators remain resilient. The DanaBot banking trojan, for instance, reemerged with new versions after earlier disruptions. This persistence highlights the ongoing challenges in the fight against cybercrime.

Conclusion

The simultaneous dismantling of interconnected platforms during Operation Endgame represents a critical stride in mitigating some of the most harmful cyber threats. While significant progress has been made, cybercrime continues to evolve, presenting ongoing challenges for law enforcement and security researchers dedicated to combating these criminal activities.
