
Between November 10 and 14, 2025, a landmark international law enforcement operation known as Operation Endgame delivered a significant strike against major cybercrime infrastructure worldwide. Coordinated by Europol and Eurojust from their headquarters in The Hague, this campaign dismantled over 1,025 servers linked to three notorious malware threats: the Rhadamanthys infostealer, the Venom Remote Access Trojan (Venom RAT), and the Elysium botnet.
What Was Targeted?
Rhadamanthys, a sophisticated infostealer, had infected hundreds of thousands of computers globally, secretly harvesting millions of credentials from victims who were unaware that their systems had been compromised. Europol revealed that the main operator behind Rhadamanthys had unauthorized access to over 100,000 cryptocurrency wallets worth potentially millions of euros. Venom RAT, used to remotely control infected systems, and the Elysium botnet, a widely used botnet platform, were also neutralized through coordinated takedowns.
How Did It Unfold?
The operation involved coordinated raids and investigations across 11 countries, resulting in the seizure of over 1,025 servers and 20 malicious domains. Law enforcement arrested the main suspect behind the Venom RAT in Greece and conducted eleven location searches spanning Greece, Germany, and the Netherlands. Over 100 officers from seven countries collaborated to trace crypto asset flows, analyze compromised data, and exchange vital intelligence.
The Impact
Operation Endgame disrupted critical infrastructure responsible for enabling ransomware and other cybercrime operations that had been plaguing organizations and individuals worldwide. The takedown directly impacted criminal services and their users: authorities contacted individuals relying on these malicious tools, encouraging them to cooperate and share intelligence through official channels.
Beyond the Takedown
This phase of Operation Endgame builds on a series of multinational campaigns, initiated in 2024, aimed at disrupting the ransomware supply chain and associated malware ecosystems. Previous takedowns targeted malware families like DanaBot, Qakbot, and SmokeLoader. Despite these successes, some malware strains, such as DanaBot, have demonstrated resilience by resurfacing post-takedown, highlighting the persistent and evolving nature of cyber threats.
What Comes Next?
Europol and its partners expect further actions against cybercrime enablers as ongoing analysis of seized systems reveals new leads. The operation sends a clear message that global cooperation is essential to dismantling the infrastructure that fuels cybercrime. Users and organizations are urged to check for compromises, especially in the massive credential dumps resulting from this infrastructure; resources such as Have I Been Pwned and local police portals offer assistance.
Operation Endgame’s latest success underscores the continuous and collaborative fight to safeguard cyberspace from criminal exploitation, reaffirming the importance of international partnerships in combating cyber threats.



