The warning arrived on chat at 3:47 AM: "Immediately reinstall your server, erase traces, the German police are acting."
Cybercriminals worldwide using the Rhadamanthys infostealer watched in real-time as German law enforcement IP addresses appeared in their web panels, signaling the collapse of what investigators now reveal as one of the largest credential theft operations globally.
Between November 10 and 14, 2025, authorities coordinated from Europol's headquarters in The Hague dismantled 1,025 servers supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and Elysium botnet in the latest phase of Operation Endgame.
The infrastructure controlled hundreds of thousands of infected computers containing several million stolen credentials and access to over 100,000 cryptocurrency wallets potentially worth millions of euros. The coordinated international action involved law enforcement from eleven countries including the United States, Canada, Australia, and multiple European nations.
Key Suspect Arrested in Greece
Authorities arrested a primary suspect linked to VenomRAT operations in Greece on November 3, 2025. The arrest preceded the broader infrastructure takedown by days, suggesting investigators conducted extensive surveillance before executing simultaneous strikes.
Officers conducted searches at 11 locations across Germany, Greece, and the Netherlands while seizing 20 domains tied to the malware operations. The Rhadamanthys developer acknowledged the disruption in a Telegram message, claiming German law enforcement accessed their infrastructure.
Web panels hosted in EU data centers logged German IP addresses connecting immediately before cybercriminals lost server access, according to messages circulated among the infostealer's customer base. Security researchers known as g0njxa and Gi7w0rm, who monitor malware operations, reported that cybercriminals using Rhadamanthys received urgent warnings about the law enforcement action.
Internal communications advised immediate cessation of activities and system reinstallation to erase traces, with operators noting that SSH access suddenly required certificates instead of root passwords. The panic spread rapidly through underground forums as customers realized law enforcement had penetrated their command and control infrastructure.
Malware-as-a-Service Business Model Disrupted
Rhadamanthys operates on a subscription model where cybercriminals pay monthly fees for malware access, support, and web panels used to collect stolen data. The operation marketed itself professionally as "Mythical Origin Labs" through a Tor website with detailed product descriptions, a Telegram support channel, and communication via Tox messaging.
The infostealer steals login credentials, browser data, cryptocurrency wallet information, autofilled data, and other sensitive information from browsers, password managers, and crypto wallets. Subscription plans ranged across multiple tiers, providing different levels of functionality and support.
The malware commonly spreads through campaigns promoted as software cracks, malicious YouTube videos, or poisoned search advertisements. Most victims remained unaware of infections on their systems, with stolen credentials silently exfiltrated to attacker-controlled infrastructure.
VenomRAT functions as a remote access trojan capable of exfiltrating various files, stealing cryptocurrency wallets and browser data, credit card details, account passwords, and authentication cookies. Both malware families operated as enablers for broader cybercrime ecosystems, with customers using stolen data for identity theft, financial fraud, and follow-on attacks.
Elysium Botnet Infrastructure Eliminated
The Elysium botnet, marketed alongside Rhadamanthys by the same operators as a proxy bot service, fell under the operation's scope. Security researchers assess that machines infected with Rhadamanthys or VenomRAT may have also been equipped with the proxy bot, creating a multi-layered criminal infrastructure serving various malicious purposes.
The dismantled infrastructure consisted of hundreds of thousands of infected computers across multiple continents. Many victims unknowingly participated in proxy networks that criminals used to route malicious traffic and obscure attack origins.
The Operation Endgame website was updated with new video content mocking Rhadamanthys operators and encouraging their customers to contact law enforcement. The site previously featured countdown timers announcing upcoming actions, creating psychological pressure on cybercriminals.
About Operation Endgame
Operation Endgame launched with initial actions in May 2024, described by Europol as the largest ever operation against botnets that play major roles in ransomware deployment. Previous phases disrupted IcedID, Bumblebee, Pikabot, Trickbot, SystemBC, SmokeLoader, and DanaBot malware operations.
The May 2024 actions resulted in four arrests, over 100 servers taken down across 10 countries, over 2,000 domains brought under law enforcement control, and seizure of €3.5 million in various cryptocurrencies.
Shadowserver published a Rhadamanthys Historical Bot Infections Special Report containing information about devices infected between March 14 and October 11, 2025. The report was shared with 201 National CSIRTs in 175 countries and 10,000-plus network owners to identify compromised computers and alert owners. Authorities established accessible resources for concerned victims.
Security researchers warn that despite Operation Endgame's successes, some malware operations have demonstrated resilience. DanaBot banking trojan resurfaced with version 669 approximately six months after disruption, focusing on cryptocurrency theft and demonstrating the persistent nature of cybercrime infrastructure.
The simultaneous dismantling of three interconnected criminal platforms disrupts infrastructure enabling some of the most damaging cybercrimes globally, though investigators acknowledge the ongoing challenge of preventing criminal groups from rebuilding operations.
Login
