In August 2020, Shahid Shushtari actors began a multi-faceted campaign targeting the US presidential election, combining computer intrusion activity with exaggerated claims of access to victim networks to enhance psychological effects. The US Treasury Department designated Shahid Shushtari and six employees on November 18, 2021, pursuant to Executive Order 13848 for attempting to influence the 2020 election.

Read: Six Iranian Hackers Identified in Cyberattacks on US Water Utilities, $10 Million Reward Announced

The Infrastructure and Olympic Targeting

Since 2023, Shahid Shushtari established fictitious hosting resellers named "Server-Speed" and "VPS-Agent" to provision operational server infrastructure while providing plausible deniability. These resellers procured server space from Europe-based providers including Lithuania's BAcloud and UK-based Stark Industries Solutions.

In July 2024, actors used VPS-Agent infrastructure to compromise a French commercial dynamic display provider, attempting to display photo montages denouncing Israeli athletes' participation in the 2024 Olympics. This cyberattack was coupled with disinformation including fake news articles and threat messages to Israeli athletes under the banner of a fake French far-right group.

Following the October 7, 2023, Hamas attack, Shahid Shushtari used cover personas including "Contact-HSTG" to contact family members of Israeli hostages, attempting to inflict psychological trauma. The group also undertook significant efforts to enumerate and obtain content from IP cameras in Israel, making images available via several servers.

AI Integration and Hack-and-Leak Operations

Shahid Shushtari incorporated artificial intelligence into operations, including AI-generated news anchors in the "For-Humanity" operation that impacted a US-based Internet Protocol Television streaming company in December 2023. The group leverages AI services including Remini AI Photo Enhancer, Voicemod, Murf AI for voice modulation, and Appy Pie for image generation, a joint October advisory from the U.S. and Israeli agencies stated.

Since April 2024, the group used the online persona "Cyber Court" to promote activities of cover-hacktivist groups including "Makhlab al-Nasr," "NET Hunter," "Emirate Students Movement," and "Zeus is Talking," conducting malicious activity protesting the Israel-Hamas conflict.

FBI assessments indicate these hack-and-leak operations are intended to undermine public confidence in victim network security, embarrass companies and targeted countries through financial losses and reputational damage.

Anyone with information on Mohammad Bagher Shirinkar, Fatemeh Sedighian Kashi, or Shahid Shushtari should contact Rewards for Justice through its secure Tor-based tips-reporting channel.

The warning arrived on chat at 3:47 AM: "Immediately reinstall your server, erase traces, the German police are acting."

Cybercriminals worldwide using the Rhadamanthys infostealer watched in real-time as German law enforcement IP addresses appeared in their web panels, signaling the collapse of what investigators now reveal as one of the largest credential theft operations globally.

Between November 10 and 14, 2025, authorities coordinated from Europol's headquarters in The Hague dismantled 1,025 servers supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and Elysium botnet in the latest phase of Operation Endgame.

The infrastructure controlled hundreds of thousands of infected computers containing several million stolen credentials and access to over 100,000 cryptocurrency wallets potentially worth millions of euros. The coordinated international action involved law enforcement from eleven countries including the United States, Canada, Australia, and multiple European nations.

Key Suspect Arrested in Greece

Authorities arrested a primary suspect linked to VenomRAT operations in Greece on November 3, 2025. The arrest preceded the broader infrastructure takedown by days, suggesting investigators conducted extensive surveillance before executing simultaneous strikes.

Officers conducted searches at 11 locations across Germany, Greece, and the Netherlands while seizing 20 domains tied to the malware operations. The Rhadamanthys developer acknowledged the disruption in a Telegram message, claiming German law enforcement accessed their infrastructure.

Web panels hosted in EU data centers logged German IP addresses connecting immediately before cybercriminals lost server access, according to messages circulated among the infostealer's customer base. Security researchers known as g0njxa and Gi7w0rm, who monitor malware operations, reported that cybercriminals using Rhadamanthys received urgent warnings about the law enforcement action.

Internal communications advised immediate cessation of activities and system reinstallation to erase traces, with operators noting that SSH access suddenly required certificates instead of root passwords. The panic spread rapidly through underground forums as customers realized law enforcement had penetrated their command and control infrastructure.

Malware-as-a-Service Business Model Disrupted

Rhadamanthys operates on a subscription model where cybercriminals pay monthly fees for malware access, support, and web panels used to collect stolen data. The operation marketed itself professionally as "Mythical Origin Labs" through a Tor website with detailed product descriptions, a Telegram support channel, and communication via Tox messaging.

Also read: Be Wary of Google Ads: Rhadamanthys Stealer is Here!

The infostealer steals login credentials, browser data, cryptocurrency wallet information, autofilled data, and other sensitive information from browsers, password managers, and crypto wallets. Subscription plans ranged across multiple tiers, providing different levels of functionality and support.

The malware commonly spreads through campaigns promoted as software cracks, malicious YouTube videos, or poisoned search advertisements. Most victims remained unaware of infections on their systems, with stolen credentials silently exfiltrated to attacker-controlled infrastructure.

VenomRAT functions as a remote access trojan capable of exfiltrating various files, stealing cryptocurrency wallets and browser data, credit card details, account passwords, and authentication cookies. Both malware families operated as enablers for broader cybercrime ecosystems, with customers using stolen data for identity theft, financial fraud, and follow-on attacks.

Elysium Botnet Infrastructure Eliminated

The Elysium botnet, marketed alongside Rhadamanthys by the same operators as a proxy bot service, fell under the operation's scope. Security researchers assess that machines infected with Rhadamanthys or VenomRAT may have also been equipped with the proxy bot, creating a multi-layered criminal infrastructure serving various malicious purposes.

The dismantled infrastructure consisted of hundreds of thousands of infected computers across multiple continents. Many victims unknowingly participated in proxy networks that criminals used to route malicious traffic and obscure attack origins.

The Operation Endgame website was updated with new video content mocking Rhadamanthys operators and encouraging their customers to contact law enforcement. The site previously featured countdown timers announcing upcoming actions, creating psychological pressure on cybercriminals.

About Operation Endgame

Operation Endgame launched with initial actions in May 2024, described by Europol as the largest ever operation against botnets that play major roles in ransomware deployment. Previous phases disrupted IcedID, Bumblebee, Pikabot, Trickbot, SystemBC, SmokeLoader, and DanaBot malware operations.

Read: Operation Endgame – Largest Ever Operation Against Multiple Botnets Used to Deliver Ransomware

The May 2024 actions resulted in four arrests, over 100 servers taken down across 10 countries, over 2,000 domains brought under law enforcement control, and seizure of €3.5 million in various cryptocurrencies.

Shadowserver published a Rhadamanthys Historical Bot Infections Special Report containing information about devices infected between March 14 and October 11, 2025. The report was shared with 201 National CSIRTs in 175 countries and 10,000-plus network owners to identify compromised computers and alert owners. Authorities established accessible resources for concerned victims.

Security researchers warn that despite Operation Endgame's successes, some malware operations have demonstrated resilience. DanaBot banking trojan resurfaced with version 669 approximately six months after disruption, focusing on cryptocurrency theft and demonstrating the persistent nature of cybercrime infrastructure.

The simultaneous dismantling of three interconnected criminal platforms disrupts infrastructure enabling some of the most damaging cybercrimes globally, though investigators acknowledge the ongoing challenge of preventing criminal groups from rebuilding operations.

Also read: Operation Endgame 2.0: Europe’s Cyber Dragnet Just Crippled the Ransomware Economy at Its Source