
Security Affairs

A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet

Europol’s Operation Endgame dismantles Rhadamanthys, Venom RAT, and Elysium botnet in a global crackdown on cybercriminal infrastructures.

Europol and Eurojust have launched a new phase of Operation Endgame, carried out between November 10 and 13, 2025, dismantling major malware families including Rhadamanthys Stealer, Venom RAT, and the Elysium botnet as part of a global effort to disrupt cybercriminal infrastructures and ransomware enablers worldwide.

“The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers.” reads the press release published by Europol.

The international law enforcement operation has taken down over 1,025 servers worldwide and led to the seizure of 20 domains used by malware operators. The coordinated operation also resulted in one arrest in Greece and searches at eleven locations in Germany, Greece, and the Netherlands. The dismantled infrastructure infected hundreds of thousands of systems worldwide, stealing millions of credentials and over 100,000 crypto wallets worth millions of euros.

“Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100 000 crypto wallets belonging to these victims, potentially worth millions of euros. Check if your computer has been infected and what to do if so at politie.nl/checkyourhack and haveibeenpwned.com” continues the press release. “There were actions aimed at criminal services and their criminal users. These users were directly contacted by the police and asked to share relevant information regarding infostealers via the Operation Endgame Telegram channel. In addition, the failing criminal services are exposed via the Operation Endgame website.”

Operation Endgame involved a broad international coalition. EU participants included law enforcement and judicial bodies from Denmark, France, Germany, Greece, Lithuania, and the Netherlands. Beyond Europe, Australia, Canada, and the United States also took part, with agencies such as the FBI, DOJ, and Australian Federal Police contributing to the coordinated crackdown.

From May 19 to 22, 2025, another round of Operation ENDGAME disrupted global ransomware infrastructure. Law enforcement took down 300 servers and 650 domains, and issued 20 international arrest warrants. Authorities also seized 3.5M in cryptocurrency, bringing the total to over 21.2M. This follows the 2024 botnet crackdown, targeting evolving malware threats and cybercriminal groups.

The operation targeted initial access malware used by threat actors to infiltrate systems prior to ransomware deployment. Neutralized strains include Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie, all commonly used in ransomware-as-a-service schemes. Authorities also issued 20 international arrest warrants for key operators.

Several key suspects behind malware operations are now under international and public alerts. Germany will list 18 of them on the EU Most Wanted list from May 23. They allegedly provided or operated tools used in major ransomware attacks.
Pierluigi Paganini (SecurityAffairs hacking, Operation Endgame)

Published: 2025-11-13T15:19:40










