Massive blow to cybercrime: three malware families disrupted, 1025 servers taken down


Europol has achieved another major breakthrough in disrupting cybercriminal networks. Three notorious malware families – infostealer Rhadamanthys, trojan VenomRAT, and the botnet Elysium – have been crippled.

Operation Endgame, a long-term global anti-cybercrime effort coordinated by Europol, dismantled a cybercrime infrastructure responsible for infecting hundreds of thousands of victims worldwide with malware.

Over 1,025 servers were taken down or disrupted worldwide, and 20 domains were seized. The police searched 11 locations, most of them in the Netherlands, one in Germany, and one in Greece.

All three malware families play a key role in international cybercrime.

Many cybercrime groups deploy Rhadamanthys infostealer to collect user cookies, credentials, crypto wallets, and other data. Since 2022, the operators have been disseminating this malware-as-a-service on underground forums, offering a subscription model.

Europol stated that the main suspect behind VenomRAT was also arrested in Greece on November 3rd, 2025. This malware family emerged in 2020 and quickly gained popularity in cybercrime circles due to its efficient persistence capabilities and deep access, enabling it to steal data and load additional binaries.

“Infostealers and botnets are among the most widely used software worldwide to steal sensitive personal information (such as passwords and banking details) from a device. These services operate on a business model where a cybercriminal purchases a botnet (a network of infected computers) and then takes control of these computers and collects their data on their own server,” the Dutch police explained.

Additional services, such as Elysium Proxy Bot and a Crypt Service, were also impacted.

Law enforcement posted a playful video that depicts Rhadamanthys operators stealing collected information from subscribers for themselves. Moreover, the video hints that Rhadamanthys' customers will be targeted next.

“What's next? You’ll see. Not all at once, and perhaps not where you'd expect,” the post on the Operation Endgame website reads.

Millions of credentials, 100,000 crypto wallets stolen

The dismantled infrastructure contains a trove of information about the victims, and likely the criminals as well.

Authorities found “hundreds of thousands of infected computers containing several million stolen credentials,” with many victims still unaware that their systems are compromised.

Dutch police clarified that more than 600,000 victims worldwide have been infected by the dismantled malware strains, and tens of millions of victims' data records have been stolen.

“The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros,” Europol said in a press release.

“There were actions aimed at criminal services and their criminal users.”

Users can visit the Netherlands police’s website to check whether their email addresses were included in the seized databases. The data was also added to haveibeenpwned.com.

This latest takedown extends a series of major strikes against cybercriminals by Operation Endgame. Previously, the Europol-coordinated effort disrupted malware-distributing platforms, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. It also neutralized malware strains like Bumblebee, Latrodectus, Qakbot, Danabot, Trickbot, and Warmcookie. Europol helped shut down AVCheck, a key tool for malware development, among other actions.

While the operations target cybercrime at the supply chain level, this may not completely eradicate the malware strains, as cybercriminals may release them under new names and with new infrastructure.

The latest Operation Endgame was joined by more than 30 organizations, including private cybersecurity companies.

