- Europol disrupts Rhadamanthys, VenomRAT, and Elysium, seizing servers, domains, and arresting one suspect
- The malware infrastructure held millions of stolen credentials and over 100,000 crypto wallets
- Operation Endgame previously dismantled major malware networks, though some like DanaBot have resurfaced
Europol has launched the latest phase of its Operation Endgame, looking to disrupt the activities of some of the largest malware operations active today.
A press release published on Europol’s website claims between November 10 and 13 its agents, together with national law enforcement agencies from a handful of European countries, disrupted Rhadamanthys, VenomRAT, and Elysium.
The activities resulted in more than 1,000 servers either taken down or disrupted, 20 domains seized, and 11 locations searched (one in Germany and Greece, and nine in the Netherlands). Furthermore, one person was arrested, suspected of operating VenomRAT.
Europol’s activities
The dismantled malware infrastructure consisted of “hundreds of thousands of infected computers containing several million stolen credentials,” Europol explained.
Many of the victims were oblivious to the fact they were targeted, it added, and said that the main suspect behind the infostealer had access to “over 100,000 crypto wallets” potentially worth millions.
News of the operation first surfaced two days ago, when independent security researchers saw Rhadamanthys’ users being locked out of the platform. Those users, as well as the malware’s operators, blamed the German authorities for the disruption, and urged their users to cover up their tracks.
Operation Endgame’s last activity was in May 2025, when Europol and Eurojust dismantled a ransomware kill chain. In that operation, the police seized roughly 300 servers, took down 650 domains, and issued international arrest warrants against 20 individuals. The police also seized €3.5 million in various cryptocurrencies.
Disrupting malware operations is commendable, but without arrests, it is only a matter of time before they resurface. DanaBot, one of operations that were taken down in May, resurfaced six months later, with rebuilt infrastructure and new cryptocurrency wallets to siphon stolen funds to.
Other backdoor, malware, and loader operations that were disrupted through Operation Endgame include IcedID, Smokeloader, Qakbot, and Trickbot.
Via Infosecurity Magazine
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
