
Europol has delivered another major blow to global cybercrime networks, announcing the takedown of 1,025 servers linked to large-scale malware operations, including the Rhadamanthys infostealer, VenomRAT remote-access Trojan, and the Elysium botnet.
This coordinated strike, one of the largest of its kind, ran between 10 and 14 November 2025, with operational command hosted at Europol’s headquarters in The Hague.
The crackdown marks the latest phase of Operation Endgame, an ongoing multinational campaign aimed at dismantling infrastructure underpinning financially motivated cybercrime, including ransomware, credential theft, and remote-access exploitation. Authorities targeted:
- Rhadamanthys, a prolific infostealer linked to several high-volume cyber-espionage and credential-theft campaigns, including Stargazers Ghost, ClickFix, and FileFix.
- VenomRAT, a remote-access Trojan widely used to hijack victim systems, steal credentials, and deploy secondary payloads. The main suspect behind it was arrested in Greece on 3 November 2025.
- Elysium, a global botnet responsible for widespread malware distribution and pay-per-install operations supporting other cybercriminal groups.
The infrastructure taken down was responsible for infecting hundreds of thousands of computers worldwide, yielding several million stolen credentials. According to investigators, the alleged Rhadamanthys operator had unauthorized access to more than 100,000 crypto wallets, potentially holding millions of euros in digital assets.
Operation Endgame’s latest push led to 1 arrest in Greece, 11 searches in Greece, Germany, and the Netherlands, and the seizure of 1,025 servers and 20 domains.
More than 100 law-enforcement officers from seven countries coordinated operations from Europol’s command post, exchanging intelligence, tracing crypto flows, and managing data recovered from seized servers.
A significant portion of impacted individuals were unaware that their systems had been infected and their credentials stolen. Europol urges citizens worldwide to check whether their email or device is linked to these compromised servers.
Have I Been Pwned has added 2 million new email addresses from the seized infrastructure to its database. Users can also check if they’re impacted on the Dutch police portal.
Authorities didn’t stop at infrastructure operators. Individuals using these services for criminal purposes were directly contacted by police and encouraged to provide information via an Operation Endgame Telegram channel. Failing services and operators have also been exposed through the operation’s website.
More actions against cybercrime enablers are expected as investigators continue analyzing seized systems, wallets, logs, and communication channels.
