- Europol disrupts Rhadamanthys, VenomRAT and Elysium, seizes servers, domains and arrests suspect
- The malware infrastructure contained millions of stolen credentials and more than 100,000 crypto wallets.
- Operation Endgame previously took down major malware networks, although some like DanaBot have resurfaced
Europol has launched the latest phase of its Operation Endgame, which seeks to disrupt the activities of some of the largest malware operations currently active.
A press release posted on Europol’s website states that between November 10 and 13 its agents, along with national law enforcement agencies from a handful of European countries, disrupted Rhadamanthys, VenomRAT, and Elysium.
The operation resulted in the takedown or disruption of more than 1,000 servers, the seizure of 20 domains, and the search of 11 locations (one each in Germany and Greece, and nine in the Netherlands). Additionally, one person, suspected of operating VenomRAT, was arrested.
Europol activities
The dismantled malware infrastructure consisted of “hundreds of thousands of infected computers containing several million stolen credentials,” Europol explained.
Many of the victims were unaware that they were being attacked, the agency added, saying that the main suspect behind the infostealer had access to “over 100,000 crypto wallets” potentially worth millions.
News of the operation first emerged two days ago, when independent security researchers saw that Rhadamanthys users were banned from the platform. These users, as well as the malware operators, blamed German authorities for the outage and urged their users to cover their tracks.
The last Operation Endgame activity was in May 2025, when Europol and Eurojust dismantled a ransomware kill chain. In that operation, police seized approximately 300 servers, took down 650 domains, and issued international arrest warrants for 20 people. The police also seized 3.5 million euros in various cryptocurrencies.
Disrupting malware operations is commendable, but without arrests, it is only a matter of time before they resurface. DanaBot, one of the operations that was shut down in May, resurfaced six months later, with rebuilt infrastructure and new cryptocurrency wallets to divert stolen funds.
Other backdoor, malware, and loader operations that were disrupted by Operation Endgame include IcedID, Smokeloader, Qakbot, and Trickbot.
Via Infosecurity Magazine




