Authorities have delivered another major hit to global cybercrime infrastructure, with more than 1,025 servers linked to three prolific malware operations taken down in the latest phase of Operation Endgame.
Coordinated from Europol’s headquarters in The Hague between 10 and 13 November, the action targeted the infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium. All of these are key enablers behind large-scale international cyberattacks.
A suspect tied to VenomRAT was arrested earlier this month in Greece.
Millions of Stolen Credentials
Officials say the dismantled infrastructure had infected hundreds of thousands worldwide and had siphoned millions of stolen credentials. Investigators believe the main Rhadamanthys operator alone had access to more than 100,000 crypto wallets, potentially worth millions.
The operation, coordinated by Europol and Eurojust, brought together law enforcement from 11 countries, backed by more than 30 public and private partners, including Cryptolaemus, Shadowserver, Proofpoint, CrowdStrike, Trellix, and Bitdefender.
Key results include:
- 1 arrest in Greece
- 11 searches across Germany, Greece and the Netherlands
- 1,025+ servers taken down or disrupted
- 20 domains seized
Victims are being urged to check whether their systems were compromised at politie.nl/checkyourhack and haveibeenpwned.com.
More than 100 officers from nine countries worked from Europol’s command post during the takedown, coordinating intelligence on seized servers, suspects and data transfers. Eurojust supported with arrest warrants and investigation orders.
Europol says Endgame isn’t finished. Criminal users of these services have been directly contacted and asked to come forward with information via the operation’s Telegram channel, while failing criminal services are being publicly exposed on the Endgame website.
The Threat isn’t Over
Phil Wylie, Senior Consultant & Evangelist, at Suzu, sayd: “This operation shows what’s possible when intelligence and collaboration align, but dismantling one infrastructure doesn’t end the threat. Threat actors adapt fast, and defenders must be faster.
“To help reduce such risks, practicing good security hygiene is imperative, as well as proactive security measures, including security assessments, penetration tests, and security controls validation,” Wylie adds.
Founder & CEO of Suzu Michael Bell, adds: “It’s a cat and mouse game, but impact isn’t measured by permanence. Impact is measured by disruption cost and defender advantage gained.”
Reducing the Attack Surface
Bell says forcing adversaries to rebuild 1,025 servers and reconstitute infrastructure across three major malware families means they’re investing resources in recovery instead of new attacks, and every credential rotation or system hardening that happens during this window reduces future attack surface.
“The arrest of VenomRAT’s main operator and seizure of databases containing millions of stolen credentials also creates operational security paranoia within cybercrime networks because when your infrastructure gets seized, you don’t know what intelligence law enforcement now has about your customers, affiliates, and future plans,” Bell says.
“So yes, they’ll rebuild, but these operations buy defenders time, degrade adversary confidence, and validate the public-private collaboration model that’s the only way to sustainably disrupt the cybercrime ecosystem.”
Expect Subsequent Phishing Campaigns
John Carberry, CMO, at Xcape Inc, adds: “Reports indicate that criminals are now locked out of Rhadamanthys control panels, causing significant operational challenges for those involved. Security teams should now scan endpoints for remaining threats, change tokens and credentials across their systems, and integrate new indicators of compromise (IOCs) from the takedown to identify any lingering infections.”
Expect subsequent phishing campaigns and attempts by criminals to rebuild their infrastructure as they adapt and try new methods. “The only way to win the cyberwar is to persistently decapitate the criminal infrastructure that runs the world’s malware economy.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.