
Operation Endgame Targets Rhadamanthys, VenomRAT, and Elysium Malware, Seizing 1025 Servers

  • Nov 13, 2025

Key Findings


  • Operation Endgame, a global law enforcement operation, has taken down the core systems of three major online crime groups: the Rhadamanthys infostealer, the VenomRAT remote control tool, and the Elysium botnet.

  • The operation was coordinated by Europol and Eurojust, with the participation of law enforcement and judicial authorities from 11 countries: Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States.

  • Over 1,025 servers used by cybercriminals to run malware globally have been seized, and 11 malicious domains have been shut down.

  • Authorities conducted 11 searches across locations in Germany, Greece, and the Netherlands, and arrested a key suspect linked to the VenomRAT operation in Greece.

  • The dismantled infrastructure had infected hundreds of thousands of computers, resulting in several million stolen login details and over 100,000 cryptocurrency wallets potentially worth millions of euros.


Background


Operation Endgame is part of a broader, ongoing effort by law enforcement to disrupt cybercriminal infrastructures and ransomware enablers worldwide. This latest phase follows previous actions, such as the May 2024 takedown that hit dropper tools like Smokeloader, IcedID, and Bumblebee, and the disruption of the DanaBot network in May 2025.


Arrests and Network Takedown


  • The joint action involved law enforcement and legal teams from 11 nations: Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States.

  • Authorities also had support from more than 30 organizations, including cybersecurity firms like Proofpoint, CrowdStrike, and Bitdefender, which led to the seizure of 11 malicious domains and the shutdown of over 1,025 servers used by cybercriminals.

  • Authorities conducted 11 searches across locations in Germany, Greece, and the Netherlands, and arrested a key suspect linked to the VenomRAT operation in Greece on November 3, 2025.


Impact and Victim Assistance


  • The dismantled infrastructure had infected hundreds of thousands of computers, resulting in several million stolen login details and over 100,000 cryptocurrency wallets potentially worth millions of euros.

  • Many victims were not even aware that their systems were compromised.

  • Police urge victims to use free tools like politie.nl/checkyourhack to check their computer's status and seek assistance if infected.


Ongoing Efforts


  • Operation Endgame is part of a broader, ongoing effort by law enforcement to disrupt cybercriminal infrastructures and ransomware enablers worldwide.

  • Past actions include the May 2024 takedown that hit dropper tools like Smokeloader, IcedID, and Bumblebee, and the disruption of the DanaBot network in May 2025.

  • Authorities are not only going after the big criminals but also the people who pay to use their services, as seen in the April 2025 arrests of criminal customers of the now-defunct Smokeloader service.


Sources


  • https://hackread.com/operation-endgame-rhadamanthys-venomrat-elysium-malware/

  • https://securityaffairs.com/184581/cyber-crime/a-new-round-of-europols-operation-endgame-dismantled-rhadamanthys-venom-rat-and-elysium-botnet.html

  • https://thehackernews.com/2025/11/operation-endgame-dismantles.html


© 2025 by Explain IT Again. Powered and secured by Wix
