Law enforcement authorities from nine countries disrupted infrastructure used by the Rhadamanthys infostealer, VenomRAT remote access trojan and the Elysium botnet during a phase of Operation Endgame, taking down 1,025 servers and seizing 20 domains after searches in Germany, Greece and the Netherlands between 10 and 14 November 2025.
The action was coordinated by Europol and Eurojust and involved support from multiple private partners and security organisations, including Shadowserver, Proofpoint, Lumen, HaveIBeenPwned and DIVD, alongside other industry partners named by investigators.
Police also arrested a key suspect in Greece on 3 November 2025 in an inquiry linked to VenomRAT. In a press release, Europol said the dismantled infrastructure involved hundreds of thousands of infected machines and several million stolen credentials, and that the main suspect had access to more than 100,000 crypto wallets that could be worth millions of euros.
Investigators reported that customers of the Rhadamanthys malware-as-a-service lost access to their control servers following the disruption, and that the Rhadamanthys developer indicated German IP addresses were observed connecting to web panels hosted in EU data centres before access was lost.
Authorities advised organisations and individuals to check systems for compromises and stolen data using available services such as politie.nl/checkyourhack and haveibeenpwned.com.
The operation builds on earlier multinational actions that have seized servers, targeted ransomware supply chains and disrupted other malware campaigns, and investigators said it forms part of ongoing efforts to dismantle criminal infrastructure across multiple malware families.

