Operation Endgame 3.0 push takes down more cybercrime servers, disrupting criminal gangs


  • Europol disrupts Rhadamanthys, VenomRAT, and Elysium, seizing servers, domains, and arresting one suspect
  • The malware infrastructure held millions of stolen credentials and over 100,000 crypto wallets
  • Operation Endgame previously dismantled major malware networks, though some like DanaBot have resurfaced

Europol has launched the latest phase of its Operation Endgame, looking to disrupt the activities of some of the largest malware operations active today.

A press release published on Europol’s website says that between November 10 and 13, its agents, together with national law enforcement agencies from a handful of European countries, disrupted Rhadamanthys, VenomRAT, and Elysium.

The activities resulted in more than 1,000 servers either taken down or disrupted, 20 domains seized, and 11 locations searched (one each in Germany and Greece, and nine in the Netherlands). Furthermore, one person, suspected of operating VenomRAT, was arrested.

Europol's activities

The dismantled malware infrastructure consisted of “hundreds of thousands of infected computers containing several million stolen credentials,” Europol explained.

Many of the victims were oblivious to the fact they were targeted, it added, and said that the main suspect behind the infostealer had access to “over 100,000 crypto wallets” potentially worth millions.

News of the operation first surfaced two days ago, when independent security researchers saw Rhadamanthys’ users being locked out of the platform. Those users, as well as the malware’s operators, blamed the German authorities for the disruption, and urged their users to cover their tracks.

Operation Endgame’s last activity was in May 2025, when Europol and Eurojust dismantled a ransomware kill chain. In that operation, the police seized roughly 300 servers, took down 650 domains, and issued international arrest warrants against 20 individuals. The police also seized €3.5 million in various cryptocurrencies.

Disrupting malware operations is commendable, but without arrests, it is only a matter of time before they resurface. DanaBot, one of the operations taken down in May, resurfaced six months later with rebuilt infrastructure and new cryptocurrency wallets to siphon stolen funds to.

Other backdoor, malware, and loader operations that were disrupted through Operation Endgame include IcedID, Smokeloader, Qakbot, and Trickbot.

Via Infosecurity Magazine



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
