Top infostealer disrupted after criminals lose server access
The Rhadamanthys infostealer has been disrupted
- Rhadamanthys infostealer disrupted; cybercriminals locked out of web panels
- Developer blames German police; Tor site offline without seizure banner
- Operation Endgame countdown hints at broader law enforcement action against MaaS
The Rhadamanthys infostealer, one of the most popular malware-as-a-service (MaaS) offerings on the dark web, has apparently been disrupted, with many of its customers locked out.
Researchers known as g0njxa and Gi7w0rm saw multiple cybercriminals reporting trouble using the tool since the police obtained access to their web panels.
The MaaS’ developer blamed the German police for the disruption, saying entities with German IP addresses were logging into the web panels hosted in EU data centers right before access was revoked.
German police blamed
German police are yet to confirm or deny these claims, though. Speaking to BleepingComputer, g0njxa said Rhadamanthys’ Tor site is also offline, but it currently doesn’t have the usual police seizure banner, so there is still a chance that this is the work of a different actor.
For one user, SSH access now requires a certificate instead of a root password, preventing entry: "If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," that person allegedly wrote.
"I confirm that guests have visited my server and the password has been deleted. Root server login became strictly certificate-based, so I had to immediately delete everything and power down the server," another one wrote. "Those who installed it manually were probably unscathed, but those who installed it through the 'smart panel' were hit hard."
At the same time, BleepingComputer uncovered that the website for Operation Endgame, an ongoing police action targeting different MaaS operations, currently has a countdown timer set to expire in approximately 21 hours.
Operation Endgame’s last activity was in May 2025, when Europol and Eurojust dismantled a ransomware kill chain. In that operation, the police seized roughly 300 servers, took down 650 domains, and issued international arrest warrants against 20 individuals. The police also seized €3.5 million in various cryptocurrencies.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.