Rhadamanthys, VenomRAT, and Elysium Malware Fall in Operation Endgame

Written by Alexander Chapellin | Nov 14, 2025 3:00:00 PM

Authorities from nine countries dealt a major blow to cybercrime by dismantling over 1,000 servers used by the operators of Rhadamanthys, VenomRAT, and the Elysium botnet. This move is part of the latest phase of Operation Endgame, a global offensive aimed at cutting off the infrastructure supporting these threats at the root.

The operation, coordinated by Europol and Eurojust, involved not only law enforcement agencies but also a wide range of private sector partners, including Cryptolaemus, Shadowserver, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender. Together, they formed a united front to identify, track, and take down the servers that kept these malware networks alive.

Between November 10 and 14, 2025, searches were carried out at 11 locations across Germany, Greece, and the Netherlands. As a result, 20 domains were seized, and 1,025 servers supporting these malicious operations were taken offline.

Additionally, this phase of Endgame led to the arrest of a key suspect in Greece on November 3, directly linked to VenomRAT—a remote access trojan used to covertly take control of infected devices.

Europol revealed that the dismantled infrastructure included hundreds of thousands of infected devices and millions of stolen credentials. Alarmingly, most victims were unaware their systems had been compromised. The main suspect had access to over 100,000 cryptocurrency wallets, potentially worth millions of euros.

Seizure Notice on Rhadamanthys Tor Site

Rapid Growth of Rhadamanthys Infrastructure

According to Black Lotus Labs at Lumen—one of the teams that supported authorities during the operation—the Rhadamanthys infrastructure had been growing steadily since 2023, peaking between October and November 2025.

“We observed an average of around 300 active servers per day, with a peak of 535 servers in October 2025 alone. Over 60% of these C2 servers were hosted in the United States, Germany, the United Kingdom, and the Netherlands,” Lumen reported.

Notably, more than 60% of Rhadamanthys command-and-control (C2) servers had no detections on VirusTotal, which let them operate under the radar for an extended period. That low visibility helped the malware impact over 4,000 unique IP addresses per day in October 2025, driving the sharp rise in victims recorded during that period.

Evidence Confirms the Complete Takedown of Rhadamanthys

The announcement confirms that the Rhadamanthys infostealer operation has been completely disrupted. Even the malware-as-a-service clients admitted they could no longer access the servers they used to manage their campaigns.

The developer of Rhadamanthys also posted on Telegram, expressing suspicion of German police involvement. According to the post, web panels hosted in EU data centers began registering connections from German IP addresses just before operators lost control of the entire infrastructure.

Operation Endgame is no newcomer to this fight. In earlier phases, this international initiative took down over a hundred servers linked to malware families such as IcedID, Bumblebee, Pikabot, Trickbot, DanaBot, and SystemBC, directly degrading the operational capabilities of the criminal networks behind them.

Those earlier phases also targeted ransomware-related infrastructure, the AVCheck counter-antivirus testing site, and botnet servers such as those of Smokeloader.

Even outside this operation, international pressure has continued to mount. In April 2024, Ukraine’s cyber police arrested a Russian citizen in Kyiv accused of working with ransomware groups like Conti and LockBit, helping their malware evade antivirus tools.

Conclusion

The international operation that dismantled the Rhadamanthys, VenomRAT, and Elysium networks sends a clear message: cybercrime is not untouchable. When its infrastructure is targeted, its ability to operate is drastically reduced. This is a major step forward and proof of the impact global cooperation can have.

However, it's also a reminder that these threats continue to evolve. Cybercriminals regroup quickly and look for new ways to compromise systems. That’s why both users and companies must maintain an active and ongoing security posture.

At TecnetOne, we firmly believe that prevention, visibility, and early response are key to staying ahead. Cybersecurity isn’t improvised—it’s built day by day.