A Europol law enforcement operation targeting malware networks across the continent has disrupted a cybercrime operation that victimized hundreds of thousands worldwide.
“Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers,” Europol stated.
More than 30 public and private entities also participated in the operation, underscoring the significance of collaboration in tackling distributed cybercrime networks.
Abuse.ch, Bitdefender, CrowdStrike, Cryptolaemus, Cymru, DIVD, HaveIBeenPwned, Lumen, Proofpoint, RoLR, Shadowserver, Spamhaus, Spycloud, and Trellix participated in the law enforcement campaign.
Operation Endgame is an ongoing law enforcement campaign targeting cybercrime infrastructure that allows cybercriminals to target millions of people worldwide.
Europol cybercrime takedown operation dismantles potent malware networks
The operation took place between November 10 and 13, 2025, at Europol’s headquarters in The Hague, the Netherlands. It targeted several malware networks linked to various infostealers and botnets, including the Elysium botnet, Rhadamanthys infostealer, and the VenomRAT remote access trojan.
During the operation, 11 locations were searched across Germany (1), Greece (1), and the Netherlands (9). More than 1,025 servers linked to the malware networks were also taken down, and 20 domains were seized.
“Operation Endgame 3.0 forcing adversaries to rebuild 1,025 servers and reconstitute infrastructure across three major malware families (Rhadamanthys, VenomRAT, Elysium) means they’re investing resources in recovery instead of new attacks, and every credential rotation or system hardening that happens during this window reduces future attack surface,” said Michael Bell, Founder & CEO, Suzu.
The law enforcement operation also resulted in the arrest in Greece of a suspected operative of a cybercrime network. The Albanian national is suspected of having created and sold VenomRAT since 2020. The trojan costs $150 monthly or $1,550 annually and is offered in either a self-hosted or a rented server model with additional perks. It is distributed via unsolicited emails containing malicious attachments.
The arrest of its alleged creator and seller followed an arrest warrant issued by France. Unsurprisingly, the trojan’s infrastructure was also hosted on servers belonging to a French company.
The Shadowserver Foundation also revealed that the Rhadamanthys infostealer had compromised over 10,000 users in more than 175 countries between March and November 2025.
Meanwhile, authorities have contacted victims impacted by the cybercrime campaign via the Operation Endgame website, notifying them that they had been infected with credential-stealing malware.
“This operation shows what’s possible when intelligence and collaboration align,” stated Phil Wylie, Senior Consultant & Evangelist, Suzu.
However, he warned that “dismantling one infrastructure doesn’t end the threat. Threat actors adapt fast, and defenders must be faster.”
“To help reduce such risks, practicing good security hygiene is imperative, as well as proactive security measures including security assessments including penetration tests, and security controls validation,” added Wylie.
Hackers compromised millions of credentials and hundreds of thousands of crypto wallets
According to Europol, the Rhadamanthys developer had access to over 100,000 crypto wallets, valued at millions of dollars, underscoring the breadth of the cybercrime network. During the operation, Europol and partner law enforcement agencies seized cryptocurrency amounting to $140,424.
Europol also disclosed that the dismantled malware networks consisted of hundreds of thousands of infected computers and millions of stolen credentials. Most of the owners were likely unaware that they had been compromised, putting their accounts and crypto wallets at risk of takeover.
“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol explained. “Many of the victims were not aware of the infection of their systems.”
The malware networks, specifically those linked to the Elysium botnet, were also linked to cyber attacks on critical infrastructure, government, and healthcare sectors. However, the Rhadamanthys infostealer and VenomRAT were linked to widespread attacks on corporate networks, suggesting that their operators were more financially motivated.
Meanwhile, Europol and partner law enforcement agencies have dismantled cybercrime infrastructure in similar sweeps. Between October 2024 and May 2025, law enforcement operations Magnus and Endgame dismantled the RedLine and Lumma infostealer infrastructures, respectively, allowing Rhadamanthys to surge, only for it to suffer the same fate in November 2025.

