Europol leads global strike on cybercrime networks

Europol has coordinated a fresh phase of Operation Endgame that dismantled infrastructure behind three major malware services, with police taking down or disrupting more than 1,025 servers across multiple countries between 10 and 13 November.

The action targeted the infostealer Rhadamanthys, the remote access trojan VenomRAT, and the botnet Elysium. Europol said the dismantled infrastructure comprised “hundreds of thousands of infected computers containing several million stolen credentials,” adding: “Many of the victims were not aware of the infection of their systems.”

Authorities also seized 20 domains and searched 11 locations in Germany, Greece and the Netherlands, while one suspect was arrested in Athens.

Greek police said the man, a 38‑year‑old Albanian national detained on 3 November on a European arrest warrant issued by France, is alleged to be the creator and seller of VenomRAT since 2020. Police said the malware was designed to steal information through keystroke recording, remote use of web cameras, text infiltration and cryptocurrency wallet hacking, with prices ranging from 150 euros a month to 1,550 euros a year. After searching his residence, officers confiscated hardware and a digital wallet holding cryptocurrencies worth $140,424.

Europol noted that “the main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros.” The agency directed victims to resources at politie.nl/checkyourhack and haveibeenpwned.com.

Private sector partners supported the operation. Adam Meyers, head of counter adversary operations at CrowdStrike, said: “Operation Endgame 3.0 shows what’s possible when law enforcement and the private sector work together. Disrupting the front end of the ransomware kill chain – the initial‑access brokers, loaders, and infostealers – instead of just the operators themselves has a ripple effect through the eCrime ecosystem.”

He added: “By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source. But disruption isn’t eradication. Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.”

Other industry voices praised the coordinated action. Michael Bell, chief executive officer of Suzu, said the takedowns force threat actors “to invest resources in reconstitution rather than new attacks,” buying time for defenders to strengthen systems. Trey Ford, chief strategy and trust officer at Bugcrowd, said global collaboration makes it “both expensive and dangerous to abuse technology for evil.”

Participating authorities spanned Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States, coordinated from Europol’s headquarters in The Hague.


