A global alliance of law enforcement agencies, led by Europol, has dismantled three major cybercrime networks in the latest phase of what officials refer to as “Operation Endgame.”
In an official statement, Europol reported that the operation focused on the Rhadamanthys infostealer malware, the Elysium botnet, and the VenomRAT remote access trojan. Authorities noted that each of these played a significant part in international cybercrime activities. As part of the crackdown, law enforcement confiscated over 1,000 servers.
Europol revealed that the primary individual suspected of operating VenomRAT was apprehended in Greece on November 3.
“The malware infrastructure that was dismantled included hundreds of thousands of compromised computers and millions of stolen credentials,” the statement said. “A large number of victims were unaware their systems had been breached.”
Europol also stated that the main perpetrator behind Rhadamanthys had access to more than 100,000 cryptocurrency wallets, which could be valued at several million euros.
Rhadamanthys, as an infostealer, is engineered to extract a range of sensitive data from infected machines, such as passwords and crypto wallet keys. Its usage surged in October after authorities dismantled the well-known Lumma infostealer earlier in the year, demonstrating that cybercriminals often shift to alternative, lesser-known tools after major takedowns.
According to Black Lotus Labs at Lumen, a cybersecurity partner in Operation Endgame, Rhadamanthys initially spread through malicious Google ads when it debuted in 2022, and later expanded its reach through recommendations on underground forums.
In a blog post, the company noted that Rhadamanthys experienced a “sharp increase” and a “steady growth in victim numbers” following the Lumma takedown, making it “the most widespread information-stealing malware by volume.” The firm estimated that by October, the malware had affected over 12,000 individuals.
Black Lotus Labs researcher Ryan English told TechCrunch that Rhadamanthys “became the new preferred infostealer” after Lumma was taken offline.
“We anticipate others will fill the void, so we continue monitoring to identify new threats,” English said, noting that both law enforcement and the cybersecurity sector “can only address so much at any given moment.”
“In reality, it’s an endless game of whack-a-mole,” English remarked.
