An international coalition led by the European police agency Europol has disrupted three major cybercrime rings that were responsible for infecting hundreds of thousands of computers with malicious software, seizing more than 1,000 illegal servers, and striking a blow to a thriving underground economy that sells stolen data. The crackdown, part of the ongoing Operation Endgame project, focused on the Rhadamanthys infostealer, the Elysium botnet, and the VenomRAT remote access trojan: toolsets investigators believe were used to orchestrate large-scale credential theft, account takeover, and hands-on-keyboard intrusions.
Europol said the operation disrupted the infrastructure behind an infection chain that encompassed hundreds of thousands of infected computers worldwide, along with several million stolen credit card numbers. Many victims had no idea that their devices were being put to work in criminal networks, underscoring how quietly such campaigns can run until law enforcement or security researchers shine a light on the activity.
Another suspected mastermind of VenomRAT was also arrested in Greece, with simultaneous financial and infrastructure investigations ongoing. It amounts to a major blow against malware-as-a-service operators who rent out those capabilities to many different classes of criminals.
Operation Endgame: On Stealers, Botnets and RATs
Rhadamanthys, a credential-stealing malware sold to cybercriminals, excels at gathering passwords, session cookies, browser autofill data, and cryptocurrency wallet keys. The main suspect tied to Rhadamanthys had access to over 100,000 crypto wallets, each with the potential for a multimillion-euro haul if cashed out through laundering funnels, Europol said.
Elysium, a botnet service, offered attackers for-hire infrastructure for delivering malicious payloads, blasting spam, and rotating command-and-control server addresses. VenomRAT gave intruders persistent access to infected systems, with keylogging, file theft, and remote execution.
Together, they paint a modular picture of cybercrime: steal credentials en masse, weaponize access to compromised devices, and hand operators remote control for post-compromise monetization.
After a different infostealer was disrupted, Lumen’s Black Lotus Labs, which has been supporting industry efforts as part of the operation, saw Rhadamanthys activity increase significantly: it became the most prevalent stealer by telemetry deployment volume and impacted more than 12,000 victims in a month.
The data demonstrates how rapidly criminal demand shifts when a single service goes dark.
Why Takedowns Can Set Off the Whack-a-Mole Effect
Interruptions like these mitigate active harm, but they also force adversaries to retrench. Infostealer crews often shift distribution on a dime, from compromised search ads one week to cracked installers paired with social engineering the next, while affiliates advertise “fresh” builds on underground forums. The result is a familiar whack-a-mole dynamic: knock down one operation and demand springs to the next most viable one.
The economics incentivize persistence. Stolen credentials and wallet seeds can be monetized quickly to fund BEC, account takeovers, or ransomware initial access. The F.B.I.’s Internet Crime Complaint Center reports that more than $10 billion in annual victim losses result from cyber-enabled fraud originating largely from credentials stolen by commodity stealers like the ones pursued here. Industry studies by firms including Chainalysis and Elliptic provide insight into how crypto-related theft is laundered through mixers and cross-chain bridges, both of which complicate recovery of the stolen assets.
Europol’s strategy marries arrests with infrastructure takedowns and sinkholing to disrupt command channels and map victim populations. Collaboration with telecoms and national CSIRTs allows for targeted notifications and mitigation at scale, closing the window of time in which criminals can exploit their footholds.
What Companies Should Do Now to Reduce Their Risk
Expect CERTs and security companies to publish indicators of compromise related to Rhadamanthys, Elysium, and VenomRAT. Enterprises need to ingest those IOCs rapidly, hunt for related processes and C2 beacons, and assess credential exposure wherever endpoints were compromised.
- Force password resets and revoke tokens.
- Rotate API keys and wallet seeds.
- Check for persistence mechanisms and signs of lateral movement.
Users can reduce risk by using a password manager, enabling phishing-resistant MFA where available, and treating search ads and software cracks as high-risk vectors. Keep browsers and extensions up to date, and be wary of pop-ups asking you to “re-authenticate,” which might harvest sessions that are already protected by MFA.
For defenders, the lesson is to stay consistent. Match takedown news with hard hygiene: lock down egress filtering, block well-known stealer exfiltration protocols, and implement behavioural controls that alert on mass credential access or suspicious browser data collection. The quicker organizations respond to takedown intelligence, the less value there is in criminals’ caches.
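One way to realise the behavioural control described above, as an added example that is not from the article, Europol, or any vendor product: a Python sketch that flags a non-browser process reading several browser credential stores or wallet files within a short window, the collection pattern the stealers discussed here rely on. The telemetry lines, process names, path markers and thresholds are constructed for illustration and would need tuning to a real EDR feed.

```python
"""Flag infostealer-style bulk collection of browser/wallet secrets from file-read telemetry.

Added example (not from the article or Europol). Input is (timestamp, process image, path read)
tuples; output is one alert per non-browser process that touches several distinct
credential or wallet stores inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): a browser reading its own stores,
# a suspicious installer sweeping several stores in seconds, and a benign one-off read.
EVENTS = [
    ("2025-11-13T09:00:01", "chrome.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("2025-11-13T09:00:02", "chrome.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ("2025-11-13T09:05:10", "setup_crack.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("2025-11-13T09:05:11", "setup_crack.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ("2025-11-13T09:05:12", "setup_crack.exe", r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"),
    ("2025-11-13T09:05:13", "setup_crack.exe", r"C:\Users\a\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    ("2025-11-13T09:20:00", "backup.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

# Path fragments that identify browser credential/cookie stores and wallet files (illustrative list).
SENSITIVE_MARKERS = ("login data", "cookies", "web data", "logins.json", "key4.db", "wallet", ".seco")
# Image names allowed to read their own stores. Matching on name alone is spoofable;
# a production rule should key on signer and full path instead.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def is_sensitive(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in SENSITIVE_MARKERS)


def detect_bulk_collection(events, window=timedelta(minutes=2), threshold=3):
    """Return [(process, distinct_store_count, first_read_iso)] for each non-browser process
    that reads at least `threshold` distinct sensitive files within `window`."""
    reads_by_proc = defaultdict(list)
    for ts, proc, path in events:
        if proc.lower() in BROWSERS or not is_sensitive(path):
            continue
        reads_by_proc[proc].append((datetime.fromisoformat(ts), path.lower()))
    alerts = []
    for proc, reads in reads_by_proc.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):          # sliding window anchored at each read
            distinct = {p for t, p in reads[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append((proc, len(distinct), start.isoformat()))
                break                                   # one alert per process
    return alerts


if __name__ == "__main__":
    for proc, count, first in detect_bulk_collection(EVENTS):
        print(f"ALERT {proc}: {count} credential/wallet stores read starting {first}")
```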
The latest Endgame moves are a big win but are not an endgame. Cybercriminals trade in agility; continuous pressure, financial tracing, and public-private data sharing are what will transform temporary disruptions into lasting deterrence. Success here will be quantified in hours, days, or weeks of reduced dwell time and how much it costs operators, not only servers taken offline.