Screenshot from a video posted by the Operation Endgame international anti-cybercrime coalition.

Operation Endgame: Police reveal takedowns of three key cybercrime tools

An international coalition of law enforcement agencies announced on Thursday a series of disruptions to three of the most significant tools used by cybercriminals globally.

Coordinated from Europol’s headquarters in The Hague, the latest phase of Operation Endgame saw cops scupper the Rhadamanthys infostealer, the VenomRAT remote access trojan and the Elysium botnet.

It follows a first phase back in 2024 when Operation Endgame launched what its participants described as the “largest ever operation against botnets,” before a second wave of actions earlier this year took direct aim at individuals in the ransomware ecosystem.

According to Europol, the most recent phase of Operation Endgame — which began November 10 — saw infrastructure taken down that had been “responsible for infecting hundreds of thousands of victims worldwide with malware.”

It involved authorities from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States.

Europol also said the main suspect behind the VenomRAT tool was arrested in Greece earlier this month. The suspect’s name and nationality have not been announced.

Alongside the arrest, 11 locations were raided — one in Germany, one in Greece, and nine in the Netherlands — and 20 domains were seized, alongside over 1,025 servers either taken down or disrupted globally.

Europol said the dismantled malware infrastructure “consisted of hundreds of thousands of infected computers containing several million stolen credentials” with many of the owners of those computers unaware their systems were infected.

“The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros,” Europol said.

Around 2 million impacted email addresses and 7.4 million passwords are available for checking. People have been encouraged to visit politie.nl/checkyourhack and haveibeenpwned.com to see if their computers had been infected, and to find out what to do if they were. 

A video about the takedown of the Rhadamanthys infostealer has been uploaded to the Operation Endgame website, suggesting law enforcement officials are seeking to identify its director and customers and encouraging those with information to come forward.

The clearweb site for VenomRAT has also been seized and now features a splash page stating: “Law enforcement agencies have seized databases and other information relating to this domain. Anyone operating or using these cybercriminal services is subject to investigation and prosecution.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.