The U.S. and eight other Western governments have jointly dismantled the computer infrastructure behind multiple popular cybercrime tools.
In a three-day operation, law enforcement authorities took down more than 1,000 servers and 20 domains associated with the Rhadamanthys infostealer, the VenomRAT remote access Trojan and the Elysium botnet. Greek police arrested VenomRAT’s suspected operator.
“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol, which coordinated the operation from its headquarters in The Hague, said in a statement. “The main suspect behind the [Rhadamanthys] infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros.”
Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands and the U.S. participated in the takedowns, which were the latest phase of Operation Endgame, an ongoing multinational effort to cripple cybercrime gangs. Cybersecurity firms, telecom companies and independent research organizations, including CrowdStrike, Lumen and Shadowserver, provided support for the operation.
The law enforcement disruptions targeted infrastructure that Europol said “played a key role in international cybercrime.”
The Rhadamanthys infostealer factored into multiple hacker gangs’ activities, with its tiered pricing model and variety of modules suggesting a sophisticated development and sales operation. The infostealer’s creators built in obfuscation features and regularly upgraded its capabilities, allowing hackers to deploy it differently depending on their target.
VenomRAT popped up frequently in attacks on hotels and other hospitality companies by a threat actor that Proofpoint tracks as TA558. The group, which accounts for 58% of the VenomRAT deployments that Proofpoint has observed since 2022, primarily hacks Latin American organizations but has also targeted entities in North America and Western Europe. It may have moved on to other malware, however, as Proofpoint said it “has not observed VenomRAT in campaign data since September 2025.”
Adam Meyers, head of counter adversary operations at CrowdStrike, said the latest operation “shows what’s possible when law enforcement and the private sector work together.”
“Disrupting the front end of the ransomware kill chain — the initial-access brokers, loaders, and infostealers — instead of just the operators themselves has a ripple effect through the eCrime ecosystem,” Meyers said in a statement.
