Widespread reports suggest that a major law enforcement operation targeting notorious malware infrastructure has disrupted the Rhadamanthys stealer control panel, prompting urgent security alerts.
In a significant development within the cybersecurity community, reports indicate that German law enforcement authorities may have seized control of the main Rhadamanthys stealer infrastructure, marking a potentially significant blow against one of the most active malware-as-a-service operations.
The incident, which appears to have unfolded over the past 24-48 hours, has triggered widespread panic among threat actors and their customers as multiple administrative alerts warn of emergency server reinstallation and migration procedures.
According to incident reports circulating in threat intelligence channels, EU law enforcement compromised the primary Rhadamanthys command-and-control server, gaining access to multiple operator panels and modifying user data.
The severity of the situation prompted immediate action from the stealer’s administrator, who issued emergency directives instructing all active users to pause operations immediately and migrate their infrastructure to new servers as a precautionary security measure.

The evidence of the law enforcement operation became apparent when users discovered that the primary login method for the Rhadamanthys control panels had been forcibly changed to certificate-based authentication exclusively.
This abrupt modification prevented legitimate operators from accessing their malware infrastructure using standard password-based credentials, a clear indicator of unauthorized administrative intervention.
One administrator confirmed the compromise, stating that guests had visited the server, the password had been deleted for root login access, and all control panels were switched to strict certificate login mode.
Background on Rhadamanthys Stealer Operation
Following the discovery, users attempted to regain access but faced systematic blocking attempts. The Rhadamanthys team subsequently advised all panel operators to immediately delete traces, erase system logs, reinstall their servers, and turn off power supplies as an emergency containment measure.
This guidance particularly targeted users who had installed their infrastructure through automated management panels, as these installations were reported to be the most severely compromised.


The operational impact has been substantial. The Rhadamanthys Tor onion domain and the associated eXploit hacking forum domain have been rendered inaccessible or blocked, with users currently limited to accessing the platform through mirror links and alternative Tor routes.
The "blocked Tor website" notification appears in multiple user reports, confirming the infrastructure's current unavailability through standard access methods.
This incident represents one of the most significant disruptions to Rhadamanthys operations since the stealer’s emergence as a major threat.
The malware has been responsible for thousands of credential thefts, data exfiltration campaigns, and fraud operations across various victim organizations globally.
The timing and coordinated nature of the takeover strongly suggest a planned, multi-jurisdictional law enforcement action targeting the stealer’s core infrastructure.
The cybersecurity community has been monitoring the situation closely, with security researchers confirming the authenticity of the administrative alerts and the infrastructure status changes.
While full details of the law enforcement operation remain unclear, preliminary analysis indicates that authorities successfully obtained access to operator credentials, customer data, and control panel systems, a critical victory in disrupting cybercriminal operations.
As operators scramble to rebuild their infrastructure and threat actors assess the damage, this incident demonstrates the evolving effectiveness of coordinated international law enforcement efforts in targeting cybercriminal infrastructure at scale.