Operation Endgame: Europol takes down cybercrime network behind global malware outbreak
"Disrupting the front end of the ransomware kill chain has a ripple effect throughout the eCrime ecosystem."
Europol has brought down a massive cybercrime network and arrested a man believed to have masterminded the feared VenomRAT remote access trojan.
Coordinated from a base in The Hague, continental enforcers mobilized on November 13 for a three-day blitz dubbed Operation Endgame that smashed infrastructure responsible for infecting hundreds of thousands of people worldwide with malware.
As well as VenomRAT, the swoop targeted the botnet Elysium and the infostealer called Rhadamanthys, which is alleged to have "played a key role in international cybercrime".
"Authorities took down these three large cybercrime enablers," Europol confirmed. "The main suspect for VenomRAT was also arrested in Greece on 3 November 2025."
Operation Endgame was a joint effort between law enforcement agencies in several European nations as well as the UK and US. Private companies also joined the action.
Overall, cops searched 11 locations: one in Germany, another in Greece and nine in the Netherlands.
"The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials," Europol added.
"Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."
Sending shockwaves through the criminal underworld

CrowdStrike was one of the companies involved in the operation. Adam Meyers, Head of Counter Adversary Operations, said: "Disrupting the front end of the ransomware kill chain — the initial-access brokers, loaders, and infostealers — instead of just the operators themselves has a ripple effect through the eCrime ecosystem.
"By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source. But disruption isn’t eradication.
"Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.
"Continued intelligence sharing between governments and private-sector partners like CrowdStrike will be key to maintaining this momentum and driving a lasting impact."
The battle is won, but the war goes on.
Other security researchers questioned whether the actions would have an enduring impact or simply slow down rather than stop the bad guys' nefarious activities.
Sergey Shykevich, Group Manager at Check Point Research, said: "On the Dark Web, discussions are already split: some believe Rhadamanthys will quickly resurface with version 0.9.3, while others see this as the beginning of the brand’s slow decline."
"Rhadamanthys evolved from a niche underground project into one of the most sophisticated and dominant infostealers of recent years - a true ‘brand’ in the cybercrime economy. Its takedown marks a major step in disrupting the malware-as-a-service ecosystem."
Operation Endgame was originally dedicated to disrupting botnets and is one of the largest operations of its kind.
Its other objectives include bringing down the infrastructure that supports ransomware attacks, targeting malware used for initial access into victim systems, seizing criminal assets, including crypto, and following up on leads to link online personas and usernames to real-life criminals.
For more information, check out the rather bizarre Europol website dedicated to publicising Operation Endgame.