Rhadamanthys malware admin rattled as cops seize a thousand-plus servers

Summary

International law enforcement dismantled major infrastructure linked to the Rhadamanthys infostealer in coordinated raids from 10–13 November 2025. Authorities seized 1,025 servers as part of Operation Endgame, coordinated by Europol and Eurojust, disrupting botnet and malware infrastructure that harvested millions of credentials and crypto-wallet data worldwide.

Key Points

  • Law enforcement seized 1,025 servers tied to Rhadamanthys during coordinated raids (10–13 Nov 2025).
  • Operation Endgame — run by Europol and Eurojust with partners like Shadowserver — exposed >525,000 infections (Mar–Nov 2025) across 226 countries and ~86 million stolen records.
  • Officials say the Rhadamanthys operator had access to over 100,000 crypto wallets, potentially worth millions of euros.
  • Infrastructure for Elysium botnet and VenomRAT was also disrupted; one VenomRAT suspect arrested in Greece and multiple locations searched in Germany, Greece and the Netherlands.
  • The malware admin told customers to “stand down” hours before the onion site went dark; infrastructure disruption does not yet mean all suspects are in custody.
  • Security firms such as Proofpoint reported a surge in Rhadamanthys activity in 2025; distribution methods included malicious emails, web injects and malvertising.

Content Summary

Operation Endgame teams, supported by organisations including the Shadowserver Foundation, accessed Rhadamanthys databases showing extensive global infections and harvested data. The takedown revealed that the primary operator was selectively skimming the most valuable information — including crypto keys — while selling lesser data to customers, a tactic captured in an Operation Endgame animated video released with the operation’s announcement.

Alongside Rhadamanthys, authorities disrupted Elysium and VenomRAT infrastructure; one individual suspected in the VenomRAT campaign was arrested in Greece earlier in November. Police searched 11 sites across several European countries as part of the enforcement actions. While infrastructure has been seized and some suspects identified, many operators and customers remain at large and the investigation is ongoing.

Context and relevance

This takedown is a high-profile example of sustained international cooperation against malware-as-a-service ecosystems. It highlights how infostealers remain a major conduit for credential theft, fraud and crypto-theft, and shows law enforcement can both disrupt infrastructure and gather intelligence on criminal marketplaces. For security teams and incident responders, the operation is a reminder to prioritise detection of infostealer behaviours and to assume stolen credentials and wallet keys may be in circulation after such campaigns.

Why should I read this?

Because this isn’t small fry — it’s a big, cross-border hit on one of the credential-stealing toolsets that has been booming this year. If you look after logins, crypto wallets, or incident response, this story tells you what crooks were doing, what got wiped out and what gaps might still be open. Quick skim, big payoff.

Author style

Punchy — the piece cuts to the chase: a large-scale, multinational disruption that reveals both the scale of data theft and the continued risk to organisations and individuals. Read the detail if you want the numbers and the implications; it’s relevant.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/13/rhadamanthys_takedown/