End of the game for cybercrime infrastructure: 1025 servers taken down
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated
from Europol’s headquarters in The Hague. The actions targeted one of the biggest
infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium,
all of which played a key role in international cybercrime.
Authorities took down these three large cybercrime enablers.
The main suspect for VenomRAT was arrested in Greece on 3 November 2025.
The infrastructure dismantled during the action days was responsible for infecting
hundreds of thousands of victims worldwide with malware. The dismantled malware
infrastructure consisted of hundreds of thousands of infected computers containing
several million stolen credentials. Many of the victims were not aware of the infection
of their systems. The main suspect behind the infostealer had access to over 100.000
crypto wallets belonging to these victims, potentially worth millions of euros.
Check if your computer has been infected and what to do if so:
https://www.politie.nl/checkyourhack and https://haveibeenpwned.com.
Operation ENDGAME strikes again: the ransomware kill chain broken at its source
Cybercriminals around the world have suffered a major disruption after
law enforcement and judicial authorities, coordinated by Europol and Eurojust,
dismantled key infrastructure behind the malware used to launch ransomware attacks.
From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650
domains, and issued international arrest warrants against 20 targets, dealing a
direct blow to the ransomware kill chain.
In addition, EUR 3.5 million in cryptocurrency was seized during the action week,
bringing the total amount seized during Operation Endgame to EUR 21.2 million.
This latest phase of Operation ENDGAME follows on from the largest-ever
international action against botnets in May 2024. It targeted new malware variants
and successor groups that re-emerged after last year’s takedowns, reinforcing
law enforcement’s capacity to adapt and strike back – even as cybercriminals
retool and reorganise.
Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns
In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet,
operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches,
arrest warrants or ‘knock and talks’. Superstar used his botnet to run a pay-per-install service,
enabling customers to gain access to victims’ machines.
Customers used the service to deploy malware
for their own criminal activities. Investigations revealed that botnet access was purchased for a
range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more.
Law enforcement tracked down the customers as they were registered in a database seized during
Operation Endgame.
Robust international actions against illicit virtual currency exchanges
Operation Endgame continues taking actions to disrupt the cybercriminal ecosystem. In the last week,
multiple cryptocurrency exchanges were taken offline by international law enforcement agencies and
judicial authorities. These service providers facilitated many different criminal financial flows, such
as ransomware.
Money laundering facilitates all kinds of serious crime and enables criminals to stay out of reach of
investigative authorities. Service providers have an obligation to investigate whether money may have a
criminal origin. Knowingly accepting cryptocurrencies derived from crime and thus facilitating money
laundering is always punishable by law.
Several botnets dismantled in largest international operation
During a joint action by international law enforcement agencies and judicial authorities several botnets
that played a key role in cybercrime were dismantled. Four arrests were made and sixteen premises were
searched worldwide over the past few days. Additionally, eight summons were served against suspects. Many
national and international organisations in the public and private sectors also played an important role in
this operation.
The operation enabled us to simultaneously take down these botnets and disrupt the infrastructure used by
cybercriminals. Botnets are used for different types of cybercrime, for example ransomware. The dismantled
botnets consisted of millions of infected computer systems.
Many of the victims were not aware of the infection of their systems. The estimated financial loss these
criminals have caused to companies and government institutions amounts to hundreds of millions of euros.
This large-scale action is called Operation Endgame.
Operation Endgame does not end today. New actions will be announced on this website.
If you have information about the suspects in Operation Endgame, feel free to contact us
