The Register

Rhadamanthys malware admin rattled as cops seize a thousand-plus servers

International cops have pulled apart the Rhadamanthys infostealer operation, seizing 1,025 servers tied to the malware in coordinated raids between November 10-13.

The infrastructure takedown, part of the long-running Operation Endgame coordinated by Europol and Eurojust, affected hundreds of thousands of infected computers containing several million stolen credentials worldwide.

“Many of the victims were not aware of the infection of their systems,” the operation said.

Today’s announcement confirms recent reports of a Rhadamanthys takedown after cybercrime forums reported European law enforcement had seized its infrastructure.

The malware’s administrator told customers to down tools “for safety reasons” on November 11, hours before the operation’s onion site went dark.

In typical Operation Endgame fashion, officials released a smug animated video hinting at intelligence gathered during the operation. The video depicts a lone administrator allegedly skimming the most valuable secrets and cryptocurrency keys for personal gain, passing only less lucrative data to customers — a tactic designed to undermine trust within criminal organizations.

According to the Shadowserver Foundation, which assisted in the enforcement action, officials accessed a Rhadamanthys database revealing more than 525,000 infections between March and November 2025 across 226 countries, collecting over 86 million individual records.

“The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros,” the Operation Endgame team said in a statement.

While infrastructure was disrupted, the administrator and customers remain at large. The animated video ends with a call for public help identifying those involved.

First spotted in 2022, Rhadamanthys quickly became a go-to credential theft tool in the criminal underground. According to Proofpoint, access cost $300-500 monthly, with bespoke configurations available at higher prices. Criminals typically distributed it via emails, web injects, and malvertising campaigns.

Proofpoint reported more Rhadamanthys activity in 2025 than in any other previous year, attributing the surge to increased use of compromised websites for malware delivery.

The operation also targeted the Elysium botnet and VenomRAT malware, seizing their infrastructure and arresting one suspect — VenomRAT’s “main suspect” — in Greece on November 3. Police searched 11 locations: one in Germany, one in Greece, and nine in the Netherlands.

Launched in 2024, Operation Endgame has repeatedly targeted malware and the botnets used to distribute it. ®