A welcome press release from Europol:
Between 10 and 14 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers (Rhadamanthys), the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on 3 November 2025.
The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers. More than 30 national and international public and private parties are supporting the actions. Important contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD and Bitdefender.
The coordinated actions led to:
- 1 arrest in Greece
- 11 locations searched (1 in Germany, 1 in Greece, and 9 in the Netherlands)
- Over 1 025 servers taken down or disrupted worldwide
- 20 domains seized
Endgame doesn’t end here – think about (y)our next move
The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100 000 crypto wallets belonging to these victims, potentially worth millions of euros. Check if your computer has been infected and what to do if so at politie.nl/checkyourhack and haveibeenpwend.com.
There were actions aimed at criminal services and their criminal users. These users were directly contacted by the police and asked to share relevant information regarding infostealers via the Operation Endgame Telegram channel. In addition, the failing criminal services are exposed via the Operation Endgame website.
Command post at Europol to coordinate the operational actions
Europol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the investigation. To support the coordination of the operation, Europol organised and coordinated calls with all the countries as well as an operational sprint at its headquarters.
Over 100 law enforcement officers from Australia, Canada, Denmark, France, Germany, Greece, the Netherlands and the United States supported the coordination of the operational actions from the command post at Europol. The command post facilitated the exchange of intelligence on seized servers, suspects, and the transfer of seized data. Eurojust also assisted with the execution of a European Arrest Warrant and European Investigation Orders.
EU Member States:
- Denmark: Danish Police (Politi)
- France: National Police (Police Nationale); Public Prosecutor Office JUNALCO (National Jurisdiction against Organised Crime) Cybercrime Unit; Paris Police Prefecture (Préfecture De Police de Paris)
- Germany: Federal Criminal Police Office (Bundeskriminalamt), Public Prosecutor General’s Office Frankfurt am Main – Cybercrime Office;
- Greece: Hellenic Police (Ελληνική Αστυνομία)
- Lithuania – Lithuanian Criminal Police Bureau (Lietuvos Policijos Departamentas)
- Netherlands: National Police (Politie), Public Prosecution Office (Openbaar Ministerie)
Non-EU Member States:
- Australia: Australian Federal Police
- Canada: Royal Canadian Mounted Police; Sûreté du Québec
- The United States: Federal Bureau of Investigation, The Defense Criminal Investigative Service, United States Department of Justice