A massive international law enforcement coalition, coordinated by Europol and Eurojust, has dealt a decisive blow to global cybercrime. The latest action, branded as “Season 3″ of Operation Endgame, was carried out between November 10 and 14, 2025.
The operation involved a joint effort between law enforcement and judicial authorities from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. They were supported by over 30 national and international private partners, including Proofpoint, Shadowserver, and HaveIBeenPwned.
The action targeted three large-scale cybercrime enablers:
Rhadamanthys: One of the world’s biggest “infostealers,” notorious for stealing passwords, credentials, and cryptocurrency.
VenomRAT: A powerful Remote Access Trojan (RAT) used by criminals to take full control of victim computers.
Elysium: A botnet used to manage and control fleets of infected devices.
The coordinated actions resulted in 1 arrest in Greece (the main suspect for VenomRAT), 11 locations searched across Germany, Greece, and the Netherlands, over 1,025 servers taken down or disrupted, and 20 domains seized.
The operation’s website, operation-endgame.com, was updated with a new animated video titled “S03E01.” The video mockingly portrays the “Rhadamanthys Stealer Factory” as a criminal enterprise run by a cartoon “Director” who hoards stolen information.
The video ends with a depiction of law enforcement destroying the factory with a bulldozer and writing a new to-do list:
- Take down Rhadamanthys
- Identify Director
- Identify customers
In a direct message to the cybercriminals, the operation’s website states: “Welcome back to The Endgame… We never left… We’ll be listening. And watching. Think about (y)our next move.”
The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. According to Europol, many victims were not even aware of the infection.
The main suspect behind the Rhadamanthys infostealer alone had allegedly gained access to over 100,000 cryptocurrency wallets belonging to victims, with a potential value in the millions of euros.
As depicted in the operation’s video, the types of data targeted by the stealer include:
- Usernames & Passwords
- Recovery Keys
- Screen-shots
- Cryptocurrency wallets
- Client data
- Access to control panels
To coordinate the operational actions, a command post was set up at Europol’s headquarters. Over 100 law enforcement officers from Australia, Canada, Denmark, France, Germany, Greece, and the United States were present to facilitate information exchange, crypto-tracing, and forensic support.












