Operation Endgame

An unprecedented international strike under Operation Endgame has delivered one of the most significant blows yet to cyber-crime infrastructure. Coordinated by Europol, Eurojust and partner agencies, the operation disrupted the backend of major malware platforms such as Rhadamanthys (an infostealer), VenomRAT (a remote-access trojan) and Elysium (a large-scale botnet).

Key Facts

  • The latest phase resulted in the dismantling or seizure of approximately 1,025 servers and 20 domains globally.
  • Participating nations spanned Europe, North America, Australia and Canada. Over 30 private-sector partners joined the effort.
  • The infrastructure taken down supported operations that had compromised “hundreds of thousands” of machines and pilfered millions of credentials worldwide.
  • Previous phases of Operation Endgame (e.g., May 2025: 300 servers, 650 domains, €3.5 million in crypto seized) laid the groundwork for this broader disruption.

Why This Matters

  • Malware-as-a-service (MaaS) ecosystems depend on robust backend infrastructure – once those servers and domains are disrupted, the entire supply-chain from initial access to ransomware deployment is impacted.
  • Many organisations rely on threat-intelligence feeds that detect only the payload or final stage; this operation targets the delivery infrastructure itself, which dramatically shortens the window in which campaigns can operate undetected and limits their impact.
  • The breadth of the takedown shows that cyber-crime is no longer just about isolated rogue actors – it is now a global business ecosystem. Disrupting infrastructure at scale is a new frontier in cyber defence.
  • Even if some infrastructure resurfaces, the loss of trust, forced re-build costs and increased law-enforcement pressure raise the bar for future operations of this type.

What Organisations Should Do

  • Confirm that your threat-intel partners receive and integrate indicators related to Rhadamanthys, VenomRAT, Elysium, and other disrupted families.
  • Conduct hunt-passes for systems that show connections to known C2 infrastructure, infostealer artifacts on disk, or botnet behaviour consistent with victim machines.
  • Review backup and recovery systems: this takedown reduces the tail risk from some mass-infostealer campaigns, but compromised credentials may still remain in circulation.
  • Strengthen initial-access defences: patching, identity controls, phish-resistant MFA and network segmentation remain key post-payload controls.
  • Re-examine your vendor and third-party risk model: infrastructure hosting, transit providers and domain-registration services may all feed into adversary supply-chains.
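
The indicator-integration and hunt-pass items above, as an added example that is not COE Security's tooling and takes nothing from the Operation Endgame release: a Python pass that matches an indicator set (domains, IPs/CIDRs, file-path artifact patterns) against proxy-log lines and an endpoint file inventory, then lists the hosts that need triage. Every indicator, host name, IP and log line is a constructed placeholder (addresses come from the RFC 5737 documentation ranges); in a real hunt, `INDICATORS` would be populated from the feed your threat-intelligence partners distribute for Rhadamanthys, VenomRAT, Elysium and related families.

```python
"""Indicator-driven hunt-pass over proxy logs and endpoint file inventories.

Added example for this article; it is not COE Security's tooling and nothing
here comes from the Operation Endgame release. Every indicator, host name and
log line is a CONSTRUCTED placeholder (IPs are from the RFC 5737 documentation
ranges). In a real hunt, INDICATORS would be the set your threat-intelligence
partners distribute for Rhadamanthys, VenomRAT, Elysium and related families.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed indicator set (placeholders, not real IoCs).
INDICATORS = {
    "domains": {"c2-placeholder.example", "stealer-drop.example"},
    # Single addresses and CIDR blocks are both accepted.
    "ips": {"203.0.113.7", "198.51.100.0/24"},
    # Regexes over file paths for artifacts a stealer/RAT might leave behind.
    "paths": [r"\\AppData\\Roaming\\venom_placeholder\\"],
}

# Constructed proxy log lines: "<timestamp> <source host> <dst ip>:<port> <url>".
PROXY_LOGS = [
    "2025-11-13T09:12:01Z ws-0412 203.0.113.7:443 https://c2-placeholder.example/gate",
    "2025-11-13T09:12:05Z ws-0412 192.0.2.10:443 https://www.example.com/",
    "2025-11-13T09:13:44Z srv-db01 198.51.100.22:8080 http://198.51.100.22:8080/update",
    "2025-11-13T09:14:10Z ws-0099 192.0.2.10:443 https://login.example.com/",
]

# Constructed endpoint file inventory (host -> paths), e.g. from an EDR export.
ENDPOINT_FILES = {
    "ws-0412": [r"C:\Users\alice\AppData\Roaming\venom_placeholder\client.exe"],
    "ws-0099": [r"C:\Users\bob\Documents\report.docx"],
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


@dataclass(frozen=True)
class Hit:
    host: str            # machine that needs triage
    indicator_type: str  # "ip", "domain" or "path"
    indicator: str       # which indicator matched
    evidence: str        # the log line or file path that matched


def hunt_network(log_lines, indicators):
    """Match proxy-log destinations against IP/CIDR and domain indicators."""
    networks = [ipaddress.ip_network(n, strict=False) for n in indicators["ips"]]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole pass
        _ts, host, dst_ip, _port, url = m.groups()
        addr = ipaddress.ip_address(dst_ip)
        for net in networks:
            if addr in net:
                hits.append(Hit(host, "ip", str(net), line))
                break
        fqdn = urlsplit(url).hostname
        if fqdn in indicators["domains"]:
            hits.append(Hit(host, "domain", fqdn, line))
    return hits


def hunt_endpoints(inventory, indicators):
    """Match file paths against artifact regexes (case-insensitive, as on Windows)."""
    patterns = [re.compile(p, re.IGNORECASE) for p in indicators["paths"]]
    hits = []
    for host, paths in inventory.items():
        for path in paths:
            for pat in patterns:
                if pat.search(path):
                    hits.append(Hit(host, "path", pat.pattern, path))
    return hits


def hosts_to_triage(hits):
    """Unique hosts with at least one hit, sorted for a stable report."""
    return sorted({h.host for h in hits})


def run_hunt(log_lines=PROXY_LOGS, inventory=ENDPOINT_FILES, indicators=INDICATORS):
    """Network and endpoint passes combined into one hit list."""
    return hunt_network(log_lines, indicators) + hunt_endpoints(inventory, indicators)


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"{hit.host}: {hit.indicator_type} match on {hit.indicator} <- {hit.evidence}")
    print("hosts to triage:", hosts_to_triage(run_hunt()))
```

The two passes are kept separate because they are fed by different telemetry (proxy or DNS logs versus an EDR file inventory); a host that appears in both, as the constructed `ws-0412` does here, is the first one to isolate and image. Malformed log lines are skipped rather than fatal, since a hunt over real exports should finish and report what it could parse.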

Conclusion

Operation Endgame’s latest phase marks a watershed moment in the fight against cyber-crime infrastructure. By dismantling over a thousand servers and targeting malware delivery platforms at their core, law-enforcement and industry have shown that cyber-criminal supply-chains can be disrupted. However, the work is not done – organisations must continue to invest in both proactive intelligence and reactive readiness to make the most of this momentum.

About COE Security

COE Security partners with organisations in financial services, healthcare, retail, manufacturing and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services

In light of operations such as Operation Endgame, COE Security also provides malware-infrastructure disruption analysis, server-hunt readiness, credential-theft exposure assessments, and supply-chain visibility programmes. Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay updated and cyber safe.