Team Cymru Supports Europol in Takedown of Three Key Cybercriminal Tools as Part of Operation Endgame
In support of Team Cymru’s mission to Save and Improve Human Lives, we are honored to have provided material support and coordination with international law enforcement in the takedown of three key cybercriminal tools. The takedowns, part of Operation Endgame, disrupted the infrastructure of the infostealer Rhadamanthys, the remote access Trojan VenomRAT, and the botnet Elysium.
This operation, coordinated by Europol and Eurojust, included the participation of more than 30 national and international private and public parties. Coordinated action led to the takedown or disruption of 1,025 malicious servers, the seizure of 20 domains, physical searches in 11 locations in Europe, and the arrest in Greece of the main suspect behind VenomRAT.
The dismantled Rhadamanthys, VenomRAT, and Elysium infrastructure consisted of hundreds of thousands of infected machines globally. This malware was responsible for the theft of hundreds of thousands of credentials and the compromise of over 100,000 cryptocurrency wallets, thought to contain the equivalent of millions of dollars.
Team Cymru’s Contributions
Working alongside more than 30 national and international public and private parties, Team Cymru contributed to this phase of Operation Endgame by identifying Rhadamanthys’ backend and management infrastructure using our netflow data, in addition to other datasets in Team Cymru's Scout platform. Our specialized analysts worked with partner organizations to map out infrastructure across shared data, helping to drive forward collaboration in public-private partnerships.
Our analysts also used our netflow to investigate operator behaviors, as well as to identify personal infrastructure they used to interact with Rhadamanthys’ infrastructure and conduct other activities.
These contributions helped to identify Rhadamanthys’ infrastructure setup, how the actors were utilizing it, the methods of their interactions, and other connections from the host that warranted further investigation. This collaboration helped lead to the identification of communications between the malware and upstream infrastructure, contributing to Operation Endgame's goal of disrupting and taking down cybercriminal activities.
Details of the Disrupted Malware
Operation Endgame is a multi-year and multi-phase operation. In 2024, the first phase of Operation Endgame was the largest ever operation against botnets. Earlier this year, Operation Endgame carried out a second phase targeting individuals in the ransomware ecosystem.
This latest phase, carried out from November 10 to November 13, focused on the disruption and takedown of Rhadamanthys, VenomRAT, and Elysium.
Rhadamanthys
Rhadamanthys is an infostealer designed to harvest information from infected machines. This malware leveraged plugins, allowing the operators of the tool to swap in and out different modules from a remote server to customize Rhadamanthys to the target environment.
Rhadamanthys became a dominant tool in the cybercriminal underground, attracting interest from a range of customers. The operators of Rhadamanthys offered customers various subscription tiers, which included, at higher levels, dedicated hosting to support criminal operations.
Elysium
Elysium was a brand new proxy botnet service offered by the developers of Rhadamanthys. The tool allegedly offered purchasers the ability to construct their own professional reverse proxy network.
VenomRAT
VenomRAT is a remote access Trojan used for a range of activities, including information theft, user monitoring, and remote control of infected systems. Information routinely targeted by VenomRAT included credit card numbers, cryptocurrency wallet login information, browser data, account passwords, autofill information, cookies, and various text data formats.
Team Cymru’s Ongoing Commitment to Dismantling Cybercrime
Team Cymru’s contributions to this phase of Operation Endgame are just one part of an ongoing commitment to dismantling cybercriminal infrastructure and protecting communities globally. At the end of 2023 and in the middle of 2024, Team Cymru contributed infrastructure intelligence, threat validation, and attribution at scale to the Synergia series (Operation I and Operation II), leading to the dismantling of tens of thousands of cybercrime servers associated with phishing operations, information stealers, and ransomware.
In November 2024, and then in August 2025, Team Cymru participated in Operation Serengeti and Operation Serengeti 2.0. These operations targeted ransomware actors, investment fraud rings, human trafficking networks, and business email compromise (BEC) schemes, leading to the dismantling of tens of thousands of malicious infrastructures, the recovery of tens of millions of dollars, and the arrest of thousands of criminals. Team Cymru also participated in Operation Endgame I and Operation Endgame II, helping to disrupt the versatile and persistent Trojan DanaBot.
Team Cymru is honored to continue to collaborate on international efforts with partners like INTERPOL, Europol, and other global stakeholders. Participation in these operations continues to build public-private partnerships and accelerates the disruption of malicious activity online and its real-world effects offline.
Next steps
If you believe you may have been impacted by Rhadamanthys, VenomRAT, or Elysium, check your email at thespolitie.nl/checkyourhack and haveibeenpwned.com to see if you have been infected and learn mitigations to take.



