Europol, Eurojust joint operation takes down over 1,025 servers used by malware operations

Europol, alongside Eurojust, has taken down over 1,025 servers used by three malware families: Rhadamanthys infostealer, VenomRAT, and the Elysium botnet malware operations.

This mission is part of the latest phase of Operation Endgame, an activity taking place between November 10 and 13, designed to dismantle criminal infrastructures and combat ransomware enablers worldwide.

In a statement, Europol said, “The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials.”

The joint action, coordinated by Europol and Eurojust, was also supported by several private partners, including Cryptolaemus, Shadowserver, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender.

Europol’s main suspect behind Venom RAT

According to Europol, many victims were unaware of infections. This has highlighted the sneaky nature of these threats. Infostealers quietly harvest login details, while RATs like VenomRAT enable remote control for espionage or ransomware deployment, and botnets like Elysium amplify distributed denial-of-service (DDoS) attacks and spam campaigns.

The joint action targeted ransomware infrastructure, the AVCheck site, Smokeloader botnet customers, and servers. It also disrupted major malware operations, such as DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.

Besides eliminating the three major cybercrime enablers, authorities have also arrested the main suspect behind Venom RAT in Greece on November 3. Additionally, more than 1,025 servers have been taken down, and 20 domains have been seized.

Infostealer had access to 100,000 crypto wallets

Today’s announcement confirms the disruption of the Rhadamanthys infostealer operation, with the malware-as-a-service’s customers stating they no longer have access to their servers.

This comes after Rhadamanthys promoted two tools on its website, called Elysium Proxy Bot and Crypt Service. The main information stealer had been updated to include the ability to collect fingerprints from devices and web browsers, among other things.

Rhadamanthys had become one of the most famous information scammers available as a malware-as-a-service (MaaS). It was first advertised by a threat actor named kingcrete2022. Version 0.9.2 of the stealer is the latest version.

Over time, the stealer’s skills have evolved to the point where they can accomplish much more than just steal data. They posed a serious threat to both personal and business security. Recorded Future revealed that version 0.7.0 of the malware had a new artificial intelligence (AI) tool for optical character recognition (OCR) that could capture crypto wallet seed phrases.

However, it is still unclear whether the Elysium botnet Europol refers to is the same proxy botnet service as RHAD security (also known as Mythical Origin Labs), the threat actor associated with Rhadamanthys, which was observed advertising as recently as last month.

Europol also revealed that the main suspect behind the infostealer had access to no less than 100,000 crypto wallets belonging to victims. That could potentially amount to millions of euros.

Authorities that participated in the effort included law enforcement agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the US. 

At the same time, the US Department of Justice (DOJ), FBI, and Secret Service created a new interagency task force to fight cryptoscams targeting Americans.

As reported by Cryptopolitan, the new task force stated that criminals running the operations often operate from compounds in Southeast Asia. Workers at the sites are mostly victims of human trafficking, held against their will, abused, and guarded by armed groups.

US Attorney Jeanine Ferris Pirro said, “Estimates because of underreporting could be as much as 15 times more than $9 billion, and it starts with the devices that you and I hold and use every day to do our banking, to enrich our lives, to communicate with our friends and our loved ones.” 

Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program