Law enforcement agencies worldwide, coordinated by Europol, have dismantled three major cybercrime operations in a recent crackdown dubbed “Operation Endgame.” The targets included the Rhadamanthys infostealer, the Elysium botnet, and the VenomRAT remote access trojan — all key players in international cybercrime. Over 1,000 servers were seized during the operation, and one primary suspect behind VenomRAT was arrested in Greece on November 3.
The operation highlights a critical reality: dismantling cybercrime infrastructure is a continuous battle, often described as a “whack-a-mole” scenario. Once one threat is neutralized, another rapidly emerges to take its place.
The Targets: What Were They Doing?
Rhadamanthys is an infostealer designed to extract sensitive data from infected devices, including passwords and cryptocurrency wallet keys. The malware gained prominence after the takedown of Lumma, another popular infostealer, in early 2023. By October, Rhadamanthys had compromised over 12,000 victims, making it one of the most widespread information-stealing malware in circulation. The suspect behind Rhadamanthys had access to over 100,000 crypto wallets, potentially worth millions of euros.
Elysium operated as a botnet, a network of compromised computers controlled remotely by attackers. Botnets are used for a variety of malicious activities, including distributed denial-of-service (DDoS) attacks and spam campaigns.
VenomRAT is a remote access trojan (RAT) that allows attackers to gain full control over infected systems. RATs are often used for espionage, data theft, and deploying additional malware.
The Cycle of Adaptation
The rise of Rhadamanthys after Lumma’s takedown illustrates a key trend in cybercrime: criminals adapt quickly. When one tool is neutralized, another emerges, often less well-known at first, to fill the void. This is why law enforcement and cybersecurity firms describe the fight as endless.
Rhadamanthys initially spread through malicious Google advertisements before gaining traction on underground forums. The malware’s dramatic increase in victims after Lumma’s takedown underscores how easily criminals can pivot to new tools.
The “Whack-a-Mole” Reality
Ryan English, a researcher at Black Lotus Labs, explains that this is a fundamental challenge in cybercrime. “We know that others will take their place, so we just keep tracking to see who’s emerging from that,” he said. The industry can only disrupt threats as they emerge, but the underlying problem remains: criminals will always find new ways to exploit vulnerabilities.
The dismantling of these operations is a significant victory for law enforcement, but it doesn’t solve the larger issue. The threat landscape is constantly evolving, and new malware strains will inevitably emerge to replace the ones that have been taken down.
Why This Matters
The ongoing cycle of takedowns and reemergence highlights the need for a more proactive approach to cybersecurity. Simply disrupting existing threats isn’t enough; organizations and individuals must prioritize prevention, education, and robust security practices. The battle against cybercrime isn’t just about catching criminals; it’s about reducing the opportunities for them to succeed in the first place.
The fact that Rhadamanthys quickly filled the void left by Lumma shows that technical disruption alone won’t win the war. The underlying problem of weak security practices, phishing attacks, and unpatched vulnerabilities remains.
Ultimately, the fight against cybercrime is a marathon, not a sprint. Law enforcement and the cybersecurity industry must continue to adapt and innovate, but individuals and organizations must also take responsibility for their own security
