Operation Endgame Dismantles Global Malware Network With Access to 100,000 Crypto Wallets

European law enforcement has delivered a crushing blow to international cybercrime infrastructure in the latest phase of Operation Endgame, a coordinated action that dismantled malware networks responsible for compromising over 100,000 cryptocurrency wallets. The operation, coordinated through Europol headquarters in The Hague between November 10 and 13, marks one of the most significant takedowns targeting digital asset theft to date.

The Exploit Mechanics

The operation targeted three primary cybercrime enablers: the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet. Each tool served a distinct role in the criminal ecosystem. Rhadamanthys specialized in harvesting credentials from cryptocurrency wallets and browser extensions, silently exfiltrating private keys and seed phrases from infected machines. VenomRAT provided persistent remote access to compromised systems, allowing attackers to monitor crypto transactions in real time and intercept two-factor authentication codes. The Elysium botnet functioned as the distribution backbone, automating the deployment of malicious payloads across hundreds of thousands of endpoints worldwide.

Investigators confirmed that the primary Rhadamanthys suspect maintained access to over 100,000 victim cryptocurrency wallets, with potential losses valued at millions of euros. The malware operated through sophisticated delivery chains, often disguised as legitimate software downloads or embedded in phishing emails that mimicked communications from major cryptocurrency exchanges.

Affected Systems

The scope of the operation spanned three continents and involved coordinated raids and technical interventions across multiple jurisdictions. In Greece, authorities arrested the primary suspect behind VenomRAT, whose malware had been sold as a service to other criminal operators. In Germany and the Netherlands, investigators executed search warrants at locations linked to botnet infrastructure. The technical takedown involved disrupting 1,025 servers worldwide and seizing 20 domains used for command-and-control operations.

Cryptocurrency users represented a significant portion of the victim pool. The Rhadamanthys infostealer specifically targeted popular browser-based wallets including MetaMask, Phantom, and Coinbase Wallet extensions, along with desktop applications like Electrum and Exodus. Attackers harvested not only wallet credentials but also stored passwords, session cookies, and autofill data that could be used to bypass exchange security measures.

The timing of the takedown is notable given the broader security landscape in November 2025. The crypto sector has already suffered over $161 million in losses from various exploits this month alone, including the $128 million Balancer-related vulnerability on Berachain and the $93 million Stream Finance collapse. Bitcoin trades at $91,465 and Ethereum at $3,023 as the market digests both the security incidents and the enforcement action.

The Mitigation Strategy

Operation Endgame was a joint effort spearheaded by Europol and Eurojust, bringing together law enforcement from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. Over 30 public and private partners contributed technical intelligence, including Cryptolaemus, Shadowserver, Proofpoint, and Bitdefender. The coalition employed advanced threat intelligence sharing, sinkholing of command-and-control infrastructure, and coordinated legal action across jurisdictions.

Authorities have established a dedicated website and Telegram channel for Operation Endgame, where victims can check whether their systems were affected and receive guidance on remediation steps. Europol has emphasized that this operation is ongoing, with continued efforts to identify both the operators and users of the criminal services.

Lessons Learned

The scale of the Rhadamanthys compromise underscores a persistent vulnerability in cryptocurrency security: the human factor. Despite advances in hardware wallets and multi-signature solutions, many users continue to store significant amounts of digital assets in browser-based wallets that remain susceptible to infostealer malware. The fact that a single suspect gained access to over 100,000 wallets illustrates how efficiently modern malware can aggregate credentials at scale.

The operation also highlights the growing sophistication of law enforcement in tracing and disrupting cybercrime infrastructure that targets cryptocurrency users. International coordination across 11 countries demonstrates that jurisdictional boundaries, long considered a shield for cybercriminals, are becoming less effective as agencies improve their cooperation mechanisms.

User Action Required

If you have used a browser-based cryptocurrency wallet at any point in 2025, consider the following immediate steps. Run a full system malware scan using reputable security software. Change the passwords and revoke active sessions on all cryptocurrency exchange accounts. Migrate funds from browser-based wallets to hardware wallets such as Ledger or Trezor. Enable hardware-based two-factor authentication using devices like YubiKey rather than SMS or authenticator apps, which can be intercepted by remote access trojans. Verify that your browser extensions are downloaded only from official stores and review the permissions granted to each extension regularly.

For enterprise users managing crypto assets, implement endpoint detection and response solutions, enforce strict browser extension policies, and conduct regular security awareness training focused on infostealer attack vectors. The threat landscape has evolved — your security practices must evolve with it.
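As an added example that is not part of the original article, the extension permission review and enterprise allowlist check from the steps above, written as a Python audit of Chromium-style extension manifests (`Extensions/<id>/<version>/manifest.json`). The sample manifests, extension ids and allowlist are constructed, and the high-risk permission list is an illustrative assumption rather than a published standard.

```python
import json
from pathlib import Path

# Permissions that give an extension reach into session cookies, clipboard
# contents or raw traffic. Illustrative list, not an exhaustive one.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "clipboardRead", "debugger", "nativeMessaging", "proxy"}
# Host patterns that grant access to every page, wallet and exchange sites included.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict, ext_id: str, allowlist=None) -> dict:
    """Return the risk findings for one extension manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # Manifest V3 lists hosts separately; V2 mixes host patterns into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site")
    if allowlist is not None and ext_id not in allowlist:
        findings.append("not in enterprise allowlist")
    return {"id": ext_id, "name": manifest.get("name", "?"), "findings": findings}

def audit_profile(extensions_dir: Path, allowlist=None) -> list:
    """Audit every extension under a Chromium profile's Extensions/<id>/<version>/ tree."""
    results = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        results.append(audit_manifest(manifest, path.parent.parent.name, allowlist))
    return results

# Constructed sample manifests standing in for three installed extensions.
SAMPLE_MANIFESTS = {
    "ext-notes": {"name": "Tab Notes", "manifest_version": 3, "permissions": ["storage"]},
    "ext-airdrop": {"name": "Airdrop Claim Helper", "manifest_version": 3,
                    "permissions": ["cookies", "clipboardRead", "scripting"],
                    "host_permissions": ["<all_urls>"]},
    "ext-ticker": {"name": "Legacy Price Ticker", "manifest_version": 2,
                   "permissions": ["tabs", "https://*/*"]},
}
ALLOWLIST = {"ext-notes"}  # constructed: what an enterprise extension policy would permit

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        r = audit_manifest(manifest, ext_id, ALLOWLIST)
        print("FLAG" if r["findings"] else "ok  ", r["name"], "; ".join(r["findings"]))
```

Point `audit_profile` at a real profile's Extensions directory to run the same check over installed extensions; an extension flagged for broad host access plus cookie or clipboard permissions deserves the same scrutiny as an unknown executable.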

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified security professionals regarding your specific situation.

11 thoughts on “Operation Endgame Dismantles Global Malware Network With Access to 100,000 Crypto Wallets”

  1. 100K compromised wallets from one Rhadamanthys suspect. The scale of infostealer operations dwarfs what most people imagine.

    1. Europol coordinated this across multiple countries in November. Hitting three malware families at once shows how connected the cybercrime ecosystem really is.

    1. Ingrid Larsen

      Rhadamanthys harvesting seed phrases through fake software downloads is exactly why you verify download sources and use hardware wallets.

      1. Ingrid Larsen, verifying download sources sounds basic, but even experienced users skip it. Hardware wallets are the actual safety net here.

    1. malware_hunt_

      100K compromised crypto wallets from a single suspect. The scale of infostealer operations is staggering, and most victims never know until it's gone.

      1. 100K wallets from one suspect, and that's just the ones they found. Infostealers operate for months before detection. The real number is probably 3x.

  2. Rhadamanthys alone harvesting seed phrases through fake download pages. And people still click random links in Telegram groups to claim airdrops.
