Infostealers and botnets are used to steal sensitive personal data, such as passwords and banking details, from devices worldwide. Cybercriminals purchase botnets, large networks of infected computers, to take control of these computers and transfer data to their own servers. A RAT is software that enables criminals to control registered computers remotely, thereby gaining full control over the digital system.

By targeting the infostealer and botnet, authorities, together with multiple private cybersecurity organisations, took down a criminal infrastructure that is critical for several cybercriminals’ businesses. Rhadamanthys, an infostealer that surfaced on cybercrime forums in 2022, has since turned into a commercial ‘malware-as-a-service’ offering. It steals data from browsers, emails, messaging apps and cryptocurrency wallets, among others. VenomRAT, the RAT that was taken down this week, delivered its malware through phishing emails containing malicious attachments or links. It also used fake antivirus pages to trick its victims.

The actions taken this week resulted in the takedown of 1025 servers worldwide and the seizure of 20 domain names used by cybercriminals. The main suspect connected to the RAT was arrested in Greece. Eleven searches were conducted to gather information and collect evidence. Authorities found login data from more than 100 000 cryptocurrency wallets during the actions. They were stolen from victims but not yet used to steal assets .

Since 2022, Operation Endgame has brought together law enforcement and judicial authorities from 10 different countries to target botnets, infostealers and RATS. By working together continuously, authorities aim to halt the malware used by criminals to steal sensitive data from millions of people worldwide. The actions of Operation Endgame focus on interrupting the kill chain of ransomware attacks as early as possible.

Judicial authorities work together through Eurojust to exchange information and synchronise their actions. During this week’s actions, Eurojust deployed an expert to assist with on-the-spot judicial requests from the authorities involved and allowed real-time communication between the investigating prosecutors.

Europol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the investigation.

The actions were carried out by the following authorities:

• Germany: German Federal Criminal Police Office (BKA); Public Prosecutor General's Office Frankfurt am Main - Cybercrime Office
• France: PPO Paris Cybercrime unit J3; Investigative judges JUNALCO; BL2C (Cyber unit of Paris Police Prefecture); OFAC (Central Office against cybercrime)
• Netherlands: Netherlands Public Prosecution Service (National Office); Netherlands Police
• Denmark: Danish Prosecution Service; Danish Police
• United Kingdom: National Crime Agency (NCA)
• United States: Department of Justice; Federal Bureau of Investigation; Defense Criminal Investigative Service
• Australia: Australian Federal Police (AFP)
• Canada: Royal Canadian Mounted Police (RCMP); Sûreté du Québec