Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity.
In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
Sources
Related Stories
Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
International law enforcement agencies, coordinated by Europol and Eurojust, executed a major crackdown on the infrastructures supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation, part of the ongoing Operation Endgame, resulted in the takedown of over 1,025 servers and the seizure of 20 domains used to control and distribute these malware families. Authorities also arrested the main suspect behind VenomRAT in Greece, and the dismantled infrastructure included hundreds of thousands of infected computers and millions of stolen credentials, with many victims unaware of the compromise. The operation involved law enforcement from at least nine countries and was supported by numerous private sector partners, including cybersecurity firms and threat intelligence organizations. Rhadamanthys, a modular information stealer sold as malware-as-a-service, and VenomRAT, a commodity RAT favored by threat actors like TA558, were both widely distributed through email campaigns, malvertising, and other vectors. The Elysium botnet, less well-documented, was also linked to these operations, potentially serving as a proxy network for criminal activity. The disruption has caused significant operational issues for cybercriminals, with many reporting loss of access to their command-and-control panels and servers. Authorities have advised potential victims to check if their systems were compromised and to take remediation steps, as the takedown is expected to have a substantial impact on the cybercrime ecosystem.
4 months ago
Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the **Phobos** ransomware-as-a-service ecosystem as part of Europol-coordinated **Operation Aether**, seizing materials such as stolen credentials and access information; and **Operation Red Card 2.0** (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams. Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an **FBI warning** about a surge in **ATM jackpotting** losses and reporting on **Operation Red Card 2.0**. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed **Lotus Blossom** espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
3 weeks agoLaw Enforcement Disruption and Ransomware Group Realignment in 2025
Law enforcement agencies have intensified their efforts against major ransomware groups, leading to significant disruptions in the global ransomware ecosystem. In Q2 2025, prominent ransomware-as-a-service (RaaS) groups such as LockBit and RansomHub either ceased operations or stopped publishing victim data, resulting in a fractured landscape previously dominated by a few powerful actors. This shift was largely attributed to coordinated international law enforcement operations, which in May 2025 dismantled over 300 malicious servers, shut down more than 650 domains, and issued arrest warrants for at least 20 individuals connected to ransomware and initial access malware infrastructure. The takedown of LockBit’s infrastructure in late 2024 under Operation Cronos set a precedent, demonstrating the vulnerability of even the most prolific ransomware groups when faced with unified global action. As a result, the ransomware ecosystem became more fragmented, with smaller, agile actors attempting to fill the void left by the dismantled groups. Concurrently, the profitability of ransomware attacks has declined due to evolving regulations, including bans on ransom payments, further pressuring threat actors. Despite these setbacks, LockBit has attempted a resurgence, announcing a strategic alliance with other major ransomware groups, Qilin and DragonForce, in Q3 2025. This coalition aims to share techniques, resources, and infrastructure, potentially restoring LockBit’s reputation among affiliates and increasing the operational capabilities of all involved groups. The emergence of LockBit 5.0, capable of targeting Windows, Linux, and ESXi systems, marks a technological advancement in their toolkit, first advertised in September 2025. Qilin, now the most active ransomware group, claimed over 200 victims in Q3 2025, with a particular focus on North American organizations. The alliance between LockBit, Qilin, and DragonForce is expected to trigger a surge in attacks, especially on critical infrastructure and sectors previously considered low risk. The ongoing evolution of the ransomware threat landscape underscores the dynamic interplay between law enforcement actions and the adaptability of cybercriminal groups. The future trajectory of ransomware will likely depend on the continued effectiveness of law enforcement operations and the ability of threat actors to reorganize and innovate. Organizations are advised to remain vigilant, as the threat landscape remains volatile and unpredictable. The collaboration among major ransomware groups signals a potential escalation in both the scale and sophistication of future attacks. The global cybersecurity community must continue to coordinate efforts to counter these evolving threats and mitigate their impact on critical sectors.
5 months ago