Digital shield

Operation Endgame: A major blow to global cybercrime infrastructure

In mid-November 2025, an international law-enforcement effort dealt a decisive blow to the cybercrime ecosystem. Coordinated by Europol and Eurojust, Operation Endgame successfully dismantled or disrupted 1,025 servers responsible for supporting some of the world’s most active criminal malware networks. The operation drew on the combined capabilities of authorities from Europe, North America and Australia, marking one of the most extensive cybercrime interventions to date.

The campaign specifically targeted infrastructure associated with several prominent malware-as-a-service offerings. Among the most significant were Rhadamanthys, an infostealer known for harvesting browser credentials and cryptocurrency wallet data; VenomRAT, a remote-access trojan enabling full system control; and Elysium, a large-scale botnet platform often used to deliver malicious payloads and enable initial access for further exploitation. These services have collectively fuelled global cyber-criminal activity, from enterprise breaches to attacks against critical infrastructure.

What makes this operation particularly notable is its deliberate focus on dismantling the underlying infrastructure of cybercrime rather than simply disrupting individual actors or campaigns. By removing the servers, domains and associated control systems used to manage these services, law enforcement has inflicted a much deeper, longer-term disruption on the cyber-criminal supply chain. Many of the dismantled servers were responsible for managing the infections of hundreds of thousands of devices worldwide. In some cases, operators were found to hold access to hundreds of thousands of victims’ credentials and crypto wallets.

The takedown also highlights the evolving threat landscape facing critical infrastructure organisations. While some of the malware families involved primarily target traditional IT systems, the separation between IT and OT environments continues to shrink. Botnet-driven attacks and infostealer campaigns often act as a gateway to more serious intrusions affecting industrial operations. As digital systems across sectors become increasingly interconnected, the risks to operational technology environments rise accordingly.

For defenders, Operation Endgame offers a valuable opportunity to reassess and strengthen security measures. Malware operators will undoubtedly attempt to rebuild their infrastructure, but this temporary disruption gives organisations time to harden their environments. Improving endpoint visibility, reinforcing network segmentation, reviewing credential hygiene and conducting targeted threat-hunting exercises should be top priorities. Many victims of these malware campaigns were unaware their systems had been compromised, underscoring the importance of continuous monitoring and rapid detection capabilities.

Just as crucial is the need to strengthen collaboration. Operation Endgame succeeded not only because of cross-border cooperation amongst law-enforcement agencies, but also due to the involvement of hosting providers, security researchers and private-sector intelligence teams. Organisations can similarly benefit from greater information sharing and partnerships that enhance their visibility of emerging threats.

Ultimately, while this operation represents a significant win, it is not an end to cybercrime. Criminal networks are resilient and adaptive, and history shows they recover quickly. However, by treating this moment as a catalyst for enhanced preparedness rather than a time to relax defences, organisations can reduce their exposure and improve their long-term resilience.
