An international coalition of law enforcement agencies coordinated by Europol targeted and took down three cybercrime operations in its latest round of what authorities call “Operation Endgame.”

In a press release, Europol said that the police operation targeted the infostealing malware Rhadamanthys, a botnet called Elysium, and the remote access trojan VenomRAT. The authorities say all three “played a key role in international cybercrime.” Police seized more than 1,000 servers as part of the operation. 

Europol said police arrested the unnamed “main suspect” behind VenomRAT in Greece on November 3.

“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” the press release read. “Many of the victims were not aware of the infection of their systems.”

According to Europol, the main suspect behind Rhadamanthys had access to over 100,000 crypto wallets, “potentially worth millions of euros.”

As an infostealer, Rhadamanthys is designed to steal various kinds of information from infected devices, including passwords and cryptocurrency wallet keys. Rhadamanthys spiked in popularity in October after authorities took down the popular infostealer Lumma earlier in the year, showing that after takedowns, criminals adapt by switching to other hacking tools that may have been less well known at the time.

When Rhadamanthys launched in 2022, it initially relied on spreading through malicious Google advertisements, and later grew thanks to word-of-mouth on underground forums, according to Lumen’s Black Lotus Labs, one of the cybersecurity industry partners in Operation Endgame.

The firm wrote in a blog post that Rhadamanthys had a “dramatic uptick” and a “consistent rise in the number of victims” after the Lumma takedown, making it “the largest information-stealer malware by volume.” In October, the infostealer had compromised more than 12,000 victims, according to the firm.

Ryan English, a researcher at Black Lotus Labs, told TechCrunch that Rhadamanthys “emerged as the ‘next’ go-to infostealer” after Lumma went down.

“We know that others will take their place, so we just keep tracking to see who’s emerging from that,” said English, adding that law enforcement and the wider industry “can only do so much at any time.” 

“So in a very real sense, it’s whack-a-mole forever,” said English.
