Operation Endgame, an international law enforcement initiative targeting major cybercriminal operations, has dismantled a large network of servers used to support ransomware campaigns, botnets, infostealers, phishing activity, and other forms of organized cybercrime. Dutch authorities confirmed that thousands of servers were seized across The Hague and Zoetermeer in a coordinated international effort that involved police forces and cyber agencies across Europe, North America, and Australia.

This action continues a series of major enforcement waves launched under Operation Endgame, which began in 2022 and has evolved into one of the largest global cybercrime disruption missions to date. Earlier phases of the operation resulted in the takedown of key malware families, arrests of major operators, and the seizure of infrastructure supporting crime-as-a-service networks across multiple countries.
Servers Used for Ransomware, Botnets, and Illegal Content
The hosting company targeted this week was identified as a criminal service provider that marketed itself as a bulletproof infrastructure hub. According to Dutch police reports, the company had directly supported ransomware activity, large-scale botnets, credential harvesting operations, phishing campaigns, and the distribution of illegal content. Authorities stated that the company appeared in more than eighty cybercrime investigations since 2022 and had been offering complete anonymity to customers while openly refusing cooperation with law enforcement.
During the coordinated takedown, law enforcement removed approximately two hundred and fifty physical servers from data centers in The Hague and Zoetermeer. Because these physical machines hosted numerous virtualized environments, thousands of virtual servers used in cyberattacks and fraud schemes were simultaneously taken offline.
Global Partners and Widespread Infrastructure Seizures
Operation Endgame is a multinational partnership involving agencies in the Netherlands, Germany, Denmark, France, Belgium, the United Kingdom, the United States, Canada, and Australia. The collaboration is supported by Europol, Eurojust, and several private cybersecurity organizations. Dutch officials confirmed that nine data centers across the Netherlands were searched in recent days, alongside additional operations in Germany and Greece.
In total, more than one thousand servers were removed globally. Dutch authorities stated that eighty-three of these were located inside the Netherlands, and twenty domains connected to criminal operations were seized. One major suspect linked to VenomRAT, a remote access Trojan widely used in corporate intrusions, was arrested in Greece.
Disruption of Infostealers and Major Malware Families
The latest phase of the operation specifically targeted the infrastructure behind well-known malware ecosystems. Key takedowns include:
- Rhadamanthys, one of the most active infostealers used for credential theft and crypto wallet compromise
- VenomRAT, a remote access Trojan used to gain full control over infected systems
- The Elysium botnet, known for distributing ransomware loaders and automating large-scale attacks
Infostealers and botnets remain among the most common tools used by cybercriminals to steal login credentials, banking information, identity data, and cryptocurrency wallet secrets. Law enforcement officials estimate that these malware strains have infected more than six hundred thousand victims worldwide, and tens of millions of stolen credentials have been circulated across criminal marketplaces.
Impact on Victims and Notification System
The Dutch police announced that they have secured and isolated stolen data found on the seized servers. This includes email addresses, login information, and other personal data. Victims can now check whether their information was discovered on the compromised infrastructure by using the official Dutch police portal at politie.nl/checkjehack.
Authorities recommend that individuals check the portal again in the coming weeks because new credentials are being processed and added to the detection system as forensic work continues. The volume of seized data is significant, and analysis of the full dataset remains underway.
International Coordination and Private Sector Support
Operation Endgame involved more than thirty private and public cybersecurity partners. Organizations such as Shadowserver, Proofpoint, CrowdStrike, Trellix, Cymru, Abuse.ch, Have I Been Pwned, and multiple national CERT teams played major roles in enabling infrastructure mapping, malware intelligence, and victim notification processes.
According to Dutch officials, this collaborative model reflects a broader shift in how global cybercrime operations are disrupted. No single agency can investigate and dismantle malware networks on its own. As threat actors grow more specialized, well-funded, and globally distributed, coordinated cross-border enforcement has become essential.
Ongoing Investigations and Future Phases
Law enforcement emphasized that Operation Endgame is an ongoing effort. While significant infrastructure has been seized and multiple suspects arrested, additional operators and customers of these criminal services remain under investigation. Many users of the affected malware platforms have been directly contacted and informed that they are involved in criminal conduct, and further actions are expected.
Authorities released a seizure notice stating that anyone who operated or used services hosted on the seized infrastructure is subject to criminal investigation. The takedown banner displayed on the affected domains includes contact information for individuals seeking to report additional intelligence or clarify involvement.
Checking for Malware Infections
Individuals and organizations concerned that they may have been affected by malware linked to the seized servers should perform immediate system scans and monitor for unusual account activity. Running a full system scan with Malwarebytes can help identify infections, remove active threats, and prevent credential theft from compromised devices.
Further updates on Operation Endgame and other major cybercrime disruption events can be found in the Cybersecurity category, which features ongoing coverage of global threat activity, malware investigations, and law enforcement actions.
Sean Doyle