Operation Endgame Continues: CrazyRDP Bulletproof Hoster Dismantled as Dutch Police Seize Thousands of Servers in Coordinated Cybercrime Crackdown
THE HAGUE — In a major escalation of the international Operation Endgame cybercrime offensive, Dutch police have seized thousands of servers owned by CrazyRDP, a notorious bulletproof hosting provider implicated in 80 law enforcement investigations spanning cybercrime operations and child sexual abuse material (CSAM) distribution. The operation marks the latest and most significant phase of the ongoing global effort to dismantle the infrastructure enabling ransomware, malware distribution, and organized cybercrime.
Between November 10-13, 2025, coordinated raids across 11 locations in the Netherlands, Germany, and Greece resulted in the seizure of 1,025 servers and 20 criminal domains associated with three major malware operations: Rhadamanthys (a sophisticated infostealer), VenomRAT (a Remote Access Trojan), and Elysium (a botnet). The operation, coordinated by Europol and Eurojust from The Hague, represents the most comprehensive action yet against the cybercrime infrastructure that has caused hundreds of millions of dollars in global damages.
CrazyRDP's infrastructure is now completely offline—both the website and the autonomous system number (ASN) used to host CrazyRDP nodes have been taken down, severing the digital lifeline for hundreds of criminal operations that relied on the bulletproof hoster's promise of immunity from law enforcement action.
The main suspect behind VenomRAT was arrested in Greece on November 3, 2025, and authorities report that this individual had access to more than 100,000 cryptocurrency wallets, potentially representing millions of euros in stolen assets.
The Significance: Operation Endgame's Expanding Scope
Operation Endgame, which began in 2022, has evolved from targeting individual malware families to dismantling the entire cybercrime ecosystem that supports ransomware operations, data theft, and digital extortion.
"By taking down the criminal infrastructure, the entire business model of many cybercriminals has been disrupted," said Stan Duijf, head of Operations at the Netherlands' National Law Enforcement and Intervention Unit. "Operation Endgame, started in 2022, is the largest international effort ever to combat ransomware and cybercrime globally."
This latest phase builds on the momentum of previous Operation Endgame actions. As we documented in our comprehensive analysis, Operation Endgame Strikes Again: 1,025 Servers Dismantled in Coordinated Takedown of Rhadamanthys, VenomRAT, and Elysium, the operation has systematically targeted the infrastructure that enables cybercrime rather than merely chasing individual threat actors.
Operation Endgame Timeline: A Multi-Phase Offensive
Phase 1 (May 2024): The Foundation
- Targeted dropper malware ecosystem including IcedID, SystemBC, Pikabot, SmokeLoader, and Bumblebee
- Took down over 100 servers worldwide
- Resulted in four arrests
- Established the operational framework for coordinated international action
Phase 2 (May 2025): Expanding the Offensive
- Dismantled 300 servers worldwide
- Neutralized 650 domains
- Issued international arrest warrants against 20 targets
- Disrupted Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie
Phase 3 (November 2025): The CrazyRDP Takedown
- 1,025 servers seized (83 in the Netherlands alone)
- 20 criminal domains taken offline
- 11 coordinated searches across three countries
- CrazyRDP bulletproof hosting infrastructure completely dismantled
- Main VenomRAT suspect arrested with access to 100,000+ cryptocurrency wallets
- Targeted Rhadamanthys, VenomRAT, and Elysium—the latest generation of malware threats
Cumulative Impact:
- Over 1,425 servers taken offline across all phases
- 670+ domains neutralized
- More than 600,000 infected computers worldwide identified and remediated
- 20+ international arrest warrants issued
- Critical infrastructure supporting the ransomware kill chain destroyed
CrazyRDP: The Bulletproof Hoster Shielding Cybercrime
What is Bulletproof Hosting?
Bulletproof hosting (BPH) represents the backbone of the modern cybercrime ecosystem—technical infrastructure services provided by internet hosting providers that are deliberately resilient to complaints of illicit activities.
Unlike legitimate hosting providers that respond to abuse complaints and law enforcement requests, bulletproof hosters:
Core characteristics:
- Ignore abuse complaints from victims and security researchers
- Refuse to cooperate with law enforcement takedown requests
- Actively shield criminal operations through technical obfuscation
- Advertise complete anonymity and protection from authorities
- Accept cryptocurrency payments to obscure financial trails
- Provide rapid infrastructure replacement when services are disrupted
Technical methods employed:
- Fast-flux DNS hosting: Constantly rotating IP addresses to evade detection and blocking
- Distributed infrastructure: Spreading servers across multiple jurisdictions to complicate legal action
- Proxy and gateway layers: Routing malicious traffic through ever-shifting intermediary servers
- Purchased IP address ranges: Acquiring legitimate-appearing network infrastructure
- Encryption and obfuscation: Making content analysis difficult for security researchers
The cybercrime-as-a-service model:
Bulletproof hosting enables the cybercrime-as-a-service ecosystem by providing:
- Infrastructure for ransomware operations: Command and control servers, data exfiltration endpoints, payment portals
- Malware distribution platforms: Hosting malicious payloads beyond the reach of takedowns
- Phishing infrastructure: Spoofed websites and credential harvesting pages
- Illegal marketplaces: Platforms for drug trafficking, stolen data sales, and CSAM
- DDoS command and control: Botnets coordinating distributed denial-of-service attacks
CrazyRDP's Criminal Ecosystem
CrazyRDP operated as a sophisticated bulletproof hosting provider serving the international cybercrime community with infrastructure specifically designed to resist law enforcement action.
Known criminal uses:
- 80+ law enforcement investigations: CrazyRDP infrastructure was identified in at least 80 ongoing criminal investigations across multiple countries
- Ransomware operations: Hosting command and control infrastructure for ransomware groups
- Malware distribution: Serving as the backbone for Rhadamanthys, VenomRAT, and Elysium campaigns
- Child sexual abuse material: Distribution platforms for CSAM networks
- Data exfiltration: Endpoints for stolen credentials and sensitive information
- Cryptocurrency theft: Infrastructure supporting cryptojacking and wallet draining operations
Business model:
CrazyRDP marketed itself as "DMCA ignored hosting" and "offshore hosting", clear signals to cybercriminals that the service would not respond to legal complaints. The company offered:
- Virtual private servers (VPS) with various operating systems
- Remote Desktop Protocol (RDP) access for anonymous operations
- Cryptocurrency payment options for operational security
- Rapid deployment and replacement of compromised infrastructure
- Minimal identification requirements for customers
The scale of operations:
The seizure of thousands of servers indicates CrazyRDP operated one of the largest bulletproof hosting infrastructures in the cybercrime ecosystem. By comparison:
- Previous major bulletproof hosting takedown (XHost/Zservers) involved 127 servers
- Russian bulletproof hoster Aeza Group (sanctioned by U.S. Treasury in July 2025) served hundreds of cybercriminals
- CrazyRDP's thousands of servers suggest it was providing infrastructure for hundreds or even thousands of simultaneous criminal operations
The Complete Infrastructure Shutdown
What went offline:
1. CrazyRDP.com website: The main customer portal and service marketplace is completely inaccessible, preventing new customer acquisition and existing customer management.
2. Autonomous System Number (ASN): The BGP routing infrastructure that announced CrazyRDP's IP address space to the internet has been taken offline, making all hosted services unreachable regardless of individual server status.
3. Customer infrastructure: All criminal operations hosted on CrazyRDP servers were simultaneously disconnected, including:
   - Ransomware command and control servers
   - Malware distribution endpoints
   - Phishing infrastructure
   - Data exfiltration collection points
   - CSAM distribution platforms
4. Customer databases: Seized servers likely contain comprehensive records of:
   - Customer identities and payment information
   - Hosted content and criminal operations
   - Communication records between criminals
   - Financial transaction history
Impact on criminal operations:
The simultaneous shutdown of CrazyRDP's entire infrastructure creates catastrophic disruption for dependent criminal operations:
- Ransomware groups lose the ability to communicate with infected systems and receive ransom payments
- Malware campaigns can no longer distribute payloads or receive stolen data
- Phishing operations immediately cease as spoofed websites become unreachable
- Botnet operators lose command and control over compromised systems
- Data brokers lose access to stored stolen credentials and sensitive information

The Malware Triad: Rhadamanthys, VenomRAT, and Elysium
The November 2025 Operation Endgame phase specifically targeted three sophisticated malware families that had infected hundreds of thousands of systems worldwide and caused millions in damages.
Rhadamanthys: The Premier Infostealer
Rhadamanthys represents the current state-of-the-art in information-stealing malware, designed to extract valuable credentials, financial data, and sensitive information from compromised systems.
Technical capabilities:
- Credential harvesting: Steals passwords from browsers, email clients, FTP clients, and password managers
- Cryptocurrency wallet targeting: Extracts private keys and wallet files for Bitcoin, Ethereum, and other cryptocurrencies
- Browser cookie theft: Captures authentication cookies allowing attackers to bypass login credentials
- Form data extraction: Harvests autofill data including credit card numbers, addresses, and personal information
- Screenshot capture: Takes periodic screenshots to gather visual information
- File harvesting: Searches for and exfiltrates documents matching criminal interest patterns
Scale of infection:
Between March and November 2025, authorities identified:
- 525,303 unique Rhadamanthys infections across 226 countries and territories
- 86.2 million "information stealing events"—individual instances of data theft
- Average of 163 data theft events per infected system, indicating persistent, ongoing credential harvesting
Criminal underground economy:
Rhadamanthys follows a Malware-as-a-Service (MaaS) model:
- Developers sell or lease access to the malware
- Criminal affiliates deploy it against targets
- Stolen credentials are sold on underground markets
- Prices for "logs" (collections of stolen credentials) range from $1 to $100+ depending on the victim's value
The cryptocurrency connection:
Europol reported that the principal suspect behind Rhadamanthys controlled access to more than 100,000 cryptocurrency wallets, with potential losses reaching millions of euros. This represents:
- Direct theft from compromised cryptocurrency wallets
- Access to exchange accounts with stored cryptocurrencies
- Private keys enabling transfer of stored digital assets
- Potential for long-term monitoring and theft as wallet values increase
VenomRAT: Remote Access and Control
VenomRAT (Remote Access Trojan) provides attackers with comprehensive remote control over compromised systems, serving as a persistent backdoor for ongoing malicious activities.
Core functionalities:
- Remote desktop access: Attackers can view and control the victim's screen in real-time
- File system manipulation: Upload, download, delete, and execute files on compromised systems
- Keylogging: Record all keystrokes to capture credentials and sensitive communications
- Webcam and microphone access: Spy on victims through their own devices
- Process management: Start, stop, and manipulate running programs
- Credential dumping: Extract stored passwords and authentication tokens
- Persistence mechanisms: Ensure the malware survives system reboots and security scans
The Greek arrest:
On November 3, 2025, Greek authorities arrested the main suspect behind VenomRAT as part of Operation Endgame's coordinated actions. This individual reportedly:
- Developed or operated the VenomRAT infrastructure
- Had access to 100,000+ cryptocurrency wallets compromised through the malware
- Potentially faces charges relating to millions of euros in criminal proceeds
- Coordinated with other cybercriminals using CrazyRDP infrastructure
VenomRAT deployment methods:
- Phishing campaigns: Malicious email attachments or links
- Software supply chain compromise: Trojanized legitimate software downloads
- Exploit kit delivery: Automated exploitation of software vulnerabilities
- Social engineering: Tricking victims into executing malicious files
Elysium: The Botnet Amplifier
Elysium operated as a botnet—a network of compromised computers controlled as a coordinated system for criminal purposes.
Botnet capabilities:
- Distributed denial-of-service (DDoS) attacks: Overwhelming targets with coordinated traffic from thousands of infected systems
- Spam distribution: Sending massive volumes of phishing emails and malware distribution messages
- Cryptomining: Using victim computing resources to mine cryptocurrencies
- Proxy networks: Routing criminal traffic through innocent victims' computers to obscure attacker origins
- Credential stuffing: Testing stolen username/password combinations across multiple services
The ransomware connection:
Botnets like Elysium serve as critical infrastructure for ransomware operations:
- Initial access: Botnet-infected systems provide entry points to corporate networks
- Reconnaissance: Compromised computers gather information about network architecture
- Lateral movement: Attackers pivot from botnet-infected workstations to servers and critical systems
- Ransomware deployment: Once access is established, ransomware is deployed across the network
Scale and impact:
While specific Elysium infection numbers weren't disclosed, authorities stated that the three targeted malware families collectively infected hundreds of thousands of computers worldwide, suggesting Elysium contributed tens of thousands of compromised systems to the criminal ecosystem.
International Coordination: A Global Law Enforcement Offensive
The 11-Nation Coalition
Operation Endgame demonstrates unprecedented international cooperation in combating cybercrime, involving authorities from:
Core participants:
- Netherlands: Led the infrastructure takedowns with 9 searches in Dutch data centers
- Germany: Conducted searches and provided technical expertise (1 search location)
- Greece: Arrested the VenomRAT main suspect (1 search location)
- United States: FBI and other agencies provided intelligence and technical support
- United Kingdom: National Crime Agency participation
- Denmark: Cybercrime investigation units
- France: DGSI and cybercrime police
- Belgium: Federal Computer Crime Unit
- Australia: Australian Federal Police
- Canada: RCMP cybercrime division
- Lithuania: Criminal Police Bureau
Coordination bodies:
- Europol: Coordinated intelligence sharing and operational planning from The Hague headquarters
- Eurojust: Facilitated cross-border judicial cooperation and evidence sharing
- Joint Cybercrime Action Taskforce (J-CAT): Provided operational coordination platform
The Dutch Role: Cybercrime Hub Becomes Enforcement Center
The Netherlands' central role in Operation Endgame reflects both a problem and a response:
The problem: Netherlands as cybercrime infrastructure hub
- Major international internet exchange point (AMS-IX)
- Advanced telecommunications infrastructure
- Business-friendly data center regulations
- Historically light oversight of hosting providers
- Geographic position between European jurisdictions
The response: Aggressive law enforcement
- 9 of 11 searches conducted in Dutch data centers
- 83 of 1,025 servers seized in the Netherlands
- Development of specialized cybercrime investigation units
- Investment in technical forensics capabilities
- Willingness to target infrastructure providers, not just end users
Stan Duijf's perspective:
As head of Operations at the National Law Enforcement and Intervention Unit, Duijf emphasized: "Law enforcement and the cybersecurity sector need each other to keep the digital world as safe as possible. This operation shows the power of intensive international collaboration with both public and private partners."
Private Sector Partnership
Operation Endgame involved more than 30 private organizations, including:
Cybersecurity vendors:
- Proofpoint: Threat intelligence on malware distribution campaigns
- CrowdStrike: Endpoint detection and malware analysis
- Bitdefender: Antivirus telemetry and threat hunting
- Additional security firms: Providing threat intelligence, analysis, and victim notification capabilities
Infrastructure providers:
- Data center operators cooperating with law enforcement
- Internet service providers assisting with network analysis
- Domain registrars facilitating domain seizures
This public-private partnership enabled:
- Real-time threat intelligence sharing
- Victim identification and notification
- Technical analysis of seized infrastructure
- Coordination of simultaneous global actions
Tracking the Threat: ThreatFox IOCs and OpEndgame
The Role of Abuse.ch ThreatFox
ThreatFox is a platform from abuse.ch and Spamhaus dedicated to sharing indicators of compromise (IOCs) associated with malware operations. The platform has played a critical role in Operation Endgame by:
1. IOC aggregation: Collecting and validating indicators from security researchers, law enforcement, and automated analysis
2. Community sharing: Making IOCs freely available to defenders, security vendors, and law enforcement
3. Law enforcement support: Providing structured threat intelligence to support investigation and attribution
4. Victim notification: Enabling organizations to identify if they've been compromised by Operation Endgame-related malware
Accessing OpEndgame IOCs
Security professionals, network defenders, and law enforcement can access Operation Endgame-tagged IOCs through ThreatFox:
Direct access:
https://threatfox.abuse.ch/browse/tag/OpEndgame/
IOC types available:
- Domains: Command and control domains, malware distribution sites, phishing infrastructure
- IP addresses: Server locations hosting malicious infrastructure
- URLs: Specific malicious endpoints for malware downloads or data exfiltration
- File hashes: SHA256, MD5, and SHA1 hashes of malware samples
- Network signatures: Patterns for identifying malicious traffic
Export formats:
ThreatFox provides IOCs in multiple formats for integration with security tools:
- MISP events: Daily exports for threat intelligence platforms
- Host files: Domain-only blocklists for DNS filtering
- Suricata IDS rulesets: Network intrusion detection signatures
- Response Policy Zones (RPZ): DNS firewall configurations
- JSON files: Structured data for custom integrations
Malware family coverage:
The OpEndgame tag includes IOCs for all malware families disrupted across all operation phases:
- Rhadamanthys infostealer indicators
- VenomRAT command and control infrastructure
- Elysium botnet endpoints
- IcedID, SmokeLoader, Pikabot, Bumblebee from Phase 1
- Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, Warmcookie from Phase 2
Using OpEndgame IOCs for Defense
Immediate actions for security teams:
1. Threat hunting:
- Search your environment for connections to OpEndgame IOCs
- Review historical logs for past compromise indicators
- Identify potentially infected systems requiring investigation
2. Blocking and prevention:
- Import OpEndgame domains and IPs into firewall deny lists
- Configure DNS filtering to block known malicious domains
- Update IDS/IPS signatures with OpEndgame network patterns
- Add file hashes to antivirus/EDR block lists
3. Continuous monitoring:
- Set up alerts for any connections to OpEndgame infrastructure
- Monitor for new IOCs added to ThreatFox OpEndgame tag
- Correlate internal security events with OpEndgame TTPs
4. Victim assessment:
Organizations should check politie.nl/checkjehack (Dutch police victim notification service) and repeat the check in coming weeks as new data from seized servers is analyzed and added.
IOC Lifecycle and Freshness
Important considerations:
- IOC expiration: Since May 2025, ThreatFox expires IOCs older than 6 months, recognizing that cybercriminals regularly rotate infrastructure
- Dynamic updates: New IOCs are added as analysis of seized servers continues
- False positive potential: Some IOCs may represent legitimate services that were compromised and abused
- Context matters: IOC detection should trigger investigation, not automatic blocking of critical business services
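As an added example (not code from this article, from ThreatFox or from abuse.ch), the following Python script demonstrates the threat-hunting and freshness points above: it loads a constructed ThreatFox-style JSON export, keeps only OpEndgame-tagged indicators younger than six months, matches them against constructed DNS/proxy log lines, and flags every hit for investigation while suggesting automatic blocking only for high-confidence indicators. The export field names, the key=value log format, the use of first_seen_utc for ageing and every indicator value are assumptions.

```python
"""Hunt DNS/proxy logs for ThreatFox OpEndgame indicators with a freshness window.

Added example; not part of the original article and not ThreatFox/abuse.ch code.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a ThreatFox JSON export. The field names
# (ioc_value, ioc_type, malware_printable, first_seen_utc, confidence_level,
# tags) are an assumption about the export format; every value is invented and
# uses reserved documentation ranges / .invalid names.
SAMPLE_THREATFOX_JSON = json.dumps([
    {"ioc_value": "update-check.invalid", "ioc_type": "domain",
     "malware_printable": "Rhadamanthys", "first_seen_utc": "2025-11-12 08:00:00",
     "confidence_level": 90, "tags": ["OpEndgame", "infostealer"]},
    {"ioc_value": "203.0.113.10:443", "ioc_type": "ip:port",
     "malware_printable": "VenomRAT", "first_seen_utc": "2025-11-11 14:30:00",
     "confidence_level": 50, "tags": ["OpEndgame", "rat"]},
    {"ioc_value": "old-loader.invalid", "ioc_type": "domain",
     "malware_printable": "Pikabot", "first_seen_utc": "2025-03-01 10:00:00",
     "confidence_level": 100, "tags": ["OpEndgame"]},
    {"ioc_value": "unrelated.invalid", "ioc_type": "domain",
     "malware_printable": "OtherFamily", "first_seen_utc": "2025-11-10 00:00:00",
     "confidence_level": 100, "tags": ["something-else"]},
])

# Constructed log lines in a simple key=value format; real DNS or proxy logs
# need their own parser.
SAMPLE_LOG_LINES = [
    "2025-11-18T09:12:03Z host=ws-042 query=update-check.invalid",
    "2025-11-18T09:13:10Z host=ws-042 dst=203.0.113.10:443",
    "2025-11-18T09:20:44Z host=ws-017 query=old-loader.invalid",
    "2025-11-18T09:21:02Z host=ws-017 query=intranet.corp.invalid",
    "2025-11-18T09:25:59Z host=ws-099 query=unrelated.invalid",
]

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)
MAX_IOC_AGE = timedelta(days=180)  # ThreatFox expires IOCs older than six months

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?:query|dst)=(?P<ind>\S+)$")


def load_opendgame_iocs(json_text, now=NOW, max_age=MAX_IOC_AGE, tag="OpEndgame"):
    """Return {indicator: record} for IOCs carrying `tag` and younger than max_age.

    Assumption: age is judged on first_seen_utc; the article does not say which
    timestamp ThreatFox itself uses for expiry.
    """
    fresh = {}
    for rec in json.loads(json_text):
        if tag not in rec.get("tags", []):
            continue
        seen = datetime.strptime(rec["first_seen_utc"], "%Y-%m-%d %H:%M:%S")
        seen = seen.replace(tzinfo=timezone.utc)
        if now - seen > max_age:
            continue  # stale: the infrastructure has most likely been rotated
        fresh[rec["ioc_value"].lower()] = rec
    return fresh


def parse_log_line(line):
    """Return (host, indicator) from a constructed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("ind").lower()


def hunt(log_lines, iocs, block_threshold=75):
    """Match log lines against fresh IOCs.

    Every hit is marked "investigate"; auto_block is only suggested for
    high-confidence indicators so that a compromised legitimate service is not
    cut off on the strength of a low-confidence entry.
    """
    hits = []
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        host, indicator = parsed
        rec = iocs.get(indicator)
        if rec is None:
            continue
        hits.append({
            "host": host,
            "indicator": indicator,
            "malware": rec["malware_printable"],
            "confidence": rec["confidence_level"],
            "action": "investigate",
            "auto_block": rec["confidence_level"] >= block_threshold,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG_LINES, load_opendgame_iocs(SAMPLE_THREATFOX_JSON)):
        print(hit)
```

On the sample data the stale Pikabot entry and the untagged domain are dropped, leaving two hits on ws-042: the Rhadamanthys domain (high confidence, block suggested) and the VenomRAT ip:port (investigate only).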
The Ransomware Kill Chain: Breaking the Business Model
How Malware Enables Ransomware
Operation Endgame specifically targets the infrastructure supporting ransomware operations, recognizing that ransomware groups depend on a complex ecosystem of supporting services.
The ransomware kill chain:
Stage 1: Initial Access
- Phishing campaigns using malware like VenomRAT
- Exploit kits delivered via botnet-compromised websites
- RDP brute forcing facilitated by credential theft from infostealers like Rhadamanthys
Stage 2: Credential Harvesting
- Infostealers like Rhadamanthys extract credentials from compromised endpoints
- Stolen credentials sold on underground forums or used directly by ransomware groups
- Lateral movement within networks using harvested privileged credentials
Stage 3: Network Reconnaissance
- RATs like VenomRAT provide persistent access for network mapping
- Botnets like Elysium enable broad scanning of network infrastructure
- Data exfiltration of sensitive information for double-extortion tactics
Stage 4: Ransomware Deployment
- Command and control hosted on bulletproof infrastructure like CrazyRDP
- Simultaneous encryption of systems across the network
- Payment infrastructure hosted on resilient bulletproof servers
Stage 5: Extortion and Payment
- Data leak sites hosted on bulletproof infrastructure
- Cryptocurrency wallets for anonymous ransom payment
- Victim communication via secure channels on criminal infrastructure
Disrupting the Ecosystem
By dismantling CrazyRDP and seizing 1,025 servers, Operation Endgame attacks multiple stages simultaneously:
Impact on Stage 1-2 (Access and Credentials):
- VenomRAT infrastructure offline prevents new system compromises
- Rhadamanthys takedown reduces credential theft feeding the underground economy
- Existing botnet-infected systems lose command and control
Impact on Stage 3-4 (Reconnaissance and Deployment):
- RAT operators lose access to previously compromised systems
- Ransomware groups can't deploy payloads through disrupted infrastructure
- Criminal coordination platforms hosted on CrazyRDP are inaccessible
Impact on Stage 5 (Extortion):
- Data leak sites become unavailable
- Payment infrastructure disrupted
- Victim communication channels severed
The economic calculation:
Cybercriminals now face:
- Higher infrastructure costs: Replacing thousands of seized servers is expensive
- Increased operational risk: Bulletproof hosters are being aggressively targeted
- Reduced reliability: Criminal services repeatedly disrupted
- Legal consequences: Associates arrested, cryptocurrency wallets seized
"By taking down the criminal infrastructure, the entire business model of many cybercriminals has been disrupted," Duijf noted—this is the strategic objective of Operation Endgame.
The 600,000 Infected Computers: Victim Notification and Remediation
Scale of Victimization
Authorities identified more than 600,000 infected computers worldwide through Operation Endgame investigations, representing:
Individual victims:
- Home users with compromised personal computers
- Small business workstations infected with malware
- Mobile devices compromised through malicious apps
Organizational victims:
- Corporate networks with infected endpoints
- Government agencies with compromised systems
- Educational institutions hosting malware
- Healthcare facilities with patient data at risk
Geographic distribution:
Rhadamanthys alone infected systems in 226 countries and territories, indicating truly global victimization with no region spared.
Victim Notification Process
Dutch victims:
- Check politie.nl/checkjehack to determine if your information was compromised
- Repeat the check in coming weeks as additional data from seized servers is analyzed
- Follow remediation guidance provided based on specific malware found
International victims:
- Law enforcement in participating countries conducting victim notification
- Europol coordinating cross-border notification through Telegram channels
- Private sector security companies assisting with identification and outreach
What data was stolen:
From Rhadamanthys infections:
- 86.2 million information stealing events including:
  - Saved passwords from browsers and applications
  - Cryptocurrency wallet private keys
  - Email account credentials
  - Banking and financial service logins
  - Personal documents and files
  - Browser cookies enabling session hijacking
From VenomRAT infections:
- Keylogged credentials and communications
- Screenshots containing sensitive information
- Files uploaded from compromised systems
- Real-time access to victim computers
From Elysium botnet:
- System information used for targeting
- Network credentials for lateral movement
- Proxied traffic revealing victim browsing
Remediation Steps for Victims
If you discover your system was infected:
Immediate actions:
- Disconnect from network to prevent further data exfiltration
- Change all passwords from a clean device (assume all credentials compromised)
- Enable multi-factor authentication on all accounts
- Contact your bank if financial credentials may have been stolen
- Run comprehensive antivirus scan with updated definitions
Password security:
- Assume all saved passwords were stolen
- Change passwords for:
  - Email accounts (priority—used for password resets)
  - Financial services (banking, investment, cryptocurrency)
  - Work accounts and VPNs
  - Social media and personal services
- Use unique passwords for each service (password managers recommended)
Cryptocurrency holders:
- If you stored cryptocurrency on infected systems, assume private keys were compromised
- Immediately transfer cryptocurrency to new wallets with new private keys
- Monitor compromised wallets for unauthorized transactions
- Report theft to exchanges and law enforcement
Ongoing monitoring:
- Credit monitoring services to detect identity theft
- Financial account monitoring for unauthorized transactions
- Dark web monitoring for your credentials appearing in breach databases
- Repeat victim notification checks as more data is analyzed
Professional assistance:
Organizations should:
- Engage incident response specialists
- Conduct comprehensive forensic analysis
- Review data exfiltration logs
- Assess compliance implications (GDPR, HIPAA, etc.)
- Notify affected stakeholders as required by law
The Broader Context: Global Bulletproof Hosting Crackdown
Recent Enforcement Actions Against BPH Providers
The CrazyRDP takedown is part of a broader international offensive against bulletproof hosting:
July 2025: U.S. Treasury Sanctions Aeza Group
- Russian bulletproof hosting provider Aeza Group designated by OFAC
- Provided infrastructure to Meduza ransomware and Lumma infostealer operators
- St. Petersburg-based operation serving global cybercriminals
- Sanctions prohibit U.S. persons from doing business with Aeza
Previous Dutch actions:
- XHost/Zservers takedown: 127 servers seized from bulletproof hoster
- Dismantled infrastructure hosting tens of DDoS botnets
- Targeted providers advertising DMCA-ignored and anonymous services
International pattern:
- Increasing focus on infrastructure rather than just individual criminals
- Coordination between financial sanctions and law enforcement seizures
- Technical actions (server seizures) combined with legal measures (domain seizures)
- Public attribution and "name and shame" campaigns
Why Bulletproof Hosting Remains Resilient
Despite aggressive enforcement, bulletproof hosting continues to operate because:
1. Geographic arbitrage:
- Hosters operate in jurisdictions with weak cybercrime laws or enforcement
- Russia, certain Eastern European countries, and some offshore jurisdictions provide safe harbor
- International legal process is slow and complex
2. Technical sophistication:
- Fast-flux DNS makes tracking and blocking difficult
- Distributed infrastructure across multiple jurisdictions
- Rapid migration to new servers when disrupted
- Use of legitimate hosting providers through fraudulent accounts
3. Financial incentives:
- Extremely lucrative business model
- Criminals willing to pay premium prices for immunity from takedown
- Cryptocurrency payments difficult to trace
- High demand from ransomware and malware operators
4. Operational security:
- Operators use anonymization techniques
- Compartmentalized operations limit exposure
- Minimal identification requirements for customers
- Communication through encrypted channels
The Law Enforcement Response Strategy
Multi-pronged approach:
1. Server seizures:
- Physical takedowns of infrastructure like the CrazyRDP operation
- Disrupts criminal operations and seizes evidence
- Provides victim notification data
- Creates operational costs for criminals
2. Financial pressure:
- Sanctions against BPH providers (Aeza Group example)
- Cryptocurrency seizures (100,000+ wallets in VenomRAT case)
- Payment processor cooperation to block criminal transactions
- Asset freezes and seizures
3. Domain takedowns:
- Seizure of criminal domains (20 in this operation)
- Coordination with domain registrars
- Sinkholing malicious domains to gather intelligence
4. Public exposure:
- Operation Endgame website publicly exposes failed criminal services
- "Name and shame" approach deters future customers
- Transparency builds public trust
- Educates potential victims
5. Vendor cooperation:
- Data center operators increasingly cooperating with law enforcement
- ISPs blocking malicious infrastructure
- Cloud providers terminating abusive accounts
- Payment processors refusing bulletproof hoster transactions
Legal and Policy Implications
The 80 Ongoing Investigations
The disclosure that CrazyRDP infrastructure appears in 80 law enforcement investigations has significant implications:
Investigation types likely include:
- Ransomware operations: Groups using CrazyRDP for command and control
- CSAM distribution: Platforms hosted on CrazyRDP servers
- Drug trafficking: Dark web marketplaces
- Financial fraud: Phishing and business email compromise infrastructure
- State-sponsored espionage: APT groups potentially using bulletproof infrastructure for deniability
Evidence goldmine:
Seized servers likely contain:
- Customer databases: Identities, payment information, communication records
- Hosted content: Criminal websites, malware, stolen data repositories
- Log files: Connections between criminals and their infrastructure
- Financial records: Cryptocurrency transactions, payment histories
Downstream prosecutions:
The CrazyRDP takedown will likely generate:
- Additional arrests of customers who used the service
- Evidence for existing criminal cases
- New leads for ongoing investigations
- International cooperation requests
Challenges in Prosecuting Bulletproof Hosters
Legal complexity:
1. Jurisdiction issues:
- Hosters operate across multiple countries
- Determining which jurisdiction has authority
- Conflicting legal standards for hosting provider liability
- Extradition challenges
2. Liability standards:
- When does a hosting provider become criminally liable for customer content?
- "Safe harbor" provisions in some jurisdictions
- Proving knowledge of illegal content
- Distinguishing passive hosting from active facilitation
3. Evidence requirements:
- Proving operators knew about criminal use
- Demonstrating intent to facilitate crime vs. merely providing services
- Overcoming anonymization and encryption
- Establishing connections between corporate entities and individual operators
Policy Recommendations
For governments:
1. Harmonize legislation:
- International standards for hosting provider liability
- Clear legal frameworks for when passivity becomes complicity
- Streamlined mutual legal assistance procedures
- Joint investigation team authorities
2. Enhanced cooperation:
- Real-time information sharing platforms
- Coordinated enforcement actions like Operation Endgame
- Joint training for investigators and prosecutors
- Technical assistance for developing countries
3. Financial pressure:
- Expanded sanctions authority for cybercrime infrastructure
- Cryptocurrency tracking and seizure capabilities
- Payment processor cooperation requirements
- Blocking SWIFT bank transfers for criminal services
For the private sector:
1. Data center operators:
- Enhanced customer verification procedures
- Abuse monitoring and rapid response
- Cooperation protocols with law enforcement
- Industry standards for acceptable use
2. Internet service providers:
- Network traffic analysis for malicious patterns
- Rapid takedown procedures for criminal infrastructure
- Coordination with security researchers
- Threat intelligence sharing
3. Security vendors:
- Continued Operation Endgame support
- IOC sharing through platforms like ThreatFox
- Victim notification assistance
- Technical analysis of seized infrastructure
Conclusion: The Endless Game Continues
The seizure of CrazyRDP's thousands of servers and the dismantling of Rhadamanthys, VenomRAT, and Elysium infrastructure represent a major victory in the ongoing battle against cybercrime. Yet the name "Operation Endgame" reflects both ambition and reality—this is not the final operation, but rather a sustained campaign to make cybercrime increasingly difficult, expensive, and risky.
What This Means for Cybercriminals
The message is clear:
- Bulletproof hosting is not bulletproof: Even the largest providers like CrazyRDP can be dismantled
- Infrastructure is vulnerable: Thousands of servers and years of operations can be seized simultaneously
- International cooperation works: 11 countries coordinating means there are fewer safe havens
- Arrests are happening: The VenomRAT suspect's arrest and seizure of 100,000+ cryptocurrency wallets demonstrates personal consequences
- The costs are rising: Replacing seized infrastructure, rotating domains, and rebuilding operations is expensive
Stan Duijf's assessment rings true: "By taking down the criminal infrastructure, the entire business model of many cybercriminals has been disrupted."
What This Means for Defenders
Reasons for optimism:
- 600,000+ infected systems identified for remediation
- 86.2 million credential theft events disrupted
- Ransomware kill chain broken at multiple stages
- Victim notification enabling proactive defense
- ThreatFox IOCs available for threat hunting and blocking
Continued vigilance required:
- Cybercriminals will migrate to new infrastructure
- New bulletproof hosters will emerge to fill the void
- Malware families will evolve and adapt
- The underlying vulnerabilities that enable compromise remain
What Comes Next
Expected developments:
1. Criminal adaptation:
- Migration to new bulletproof hosters
- Increased use of decentralized infrastructure
- More sophisticated operational security
- Shorter operational lifespans for infrastructure
2. Law enforcement response:
- Continued Operation Endgame phases targeting new threats
- Expansion of international cooperation
- Enhanced technical capabilities
- More aggressive financial sanctions
3. Victim support:
- Ongoing analysis of seized servers
- Additional victim notifications in coming weeks and months
- Recovery assistance and guidance
- Prosecution of criminals using stolen data
The Broader Fight
Operation Endgame demonstrates that the international community is finally treating cybercrime infrastructure with the seriousness it deserves. Rather than merely chasing individual hackers—who can easily be replaced—law enforcement is targeting the business model itself.
As the Dutch authorities emphasized, victims and potential victims should:
- Check politie.nl/checkjehack for compromise notifications
- Repeat the check regularly as more data is analyzed
- Implement strong security hygiene (unique passwords, MFA, regular updates)
- Report suspicious activity to authorities and security researchers
The war against cybercrime infrastructure continues. CrazyRDP is offline, but the next bulletproof hoster is already operating. Rhadamanthys, VenomRAT, and Elysium are disrupted, but new malware families are in development.
Operation Endgame is not the end—it's a new phase of sustained, coordinated, international pressure that makes the cybercrime business model increasingly untenable.
The game continues, but the rules have changed.
Key Takeaways
- ✅ CrazyRDP bulletproof hoster completely dismantled - thousands of servers seized, website offline, ASN down
- ✅ 1,025 servers taken down globally (83 in the Netherlands alone)
- ✅ 20 criminal domains seized associated with malware operations
- ✅ 11 coordinated searches across Netherlands (9), Germany (1), and Greece (1)
- ✅ VenomRAT main suspect arrested in Greece on November 3, 2025
- ✅ 100,000+ cryptocurrency wallets accessed by arrested suspect
- ✅ 80 law enforcement investigations involved CrazyRDP infrastructure
- ✅ Rhadamanthys infostealer disrupted - 525,303 infections across 226 countries
- ✅ 86.2 million credential theft events identified
- ✅ 600,000+ infected computers worldwide identified for remediation
- ✅ Operation Endgame coordination by Europol and Eurojust from The Hague
- ✅ 11-nation coalition including US, UK, Netherlands, Germany, Greece, France, Denmark, Belgium, Australia, Canada, Lithuania
- ✅ 30+ private sector partners including Proofpoint, CrowdStrike, and Bitdefender
- ✅ ThreatFox IOCs available at https://threatfox.abuse.ch/browse/tag/OpEndgame/
- ✅ CSAM infrastructure among criminal services hosted on CrazyRDP
- ✅ Largest international effort ever to combat ransomware and cybercrime globally
Operation Endgame has struck again, and the message to bulletproof hosting providers is unmistakable: there is no safe harbor for criminal infrastructure.
Related Reading:
- Operation Endgame Strikes Again: 1,025 Servers Dismantled in Coordinated Takedown of Rhadamanthys, VenomRAT, and Elysium
- Russian GRU Officer Alexey Lukashev Arrested in Thailand: FBI's Most Wanted Hacker Behind 2016 DNC Breach Faces US Extradition
- Chinese Cyber Mercenaries Sentenced in Singapore: $3 Million Cryptocurrency Operation Uncovered with PlugX Malware and Government Data
Check if your systems were compromised:
- Dutch victims: Visit politie.nl/checkjehack and check regularly as new data is added
- International victims: Contact your local law enforcement cybercrime division
- Security professionals: Search your environment for OpEndgame IOCs at https://threatfox.abuse.ch/browse/tag/OpEndgame/
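The IOC hunt suggested above, as an added example that is not part of the original article: it indexes tagged ThreatFox-style records and runs them over local log lines. The IOC records, malware labels and log lines are all constructed placeholders, and the record fields (ioc, ioc_type, malware, tags) are assumed to follow ThreatFox's JSON export; in a real hunt the records would come from the OpEndgame tag export linked above.

```python
"""Hunt for ThreatFox-style IOCs in local logs (added example, not from the article)."""
import re

# Constructed records mimicking ThreatFox fields; values are placeholders, not real IOCs.
SAMPLE_IOCS = [
    {"ioc": "203.0.113.10:8080", "ioc_type": "ip:port", "malware": "win.venom_rat", "tags": ["OpEndgame"]},
    {"ioc": "update-check.example", "ioc_type": "domain", "malware": "win.rhadamanthys", "tags": ["OpEndgame"]},
    {"ioc": "a" * 64, "ioc_type": "sha256_hash", "malware": "elysium", "tags": ["OpEndgame"]},
    {"ioc": "198.51.100.7:443", "ioc_type": "ip:port", "malware": "other", "tags": ["Unrelated"]},
]

# Constructed DNS, proxy and EDR log lines (assumed formats).
SAMPLE_LOGS = [
    "2025-11-12T09:14:02Z dns query=update-check.example client=10.0.0.5",
    "2025-11-12T09:14:03Z proxy client=10.0.0.5 dst=203.0.113.10:8080 method=POST",
    "2025-11-12T09:15:10Z edr host=ws-17 file=C:\\Users\\x\\svc.exe sha256=" + "a" * 64,
    "2025-11-12T09:16:00Z proxy client=10.0.0.9 dst=198.51.100.7:443 method=GET",
]


def index_iocs(records, tag="OpEndgame"):
    """Build per-type lookup tables, keeping only records that carry the wanted tag."""
    idx = {"ip": {}, "domain": {}, "sha256": {}}
    for r in records:
        if tag not in r.get("tags", []):
            continue
        kind, value = r["ioc_type"], r["ioc"].lower()
        if kind == "ip:port":
            idx["ip"][value.split(":")[0]] = r   # match on the IP alone; ports vary by log source
        elif kind == "domain":
            idx["domain"][value] = r
        elif kind == "sha256_hash":
            idx["sha256"][value] = r
    return idx


def hunt(log_lines, idx):
    """Return (line_no, ioc_kind, ioc, malware) for every line that touches an indexed IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", low):
            if ip in idx["ip"]:
                hits.append((n, "ip", ip, idx["ip"][ip]["malware"]))
        for dom in re.findall(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", low):
            if dom in idx["domain"]:
                hits.append((n, "domain", dom, idx["domain"][dom]["malware"]))
        for digest in re.findall(r"\b[0-9a-f]{64}\b", low):
            if digest in idx["sha256"]:
                hits.append((n, "sha256", digest, idx["sha256"][digest]["malware"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, index_iocs(SAMPLE_IOCS)):
        print(hit)   # three hits; the untagged 198.51.100.7 record is ignored
```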
For threat intelligence and IOC feeds:
- ThreatFox OpEndgame Tag: https://threatfox.abuse.ch/browse/tag/OpEndgame/
- Operation Endgame Official Site: https://operation-endgame.com/
Disclaimer: This article is for informational purposes only. All information is based on official law enforcement announcements, public reporting, and open-source intelligence. Operation Endgame is an ongoing investigation and details may evolve as more information becomes available.
