Operation Endgame 3.0 took down 1025 servers including CrazyRDP
Europol and Shadowserver have announced today that they have completed the "third phase" of the Endgame operation, targeting the infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium.
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on 3 November 2025.
The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers. More than 30 national and international public and private parties are supporting the actions. Important contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender.
The coordinated actions led to:
1 arrest in Greece
11 locations searched (1 in Germany, 1 in Greece, and 9 in the Netherlands)
Over 1 025 servers taken down or disrupted worldwide
20 domains seized
https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down (archive)
https://www.shadowserver.org/news/rhadamanthys-historical-bot-infections-special-report/ (archive)
At least that's the official story. What wasn't mentioned is the likely seizure of CrazyRDP.com (archive), a hosting provider from the Netherlands known for providing bulletproof hosting services to malware operators and spammers.
It was operated by people affiliated with Serverion, rumored to be "Desmond van der Winden", or "Mohammad Tareq Sahebzadah" according to information that was put up on their page years ago, after they had been breached.
2 days ago their entire infrastructure went down and their Telegram communication channels were deleted; their website is also down. No information has been posted since then, and the infrastructure remains offline.
https://bgp.tools/as/401110 - their "transit" ASN, so they can say their downstreams are abusive and not them, makes it easier to get transit.
Actual ASNs used for bulletproof hosting:
https://bgp.tools/as/401120
https://bgp.tools/as/401116
https://bgp.tools/as/401109
All of which do not announce any prefixes anymore. When they did, they used a fan favorite company Aurologic/Combahton operated by Joseph Hofmann, known for platforming such providers.
It is rumored that it's directly related to Endgame 3.0. I will be posting more information in this thread when I obtain it.

Comments
I have found the ASN that used to host CrazyRDP nodes, which is also down and of course also operated by Serverion. It used InterEdge upstream, which is Serverion's "transit network", operating in a similar fashion to CrazyRDP's one.
HAWAIIAN TELCOM FIBER LLC
https://bgp.tools/as/18950
Information was exposed in SSL cert issuer, served by Proxmox nodes
Subject
C=US, ST=Berkshire, L=Newbury, O=My Company, CN=crazynodenl52, [email protected]
CrazyRDP seizure confirmed, they were indeed located in The Hague. Looks like besides malware, they also had a copious amount of CSAM.
https://nltimes.nl/2025/11/14/dutch-police-seize-thousands-servers-used-ransomware-child-sex-abuse-footage (archive)
https://www.politie.nl/nieuws/2025/november/14/02---duizenden-servers-in-beslaggenomen-in-omvangrijk-cybercrime-onderzoek.html (archive)
The list of IOCs/C2s taken down by Endgame 3.0:
https://threatfox.abuse.ch/browse/tag/OpEndgame/
Hits sorted by provider:
82 51396|PFCLOUD, DE
81 24940|HETZNER-AS, DE
38 215826|PARTNER-HOSTING-LTD, GB
36 396073|MAJESTIC-HOSTING-01, US
26 210644|AEZA-AS, GB
23 215730|H2NEXUS-AS H2NEXUS LTD, GB
19 213702|QWINS-LTD QWINS AS-SET: ~ # AS213702:AS-CUSTOMERS, GB
17 35916|MULTA-ASN1, US
17 216071|VDSINA, AE
14 42624|SWISSNETWORK02, SC
14 214943|RAILNET, US
14 149440|EVOXTENTERPRISE-AS-AP Evoxt Enterprise, MY
13 59711|HZ-EU-AS, BG
13 399629|BLNWX, US
13 215540|GCS-AS, GB
12 44208|FARAHOOSH, IR
12 41745|FORTIS-AS Hosting services, RU
11 63023|AS-GLOBALTELEHOST, US
10 9009|M247, RO
10 48282|VDSINA-AS, RU
9 48753|AVAHOHST, MD
9 22439|PERFECT-INTERNATIONAL, US
9 19318|IS-AS-1, US
8 214351|FEMOIT, GB
8 207043|DEDIK-IO DEDIK SERVICES LIMITED DEDIK.IO, GB
8 14956|ROUTERHOSTING, US
7 51852|PLI-AS, PA
7 214036|ULTAHOST-AS, US
7 212477|ROYALE-AS, NL
7 198953|PROTON66, RU
It does not include CrazyRDP IPs; I assume they just didn't put them there, as they took down the entire provider instead.
Full IP list:
What a mess. Hate to be the admin that tries to clean any of those ranges or IPs.
Those stacks of servers… Somewhat hypnotic. And look at that, M247 RO. Those guys participate in all major net crimes.
I am sure those guys were into big money and thus paid handsomely for their servers...