Operation Endgame 3.0 took down 1025 servers including CrazyRDP
Europol and Shadowserver have announced today that they have completed the "third phase" of the Endgame operation, targeting the infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium.
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on 3 November 2025.
The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers. More than 30 national and international public and private parties are supporting the actions. Important contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender.
The coordinated actions led to:
1 arrest in Greece
11 locations searched (1 in Germany, 1 in Greece, and 9 in the Netherlands)
Over 1 025 servers taken down or disrupted worldwide
20 domains seized
https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down (archive)
https://www.shadowserver.org/news/rhadamanthys-historical-bot-infections-special-report/ (archive)
At least that's the official story. What wasn't mentioned is the likely seizure of CrazyRDP.com (archive), a hosting provider from the Netherlands known for providing bulletproof hosting services to malware operators and spammers.
It was rumored to be operated by people affiliated with Serverion, according to information that was put up on their page years ago, after they had been breached.
2 days ago their entire infrastructure went down and their Telegram communication channels were deleted; their website is also down. No information has been posted since then, and the infrastructure remains offline.
https://bgp.tools/as/401110 - their "transit" ASN, so they can say their downstreams are abusive and not them, makes it easier to get transit.
Actual ASNs used for bulletproof hosting:
https://bgp.tools/as/401120
https://bgp.tools/as/401116
https://bgp.tools/as/401109
All of which do not announce any prefixes anymore. When they did, they used a fan favorite company Aurologic/Combahton operated by Joseph Hofmann, known for platforming such providers.
It is rumored that it's directly related to Endgame 3.0. I will be posting more information in this thread when I obtain it.

Comments
I have found the ASN that used to host CrazyRDP nodes, which is also down and of course also operated by Serverion. It used the InterEdge upstream, which is Serverion's "transit network", operating in a similar fashion to CrazyRDP's one.
HAWAIIAN TELCOM FIBER LLC
https://bgp.tools/as/18950
Information was exposed in the SSL cert issuer, served by Proxmox nodes
Subject
C=US, ST=Berkshire, L=Newbury, O=My Company, CN=crazynodenl52, [email protected]
CrazyRDP seizure confirmed, they were indeed located in The Hague. Looks like besides malware, they also had a copious amount of CSAM.
https://nltimes.nl/2025/11/14/dutch-police-seize-thousands-servers-used-ransomware-child-sex-abuse-footage (archive)
https://www.politie.nl/nieuws/2025/november/14/02---duizenden-servers-in-beslaggenomen-in-omvangrijk-cybercrime-onderzoek.html (archive)
The list of IOCs/C2's taken down by Endgame 3.0
https://threatfox.abuse.ch/browse/tag/OpEndgame/
Hits sorted by provider:
82 51396|PFCLOUD, DE
81 24940|HETZNER-AS, DE
38 215826|PARTNER-HOSTING-LTD, GB
36 396073|MAJESTIC-HOSTING-01, US
26 210644|AEZA-AS, GB
23 215730|H2NEXUS-AS H2NEXUS LTD, GB
19 213702|QWINS-LTD QWINS AS-SET: ~ # AS213702:AS-CUSTOMERS, GB
17 35916|MULTA-ASN1, US
17 216071|VDSINA, AE
14 42624|SWISSNETWORK02, SC
14 214943|RAILNET, US
14 149440|EVOXTENTERPRISE-AS-AP Evoxt Enterprise, MY
13 59711|HZ-EU-AS, BG
13 399629|BLNWX, US
13 215540|GCS-AS, GB
12 44208|FARAHOOSH, IR
12 41745|FORTIS-AS Hosting services, RU
11 63023|AS-GLOBALTELEHOST, US
10 9009|M247, RO
10 48282|VDSINA-AS, RU
9 48753|AVAHOHST, MD
9 22439|PERFECT-INTERNATIONAL, US
9 19318|IS-AS-1, US
8 214351|FEMOIT, GB
8 207043|DEDIK-IO DEDIK SERVICES LIMITED DEDIK.IO, GB
8 14956|ROUTERHOSTING, US
7 51852|PLI-AS, PA
7 214036|ULTAHOST-AS, US
7 212477|ROYALE-AS, NL
7 198953|PROTON66, RU
It does not include CrazyRDP IPs; I assume they just didn't put them there, as they took down the entire provider instead.
Full IP list:
What a mess. Hate to be the admin that tries to clean any of those ranges or IPs.
Those stacks of servers… Somewhat hypnotic. And look at that, M247 RO. Those guys participate in all major net crimes.
I am sure those guys were into big money and thus paid handsomely for their servers...
This part of my OP was modified by moderation at request of INDIVIDUAL1.
It previously used to state that he might've been involved in CrazyRDP operations, but that's only a speculation.
However he undeniably provided them with colocation and other services, since CrazyRDP's inception. I'm aware that he is trying to say that he didn't even host them after finding out they are a Bulletproof host, but that's a lie.
CrazyRDP at first used the ASN of one of his companies, "Des Equity LLC", to host on, as well as his IP prefixes.
When the situation got too heated, they switched to their own ASN "Limenet" AS394711, while staying colocated with Serverion.
And later to the ASNs I listed in the OP.
The CN is from the name CrazyRDP, and the email address points to the alleged operator of CrazyRDP, who operates a company called "AVS B.V". This is INDIVIDUAL2.
This directly proves that they were still INDIVIDUAL1's customer at the time of the raid, one of CrazyRDP's ASNs used exclusively for hosting their internal infra, and using InterEdge upstream (another of INDIVIDUAL'S companies).
As you can guess, both CrazyRDP public facing infra, and internal, went down at the same time and haven't recovered since, further confirming that it was them.
public infra
https://radar.cloudflare.com/as401120?dateRange=28d
internal infra (HAWAII)
https://radar.cloudflare.com/as18950?dateRange=28d
Both ColoCenter in Zoetermeer, and DFDC in the Hague were raided, both are Serverion's main locations.
@InterEdge feel free to comment publicly, if you feel like I am defaming you. It was common knowledge in bulletproof hosting circles that you host CrazyRDP, should've kept better opsec.
Mod edit: removing individual names until enough concrete evidence is presented that links these names to criminal activities.
Mod note: Names have been redacted because there is currently no verified law-enforcement or court documentation publicly identifying these individuals as responsible for the activity described. While rumors and speculation exist, they don’t meet the standard needed to directly attach real names to alleged criminal conduct. Until authoritative sources confirm otherwise, we’re keeping the discussion focused on facts, not unverified personal accusations.
They should have serious evidence to seize an entire hosting company.
Not serious enough to Mason leave names of the perpetrators...
Fair enough. I won't mention their names on this site anymore.
I doubt the names will be publicly released, ever, as they are both from the Netherlands.