TZUTC: -0500
MSGID: 1702.consprcy@1:2320/105 2d7b1fcb
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Top infostealer disrupted after criminals lose server access

Date:
Wed, 12 Nov 2025 14:54:03 +0000

Description:
The Rhadamanthys infostealer has been disrupted, possibly by German law
enforcement.

FULL STORY

The Rhadamanthys infostealer, one of the most popular malware-as-a-service
(MaaS) offerings on the dark web, has apparently been disrupted, with many of
its customers locked out. 

Researchers known as g0njxa and Gi7w0rm saw multiple cybercriminals reporting
troubles using the tool, since the police obtained access to their web 
panels. 

The MaaS developer blamed the German police for the disruption, saying
entities with German IP addresses were logging into the web panels hosted in
EU data centers right before access was revoked.

German police blamed 

German police are yet to confirm or deny these claims, though. Speaking to
BleepingComputer , G0njxa said Rhadamanthys Tor site is also offline, but it
currently doesnt have the usual police seizure banner, so there is still a
chance that this is the work of a different actor. 

For one user, SSH access now requires a certificate instead of root password,
preventing entry: "If your password cannot log in. The server login method 
has also been changed to certificate login mode, please check and confirm, if
so, immediately reinstall your server, erase traces, the German police are
acting," that person allegedly wrote. 

"I confirm that guests have visited my server and the password has been
deleted.rootServer login became strictly certificate-based, so I had to
immediately delete everything and power down the server, another one wrote.
Those who installed it manually were probably unscathed, but those who
installed it through the "smart panel" were hit hard. 

At the same time, BleepingComputer uncovered the website for Operation
Endgame, an ongoing police action targeting different MaaS operations,
currently has a countdown timer, set to expire in approximately 21 hours. 

Operation Endgames last activity was in May 2025, when Europol and Eurojust
dismantled a ransomware kill chain. In that operation, the police seized
roughly 300 servers, took down 650 domains, and issued international arrest
warrants against 20 individuals. The police also seized 3.5 million in 
various cryptocurrencies. 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/top-infostealer-disrupted-after-crimina
ls-lose-server-access

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426