⚠️ MEDIUM | intel

Rhadamanthys Infostealer Disrupted; Panels Locked, Tor Offline

The Rhadamanthys infostealer operation suffered a major disruption as subscribers reported losing access to their web panels and servers. Multiple customers on underground forums stated that their SSH access had been locked out: login methods were switched from root passwords to certificate-based authentication without warning. The timing and access patterns suggest law enforcement involvement.

According to malware researchers g0njxa and Gi7w0rm, who monitor the operation, Rhadamanthys customers believe German police gained access to their infrastructure. One subscriber reported: "The server login method has been changed to certificate login mode...the German police are acting." Another confirmed: "guests have visited my server and the password has been deleted...Server login became strictly certificate-based." Those who used Rhadamanthys' "smart panel" automated installation were hit hardest, while manual installations may have remained accessible. The Rhadamanthys developer told customers that web panels hosted in EU data centers showed German IP addresses logging in before operators lost access. The malware's Tor onion sites went offline but do not yet display police seizure banners.

Rhadamanthys operates as malware-as-a-service, offering subscription plans in which customers pay monthly fees for access to the infostealer, support, and web panels that collect credentials stolen from browsers, email clients, and applications. Researchers believe this may connect to Operation Endgame, the ongoing law enforcement initiative that previously disrupted ransomware infrastructure, the AVCheck site, and the SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC operations. The Operation Endgame website shows a timer indicating that a new action will be disclosed on Thursday.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The bundling of nine CVEs into a single ESR release suggests Mozilla prioritized these collectively rather than staggering releases. Memory safety and use-after-free bugs in browsers are consistently attractive targets, since exploitation happens in the user's context with access to cookies, credentials, and browsing sessions. Type confusion issues are particularly interesting: they often stem from JavaScript engine JIT compilation, where runtime type assumptions break down. Slackware's quick turnaround shows these patches were treated as high priority despite no public evidence of active exploitation.

Strategic Intelligence Guidance

  • Force-rotate passwords and session cookies for high-risk users and admins.
  • Enable phishing-resistant MFA and conditional access to reduce session theft impact.
  • Deploy stealer-focused detections (browser data access, suspicious archive exfil).
  • Track Endgame advisories; map overlaps with known Rhadamanthys infrastructure.
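The third point above (stealer-focused detections for browser data access and archive-then-exfiltration) is the kind of logic a detection engineer would prototype before porting it to an EDR or SIEM rule. The following is an added example, not code from the article or from any vendor: it runs two such rules over constructed endpoint telemetry. The event schema, process names and file paths are assumptions chosen for illustration.

```python
# Added example (not from the original article): a minimal stealer-behaviour
# detector run over constructed endpoint telemetry. The event schema and the
# sample paths/process names are assumptions; adapt to your EDR/Sysmon fields.
import re
from collections import defaultdict

# Credential stores infostealers commonly read, matched on the path tail.
CREDENTIAL_STORES = re.compile(
    r"(Login Data|Cookies|Web Data|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)

def detect(events, window=120):
    """Return alerts from events sorted by timestamp.

    Each event is a dict: {"ts": int, "pid": int, "image": str, "type": str,
    "path": str|None, "dest": str|None}; type is "file_read", "file_create"
    or "net_connect" (constructed schema, not a vendor format)."""
    alerts = []
    archives = defaultdict(list)  # pid -> timestamps of archive creation
    for e in events:
        image = e["image"].lower()
        if e["type"] == "file_read" and CREDENTIAL_STORES.search(e["path"] or ""):
            # Rule 1: a non-browser process reading a browser credential store.
            if image not in BROWSERS:
                alerts.append(("browser_credential_access", e["pid"], e["path"]))
        elif e["type"] == "file_create" and ARCHIVE_EXT.search(e["path"] or ""):
            archives[e["pid"]].append(e["ts"])
        elif e["type"] == "net_connect":
            # Rule 2: outbound connection shortly after the same process wrote an archive.
            if [t for t in archives[e["pid"]] if e["ts"] - t <= window]:
                alerts.append(("archive_then_exfil", e["pid"], e["dest"]))
    return alerts

# Constructed sample telemetry: a benign browser read, then an unknown process
# reading two credential stores, writing an archive and connecting out.
CHROME_DB = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_DB = r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\key4.db"
SAMPLE = [
    {"ts": 100, "pid": 41, "image": "chrome.exe", "type": "file_read", "path": CHROME_DB, "dest": None},
    {"ts": 105, "pid": 77, "image": "updater.exe", "type": "file_read", "path": CHROME_DB, "dest": None},
    {"ts": 106, "pid": 77, "image": "updater.exe", "type": "file_read", "path": FIREFOX_DB, "dest": None},
    {"ts": 110, "pid": 77, "image": "updater.exe", "type": "file_create",
     "path": r"C:\Users\a\AppData\Local\Temp\out.zip", "dest": None},
    {"ts": 130, "pid": 77, "image": "updater.exe", "type": "net_connect",
     "path": None, "dest": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In production, the browser allowlist should be keyed on signed image path rather than file name, and the exfil rule should also consult destination reputation, since the constructed sample uses a documentation-range address.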

Threats

Rhadamanthys

Targets

Enterprises, Consumers