FBI & Global Allies Crush Crypto-Draining Botnet Empire in 2025 Takedown
Law enforcement has struck hard at the infrastructure behind crypto theft. The FBI, alongside international agencies, dismantled a network of infostealers and botnets built to siphon crypto from unsuspecting victims, cutting off the backdoor into thousands of digital wallets.
The action, the latest phase of Operation Endgame, targeted infrastructure spanning the United States and ten partner countries: bulletproof hosting providers, command-and-control servers, and Telegram channels peddling stolen credentials. Authorities have not disclosed total losses.
Key takeaway? The era in which infostealer crews could drain wallets with little fear of consequences is closing. Law enforcement now hunts malware infrastructure with the same vigor a degen brings to chasing a 100x, and the 'anonymous' DeFi protocol offering 'risk-free' yields is unlikely to be far behind. Spoiler: it is not risk-free.
Key Highlights
- The FBI and allies seized 1,025 servers tied to crypto-stealing malware.
- Major strains taken down: Rhadamanthys, VenomRAT, Elysium.
- Part of a wider U.S. crackdown on global scam and fraud networks.
The U.S. Federal Bureau of Investigation (FBI) and international law enforcement partners have carried out one of their largest cybercrime disruptions of the year, dismantling malware networks that have been quietly raiding crypto wallets, browser credentials, and financial accounts across the globe.
The agency announced that Operation Endgame, a multinational effort launched in May 2024, took down 1,025 servers, seized 20 domains, and led to an arrest in Greece. This marks the third major takedown tied to the ongoing initiative.
Cyber tools on target
The targets of the operation were Rhadamanthys, a commercial-grade infostealer sold as malware-as-a-service, VenomRAT, a remote access Trojan used for surveillance and credential harvesting, and Elysium, a stealth botnet known for deploying cryptomining payloads and distributing additional malware.
These tools have been at the center of a surge in crypto wallet drains, credential hijacking, and large-scale financial fraud. Rhadamanthys, in particular, is built to vacuum up seed phrases, wallet files, browser auto-fill data, exchange logins, and system information, which makes it a common choice for phishing crews and Telegram-based drainer operations.
Global operation targets cybercrime networks
The FBI executed the takedown alongside authorities in Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the UK, targeting the infrastructure that cybercriminals depend on to automate attacks.
The FBI and our partners successfully dismantled an infostealer, remote access trojan, and botnet as part of Operation Endgame. This marks the third large-scale action in this ongoing initiative, which was launched to combat criminal infrastructure used for ransomware attacks…
— FBI (@FBI), November 14, 2025
They also seized command-and-control nodes used to manage infected machines, which is expected to disrupt thousands of active malware campaigns.
A broader crackdown on crypto-driven crime
The botnet takedown follows the launch of the Scam Center Strike Force, a new U.S. initiative focused on dismantling Southeast Asian scam compounds and Chinese-linked criminal networks that deploy similar infostealers. The task force has already seized $401.6 million in crypto, filed forfeiture actions for another $80 million, and coordinated arrests in Bali and Burma.
“The impact on victims is devastating,” said FBI Deputy Assistant Director Gregory Heeb. “Our job is to stop these criminals, and with global cooperation, we will.”
What comes next
The FBI says more coordinated actions are coming as agencies shift from chasing individual hackers to dismantling the infrastructures, such as servers, domains, and distribution systems, behind global crypto crime. Future phases of Operation Endgame will target malware developers, hosting providers, and botnet operators.
The agency also warns crypto users to treat any unauthorized access, drained accounts, or odd browser behavior as a sign of device compromise, and to migrate wallets and reset credentials immediately. Because infostealers copy seed phrases, wallet files, and browser session cookies, resetting passwords from the same machine is not enough: generate a new wallet on a known-clean device, move funds there, and invalidate exchange sessions and API keys before reusing any account.

