DIVD-2025-00041 - Victim Notification Operation Endgame S03E01

Summary

On November 13th 2025, The Dutch National Police, in cooperation with Europol, Eurojust and the police of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the UK and the US announced they took down 1025 servers of botnet operators worldwide in a another episode of Operation Endgame, the biggest continued anti-botnet operation to date. During this takedown, stolen data has been seized.

As part of this operation, stealer logs containing information on many victims of the targeted malware platforms have been shared with: DIVD, Have I Been Pwned, Spamhaus, Project No More Leaks, Project Check je Hack, the (Dutch) NCSC, CSIRT-DSP, and Digital Trust Center.

A group of partners, including NCSC, DTC, and us of DIVD are doing their best to notify the victims in the various datasets.

Datasets involved

So far we have received the following datasets:

1. Logs of the Rhadamanthys infostealer - 36GB - 93,010,313 records, 5,107,559 unique email addresses - Received on 13-11-2025

The datasets contain

The datasets contain stolen user data, including usernames, redacted passwords, the URL and timestamp of the last observed use, and, where available, the victim’s IP address, device (computer) name, and local user account.

Possible impact if no action is taken

The data on its own might appear harmless or insignificant, but when combined with reused passwords, lack of MFA (Multi-Factor Authentication), or internal host and user context, it makes account takeovers, fraud, and network intrusion possible. Taking action helps protect your accounts and personal information from being misused.

What you can do

Since the datasets contain data of too many individuals, we will not be sending out individual notifications. Instead we are enabling certs, csirts and security teams to check of data of their users is present in the datasets we received and, if present, to request the details. We have outlined the full procedure on our credentials page.

If you want to find out if your organisation was impacted, you can find out as follows:

• Download the Endgame S03E01 datasets:
  • Batch 1: Rhadamanthys - 13-11-2025
• Open the files (watch out Excel truncates them due to their size) and look for domains you are responsible for.
• If you have found domains that belong to you, you can send an email to divd-2025-00041@csirt.divd.nl to request the data that belongs to these domains.

Please note: we will validate your claim and only send you data if your country has a sufficiently high score on the Human Rights Index.

I / my users are on the list now what?

Here are the steps you can take depending on your situation:

• Instructions for when your data has been stolen/your computer has been compromised
• Instructions for when users of your organisations have been compromised
• Instructions for when users of your service have been compromised

What we are doing

As we receive more information, we will analyse them and publish more apex sets. Make sure you keep an eye on this space and our CSIRT blog or RSS feed

Frequently asked questions

General

Q: Is this a scam?

A: It’s great that you’re skeptical. However, this is legit and definitely not a scam. This operation is a collaboration between the Dutch National Police, Europol, Digital Trust Center, NCSC and others. We, the Dutch Institute of Vulnerability Disclosure (DIVD), are mentioned on the partner page of the Operation Endgame site as well as the press release of Europol and the Dutch National Police.

Q: Do you have my password?

A: No, we do not have your password. We may have sent you an email containing a partial password, with only the last few characters visible. This is the only part of your password we possess. The Dutch Police ensured that all passwords were hidden before sharing the data with us.

Q: Are you going to go after the criminals who stole my information?

A: No, we are not. That is a matter for law enforcement. As per article 9 of our code of conduct: We analyze online threats, not threat actors. We are researchers and don’t serve the needs of governments or law enforcement.

Q: if you “don’t serve the needs of governments or law enforcement”, why are you cooperating with the Dutch National Police on this case?

A: Acting on this data set is directly in line with article 3 of our code of conduct: Analyze databases with leaked credentials and report to the organizations or people who are compromised to take appropriate measures.

We analyze every database we receive, including those from law enforcement. However, we do this independently, without any obligation or intention to share any specific information in return.

Technical

Q: Do you know how the Dutch National Police obtained this information?

A: No we don’t know any details, but we know that Operation Endgame contains information from several criminal operations.

Q: Do you know from which criminal operation my data was obtained?

A: In some cases we know the name of the infostealer malware, but further details were not shared with us.

Legal

Q: You are processing my personal data without my consent, is that legal?

A: Yes it is. Under Dutch law and European privacy regulations, we can process this data based on a so-called “legitimate interest.” DIVD is a private foundation that operates under a strict code of conduct, with the aim to make the digital world safer.

Timeline

More information

• Operation Endgame website
• Europol press release
• Press release of Dutch police (in Dutch)
• Bleeping computer article about takedown of Rhadamanthys infostealer