
Europol takes down servers behind three malware operations, the US sanctions another Burmese military group linked to scam compounds, Google backs down from mandatory Android developer registration, and Checkout.com donates its ransom to cybercrime researchers instead of paying hackers. This is the Risky Bulletin, prepared by Catalin Cimpanu, established and read by me, Claire Aird. Today is the 14th of November and this podcast episode is brought to you by cloud security company Prowler. In today's top story, Europol and other law enforcement agencies have disrupted three malware operations. Authorities seized more than 1,000 servers and 20 domains used by the Rhadamanthys infostealer, the VenomRAT and the Elysium botnet. Europol claims that the malware infected hundreds of thousands of users and stole tens of millions of credentials. Earlier this month, the operator of VenomRAT was arrested in Greece. The takedown is part of Europol's Operation Endgame, a coordinated campaign targeting criminal infrastructure that enables ransomware attacks. In other news, payment provider Checkout.com has declined to pay a ransom demand after older cloud servers were hacked. The company says it will donate the requested ransom to universities conducting cybercrime research instead. Checkout.com says the servers held data from 2020 and the breach impacted less than a quarter of its customers. The company said a group known as ShinyHunters was responsible for the hack. A cyber attack has disrupted the broadcast of a German radio station. Radio Ncivelle said hardware components were damaged in the attack and had to be replaced. The broadcaster also said it had to rebuild large parts of its IT network. The hack occurred days after a similar incident crippled the transmission of Dutch radio and TV station RTV Noord. Google has filed a lawsuit against a Chinese phishing-as-a-service platform. 
The Lighthouse platform is allegedly behind recent waves of SMS spam that targeted users globally. Posing as Google and USPS, the service hooked a million victims across 120 countries. Google's seeking a court order to shut down the platform's infrastructure and is seeking injunctions against 25 individuals. Staying with Google, the company has announced a new feature that will take user data and process it on encrypted cloud servers. Private AI Compute will allow users to offload heavy-duty AI tasks to Google servers. The feature is similar to Apple's Private Cloud Compute, which was launched last year. Meantime, Google is easing upcoming restrictions for Android developers. In August, the company announced it planned to block all Android users from installing apps from unverified developers. In a blog post this week, Google says, having considered feedback, it will allow some developers to go unverified, such as students and hobbyists. The company will also allow experienced users to install apps from unverified developers. In response to Google's initial announcement, the mobile development community created a website to help mass report Google to antitrust agencies. EU member states won't be required to participate in the bloc's new anti-disinformation group. Plans for the Democracy Shield initiative are set to be announced this week. Participating countries will share guidance and alerts on election meddling, foreign interference and disinformation campaigns. Proposed new laws in the UK aim to strengthen cyber defences for essential public services. They target healthcare, drinking water, transport and energy providers. The laws would also apply to some suppliers such as IT companies, help desk support and cybersecurity providers. If passed, all entities will have to meet minimum security requirements or face turnover-based fines. Chinese state-sponsored hackers have attempted to breach Australian telcos and critical infrastructure. 
The head of Australia's Security Intelligence Organisation, Mike Burgess, warned of possible economic disruption and sabotage. Burgess linked the attacks to Salt Typhoon and Volt Typhoon. North Korea has reorganised its military intelligence agency. The Reconnaissance General Bureau is now the Reconnaissance Information General Bureau. Under the new structure, the RGIB will handle signals, cyber and human intelligence operations as well as satellite surveillance and data analysis. China has claimed the US wrongly seized funds belonging to a Chinese crypto mining company. The U.S. Justice Department announced last month it had seized $15 billion worth of bitcoin from a Cambodian operator of scam compounds. The US claimed the funds were owned by the Prince Group and its CEO Chen Zhi. In a report last week, China's CERT said the funds in fact came from the 2020 hack of Chinese crypto LuBian. Russia will block domestic SIM cards that are being used overseas for 24 hours once they re-enter the country. The rule aims to prevent Ukraine from using Russian mobile networks to communicate with its drones attacking the country. Russia imposed a similar 24-hour cooldown for foreign SIM cards last month. Users can restore connectivity faster by completing a CAPTCHA challenge. The US government has established a new task force to target scam compound operators across Southeast Asia. The Scam Centre Strike Force is part of the Justice Department. It tracks and prosecutes individuals and entities that support the scam ecosystem. Officials say the strike force has already seized more than $400 million tied to crypto scams. Meanwhile, the US Treasury has sanctioned a military group in Myanmar for running scam compounds. Sanctions were levied on the Democratic Karen Benevolent Army and four of its senior leaders. Additional sanctions were also imposed on three companies and a Thai national for helping the military group build the centres. 
French and Italian police have arrested five members of an international car thief network. The suspects allegedly built devices that could decode radio key fobs to unlock cars. The group sold the devices for up to €50,000 each to car thieves in more than 17 countries. A man's been arrested in Vietnam for sending phishing messages across Hanoi using an SMS blaster. He was caught with a device inside a suitcase. The phishing messages impersonated Vietnam's national bank and national post service. The suspect has only been identified as a foreign national. A suspected Chinese APT group has abused the Claude Code AI tool to target corporate environments. The campaign targeted 30 organisations and was successful in a small number of cases. Anthropic says this was the first APT campaign that used AI agents at scientific scale. The unnamed APT used Claude to scan targets, map the attack surface, breach networks, move laterally and collect and exfil data, all with minimal human interaction. And finally, the proportion of memory safety vulnerabilities in Android has fallen below 20% for the first time. Google credited the improvement to its adoption of the Rust programming language. Google says Rust has also cut code review duration by 25% and changes are rolled back four times less often. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Prowler. Find them at prowler.com. Thanks for your company.
Podcast: Risky Bulletin (Risky.biz)
Date: November 14, 2025
Host: Claire Aird
This episode delivers the latest in cybersecurity news, focusing on significant law enforcement operations disrupting major malware networks (Elysium, VenomRAT, and Rhadamanthys), fresh industry incidents, new government initiatives, and key updates from tech giants like Google. Presented in a concise, news-bulletin style by Claire Aird, the podcast covers international cyber operations, regulatory actions, attacks on infrastructure, and the evolving threat landscape.
[00:04-01:30]
“Authorities seized more than 1,000 servers and 20 domains used by the Rhadamanthys infostealer, the VenomRAT and the Elysium botnet.”
— Claire Aird [00:17]
[01:30-02:10]
“Checkout.com says it will donate the requested ransom to universities conducting cybercrime research instead.”
— Claire Aird [01:36]
[02:40-03:40]
“Google says, having considered feedback, it will allow some developers to go unverified, such as students and hobbyists.”
— Claire Aird [03:28]
[07:00-07:20]
“The proportion of memory safety vulnerabilities in Android has fallen below 20% for the first time. Google credited the improvement to its adoption of the Rust programming language.”
— Claire Aird [07:09]
Direct, factual, and succinct, this episode delivers a sweeping rundown of pivotal cybersecurity news, with an emphasis on international threats, advanced law enforcement action, and tech industry responses. It’s an essential update for security professionals, policy watchers, and anyone interested in how geopolitical and technical shifts are shaping today’s cyber risks.