Even malware operators ship bugs, and experienced analysts sometimes find them first.

A vulnerability in the Rhadamanthys infostealer's control panel unexpectedly opened a rare window of opportunity to protect victims, though it did not lead to a resounding victory over the attackers. The story, revealed at the SANS CTI Summit 2026, highlights a less visible side of the fight against cybercrime: even a valuable discovery often runs up against the limits of what private companies are allowed to do, which rules out a quick shutdown of the entire operation.
Rhadamanthys emerged on the infostealer market in the summer of 2022 and quickly became a popular tool for stealing logins, passwords, browser data, crypto wallets, and other sensitive files. These infection logs then become a commodity on underground marketplaces, where the stolen accounts are resold for further attacks.
The report's authors described a weakness in early versions of Rhadamanthys' web panels. The operator interface required a login and password, but some API requests were served without any authentication check. That gap let the researchers view infection details and download data directly from the command-and-control server.
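The bug class described above (a login check on the HTML pages, none on the JSON endpoint the pages call) is easy to reproduce in miniature. The following Python snippet is an added illustration, not code from the report or from any real panel; the route names, session token and log records are invented. It contrasts per-handler authentication, where one handler is forgotten, with a dispatcher that denies by default, and includes a small audit helper that lists which routes answer an unauthenticated request.

```python
"""Toy web-panel dispatcher showing an unauthenticated API route beside the fix.

Everything here is hypothetical: route paths, the session token and the log
records are constructed for the example and do not come from any real panel.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for a panel's stored infection logs.
SAMPLE_LOGS = [
    {"id": 1, "host": "victim-pc", "creds": 12},
    {"id": 2, "host": "laptop-7", "creds": 4},
]


@dataclass
class Request:
    path: str
    session: Optional[str] = None  # session token from a cookie, if any


@dataclass
class Response:
    status: int
    body: object = None


class VulnerablePanel:
    """Each handler does its own auth check; the API handler forgets it."""

    def __init__(self, valid_sessions):
        self.valid_sessions = set(valid_sessions)
        self.routes: Dict[str, Callable[[Request], Response]] = {
            "/login": self.login,
            "/dashboard": self.dashboard,
            "/api/logs": self.api_logs,
        }

    def _authed(self, req: Request) -> bool:
        return req.session in self.valid_sessions

    def login(self, req: Request) -> Response:
        return Response(200, "login form")

    def dashboard(self, req: Request) -> Response:
        if not self._authed(req):
            return Response(302, "/login")  # redirect to the login page
        return Response(200, "dashboard")

    def api_logs(self, req: Request) -> Response:
        # BUG: no session check, so the JSON the dashboard fetches is public.
        return Response(200, SAMPLE_LOGS)

    def handle(self, req: Request) -> Response:
        handler = self.routes.get(req.path)
        return handler(req) if handler else Response(404)


class HardenedPanel(VulnerablePanel):
    """Same handlers, but auth is enforced once in the dispatcher."""

    PUBLIC = {"/login"}  # explicit allow-list; everything else needs a session

    def handle(self, req: Request) -> Response:
        if req.path not in self.PUBLIC and not self._authed(req):
            return Response(401, "unauthorized")
        return super().handle(req)


def probe(panel_cls):
    """Status codes for: unauth /dashboard, unauth /api/logs, authed /api/logs."""
    panel = panel_cls(valid_sessions={"s3cret"})
    return (
        panel.handle(Request("/dashboard")).status,
        panel.handle(Request("/api/logs")).status,
        panel.handle(Request("/api/logs", session="s3cret")).status,
    )


def unauthenticated_routes(panel) -> List[str]:
    """Audit helper: every registered route that returns 200 with no session."""
    return sorted(
        path for path in panel.routes
        if panel.handle(Request(path)).status == 200
    )


if __name__ == "__main__":
    print("vulnerable:", probe(VulnerablePanel))  # (302, 200, 200)
    print("hardened:  ", probe(HardenedPanel))    # (401, 401, 200)
    print("open routes, vulnerable:", unauthenticated_routes(VulnerablePanel({})))
    print("open routes, hardened:  ", unauthenticated_routes(HardenedPanel({})))
```

The point of `unauthenticated_routes` is that a per-route check is only as good as the least careful handler; walking every registered route with no session and flagging anything that answers 200 is the check a panel maintainer (or an auditor of any web application) would run after each change.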
A team of specialists and trusted partners decided to use the access not to interfere with other people's infrastructure, but to mitigate damage. From November 2022 to early January 2023, the group collected recently compromised credentials that appeared on vulnerable dashboards and then transmitted the information through existing victim notification and response channels. At its peak, the monitoring dataset encompassed 303 command-and-control servers and over 70,000 infection logs.
The operation did not disrupt Rhadamanthys' operations. The malware kept running, and once the bug was fixed and operators upgraded to newer versions, access to the data was lost. According to the study's author, in such a situation the private sector can use the opportunity to mitigate the consequences but has no right to independently alter other people's systems or disable their infrastructure.
The Rhadamanthys story exemplifies the limitations of private companies without the involvement of law enforcement. For a lasting impact, coordination with those who can act within the legal framework, notify victims on a large scale, and preserve evidence is essential.
Compared to joint international operations like Endgame and Cronos, the Rhadamanthys case highlights a different reality: significant cybersecurity gains often look less like a high-profile shutdown of a malicious network than like targeted, careful damage mitigation.