Servers Behind Rhadamanthys Stealer May Have Been Seized, Admin Calls for Reinstalls
Several threat intelligence trackers, including analysts known as Gi7w0rm and g0njxa, suggest that Rhadamanthys’ infrastructure could have been seized as part of a coordinated international law enforcement operation.
The administrators of the underground platform allegedly urged users to “pause all work” and reinstall their servers, signaling widespread backend instability and possible compromise.
Users have also reported being unable to access control panels and payment gateways linked to the stealer’s infrastructure. These symptoms (sudden downtime, administrative warnings, and an inability to log in) are consistent with past takedowns of cybercriminal ecosystems.
The Rhadamanthys Stealer, a modular Malware-as-a-Service (MaaS) platform, relied on a hybrid infrastructure combining Tor-based onion panels and bulletproof VPS servers for command-and-control (C2) operations.
Its administrators maintained several redundant nodes to manage datasets exfiltrated from infected endpoints, including credentials, browser autofill data, and cryptocurrency wallets.
As of November 12, monitoring sources confirm that the main onion domains associated with Rhadamanthys are inaccessible.
Attempts to reach these domains via standard Tor checkers result in connection failures, suggesting either domain seizure banners or voluntary withdrawal by server operators.
Indicators point to a possible seizure by law enforcement, though no official statements have been released as of this writing.
Previous law enforcement operations, such as those targeting Raccoon Stealer and Vidar, showed similar characteristics: domains going dark, administrators issuing cautionary updates, and community discussions around data exposure risks for both operators and affiliates.
The same pattern seems to be emerging here, reinforcing speculation about a coordinated takedown.
Rhadamanthys has been one of the most active credential-stealing families in 2024–2025, widely distributed through phishing and malvertising campaigns.
Its infrastructure supported a thriving underground affiliate program, allowing threat actors to purchase and manage infected hosts globally.
The potential seizure of its infrastructure could mark a significant blow to the infostealer market. Disruptions of this scale typically cause ripple effects across other stealer operators that rely on shared bulletproof hosting or overlapping data-handling infrastructure.
However, given the resilience and decentralization often seen in MaaS operations, partial recovery or rebranding under a new name remains possible in the coming weeks.
This is a developing story; details will be updated as law enforcement or credible intelligence sources release verified statements.
The post Servers Behind Rhadamanthys Stealer May Have Been Seized, Admin Calls for Reinstalls appeared first on Cyber Security News.