The Open Vault: How a Flaw in the Rhadamanthys Control Panel Saved 70,000 Victims
A vulnerability in the control panel of the Rhadamanthys infostealer unexpectedly provided a rare opportunity to safeguard victims, though it stopped short of a definitive victory over the operators. The story, presented at the SANS CTI Summit 2026, illustrates a subtle dimension of the fight against cybercrime: even significant breakthroughs often run into the jurisdictional limits of private companies, which cannot shut down a criminal enterprise on their own.
Rhadamanthys appeared on the infostealer market in the summer of 2022 and quickly established itself as a capable tool for exfiltrating credentials, browser data, cryptocurrency wallets, and other sensitive artifacts. The stolen logs then become commodities on underground marketplaces, where compromised accounts are traded to enable further intrusions.
The researchers described a critical flaw in earlier versions of the Rhadamanthys web panels. Although operators had to authenticate to reach the interface, certain API endpoints answered requests without any authentication check. This oversight allowed unauthorized observers to read infection statistics and pull data directly from the command-and-control server.
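As an added illustration (not code from the article, and not the malware's own panel code), here is a toy Python model of the bug class just described: each HTML route is wrapped in a login check by hand while the JSON API route that feeds the dashboard is forgotten, next to a deny-by-default dispatcher that closes the gap. Every route name, handler and data record here is invented.

```python
"""Hypothetical web-panel model of opt-in versus deny-by-default auth."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None means no valid login session


# Constructed sample records standing in for what a panel would serve.
INFECTION_LOGS = [{"id": 1, "host": "ws-01"}, {"id": 2, "host": "ws-02"}]


def login_page(req):
    return 200, "<form>login</form>"


def dashboard(req):
    return 200, "<h1>%d infections</h1>" % len(INFECTION_LOGS)


def api_logs(req):
    return 200, INFECTION_LOGS


def require_login(handler):
    """Wrap a handler so requests without an authenticated session get 401."""
    def wrapped(req):
        if req.session_user is None:
            return 401, {"error": "login required"}
        return handler(req)
    return wrapped


# Opt-in model: every handler must remember to wrap itself. The HTML
# dashboard is protected, but the API behind it is not.
OPT_IN_ROUTES = {
    "/login": login_page,
    "/dashboard": require_login(dashboard),
    "/api/logs": api_logs,  # missing require_login: data readable by anyone
}

# Deny-by-default model: the dispatcher enforces the check on every route
# that is not on an explicit public allowlist, so a forgotten wrapper
# cannot silently expose an endpoint.
PUBLIC_PATHS = {"/login"}
SECURE_ROUTES = {"/login": login_page, "/dashboard": dashboard, "/api/logs": api_logs}


def dispatch(routes, req, deny_by_default=False):
    handler = routes.get(req.path)
    if handler is None:
        return 404, {"error": "not found"}
    if deny_by_default and req.path not in PUBLIC_PATHS:
        handler = require_login(handler)
    return handler(req)


def status(routes, path, user=None, deny_by_default=False):
    """Return only the HTTP status for a request, for quick checks."""
    return dispatch(routes, Request(path, user), deny_by_default)[0]
```

The practical check this suggests for any admin panel is to exercise every route, API included, with no session at all and confirm each one returns 401 or 403 unless it is deliberately public.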
A collective of specialists and trusted partners chose to utilize this access not to disrupt the hostile infrastructure, but to mitigate the fallout. From November 2022 through early January 2023, the group harvested recently purloined credentials surfacing on vulnerable panels and disseminated this intelligence through established victim-notification and incident-response channels. At its zenith, this endeavor encompassed 303 command-and-control servers and over 70,000 infection logs.
Ultimately, the operation did not precipitate a collapse of Rhadamanthys’ activities. The malware persisted, and once the operators remediated the flaw and migrated to updated versions, the window of access vanished. As the lead researcher noted, while the private sector can seize such moments to attenuate the damage, it lacks the legal mandate to unilaterally alter foreign systems or dismantle infrastructure.
The Rhadamanthys case serves as a poignant illustration of the constraints faced by private firms in the absence of law enforcement collaboration. For a long-term impact, coordination is essential with entities capable of operating within legal frameworks, notifying victims on an industrial scale, and preserving forensic evidence. In the shadow of high-profile international maneuvers such as Operations Endgame and Cronos, Rhadamanthys reveals a different reality: meaningful achievements in cybersecurity often manifest not as the spectacular dismantling of a network, but as the precise and meticulous reduction of harm.