Stolen Passwords: Europol Seizes 27M Credentials in Infostealer Takedown


Europol announced Wednesday the recovery of approximately 27 million stolen login credentials and the seizure of more than €41 million (roughly $47 million) in criminal cryptocurrency as part of the latest phase of Operation Endgame, the two-year multinational campaign to dismantle the malware infrastructure behind the world’s ransomware economy. The operation, conducted over a two-week window beginning June 15, dismantled the criminal systems behind three malware families — Amadey, StealC, and SocGholish — and seized or actioned 326 servers and 142 domains across six countries. If you use saved browser passwords or store login credentials anywhere on your computer, investigators say this operation is directly relevant to you: your credentials may be among those recovered, and checking your exposure now takes about 60 seconds.

What Operation Endgame Is Targeting — And Why It Matters to Ordinary Users

Operation Endgame launched in May 2024 as the largest coordinated law enforcement action ever mounted against botnet infrastructure. Since then it has expanded with each successive phase — neutralizing IcedID, Smokeloader, Pikabot, Bumblebee, and Trickbot in 2024; DanaBot and related malware services in May 2025; Rhadamanthys, VenomRAT, and the Elysium botnet in November 2025; and now Amadey, StealC, and SocGholish in June 2026.

What makes this phase different is not just its scale but its framing. Rather than targeting individual malware families in isolation, Europol and its partners explicitly went after what they called the “assembly line” that allows cyberattacks to scale — the sequential criminal infrastructure that converts an initial device compromise into a stolen credential, and a stolen credential into a ransomware attack. Amadey breaks down the door, StealC cleans out everything inside, and SocGholish supplies fresh victim traffic to keep the pipeline full.

Three Malware Families, One Criminal Supply Chain

Amadey has operated as a paid dropper-loader service since October 2018, distributing primarily through phishing campaigns. Once installed on a victim’s device, it establishes a foothold and delivers secondary malware payloads — including StealC. ESET researchers identified 53 distinct Amadey affiliate clusters and 73 separate StealC clusters, illustrating how decentralized both operations had become.

StealC, which first appeared on Russian-speaking underground forums in January 2023 as a subscription-based malware service, functions as the harvesting layer. It extracts browser passwords and autofill data, stored cookies, cryptocurrency wallet files, Discord and Telegram tokens, Outlook credentials, and session tokens from compromised machines — packaging them into structured archives for resale on criminal marketplaces or direct use in follow-on fraud. By late 2025 its V2 iteration sold for $300 per month, and Proofpoint confirmed 25.6 million unique credentials stolen from over 385,000 compromised systems. According to Microsoft’s Digital Crimes Unit, in just the first two weeks of May 2026, Amadey and StealC together were linked to over 140,000 infected computers worldwide.

SocGholish — also tracked as FakeUpdates — has operated since at least 2017, maintained by a criminal group associated with the Russian cybercriminal organization Evil Corp, the same group previously responsible for the Zeus and Dridex banking trojans. It spreads through a deceptively simple mechanism: a highly obfuscated JavaScript snippet is injected into compromised legitimate websites, most commonly small businesses running WordPress such as restaurants and auto repair shops. The script profiles each visitor’s browser — verifying they are a real person, not a security scanner — and then presents a convincing fake browser-update prompt. Clicking it silently delivers malware. In May 2026, the Shadowserver Foundation documented more than 1.44 million compromised WordPress instances available for SocGholish’s use, spread across 187 countries.

How Investigators Turned the Malware’s Own Vulnerabilities Against It

The technical story behind this takedown is as distinctive as its scale.

Proofpoint and IBM X-Force discovered a directory traversal vulnerability in the StealC command-and-control panel — a class of flaw that CISA and NSA have classified as “unforgivable” software weaknesses since 2007, and that still appears in OWASP’s Top 25 most dangerous vulnerabilities. The flaw resided in how the StealC backend handled filenames submitted by infected victim machines: the panel failed to properly sanitize forward slashes, which allowed researchers to upload a web shell directly to the StealC server itself — turning the attackers’ own infrastructure into an investigative tool. Law enforcement used the exploit during the disruption activity. The StealC developers patched the flaw in February 2026, but researchers noted the panel code contained additional security weaknesses.
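The flaw class described above is a generic one, so it is worth seeing what the defect and its fix look like in code. The following is an added illustration, not StealC's panel code and not the researchers' exploit: a constructed file-storage handler that trusts a client-supplied filename (the vulnerable pattern), a blocklist "fix" that strips `../` and can be bypassed, and an allowlist-plus-containment version. The storage root and the filenames are constructed for the example.

```python
import posixpath
import re

# Constructed storage root for the example; not a path from the article.
STORAGE_ROOT = "/srv/uploads"


def unsafe_store_path(root: str, submitted_name: str) -> str:
    """Vulnerable pattern: the server trusts the client-supplied filename and
    joins it onto the storage root. Unsanitized '/' and '..' segments let the
    submitter choose any directory on the host, which is the flaw class the
    article describes in the StealC panel."""
    return posixpath.normpath(posixpath.join(root, submitted_name))


def blocklist_store_path(root: str, submitted_name: str) -> str:
    """Common but insufficient fix: delete '../' and join. A single replace()
    pass is bypassed by nesting the sequence so that removing one copy
    recreates another ('....//' becomes '../')."""
    cleaned = submitted_name.replace("../", "")
    return posixpath.normpath(posixpath.join(root, cleaned))


# Bare filename only: conservative character set, must not start with a dot.
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def safe_store_path(root: str, submitted_name: str) -> str:
    """Hardened pattern: allowlist the bare filename, then verify containment.

    1. Reject directory separators and NUL bytes outright.
    2. Require the allowlisted shape ('.' and '..' fail it).
    3. After joining, the normalized result must still lie under root
       (defense in depth in case rules 1-2 are ever relaxed)."""
    if any(c in submitted_name for c in ("/", "\\", "\x00")):
        raise ValueError("directory separator or NUL in filename")
    if not _ALLOWED_NAME.fullmatch(submitted_name):
        raise ValueError("filename outside allowlist")
    base = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(base, submitted_name))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes storage root")
    return candidate


def escapes_root(root: str, path: str) -> bool:
    """Report whether a computed path lies outside the intended root."""
    base = posixpath.normpath(root)
    return posixpath.commonpath([base, posixpath.normpath(path)]) != base


def rejects(root: str, submitted_name: str) -> bool:
    """True if the hardened handler refuses the submitted name."""
    try:
        safe_store_path(root, submitted_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    traversal = "../../var/www/html/x.php"          # constructed hostile name
    nested = "....//....//var/www/html/x.php"       # constructed blocklist bypass
    print("unsafe   :", unsafe_store_path(STORAGE_ROOT, traversal))
    print("blocklist:", blocklist_store_path(STORAGE_ROOT, nested))
    print("safe     :", safe_store_path(STORAGE_ROOT, "log-2026-06.txt"))
    print("rejected :", rejects(STORAGE_ROOT, traversal))
```

The point of the third function is that the check is positive (what a filename may look like) rather than negative (which substrings to remove), and that the containment test after normalization catches anything the allowlist might later let through. Review any upload or log-collection endpoint that writes client-named files against those two properties.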

Proofpoint and IBM X-Force also built a StealC bot emulator capable of simulating the normal network activity of an infected machine. The emulator allowed researchers to retrieve and analyze the full range of secondary payloads that StealC operators delivered to victims — ranging from additional infostealers and remote access trojans to loader malware that subsequently downloaded final-stage ransomware. In one documented case, StealC downloaded a secondary loader called XTinyLoader, which then deployed a LockBit Black ransomware payload to the victim.

On Microsoft’s Digital Crimes Unit side, the team deployed AI — including Microsoft Copilot — to compress analysis tasks that would normally have taken days into minutes. That AI-assisted analysis surfaced a finding with direct legal significance: despite being developed by entirely separate criminal groups, Amadey and StealC relied on the same command-and-control infrastructure. Investigators determined that meant both malware families could be treated as part of a single criminal conspiracy under the Racketeer Influenced and Corrupt Organizations Act, enabling a unified court-authorized takedown rather than two separate legal proceedings. The result was the simultaneous disruption of more than 200 C2 servers through a single civil action, with Microsoft filing suit against multiple alleged operators and affiliates in the US District Court for the Southern District of Florida.

Scale of the Combined Disruption

The full scope of the June 2026 action — encompassing both the June 18 SocGholish takedown announced by Dutch police and the June 24 combined StealC and Amadey announcement by Europol — stands as follows:

  • 326 servers and 142 domains seized or actioned
  • Approximately 27 million stolen login credentials recovered (Proofpoint and IBM X-Force separately confirmed 25.6 million unique credentials from over 385,000 compromised systems in the StealC and Amadey component alone)
  • €41 million (~$47 million) in cryptocurrency assets identified, flagged, and frozen
  • 14,971 compromised websites cleaned and owners notified
  • 18,000 victim computers identified and secured by Microsoft’s Digital Crimes Unit
  • Royal Canadian Mounted Police deployed a disruption technique that mass-disinfected 2,488 computers worldwide

Recovered credentials from the SocGholish disruption have been added to Have I Been Pwned, allowing users to check whether their accounts appear in the recovered data. The status of the StealC and Amadey credential sets regarding Have I Been Pwned ingestion had not been confirmed at publication time.

Experts Warn That Disruption Is Not Elimination

Security researchers and the law enforcement participants themselves are careful to temper the scale of the disruption. Proofpoint assessed that the action will likely cause significant disruption to operations — service interruptions, reputational damage among criminal customers, and financial losses — but warned that past Operation Endgame targets have attempted to rebuild infrastructure after each disruption wave.

Alex Cosoi, Chief Security Strategist at Bitdefender, said the takedown is “a powerful demonstration of what public and private sector collaboration can achieve in dismantling the infrastructure that enables cybercrime at scale.” Dr. Renée Burton, vice president of threat intelligence at Infoblox, was pointed about the practical threat level before the disruption: “SocGholish is not a niche threat. Their activities reach deep into public sector and commercial environments, paving the way for other cybercriminals to gain access to networks.”

Phil Wylie, Senior Consultant at security firm Suzu, framed the durability problem directly: “dismantling one infrastructure doesn’t end the threat. Threat actors adapt fast, and defenders must be faster.”

What an Infostealer Infection Actually Requires to Fix

Law enforcement and security researchers recommend the following for anyone who may have been exposed. Steps 1 and 5 together constitute complete remediation — step 1 alone is not sufficient.

  1. Check Have I Been Pwned at haveibeenpwned.com to see whether your email addresses appear in the recovered dataset.
  2. Change passwords on all accounts accessed from any potentially compromised device, prioritizing email, banking, and any account with saved payment data.
  3. Enable two-factor authentication (2FA) wherever it is available.
  4. Run a full antivirus scan with a reputable, up-to-date security tool.
  5. Invalidate all active sessions on accounts used from the affected device — not just reset the password. This step is critical and routinely overlooked: infostealer malware steals active session cookies alongside passwords. An attacker holding those cookies can remain authenticated even after a password change, because the session token does not expire when the password does. Session invalidation — signing out of all active sessions from the account’s security settings — is what closes that window.
  6. Be cautious of browser update prompts on websites. Legitimate browser updates arrive through the browser’s own mechanism, not through website pop-ups. Any website presenting a download button styled as a browser update should be treated as malicious.

Frequently Asked Questions

How do I check if my password was stolen in Operation Endgame?

Visit Have I Been Pwned and search your email address. Credentials from the SocGholish component of Operation Endgame have already been added to the database. The StealC and Amadey credential batches had not been confirmed as added to Have I Been Pwned at publication time. The Dutch National Police also maintain a dedicated check at politie.nl/checkjehack for affected Dutch residents.

What is infostealer malware and what does it steal?

Infostealer malware is software that silently extracts sensitive data from an infected device and transmits it to criminal infrastructure. It targets saved browser passwords and autofill data, session cookies that keep users logged in to websites, cryptocurrency wallet files, email and messaging app credentials, and credit card numbers stored in browsers. Because infostealers harvest active session cookies alongside passwords, changing your password after an infection is necessary but not sufficient — you also need to invalidate all active sessions on affected accounts, or an attacker holding a valid session cookie can remain logged in regardless of the password change.
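Remediation step 5 above and this FAQ answer make the same point: a password reset does not touch sessions that are already issued. The following added example (constructed for this article, not code from any of the named vendors or services) shows why on the server side. Each account carries a session epoch; every session records the epoch at issue time; a request is accepted only while the two match. A bare password change leaves the epoch alone, so a copied cookie keeps working; "sign out everywhere" bumps the epoch and rejects every outstanding token at once. The user names, passwords and PBKDF2 round count are constructed values.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # constructed value for the example; tune for production hardware


class AuthService:
    """Minimal account and session store (constructed for illustration).

    users:    username -> {"salt", "hash", "epoch"}
    sessions: token    -> {"user", "epoch"}
    """

    def __init__(self):
        self.users = {}
        self.sessions = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "epoch": 0}

    def login(self, username: str, password: str):
        """Return a session token on success, None otherwise."""
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # The session snapshots the account's epoch at issue time.
        self.sessions[token] = {"user": username, "epoch": u["epoch"]}
        return token

    def check(self, token: str):
        """Return the username if the token is still valid, None otherwise."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if s["epoch"] != self.users[s["user"]]["epoch"]:
            del self.sessions[token]  # stale epoch: revoked, drop it
            return None
        return s["user"]

    def change_password(self, username: str, new_password: str, revoke_sessions: bool) -> None:
        """revoke_sessions=False models a bare reset; True models reset plus sign-out-everywhere."""
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["hash"] = self._hash(new_password, u["salt"])
        if revoke_sessions:
            self.sign_out_everywhere(username)

    def sign_out_everywhere(self, username: str) -> None:
        """Invalidate every issued session for the account in one step."""
        self.users[username]["epoch"] += 1


def stolen_cookie_outcomes():
    """Replay a copied session token after (a) a bare password change and
    (b) a password change plus session revocation.
    Returns (still_valid_after_a, still_valid_after_b)."""
    svc = AuthService()
    svc.register("victim", "old-password")
    stolen = svc.login("victim", "old-password")  # the cookie an infostealer would copy

    svc.change_password("victim", "new-password", revoke_sessions=False)
    still_valid_after_a = svc.check(stolen) == "victim"

    svc.change_password("victim", "newer-password", revoke_sessions=True)
    still_valid_after_b = svc.check(stolen) == "victim"
    return still_valid_after_a, still_valid_after_b


if __name__ == "__main__":
    print("valid after bare reset, valid after reset+revoke:", stolen_cookie_outcomes())
```

For an end user the equivalent action is the "sign out of all devices" control in the account's security settings; for a service owner, tying the epoch bump to every password change and 2FA enrolment makes the safe behaviour the default rather than an extra step.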

Why did Microsoft sue over Amadey and StealC malware?

Microsoft’s Digital Crimes Unit filed a civil lawsuit under the Racketeer Influenced and Corrupt Organizations Act in US federal court against multiple alleged operators and affiliates of the Amadey and StealC malware-as-a-service platforms. Civil litigation allows Microsoft to obtain court orders enabling domain seizures, registrar notifications, and infrastructure takedowns that criminal proceedings alone may not accomplish as quickly. AI-assisted analysis using Microsoft Copilot revealed that Amadey and StealC, although developed by separate criminal groups, shared the same command-and-control infrastructure — a finding that legally supported treating both families as a single conspiracy and enabled a simultaneous, unified takedown of more than 200 servers.

Is Operation Endgame finished?

No. Europol and law enforcement partners from six countries have explicitly framed Operation Endgame as an ongoing campaign. The June 2026 actions follow prior phases in May 2024, May 2025, and November 2025, each targeting different malware families feeding the same ransomware economy. Dutch authorities stated publicly that the June 18 SocGholish action “marks the beginning of further action” against that specific threat. Security researchers note that past Operation Endgame targets have attempted to rebuild infrastructure after each disruption, and that the MaaS model is structurally resilient.
