Europol and international partners have carried out a major disruption of global cybercriminal infrastructure under Operation Endgame, a large-scale initiative launched in 2024 to dismantle the systems enabling ransomware and malware at industrial scale.
Rather than targeting individual hackers, Operation Endgame focuses on the “assembly line” of cybercrime – servers, domains, malware loaders, and service ecosystems that allow attacks to be replicated and sold.
In the latest two-week action, authorities targeted several malware families, in coordinated operations involving law enforcement from Canada, Denmark, France, Germany, Belgium, the Netherlands, the United Kingdom, the United States, and Australia, with judicial support from Eurojust.
Private partners included Microsoft, Shadowserver Foundation, Proofpoint, IBM X-Force, Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned (HIBP), Spamhaus, and the Registrar of Last Resort (RoLR).
According to Europol, the operation disrupted 326 servers and 142 domains, identified and restricted over €41 million ($47 million) in illicit crypto assets, and recovered roughly 27 million stolen credentials.
A major focus was SocGholish, a malware loader linked to fake browser updates via compromised websites. In total, 14,971 infected websites were cleaned or taken offline, many belonging to everyday businesses.
Amadey and StealC, widely used for initial access and data theft, were also disrupted. Microsoft estimates they were linked to over 140,000 infected systems in early May 2026.
Europol’s EC3 coordinated intelligence sharing, financial tracing, and cross-border operations via SIENA, while J-CAT aligned investigations across countries.
Officials said the shift marks a move toward dismantling the infrastructure of cybercrime-as-a-service, increasing friction across the entire attack chain rather than chasing individual actors.
Click Here For The Original Source.
