Global operation disrupts cybercrime assembly line, seizes 326 servers and 27 million stolen credentials

International law enforcement authorities, working with private technology companies, have disrupted a cybercrime “assembly line” that enabled criminals to steal millions of login credentials and collect more than US$47 million through ransomware and fraud.

The operation, part of the ongoing Operation Endgame, targeted two widely used malware-as-a-service platforms, Amadey and StealC. The coordinated takedown was conducted between June 15 and 19 and involved authorities from Belgium, Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States.

Key outcomes include the seizure of 326 servers and 142 domains linked to malware distribution, recovery of 27 million stolen login credentials, restriction of more than US$47 million in cryptocurrency assets tied to criminal activity, and disruption of 15,000 infected WordPress sites used to spread SocGholish malware.

Amadey, a malware loader operational since at least October 2018, is sold as a service for approximately US$600 per license plus US$50 per rebuild. It executes commands, downloads payloads, steals credentials, and deploys secondary malware such as Lumma Stealer, Vidar Stealer, and RedLine Stealer. It peaked in activity in 2025 with 11,635 samples distributed, up from just 66 samples in 2019.

StealC, active since January 2023, is an infostealer-as-a-service platform that harvests credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files matching customer-defined patterns.

Although Amadey and StealC operate independently, Microsoft’s analysis using artificial intelligence revealed that the two tools shared underlying infrastructure. This insight enabled Microsoft attorneys to seek a legal order to disrupt both simultaneously.

Private cybersecurity firms partnering in the operation included Bitdefender, Bitsight, ESET, and Microsoft. The takedown builds on earlier Operation Endgame actions, including the February 2024 disruption of the LockBit ransomware group, which Europol described at the time as a “significant breakthrough in the fight against cybercrime.”

Sources: One-two punch delivered in global operation disrupts cybercrime “assembly line” (Ars Technica, June 24, 2026); Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks (HackRead, June 24, 2026)
