In brief
- A global law enforcement operation froze more than €41 million ($47 million) in criminal crypto as part of Operation Endgame, Europol said Wednesday.
- The strike dismantled the infrastructure behind three malware families (SocGholish, Amadey, and StealC) that steal passwords and crypto wallet data to fuel fraud and ransomware.
- Police took down 326 servers and 142 domains and recovered some 27 million stolen credentials from more than 385,000 infected systems.
A global crackdown on "cybercrime-as-a-service" malware that quietly drains crypto wallets has frozen tens of millions of dollars in stolen funds.
Law enforcement identified, flagged, and froze more than €41 million (about $47 million) in criminal crypto assets in the latest phase of Operation Endgame, Europol said on Wednesday. The two-week, multi-country strike dismantled the infrastructure behind three malware families: SocGholish, Amadey, and StealC.
All three target crypto users. StealC, an infostealer sold as a service since 2023, scrapes passwords, browser cookies, and crypto wallet data from infected machines. Its control panel even included a plugin that tried to decrypt the seed phrases of victims' MetaMask wallets, researchers at Proofpoint found.
Amadey gains the initial foothold and drops further malware, while SocGholish, linked to the Russian group Evil Corp, infects people through fake browser-update prompts on hacked websites. Together they form the front end of attacks that end in drained wallets, account takeovers, and ransomware.
Police took down 326 servers and 142 domains, recovered almost 27 million stolen credentials from more than 385,000 compromised systems, and cleaned nearly 15,000 infected websites, many of them small businesses. Microsoft, a partner in the operation, tied Amadey and StealC to over 140,000 infected computers worldwide in the first two weeks of May alone.
What are infostealers?
Infostealers have become a primary route to stolen crypto, quietly lifting wallet files, private keys, and seed phrases from victims' devices. They reach crypto users through a variety of lures, including fake AI tools, Steam wallpapers, and pirated game mods.
The scale of exposure is vast. An earlier Operation Endgame action late last year uncovered login data for more than 100,000 crypto wallets, stolen from victims but not yet emptied.
Microsoft's Digital Crimes Unit separately filed a U.S. racketeering lawsuit that, for the first time, treated two malware families as a single criminal conspiracy. Using AI tools including Copilot to analyze the malware, investigators found that Amadey and StealC, though built by different criminals, ran on shared infrastructure, letting Microsoft charge enablers across both operations under the RICO Act and disrupt more than 200 command-and-control servers. It has since identified over 18,000 victim computers and begun severing the attackers' control.
.@Microsoft Digital Crimes Unit has taken down five operations in nine months that were enabling Cybercrime as a Service (CaaS).
Cybercrime runs on coordination. Disrupting it takes the same approach, working with partners to break up the systems that make these attacks…
— Microsoft On the Issues (@MSFTIssues) June 24, 2026
Such takedowns rarely kill malware outright, and operators tend to regroup, with StealC shipping a fresh build as recently as this month. For now, Europol and its partners are routing victim alerts through services like Have I Been Pwned, so users can check whether their credentials, and the keys to their wallets, are already in criminal hands.