Global operation disrupts cybercrime tools Amadey and StealC used in ransomware and credential theft
Operation Endgame seizes command-and-control servers, recovers millions of stolen credentials, and targets the malware-as-a-service platform Amadey and the infostealer-as-a-service platform StealC.
- Operation Endgame disrupted two widely used cybercrime tools, Amadey and StealC, in a coordinated global operation.
- Microsoft and law enforcement agencies disrupted over 200 command-and-control servers and reclaimed control of more than 18,000 infected computers.
- Europol reported recovering 27 million stolen login credentials and $47 million in crypto assets linked to criminal activity.
- The operation also targeted SocGholish, a malware loader associated with the Russian cybercrime group Evil Corp.
Authorities and private technology companies say they have disrupted a cybercrime “assembly line” that enabled criminals to collect millions of login credentials and steal more than $47 million through ransomware and other fraudulent means. The operation, named Operation Endgame, targeted two widely used tools: Amadey, a malware-as-a-service platform for compromising devices and delivering malicious payloads, and StealC, an infostealer-as-a-service platform that collects credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files matching customer-defined patterns.
Microsoft said it identified overlapping infrastructure between Amadey and StealC using AI analysis, which allowed its legal team to pursue a single court order under RICO statutes to treat both tools as part of a coordinated conspiracy. As a result, Microsoft disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers.
Europol, which coordinated the law-enforcement component of the operation, reported recovering as many as 27 million stolen login credentials and uncovering $47 million in crypto assets of criminal origin. Europol said 326 servers and 142 domains were actioned by law enforcement and private-sector partners, severely crippling the malware’s distribution network.
The operation also targeted SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp. Europol said it cleaned infected WordPress sites, urged administrators to change credentials and tighten security, and notified affected parties whose data and credentials were exposed through SocGholish activities.
Countries involved in the enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US. Private-sector partners assisting in Operation Endgame include ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions.