Europol Operation Disrupts StealC and Amadey Infostealers

€41m ($46.5m) in crypto assets of criminal origin has been identified and frozen as part of a coordinated, multinational disruption that severed core infrastructure used by two prolific information-stealer malware families, Europol said on June 24.

Europol, Germany’s Federal Criminal Police Office, J‑CAT and Eurojust coordinated the takedown

An international law‑enforcement action under the banner of Operation Endgame targeted the infrastructure behind the StealC and Amadey infostealers. Europol provided intelligence and technical analysis support via its European Cybercrime Centre (EC3) and strategic oversight through the Joint Cybercrime Action Taskforce (J‑CAT). Germany’s Federal Criminal Police Office was specifically involved, with additional legal support supplied by Eurojust. Europol said the main goal was “to disrupt the ‘assembly lines’ cybercriminals use to launch ransomware, financial fraud and attacks on critical infrastructure.”

Amadey and StealC: roles, scale and technical function

Both StealC and Amadey are information stealers with dropper functionality, widely used by cybercriminals. Europol and the reporting partners describe StealC as primarily designed to extract passwords, stored access data and digital identities from compromised machines for later trade and fraud. Amadey had similar data‑exfiltration capabilities but “primarily served as the first link in a larger attack chain,” with the ability to deploy additional malware into infected systems. Microsoft reported that in the first two weeks of May 2026, Amadey and StealC were linked to over 140,000 infected computers worldwide.

Microsoft’s AI‑enabled analysis, legal strategy, and action

Microsoft’s Digital Crimes Unit (DCU) said it executed a simultaneous, court‑authorized disruption and used AI, including Copilot, to analyze the malware. According to Microsoft’s blog, investigators “asked questions in plain English,” letting AI “surface key details, uncover hidden data, and test findings in a fraction of the time.” The company said that AI turned tasks that normally took hours or days into minutes and revealed that although Amadey and StealC were developed by separate cybercriminals, both relied on the same infrastructure. Those insights “allowed the legal team to treat both malware families as part of a single conspiracy.”

Microsoft also described an expanded legal approach: combining AI analysis with “an expanded use” of the US Racketeer Influenced and Corrupt Organizations Act (RICO) to “charge multiple complicit enablers involved across the operation” under one conspiracy. Steven Masada, assistant general counsel at Microsoft’s DCU, argued that when multiple parts of an operation are disrupted together, “attacks are harder to launch, scale and recover from,” and defenders “need to interrupt how the attacks are put together.”

Operational results: servers, domains, credentials and frozen funds

Different partners reported overlapping but complementary results. Operation Endgame actions involved the seizure and disruption of infrastructure: one tally in the reporting put the figure at around 50 domains and nearly 200 active IP‑based command‑and‑control (C2) servers associated with Amadey and StealC. Microsoft stated it disrupted more than 200 C2 servers and identified over 18,000 victim computers, severing criminal control of those devices and working with telecommunications providers to help protect affected customers globally.

Europol summarized the wider impact across the operation as 326 servers taken down and 142 domains seized, the recovery of 27 million stolen login credentials and €41m ($46.5m) of criminal crypto assets identified and frozen. Europol said officers and private‑sector partners “severely crippl[ed] the malware’s distribution network.” The announcement also noted that the SocGholish botnet takedown by Dutch police — disclosed a few days earlier — formed part of the same Operation Endgame effort.

Industry partners: technical contributions and tools

The operation drew on a broad group of private partners. Microsoft, BitSight, ESET, IBM X‑Force, Lumen, Mitsui Bussan Secure Directions and Proofpoint were named among contributors. ESET, BitSight and Mitsui Bussan Secure Directions reported providing technical analyses, statistical data, known C2 servers, encryption keys, campaign and build identifiers and other threat intelligence. Proofpoint and IBM X‑Force threat researchers developed a StealC emulator to identify and track operations, infrastructure and payloads. Additional partners in the wider effort include the Shadowserver Foundation, Registrar of Last Resort (RoLR), Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned and Spamhaus.

What this means for law enforcement, tech teams, and affected customers

  • Law enforcement and prosecutors: Coordinated cross‑border actions combining court authorization, forensic intelligence and legal frameworks such as RICO were central to treating multiple malware families and enablers as a single conspiracy, allowing simultaneous disruption of shared infrastructure.
  • Tech vendors and security teams: The effort shows an operational role for AI in accelerating malware analysis and for collaborative tooling — such as emulators and shared indicators — to map and disrupt infrastructure quickly.
  • Telecommunications providers and affected customers: Microsoft’s team worked with telecom operators after identifying more than 18,000 victim computers, a reminder that remediation can require private‑sector assistance to protect end users at scale.

Operation Endgame’s latest chapter presents a concrete example of law enforcement and industry blending technical, legal and AI‑driven approaches to dismantle the plumbing that cybercriminals reuse. Europol describes the effort as disrupting the “assembly lines” of cybercrime — but the record published on June 24 leaves a clear, practical question: how rapidly and at what cost will adversaries rebuild new infrastructure once these domains, servers and frozen funds are removed? The answer will shape whether this disruption is a long‑term setback or a temporary impediment.
