Major International Cybercrime Operation Disrupts Infostealer Malware Networks
In a significant global effort to combat cybercrime, an international law enforcement operation has successfully disrupted the infrastructure of two notorious information-stealing malware strains, known as StealC and Amadey. This operation is part of the ongoing initiative termed Operation Endgame, which aims to tackle ransomware and associated cybercriminal activities on a worldwide scale.
The recent crackdown was spearheaded by Germany’s Federal Criminal Police Office in collaboration with Europol. The European law enforcement agency provided crucial intelligence and technical analysis through its European Cybercrime Centre (EC3), and strategic oversight was maintained by the Joint Cybercrime Action Taskforce (J-CAT). Legal support was also facilitated by Eurojust, ensuring a comprehensive approach to this complex operation.
Prominent industry partners played a vital role in the action against StealC and Amadey, including notable organizations such as BitSight, ESET, IBM X-Force, Lumen, Microsoft, Mitsui Bussan Secure Directions, and Proofpoint. This multi-faceted collaboration has illustrated the importance of a united front in the fight against malware and cyber threats.
The recent efforts come on the heels of another significant law enforcement achievement, where Dutch police dismantled the SocGholish botnet, also as part of Operation Endgame. That botnet had been used heavily by ransomware groups to gain initial access to victims, further emphasizing the need for ongoing vigilance in the realm of cybercrime.
Understanding StealC and Amadey
Operation Endgame successfully seized around 50 domains and disrupted nearly 200 active command-and-control (C2) servers linked to StealC and Amadey. Both malware strains function as infostealers and have been employed extensively by cybercriminals for various malicious purposes.
StealC is primarily engineered to extract sensitive information, including passwords, access data, and digital identities from compromised systems. The stolen information is then leveraged for illicit activities, such as data trading and financial fraud. Amadey, by contrast, acts as a precursor in a larger attack sequence: it is capable of deploying additional malware onto compromised systems, which makes it a delivery channel for further payloads. According to Europol, the two malware families represent a critical component in the overall cybercrime ecosystem.
Research from Microsoft reveals that during the first two weeks of May 2026, Amadey and StealC were responsible for infecting over 140,000 computers globally. This statistic underscores the pervasive nature of the threat posed by these types of malware.
Leveraging AI for Cybercrime Disruption
Microsoft’s Digital Crimes Unit (DCU) played a crucial role in the recent takedown by employing a simultaneous, court-authorized strategy that led to the disruption of more than 200 C2 servers linked to these infostealers. The investigators initially identified over 18,000 victimized computers and initiated efforts to sever the criminal control over these devices, while also collaborating with telecommunications providers to safeguard affected customers globally.
A cutting-edge aspect of this operation was the use of artificial intelligence, including Microsoft’s Copilot, to analyze the malware. Investigators could pose questions about the samples in plain English rather than sifting through complex code by hand, which saved significant time. This AI-assisted method accelerated the investigative process and allowed officials to identify the infrastructure shared between the two malware families, despite their differing developers. That insight in turn supported a combined legal approach, treating both malware families as part of one overarching conspiracy.
Steven Masada, assistant general counsel at Microsoft’s DCU, emphasized the importance of this coordinated disruption, stating that tackling interconnected elements of cybercrime makes it harder for criminals to launch, scale, and recover from attacks. The focus on targeting the cyber-attack supply chain rather than isolated threats represents a paradigm shift in how cybercriminal enterprises are confronted.
Financial Implications and the Future of Cybercrime
In a public statement released by Europol on June 24, the agency reported that the most recent phase of Operation Endgame led to the freezing of €41 million ($46.5 million) in criminal cryptocurrency assets, in addition to recovering 27 million stolen login credentials. The operation also resulted in the dismantling of 326 servers and the seizure of 142 domains, which significantly crippled the distribution networks of these malware strains.
Besides Germany and the Netherlands, the scope of Operation Endgame included numerous other countries, such as Canada, Denmark, the UK, and the US, highlighting the transnational nature of cybercrime and the need for collaborative efforts to counteract it.
Additionally, various other partners contributed to this extensive operation, including the Shadowserver Foundation, Registrar of Last Resort (RoLR), Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, and Spamhaus.
As the persistent threat of cybercrime continues to evolve, international cooperation and innovative strategies like AI-assisted analysis will be crucial in combating malicious actors and protecting individuals, businesses, and public infrastructure alike.