Microsoft and Europol Disrupt Amadey and StealC Infrastructure in Operation Endgame Phase

Operation Endgame's latest phase takes out Amadey and StealC's shared infrastructure, with Europol and Microsoft reporting 326 servers actioned, 142 domains seized, and roughly 27 million stolen credentials recovered.


Key Takeaways

  • On June 24, 2026, Europol announced that Operation Endgame had disrupted the shared infrastructure behind the Amadey loader and the StealC infostealer, with law enforcement and private-sector partners actioning 326 servers and seizing 142 domains used to run and resupply both operations.
  • Investigators said they recovered approximately 27 million credentials stolen from more than 385,000 compromised systems and identified over EUR 41 million (about USD 47 million) in cryptocurrency linked to the criminal activity; Europol data tied Amadey and StealC to more than 140,000 infected computers worldwide in the first two weeks of May 2026 alone.
  • The action was coordinated by Europol and Eurojust with agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, and supported by industry partners including Microsoft, ESET, Proofpoint, IBM X-Force, and Bitsight; it follows the June 18 Operation Endgame strike against SocGholish and continues a multi-year campaign against the cybercrime supply chain.

Operation Endgame's latest phase takes out Amadey and StealC's shared infrastructure.

THE HAGUE — Europol on June 24, 2026 announced that the latest phase of Operation Endgame had disrupted the shared infrastructure behind two of the most widely used commodity malware tools in the cybercrime ecosystem: the Amadey loader and the StealC infostealer. Working with Microsoft and a roster of industry partners, law enforcement actioned 326 servers and seized 142 domains that had been used to operate, control, and resupply both malware families, in a coordinated takedown aimed at the early links of the attack chain rather than at a single ransomware crew.

The operation is law-enforcement-led and framed as a disruption rather than a set of arrests. Europol said investigators recovered roughly 27 million credentials stolen from more than 385,000 compromised systems and identified over EUR 41 million (about USD 47 million) in cryptocurrency tied to the activity. It is also the second Operation Endgame action in a week, following the June 18 strike against the SocGholish loader, and the latest move in a campaign that has steadily worked its way through the infrastructure that underpins modern intrusions.

At a Glance

Operation: Operation Endgame (Amadey / StealC phase)
Targets: Amadey loader and StealC infostealer shared infrastructure
Infrastructure actioned: 326 servers, 142 domains
Credentials recovered: ~27 million, from 385,000+ systems
Crypto identified: Over EUR 41 million (~USD 47 million)
Coordinated by: Europol and Eurojust
Vendor partners: Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, others
Status: Infrastructure disruption announced June 24, 2026

What Was Announced

Europol described the action as a fresh phase of Operation Endgame, the international effort it has used since 2024 to dismantle the services and infrastructure that sit beneath ransomware and large-scale intrusions. This time the targets were Amadey and StealC, two commodity tools that are sold and rented through underground markets and that frequently operate together: Amadey functions as a loader and access broker that establishes a foothold on a victim machine, while StealC harvests passwords, session tokens, and other sensitive data once that foothold exists.

According to Europol, law enforcement and private-sector partners actioned 326 servers and seized 142 domains that had been used to run the two malware families, cutting off the command-and-control and distribution channels that operators relied on. Investigators said they recovered approximately 27 million credentials stolen from more than 385,000 compromised systems and identified over EUR 41 million — roughly USD 47 million — in cryptocurrency connected to the operation. Europol added that, in the first two weeks of May 2026 alone, telemetry tied Amadey and StealC to more than 140,000 infected computers worldwide.

The action was coordinated by Europol's European Cybercrime Centre and Eurojust, with participation from law enforcement agencies in Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Germany's Federal Criminal Police Office (the Bundeskriminalamt) played a central role. A wide group of industry partners supported the technical side, among them Microsoft, ESET, Proofpoint, IBM X-Force, and Bitsight. Microsoft's Digital Crimes Unit and others contributed analysis and infrastructure intelligence, and the company framed the result as a court-backed takedown of two cybercrime tools at once rather than a strike against a single actor.

The 27 Million Recovered Credentials in Context

The headline figure — roughly 27 million credentials recovered from more than 385,000 compromised systems — is the kind of number that is easy to read past, so it is worth being precise about what it represents. These are login credentials that Amadey and StealC harvested from infected machines and staged on the now-disrupted infrastructure: usernames and passwords, and in many cases the saved browser logins, authentication cookies, and session tokens that infostealers are specifically built to collect. Recovering them means investigators and their partners now hold the data that was destined for resale on stealer-log marketplaces, where it would have fuelled account takeover, business email compromise, and the initial access that ransomware crews buy.

Infostealers occupy a quietly central place in the modern attack chain. A single stealer infection can yield the credentials that let an intruder log in rather than break in, which is why stolen-credential abuse has become one of the dominant routes into corporate networks — a shift documented across recent industry reporting on how attackers are getting in. A cache of 27 million credentials is therefore not just a tally of past theft; it is a forward-looking risk pool. Each set of working credentials is a potential foothold, and stealer logs are routinely recycled long after the original infection.

Part of the value of the recovery is what happens next. Operation Endgame partners have, in previous phases, fed recovered data into notification services so that affected individuals and organizations can learn they were exposed and rotate their credentials. Have I Been Pwned and similar services have channelled stealer-log data from earlier actions to victims, and the same model applies here: the practical payoff of recovering 27 million credentials is the chance to invalidate them before they are used. That is why the number matters less as a trophy than as a remediation opportunity for the hundreds of thousands of systems behind it.

Operation Endgame's Multi-Month Arc

This phase did not happen in isolation. Operation Endgame began in May 2024 as the largest-ever coordinated action against botnets and malware loaders, and it has returned repeatedly since. In its second major wave, Operation Endgame 2.0 took down roughly 300 servers and named 20 operators of the ransomware supply chain, going after the loaders and access-broker services that ransomware affiliates depend on. The strategy has been consistent: rather than chase individual ransomware brands, target the shared plumbing that many of them rent.

The Amadey and StealC action lands just six days after a separate Operation Endgame phase disrupted the SocGholish loader operation, another delivery mechanism used to seed follow-on payloads. Taken together, the two June strikes illustrate how the campaign now moves in quick succession against complementary parts of the same ecosystem — the loaders that gain access and the stealers that monetize it. It also sits alongside parallel takedowns of the services that anonymize and launder cybercrime, including a residential-proxy network spanning some 17 million devices that was dismantled earlier in 2026.

The same logic extends to the trust and identity layer that intrusions abuse. Recent enforcement has reached the code-signing-as-a-service operations whose customers were ransomware crews, reflecting a broader doctrine in which law enforcement and vendors treat the cybercrime supply chain — loaders, stealers, proxies, signing services — as the durable target. Disrupting any one tool is temporary; raising the cost and friction across the whole chain is the longer game, and the Amadey and StealC phase is another increment in it.

Defender Posture for Organizations Affected by Amadey/StealC

For defenders, the most useful framing of this news is operational rather than celebratory. A takedown disrupts infrastructure, but it does not retroactively undo an infection. Any organization whose endpoints were touched by Amadey or StealC should assume that whatever those tools could reach was collected and staged before the servers went dark. The recovered-credentials figure is a reminder that the relevant question is not whether the malware is still calling home, but what it already exfiltrated.

The first concrete step is credential hygiene at scale. Because StealC targets stored browser logins, session cookies, and authentication tokens, password rotation alone is necessary but not sufficient — active sessions and tokens should be invalidated so that a stolen cookie cannot be replayed to bypass a freshly changed password. Organizations should prioritize resetting credentials for any account that touched a potentially infected machine, force re-authentication, and treat multi-factor authentication enrollment as a gating control on the accounts that matter most. Monitoring services that ingest Operation Endgame data can help identify which specific identities appeared in the recovered logs.
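The point that a password reset on its own leaves a stolen cookie usable is easiest to see in code. The following is an added example, not code from Europol, Microsoft, or any of the article's sources: it models a server-side session store with a naive validity check (the cookie is good as long as the session record exists) beside a hardened check that refuses any session issued before the account's last password change or explicit revocation and that can gate on MFA. The account and session classes, the `remediate_exposed` routine and the float timestamps are assumptions made so the scenario runs offline.

```python
"""Server-side session checks that defeat a replayed, stealer-harvested cookie.

Added example (not code from Europol, Microsoft, or the article's sources).
It assumes an opaque session id stored server-side and an account record
that tracks when the password last changed and when sessions were last
revoked; timestamps are plain floats so the scenario runs offline.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password_hash: str                 # placeholder; use argon2/bcrypt in practice
    password_changed_at: float = 0.0   # sessions issued at or before this are refused
    sessions_revoked_at: float = 0.0   # bumped by a "sign out everywhere" action
    mfa_required: bool = False


@dataclass
class Session:
    account: str
    issued_at: float
    mfa_verified: bool


class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def issue(self, username: str, now: float, mfa_verified: bool = False) -> str:
        """Mint an opaque cookie value for a user who just authenticated."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, now, mfa_verified)
        return sid

    def validate_naive(self, sid: str) -> bool:
        """The weak check: the cookie is good as long as the record exists.
        A password change does nothing to it, so a stolen cookie replays."""
        return sid in self.sessions

    def validate(self, sid: str) -> bool:
        """The hardened check: refuse sessions that predate the latest
        password change or revocation, and enforce MFA where required."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        acct = self.accounts[sess.account]
        cutoff = max(acct.password_changed_at, acct.sessions_revoked_at)
        if sess.issued_at <= cutoff:
            self.sessions.pop(sid, None)   # garbage-collect the dead session
            return False
        if acct.mfa_required and not sess.mfa_verified:
            return False
        return True

    def rotate_password(self, username: str, new_hash: str, now: float) -> None:
        acct = self.accounts[username]
        acct.password_hash = new_hash
        acct.password_changed_at = now

    def revoke_all_sessions(self, username: str, now: float) -> None:
        self.accounts[username].sessions_revoked_at = now

    def remediate_exposed(self, username: str, new_hash: str, now: float) -> None:
        """Response for an identity that appeared in recovered stealer logs:
        rotate, invalidate every existing session, and gate on MFA."""
        self.rotate_password(username, new_hash, now)
        self.revoke_all_sessions(username, now)
        self.accounts[username].mfa_required = True


def scenario() -> dict:
    """Walk the stolen-cookie timeline and report each check's verdict."""
    store = SessionStore()
    store.accounts["alice"] = Account("alice", "hash-v1")
    stolen = store.issue("alice", now=100.0)              # cookie lifted by a stealer
    verdicts = {"replay_before_remediation": store.validate(stolen)}
    store.rotate_password("alice", "hash-v2", now=200.0)  # password reset only
    verdicts["naive_after_rotation"] = store.validate_naive(stolen)
    verdicts["hardened_after_rotation"] = store.validate(stolen)
    store.remediate_exposed("alice", "hash-v3", now=300.0)
    no_mfa = store.issue("alice", now=400.0, mfa_verified=False)
    with_mfa = store.issue("alice", now=401.0, mfa_verified=True)
    verdicts["new_session_without_mfa"] = store.validate(no_mfa)
    verdicts["new_session_with_mfa"] = store.validate(with_mfa)
    return verdicts


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {'accepted' if ok else 'refused'}")
```

Under the naive check the replayed cookie is still accepted after the password reset; under the hardened check it is refused as soon as the password changes, and the explicit `sessions_revoked_at` cutoff covers tokens whose lifetime is not tied to the password at all. Bearer tokens issued by an identity provider need the equivalent revocation on the provider side, since a self-contained token cannot be "deleted" from the store the way a cookie can.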

Beyond the immediate cleanup, the episode reinforces a familiar posture. Amadey is an access-broker tool, so its presence is a signal that an environment was, at least briefly, for sale; that warrants a hunt for the follow-on activity loaders typically enable rather than a single quarantine action. Watching for anomalous logins from recovered credentials, hardening the browser and token-storage surfaces that stealers harvest, and folding stealer-log exposure into an incident-response and identity-monitoring program are the durable controls that outlast any one takedown. The infrastructure disruption buys time; it does not substitute for assuming compromise where these tools were seen.
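One way to turn "watch for anomalous logins from recovered credentials" into a concrete hunt, as an added example that is not code from the article's sources: match an identity provider's sign-in export against the identities a notification service reported as exposed, and flag successful sign-ins that fall outside each user's baseline countries and the organisation's trusted networks. The log lines, the exposed-identity list, the baselines and the trusted ranges are all constructed placeholders.

```python
"""Hunt for sign-ins by identities that appeared in recovered stealer logs.

Added example (not code from the article's sources). The auth log, the
exposed-identity list and the per-user baselines are constructed
placeholders; a real run would take an identity-provider sign-in export
and the identities a notification service reported as exposed.
"""
import ipaddress
import re

# Constructed sample of sign-in events, one per line.
AUTH_LOG = """\
2026-06-25T08:01:12Z user=alice result=success src=203.0.113.10 country=NL
2026-06-25T08:05:47Z user=bob result=success src=198.51.100.7 country=DE
2026-06-25T09:12:03Z user=alice result=success src=192.0.2.44 country=BR
2026-06-25T09:13:19Z user=alice result=failure src=192.0.2.45 country=BR
2026-06-25T10:30:00Z user=carol result=success src=203.0.113.11 country=NL
2026-06-25T11:45:51Z user=bob result=success src=192.0.2.91 country=US
2026-06-25T12:02:08Z user=carol result=failure src=192.0.2.77 country=RU
"""

# Identities a notification service reported in the recovered data (placeholder).
EXPOSED = {"alice", "carol"}

# Countries each user normally signs in from, plus office/VPN ranges (constructed).
BASELINE_COUNTRIES = {"alice": {"NL"}, "bob": {"DE", "US"}, "carol": {"NL"}}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\S+)$"
)


def parse_events(log_text: str) -> list[dict]:
    """Parse the key=value lines; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(src: str) -> bool:
    """True when the source address sits inside a known office/VPN range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_logins(log_text, exposed, baseline, trusted=is_trusted):
    """Flag successful sign-ins by exposed identities that come from
    outside both the user's baseline countries and trusted networks."""
    alerts = []
    for ev in parse_events(log_text):
        if ev["user"] not in exposed or ev["result"] != "success":
            continue
        if trusted(ev["src"]) or ev["country"] in baseline.get(ev["user"], set()):
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"],
                       "src": ev["src"], "country": ev["country"]})
    return alerts


def failed_attempts(log_text, exposed):
    """Count failures per exposed identity: pressure against accounts
    whose passwords were in the recovered logs."""
    counts = {u: 0 for u in exposed}
    for ev in parse_events(log_text):
        if ev["user"] in exposed and ev["result"] == "failure":
            counts[ev["user"]] += 1
    return counts


def remediation_queue(log_text, exposed, baseline):
    """Order exposed identities: anomalous success first, then by the
    number of failed attempts, then alphabetically."""
    alerted = {a["user"] for a in find_suspicious_logins(log_text, exposed, baseline)}
    fails = failed_attempts(log_text, exposed)
    return sorted(exposed, key=lambda u: (u not in alerted, -fails[u], u))


if __name__ == "__main__":
    for alert in find_suspicious_logins(AUTH_LOG, EXPOSED, BASELINE_COUNTRIES):
        print("ALERT", alert)
    print("queue:", remediation_queue(AUTH_LOG, EXPOSED, BASELINE_COUNTRIES))
```

On the constructed sample only alice's success from Brazil is flagged: bob's US sign-in is not, because bob is not in the exposed set, and carol's sign-in comes from a trusted range. The queue then puts the identity with a confirmed anomalous success ahead of those that are merely being probed, which is the order in which the rotation and session-revocation work described above should be done.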

Open Questions

Several points remain open or unconfirmed, and law-enforcement disruptions of this kind tend to leave the same gaps. Europol framed the action as an infrastructure takedown and did not, in its announcement, claim a slate of arrests tied specifically to the Amadey and StealC operators; absent confirmation, it is safer to read this as a disruption of tooling and infrastructure than as the apprehension of the people behind it. The EUR 41 million in cryptocurrency was described as identified and linked to the activity, which is not the same as fully seized and recovered, and that distinction is worth preserving until clarified.

There is also the durability question that attends every takedown of commodity malware. Amadey and StealC are sold and rented widely, which is what made them worth targeting — but the same commodity nature means operators and customers can attempt to rebuild on new infrastructure or migrate to competing tools. Past Operation Endgame phases have shown that disrupting a malware family imposes real cost and downtime without guaranteeing permanent removal, and the same caveat applies here.

What is firmly established is enough to act on: a coordinated, court-backed disruption of the shared infrastructure behind two of the most prolific commodity tools in the intrusion chain, with 326 servers actioned, 142 domains seized, and roughly 27 million credentials recovered from more than 385,000 systems. For organizations, the prudent reading is to treat the announcement as a prompt — to check exposure against the recovered data, rotate and invalidate affected credentials, and assume that anything Amadey or StealC could reach was already taken.


Sources

Primary: Europol — Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks
Reporting: SecurityWeek — Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware
Reporting: BleepingComputer — Amadey, StealC malware operations disrupted in Operation Endgame action
Reporting: The Hacker News — Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
Reporting: Help Net Security — Law enforcement hits StealC and Amadey malware networks
Reporting: Infosecurity Magazine — Operation Endgame Takes Down StealC and Amadey Infostealers
Analysis: ESET WeLiveSecurity — ESET takes part in Operation Endgame to disrupt Amadey and StealC
Related: The CyberSignal — Operation Endgame Disrupts the SocGholish Loader
Related: The CyberSignal — Operation Endgame 2.0: 300 Servers and 20 Operators