Summary
- Europol announced on Wednesday that over €41 million (approximately $47 million) in illicit cryptocurrency has been frozen as part of Operation Endgame.
- This operation dismantled the infrastructure of three malware families—SocGholish, Amadey, and StealC—known for stealing passwords and cryptocurrency wallet information.
- Authorities took down 326 servers and 142 domains, recovering nearly 27 million stolen credentials from over 385,000 compromised systems.
A worldwide initiative targeting "cybercrime-as-a-service" malware has led to the freezing of millions in stolen cryptocurrency.
In the latest phase of Operation Endgame, Europol reported that law enforcement agencies have identified and frozen more than €41 million (about $47 million) in criminal crypto assets. This two-week operation involved multiple countries and successfully dismantled the networks of three malware families: SocGholish, Amadey, and StealC.
All three families are used against cryptocurrency users. StealC, sold as a service since 2023, harvests saved passwords, browser cookies, and crypto wallet data from infected devices; researchers at Proofpoint found that its control panel even shipped a plugin for decrypting victims' MetaMask wallet seed phrases.
Amadey is a loader: it establishes initial access and drops additional payloads. SocGholish, attributed to the Russian group Evil Corp, spreads through fake browser-update prompts injected into compromised websites. Together they feed a chain of attacks that ends in drained wallets, account takeovers, and ransomware incidents.
Law enforcement managed to shut down 326 servers and 142 domains, recover almost 27 million stolen credentials from over 385,000 infected systems, and clean up nearly 15,000 compromised websites, many of which belonged to small businesses. Microsoft, a collaborator in this initiative, linked Amadey and StealC to over 140,000 infected computers globally during the first two weeks of May alone.
Understanding Infostealers
Infostealers have emerged as a leading method for stealing cryptocurrencies, surreptitiously extracting wallet files, private keys, and seed phrases from users' devices. They employ various tactics to target crypto users, including fraudulent AI tools, Steam wallpapers, and pirated game modifications.
The scale of potential theft is enormous. An earlier phase of Operation Endgame last year revealed login credentials for over 100,000 crypto wallets that had been stolen but not yet exploited.
Separately, Microsoft's Digital Crimes Unit has filed a racketeering lawsuit in the U.S. that, for the first time, treats two malware families as a single criminal conspiracy. Using AI tools such as Copilot to analyze the malware, investigators found that Amadey and StealC, although written by different groups, ran on shared infrastructure. That overlap let Microsoft pursue both operations under the RICO Act and take down more than 200 command-and-control servers. It has since identified more than 18,000 victim computers and begun cutting off the attackers' access to them.
.@Microsoft Digital Crimes Unit has taken down five operations in nine months that were enabling Cybercrime as a Service (CaaS).
Cybercrime runs on coordination. Disrupting it takes the same approach, working with partners to break up the systems that make these attacks… pic.twitter.com/b7ZVqdCatY
— Microsoft On the Issues (@MSFTIssues) June 24, 2026
Such operations rarely eliminate a malware family outright; operators often regroup, and StealC released a new version as recently as this month. In the meantime, Europol and its partners are routing victim notifications through platforms like Have I Been Pwned, so users can check whether their credentials and wallet keys are already in the recovered data.
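Checking a password against a breach corpus without revealing it is worth seeing in code, because the naive approach (sending the password, or even its full hash, to a third party) is exactly what an infostealer victim should not do. The block below is an added example, not code from Europol, Microsoft, or Have I Been Pwned; it implements the k-anonymity range lookup that the Pwned Passwords API uses: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range with its breach count, and finishes the match locally. The range response embedded here is constructed for the example (the suffixes and counts are made up, except that the suffix of SHA-1("password") is real so the lookup can hit); `live_fetch` shows the real request shape but is never called here, so the example runs offline.

```python
"""k-anonymity breach lookup in the style of the Pwned Passwords range API.

Added example: only a 5-character SHA-1 prefix ever leaves the machine; the
match against the returned suffix list happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

API_BASE = "https://api.pwnedpasswords.com/range/"

# CONSTRUCTED range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Suffixes and counts are invented for this example, except that the second
# line is the genuine suffix of SHA-1("password"). Count 0 lines mimic the
# padding the real API adds when asked to (see live_fetch).
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
        "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix sent to the server
    and the 35-char suffix that is matched locally and never transmitted."""
    return hexdigest[:5], hexdigest[5:]


def range_url(prefix: str) -> str:
    """URL for one range query; the prefix is the only secret-derived data in it."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return API_BASE + prefix


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Zero-count entries are padding added by the server to hide how many real
    suffixes a range holds; they are dropped so they never count as a hit.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count or "0")
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def offline_fetch(prefix: str) -> str:
    """Fetcher backed by the constructed data above; empty for unknown prefixes."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real fetcher (not exercised here). Add-Padding asks the API to pad the
    response with zero-count entries, which parse_range() discards."""
    req = urllib.request.Request(range_url(prefix), headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Number of times the password appears in the corpus, or 0 if unseen.

    The password and its full hash never reach `fetch`; only the prefix does.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} time(s)")
```

To query the real service, pass `fetch=live_fetch`. The same privacy argument does not extend to wallet seed phrases or private keys: those should never be hashed and submitted anywhere, and a key that an infostealer may have copied should be treated as burned and the funds moved, regardless of what any breach lookup says.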
