One-two punch delivered in global operation disrupts cybercrime "assembly line"

Ars Technica News

Summary

A coordinated global operation called Operation Endgame disrupted major malware networks (Amadey, Stealc, SocGholish), seizing hundreds of servers and recovering 27 million stolen credentials and $47 million in crypto assets.

International authorities and a raft of private technology companies say they have disrupted a cybercrime "assembly line" that allowed crooks to collect millions of login credentials and steal more than $47 million in ransom payments and by other fraudulent means.

The crux of the operation was the simultaneous targeting of two unrelated tools that are widely used in various online scams. The first is Amadey, a malware-as-a-service platform for compromising devices and delivering malicious payloads for ransomware and other scams. Amadey has been observed in the wild since at least 2018 and was [seen last year](https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-github-to-distribute-its-payloads/) abusing GitHub as it collected system information from infected devices and installed customized payloads. The second tool was StealC, an infostealer-as-a-service platform that collects credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files whose names match customer-defined patterns.

## Severing a critical link in the cybercrime chain

Amadey and StealC are separate tools that are run independently of each other. Given their widespread use, however, many customers use both in their individual cybercrime activities. The tools also, it turns out, relied on some of the same underlying infrastructure to run. Microsoft said it made this determination after analyzing the tools using AI. This insight allowed Microsoft attorneys to seek an order disrupting both at the same time.

Cached at: 06/24/26, 10:53 PM

# One-two punch delivered in global operation disrupts cybercrime "assembly line"

Source: [https://arstechnica.com/security/2026/06/one-two-punch-delivered-in-global-operation-disrupts-cybercrime-assembly-line/](https://arstechnica.com/security/2026/06/one-two-punch-delivered-in-global-operation-disrupts-cybercrime-assembly-line/)

With evidence that the tools had overlapping infrastructure, company attorneys invoked [RICO](https://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corrupt_Organizations_Act) statutes that target organized crime; the legal action was then able to treat both tools as part of a single conspiracy. As a result, Microsoft said, it disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers. Europol, which helped coordinate the law-enforcement part of the operation, [said](https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks) it recovered as many as 27 million stolen login credentials and uncovered $47 million worth of "crypto assets of criminal origin."

"During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware's distribution network," Europol said. "By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover."

Other companies assisting in "Operation Endgame" include [ESET](https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/), [Proofpoint and IBM X-Force](https://www.ibm.com/think/x-force/stealc-you-later-proofpoint-x-force-support-operation-endgame-disruptions), [Bitsight](https://www.bitsight.com/blog/bitsight-aids-disruption-efforts-on-amadey-malware-and-stealc-malware), and [Mitsui Bussan Secure Directions](https://www.mbsd.jp/research/20260624/amadey-c2-en/).

Europol said that another tool disrupted in Operation Endgame is SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp that spreads through compromised websites. Visitors to these sites are tricked into installing trojanized apps posing as browser extensions or other legitimate software. Europol said it has responded by cleaning infected WordPress sites and urging administrators of the sites to change credentials and tighten security. It has also worked to notify parties whose data and credentials were exposed through SocGholish activities. Countries involved in the enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US.
