Brief
- A global law enforcement operation has frozen more than €41 million ($47 million) in criminal cryptocurrency as part of Operation Endgame, Europol announced on Wednesday.
- The operation dismantled the infrastructure behind three malware families, SocGholish, Amadey and StealC, which steal passwords and data from crypto wallets to fuel fraud and ransomware.
- Police took down 326 servers and 142 domains and recovered some 27 million stolen credentials from more than 385,000 infected systems.
A global crackdown on “cybercrime as a service” malware that quietly drains crypto wallets has frozen tens of millions of dollars in stolen funds.
Law enforcement identified, reported and froze more than €41 million (around $47 million) in criminal crypto assets during the latest phase of Operation Endgame, Europol announced on Wednesday. The two-week operation, carried out in several countries, dismantled the infrastructure behind three malware families: SocGholish, Amadey and StealC.
All three target crypto users. StealC, an information stealer sold as a service since 2023, harvests passwords, browser cookies and crypto wallet data from infected machines. Its control panel even included a plugin that attempted to decrypt the seed phrases of victims’ MetaMask wallets, Proofpoint researchers discovered.
Amadey gains a foothold and delivers other malware, while SocGholish, linked to Russian group Evil Corp, infects people via fake browser update prompts on hacked websites. Together, they form the front line of attacks that result in drained wallets, account takeovers, and ransomware.
Police took down 326 servers and 142 domains, recovered nearly 27 million stolen credentials from more than 385,000 compromised systems, and cleaned up nearly 15,000 infected websites, including many small businesses. Operation partner Microsoft linked Amadey and StealC to more than 140,000 infected computers worldwide in the first two weeks of May alone.
What are infostealers?
Infostealers have become a main route to stolen crypto, quietly lifting wallet files, private keys and seed phrases from victims’ devices. They use various vectors to target crypto users, including fake AI tools, Steam wallpapers, and hacked game mods.
The scale of exposure is vast. An earlier phase of Operation Endgame late last year uncovered login data for more than 100,000 crypto wallets, stolen from victims but not yet emptied.
Microsoft’s Digital Crimes Unit separately filed a racketeering complaint in the United States that, for the first time, treated two malware families as a single criminal conspiracy. Using AI tools, including Copilot, to analyze malware, investigators discovered that Amadey and StealC, although built by different criminals, operated on shared infrastructure, allowing Microsoft to pursue both operations under the RICO Act and disrupt more than 200 command-and-control servers. Since then, it has identified more than 18,000 victim computers and has begun to break the attackers’ control.
@Microsoft Digital Crimes Unit shut down five operations in nine months that enabled cybercrime as a service (CaaS).
Cybercrime relies on coordination. Disrupting it requires the same approach, working with partners to dismantle the systems that carry out these attacks… pic.twitter.com/b7ZVqdCatY
— Microsoft on Issues (@MSFTIssues) June 24, 2026
Such takedowns rarely kill malware, and operators tend to consolidate, with StealC shipping a new version as recently as this month. For now, Europol and its partners route alerts to victims through services like Have I Been Pwned, so users can check if their credentials and wallet keys are already in criminal hands.

