Operation Endgame, conducted from June 15 to 19, 2026 by law enforcement from eight countries, dismantled two malware-as-a-service ecosystems active since 2018 and 2023. The result: roughly 27 million credentials recovered, nearly $47 million in criminal cryptocurrency frozen, and criminal control severed over 18,000 victim computers. The novelty isn't just technical: Microsoft secured a unified civil action under the RICO Act, treating Amadey and StealC as a single criminal conspiracy.
- From June 15 to 19, 2026, Belgium, Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States coordinated the takedown of 326 servers and 142 domains linked to the Amadey and StealC malware.
- Microsoft identified 18,000 victim computers and severed their criminal control; Proofpoint and IBM X-Force exploited a vulnerability in the StealC C2 panel to turn the attackers' infrastructure against them.
- The unified legal action under the RICO Act treats the two malware ecosystems as a single criminal conspiracy, setting a precedent for future multi-tool operations.
- No arrests were made; sources close to the investigation warn that infrastructure reconstruction could occur within weeks.
Two Assembly Lines, One Power Cord
Amadey and StealC are not the same criminal operation. Amadey, active since 2018, functions as a loader: purchased for roughly $600 plus $50 per rebuild, it delivers secondary payloads without the user's knowledge. StealC, which emerged in 2023, is an infostealer specialized in stealing credentials saved in browsers, with subscriptions at $300 per month or $1,000 for six months.
According to ESET, the two networks comprised 53 affiliate clusters for Amadey and 73 for StealC. Each affiliate received a self-hosted administration panel to install on their own servers. This distributed model makes it technically difficult to treat the operators as a single organization: they are independent cells sharing only the base code.
The convergence point was the C2 infrastructure. Microsoft identified 200 malicious domains and IP addresses shared between the two families. Hence the legal pivot: if the tools feed from the same servers, the RICO Act allows treating them as part of a single criminal enterprise, even without proving the operators know or coordinate with each other directly.
The Bug That Turned the Attackers' Panel Into a Double-Edged Sword
The most aggressive technical component came from Proofpoint and IBM X-Force. Researchers discovered a directory traversal vulnerability in the StealC C2 control panel that allowed a web shell upload. The flaw was patched in February 2026, but its exploitation during the operation allowed access to the operators' infrastructure and extraction of data useful for neutralization.
ESET provided encryption keys, C&C servers, and campaign identifiers, contributing to the disabling of roughly 50 domains and nearly 200 active C2 servers. The Royal Canadian Mounted Police developed a mass disinfection technique that cleaned 2,488 computers worldwide. In parallel, 14,971 WordPress sites compromised by the SocGholish component were secured.
The numbers overlap partially. TechTimes, citing Proofpoint and IBM X-Force, specifies 25.6 million unique credentials from over 385,000 compromised systems for the Amadey/StealC component alone. The aggregate figure of 27 million, released by Europol, also includes the SocGholish contribution. The discrepancy matters for anyone assessing the specific exposure of the two infostealers.
"The main common goal was to disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure" — Europol
The RICO Play: Why a Civil Action Beats Prison (For Now)
Steven Masada, assistant general counsel of the Microsoft Digital Crimes Unit, explained the strategy: "When multiple parts of an operation are disrupted together, attacks become harder to launch, scale, and recover from." The RICO Act, designed for traditional mafia cases, requires proving a shared criminal enterprise: the common C2 infrastructure provided the legal glue.
Microsoft employed artificial intelligence—specifically Copilot—to compress investigation preparation from days to minutes, according to CyberScoop. The specific contribution of AI versus traditional investigative methods is not quantified in available documents.
The absence of arrests is the most obvious limitation. Europol has not confirmed identification of the leadership, and TechRadar explicitly reports that no custodial arrests were executed. This makes the operation an infrastructural victory but not an individual one: operators remain free and potentially able to rebuild.
What to Do Now
- Check exposure on Have I Been Pwned. Credentials recovered from the SocGholish component have been integrated into the service; integration for Amadey/StealC is not confirmed at time of publication.
- Enable two-factor authentication on all critical accounts. Credentials stolen by infostealers are primarily browser-saved passwords; 2FA neutralizes their utility even if exfiltrated.
- Change browser-saved passwords from the months preceding the operation. StealC infections date to 2023; the potential exposure window is broad and not confined to the operation window alone.
- Monitor financial and professional accounts for suspicious activity. Data stolen by infostealers fuels next-level fraud, including ransomware: LockBit Black was distributed via XTinyLoader dropped by StealC.
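The first item above, checking exposure on Have I Been Pwned, can be done for individual passwords without ever sending the password itself. The HIBP Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 and returns every known suffix for that prefix, so the match is made locally (k-anonymity). The example below is added here and is not code from the article or from any of the vendors it cites; the endpoint is the public HIBP range API, while the sample response and its counts are constructed stand-ins for what that endpoint returns for the prefix of "password" (SHA-1 prefix 5BAA6).

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Public HIBP Pwned Passwords k-anonymity endpoint (GET <url><5-hex-prefix>).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix "5BAA6", the first five hex chars of
# SHA-1("password"). A real response has hundreds of "SUFFIX:COUNT" lines;
# the suffixes other than the first real one and all counts are made up here.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # suffix of SHA-1("password")
    "8A7B1CC9D4E1F3B2A5C6D7E8F9A0B1C2D3E:12",
])


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the local machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Return the breach count for `suffix` in a range response, or 0 if absent.
    Tolerates CRLF/LF line endings and blank or malformed lines."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Network fetch of the range for a prefix (only the prefix leaves the host)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline: serves the
    constructed sample for 5BAA6 and an empty range for any other prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the range data (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix), suffix)


if __name__ == "__main__":
    # Swap offline_fetch for fetch_range_live to query the real service.
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch_range=offline_fetch)
        status = f"seen {n} times" if n else "not present"
        print(f"{pw!r}: {status} in sample range data")
```

The design point is that the comparison against the suffix happens locally, so a compromised or logged request reveals at most a 5-character prefix shared by many unrelated passwords. Checking an email address for exposure in a specific breach is a different HIBP endpoint that requires an API key and is not shown here.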
The Precedent That Changes the Economics of Disruption
Operation Endgame is not the first in the series: previous phases hit IcedID, Smokeloader, DanaBot, and Lumma Stealer between 2024 and 2025. This iteration raises the bar. Legally unifying distinct tools through their shared infrastructure means future takedowns can be broader and faster, bypassing the need to map criminal hierarchies before acting.
The risk is that this approach becomes an anesthetic. Without arrests, the cost for operators to rebuild is low: servers are commodities, domains are re-purchased, panels are rewritten. The history of malware-as-a-service takedowns shows cycles of disruption and resurrection measured in weeks, not years. The real value of the operation lies in the legal model that allowed striking the entire conveyor belt, not just the single machine.
For the end user, the lesson is more concrete: 27 million credentials are not an abstract digital geopolitics problem. They are email, bank, and cloud service passwords extracted from browsers many consider secure by default. Auto-save is convenient. It is also the first target.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
- https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/
- https://cyberscoop.com/microsoft-amadey-stealc-takedown/
- https://www.helpnetsecurity.com/2026/06/26/akrites-open-source-security-framework/
- https://www.techradar.com/pro/security/27-million-stolen-login-credentials-have-been-recovered-global-coordinated-takedown-hits-socgholish-amadey-and-stealc-malware-networks-where-it-hurt
- https://www.techtimes.com/articles/319042/20260625/stolen-passwords-europol-seizes-27m-credentials-infostealer-takedown.htm
- https://www.helpnetsecurity.com/2026/06/25/foss-ai-in-open-source/
- https://www.helpnetsecurity.com/2025/08/22/critical-infrastructure-sltt-cybersecurity-priorities/
- https://www.helpnetsecurity.com/2026/01/26/incident-response-failures-video/
- https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
- https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/