2026-06-24 · 5 min read

Operation Endgame: Law Enforcement Disrupts StealC and Amadey Malware, Freezes $47M in Crypto

International law enforcement agencies disrupted StealC and Amadey malware infrastructure, seized 106 servers, remediated 15,000 compromised websites, and froze 41 million euros in crypto assets.


Operation Endgame Strikes Again


Operation Endgame, the largest international law enforcement operation aimed at disrupting ransomware and cybercrime infrastructure, has claimed its latest targets: StealC and Amadey malware networks.


What Was Disrupted


Infrastructure Takedowns

  • 106 servers and domains taken down worldwide
  • 15,000 compromised websites remediated
  • 41 million euros (~$47 million USD) in crypto assets frozen
  • 27 million stolen login credentials tracked down

The Malware Families

**StealC**: An information stealer that harvests credentials, cookies, and sensitive data from infected machines. Researchers found it downloading LockBit Black ransomware payloads.

**Amadey**: A botnet that distributes malware and maintains backdoor access to compromised systems.

Together, they were linked to **140,000+ infected computers** in the first two weeks of May 2026 alone.


The Operation

Partners Involved

  • Law enforcement from the Netherlands, Canada, the USA, and Germany
  • Europol and Eurojust
  • Microsoft Digital Crimes Unit
  • Proofpoint and IBM X-Force researchers

Technical Approach

Researchers identified a vulnerability in the StealC C2 panel and built a bot emulator to simulate normal StealC infection activity. This allowed them to:

1. Extract configurations from StealC samples
2. Retrieve and analyze malicious payloads
3. Map the criminal infrastructure
4. Coordinate takedown activities


The SocGholish Connection

This follow-up action came after the disruption of SocGholish malware infrastructure on June 18, 2026. SocGholish was a major initial access broker that:


  • Compromised websites to deliver fake browser updates
  • Provided access to ransomware gangs
  • Was linked to multiple high-profile breaches

Stolen credentials from SocGholish have been added to Have I Been Pwned, allowing users to check if they were affected.


Why This Matters

1. Infostealers Lead to Ransomware

StealC was actively delivering LockBit Black ransomware. Stolen credentials are the first step in most ransomware attacks.

2. Crypto Seizures Hurt Criminals

Freezing $47 million in crypto assets directly impacts the financial incentives driving cybercrime.

3. International Cooperation Works

This operation involved agencies from multiple countries and private sector partners, showing that coordinated action can disrupt even large-scale operations.


What You Should Do

Check for Exposure

  • Visit Have I Been Pwned to see if your credentials were compromised
  • Change passwords for any affected accounts
  • Enable multi-factor authentication everywhere

Protect Against Infostealers

  • Keep antivirus software updated
  • Don't download software from untrusted sources
  • Be wary of fake browser update prompts
  • Use a password manager to avoid credential reuse

Monitor Your Domain

Use Vaarta.space to scan for security issues that could make you a target.

[Free security scan](https://vaarta.space)

