Europol Freezes $47M and Takes Down 326 Infostealer Servers

In Operation Endgame's latest phase, Europol and Microsoft joined forces with agencies from six countries to seize 27 million stolen credentials, shut down 326 servers, and freeze EUR 41 million in crypto.

On June 24, Europol announced a new phase of Operation Endgame — a coordinated strike against three of the most active malware families that have been quietly draining passwords and cryptocurrency wallets for years. Agencies from six countries took part: Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Microsoft brought critical threat intelligence that helped map the criminal infrastructure ahead of the raid.

Three tools were dismantled: SocGholish, Amadey, and StealC. Each operated under the cybercrime-as-a-service model, meaning their creators rented out access to other criminals, who used the tools to steal bank credentials and raid crypto wallets. SocGholish spread via fake browser-update prompts planted on nearly 15,000 compromised WordPress sites, and it has direct ties to the Russian syndicate Evil Corp. Amadey acted as a loader, installing additional malware on infected machines. StealC went on sale openly on underground forums in 2023, specializing in harvesting browser-saved passwords and crypto wallet files.

The numbers are stark. Authorities shut down 326 servers, seized 142 domains, and cleaned malicious code from 14,971 compromised websites. Microsoft separately took out more than 200 command-and-control servers and identified 18,000 infected machines in its own data. Amadey and StealC together drove more than 140,000 new infections in May 2026 alone. Roughly 41 million euros — about 47 million dollars — in cryptocurrency tied to the networks' operators was frozen.

Nearly 27 million stolen login credentials were also recovered and will be shared with victims through Have I Been Pwned, the free service where anyone can check whether their accounts were compromised. For crypto holders, that matters. These credential sets are the raw fuel for automated attacks on exchange accounts and hot wallets — seizure means far fewer hands on the trigger.

Operation Endgame first launched in May 2024 and quickly became one of the largest botnet takedowns in European law enforcement history. The latest phase signals that cross-border actions against criminal infrastructure are becoming systematic rather than exceptional. The groups behind these tools may try to rebuild, but they are starting over with fewer servers and a much shorter list of friendly jurisdictions.

Questions and answers

What is Operation Endgame?

A multi-phase international law enforcement campaign led by Europol against major botnet infrastructure, first launched in May 2024. Each phase targets specific malware families.

Which malware families were taken down?

SocGholish (linked to Russian syndicate Evil Corp), Amadey, and StealC. All three operated on a cybercrime-as-a-service model used to steal passwords and crypto wallet data.

Whose cryptocurrency was frozen?

Approximately EUR 41 million (~$47 million) in cryptocurrency belonging to the operators of the three malware networks. No specific suspects or coin types were officially disclosed.

What should I do if my data may have been compromised?

Check your email address on Have I Been Pwned. The 27 million recovered credentials will be shared with the platform to notify potential victims.