Law enforcement struck the cybercrime supply chain again on June 24, 2026, with Europol announcing that Operation Endgame had disrupted two of the world’s most prolific information-stealer strains, StealC and Amadey. The action took down 326 servers, seized 142 domains, recovered 27 million stolen login credentials, and identified and froze €41m ($46.5m) in cryptocurrency assets of criminal origin.
The operation was led by Germany’s Federal Criminal Police Office (BKA), coordinated by Europol, and run with strategic oversight from the Joint Cybercrime Action Taskforce (J-CAT). Private-sector partners Microsoft, BitSight, ESET, and IBM X-Force contributed telemetry and technical analysis to map the infrastructure before the takedown.
Going After the Assembly Lines
Europol framed the takedown in industrial terms. The goal, the agency said, was to disrupt the “assembly lines” that cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure. StealC and Amadey are not the headline-grabbing ransomware brands themselves; they are the machinery feeding them.
StealC is a commodity infostealer sold under a malware-as-a-service model. It harvests browser-stored passwords, session cookies, autofill data, cryptocurrency wallet files, and credentials from dozens of applications, then ships the loot back to operators who package and resell it on criminal markets. Amadey is a long-running loader and botnet that establishes a foothold on a compromised machine and pulls down whatever the buyer wants next, often a stealer, a banking trojan, or a ransomware payload.
Together they represent the unglamorous middle of the cybercrime economy: the initial-access and credential-harvesting layer that turns a single phishing click into a usable foothold. Take out that layer, and the ransomware crews downstream lose a steady stream of fresh victims and valid logins.
That logic explains the 27 million credentials figure. Those are not abstract records; each set represents a potential account takeover, a fraudulent transaction, or a starting point for a network intrusion. Recovering them lets investigators and partners notify victims and force password resets before the data can be monetized.
A Direct Sequel to the SocGholish Takedown
This week’s action is a direct continuation of the SocGholish takedown announced just days earlier on June 18-19, which dismantled the fake-browser-update delivery network tied to Evil Corp affiliates. We covered that operation in “Operation Endgame’s SocGholish and Evil Corp strike.” Where SocGholish was the delivery mechanism, StealC and Amadey are the payloads and the harvesting engines, two adjacent links in the same chain that Europol is methodically working through.
Operation Endgame has now become the defining brand of coordinated infrastructure takedowns. In November 2025 the same coalition dismantled the Rhadamanthys, VenomRAT, and Elysium operations, as detailed in “Operation Endgame strikes again with 1,025 servers dismantled.” Around the same period, Dutch police seized thousands of servers tied to bulletproof hosting in the CrazyRDP takedown. The cadence has tightened from quarterly set-piece operations to near-continuous pressure.
Following the Money
The €41m ($46.5m) in frozen crypto assets is one of the most consequential figures in the announcement. Disrupting infrastructure forces criminals to rebuild; seizing their proceeds attacks their incentive to do so. Europol has increasingly paired technical takedowns with financial action, working with blockchain analytics partners to trace wallets used to pay for malware subscriptions, launder ransom payments, and cash out stolen credentials.
The 142 seized domains and 326 dismantled servers form the command-and-control backbone the two malware families relied on. Without functioning C2 infrastructure, deployed StealC and Amadey samples lose the ability to exfiltrate data or receive new instructions, neutralizing infections already sitting on victim machines.
This pattern of proactively reaching into infected estates echoes precedents elsewhere. In Canada, CSIS obtained its first warrant to clean botnet-infected devices, signaling that Western agencies increasingly see remediation, not just disruption, as part of the mandate.
The Fragmentation Problem
There is a recurring caveat to every Operation Endgame victory, and it deserves to be stated plainly: takedowns rarely kill a criminal ecosystem outright. They fragment it. When a malware-as-a-service operation loses its infrastructure, its customer base does not retire. It migrates. Operators rebrand, fork the source code, or scatter to smaller competing services that quickly absorb the displaced demand.
The history of these operations bears this out. Earlier Endgame phases targeting droppers like IcedID, SmokeLoader, and Pikabot were followed by the rise of successor loaders. The same dynamic is likely here. StealC and Amadey users will look for the next commodity stealer, and the market will supply one.
That does not make the takedown pointless, far from it. Each disruption raises costs, burns infrastructure, exposes operators to identification, and buys defenders time. The 27 million recovered credentials are real protection for real victims today. But defenders should treat the StealC and Amadey takedown as a window, not a finish line. Infostealer-delivered credentials remain the dominant entry vector for ransomware, and the underlying demand is undiminished.
What Defenders Should Do Now
Organizations should assume their credentials may be among the recovered set. Practical steps: force password resets for any accounts that may have touched an infected endpoint, invalidate active session tokens to defeat cookie theft, enforce phishing-resistant multi-factor authentication, and hunt for Amadey and StealC indicators in endpoint telemetry. Because both strains specialize in browser-stored secrets and session hijacking, MFA that resists session replay, such as hardware keys or passkeys, matters more than SMS codes.
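One way to scope the password resets and session revocations described above, as an added example that is not part of the original article. The host names, users, session ids, timestamps and the two-level priority are constructed assumptions; the event tuples stand in for whatever your identity provider and EDR export.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data: hosts flagged as infected by endpoint telemetry,
# mapped to the earliest time the stealer or loader was observed on them.
INFECTED = {"ws-014": ts("2026-06-02T09:00"), "lt-221": ts("2026-06-10T14:30")}

# Constructed sign-in events: (user, host, session_id, issued, expires)
EVENTS = [
    ("alice", "ws-014", "s1", ts("2026-05-20T08:00"), ts("2026-05-27T08:00")),
    ("alice", "ws-099", "s2", ts("2026-06-20T08:00"), ts("2026-06-27T08:00")),
    ("bob",   "lt-221", "s3", ts("2026-06-12T10:00"), ts("2026-07-12T10:00")),
    ("carol", "ws-099", "s4", ts("2026-06-21T09:00"), ts("2026-06-28T09:00")),
]
NOW = ts("2026-06-24T12:00")  # constructed "time of triage"

def triage(infected, events, now):
    """Return (accounts_to_reset, sessions_to_revoke).

    accounts_to_reset maps user -> "high" when one of the user's sessions on
    an infected host was still valid after the malware arrived (a live
    cookie was exposed), else "standard" (the sign-in predates the
    infection, but a browser-saved password may still have been on disk).
    """
    accounts = {}
    for user, host, _sid, _issued, expires in events:
        first_seen = infected.get(host)
        if first_seen is None:
            continue  # host not flagged: this event does not implicate the user
        level = "high" if expires > first_seen else "standard"
        if accounts.get(user) != "high":  # never downgrade a high finding
            accounts[user] = level
    # Revoke every unexpired session of an affected account, on any host:
    # a stolen password or cookie can be replayed from anywhere.
    sessions = sorted(sid for user, _h, sid, _i, expires in events
                      if user in accounts and expires > now)
    return accounts, sessions

if __name__ == "__main__":
    to_reset, to_revoke = triage(INFECTED, EVENTS, NOW)
    print("reset:", to_reset)
    print("revoke:", to_revoke)
```

Accounts that only ever signed in from clean hosts are left out; an account seen on a flagged host is reset even if its session there has long expired.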
Europol and its partners are expected to channel recovered credentials to services like Have I Been Pwned and national CERTs for victim notification, as in prior phases. Watch those channels and act on any hits quickly.
Operation Endgame has demonstrated that sustained, coordinated, public-private pressure can reach deep into the cybercrime supply chain. The StealC and Amadey takedown is the latest proof, and given the cadence of 2026, it will not be the last.
Sources
- Infosecurity Magazine, “Operation Endgame Disrupts StealC and Amadey Infostealers” — https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/
- Europol press release, Operation Endgame (June 2026) — https://www.europol.europa.eu/
- The Hacker News, coverage of Operation Endgame StealC and Amadey takedown — https://thehackernews.com/



