Before most online fraud happens — before the drained bank account, the hijacked email, the ransomware note — somebody has to steal the keys. For hundreds of thousands of computers around the world, the thieves had names: StealC and Amadey.
On June 24, 2026, Europol announced that the latest phase of Operation Endgame — the ongoing international campaign against the cybercrime supply chain — had dismantled the infrastructure behind both malware families, along with the SocGholish distribution network. The haul: 326 servers taken down and 142 domains seized, roughly €41 million (about $46.5 million) in criminal cryptocurrency assets identified and frozen, and 27 million stolen login credentials recovered from the criminals’ systems.
What StealC and Amadey Actually Did
Infostealers are the pickpockets of the malware world — quiet, fast, and everywhere. Once installed on a victim’s computer, StealC rifled through the machine for anything valuable: saved browser passwords, session cookies, autofill data, crypto wallet files, and stored digital identities. Everything it found was packaged and shipped to criminal marketplaces, where “logs” — bundles of one victim’s credentials — sell for a few dollars each.
Amadey played a different position. A modular loader, it served as the first link in a longer attack chain: infect a machine, establish a foothold, then rent that access out to whoever paid — dropping StealC, ransomware, cryptominers, or remote access trojans onto the same victim. Security researchers found that in the first two weeks of May 2026 alone, the two families were linked to more than 140,000 infected computers worldwide.
Investigators ultimately identified more than 25.6 million unique stolen credentials taken from over 385,000 compromised systems — a reminder that a single infection rarely costs a victim just one password. It costs all of them.
How Investigators Connected Two Malware Empires
The breakthrough, according to officials, was proving that two separately developed malware families were one conspiracy. StealC and Amadey were built by different cybercriminals — but the investigation revealed they relied on the same underlying infrastructure. Investigators used AI-assisted analysis to compress work that normally takes days into minutes, mapping the shared servers and money flows that let prosecutors treat both operations as a single criminal enterprise.
The action was led by the Dutch National High Tech Crime Unit with Germany’s Federal Criminal Police Office (BKA) playing a central role, coordinated through Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce, with legal support from Eurojust. Law enforcement in Denmark, the United Kingdom, and the United States joined the sweep, alongside private-sector partners including Microsoft and Bitsight, whose telemetry helped map the malware’s reach.
Why a Malware Takedown Is a Scam Story
Every credential in those 27 million records was a scam waiting to happen. Infostealer logs are the raw material of modern fraud. Criminals buy them to drain bank and crypto accounts, hijack email to intercept invoices and run business email compromise, take over social media profiles to pitch investment scams to the victim’s friends, and log into shopping accounts with stored cards.
Session cookies are the underrated menace: with a stolen cookie, an attacker can often walk straight into an account without the password and without triggering multi-factor authentication, because the browser session already looks logged in.
Europol framed the goal bluntly: disrupt the “assembly lines” that cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure. Operation Endgame has been working up that assembly line since 2024 — droppers, botnets, counter-antivirus services, and now the infostealers that feed the account-takeover economy.
The Realistic Caveat
Takedowns disrupt; they rarely erase. Previous Endgame phases have shown that malware operators attempt rebuilds, and stolen logs already sold remain in circulation. The 27 million recovered credentials are being fed into breach-notification channels so victims can be warned — but anyone whose machine was infected should assume their data is still out there.
Protecting Yourself
Check whether your credentials are already circulating. Visit haveibeenpwned.com and search your email addresses. Law enforcement routinely shares recovered credentials with the service after operations like this one.
If you’ve ever had a malware infection — or even a suspicion of one — change passwords from a clean device. Changing them on the infected machine just hands the new ones to the stealer. Start with email, banking, and any account that can move money.
Stop letting your browser be your password manager if your device hygiene is uncertain. Infostealers specifically target browser-saved passwords. A dedicated password manager with a strong master password raises the bar considerably.
Turn on multi-factor authentication everywhere — and prefer an authenticator app or a hardware key over SMS. Then remember cookies: after cleaning an infected device, log out of all sessions everywhere (most major services offer a “sign out of all devices” option) so stolen session cookies die too.
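Why a copied session cookie skips the password and MFA, and why signing out everywhere ends it, shown as an added example that is not part of the original article. It is a toy Python session service: every name is hypothetical, and the fixed MFA code and the rule that a password change leaves existing sessions alive are assumptions of this model.

```python
import hmac
import secrets


class SessionService:
    """Toy web service: password + MFA at login, then a bearer session cookie."""

    def __init__(self):
        self.users = {}     # user -> (password, mfa_code); constructed sample data
        self.sessions = {}  # cookie value -> user (server-side session table)

    def register(self, user, password, mfa_code):
        self.users[user] = (password, mfa_code)

    def login(self, user, password, mfa_code):
        stored = self.users.get(user)
        if stored is None:
            return None
        pw_ok = hmac.compare_digest(stored[0], password)
        mfa_ok = hmac.compare_digest(stored[1], mfa_code)
        if not (pw_ok and mfa_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        # Every request after login is authorised by the cookie value alone.
        return self.sessions.get(cookie)

    def change_password(self, user, new_password):
        # Assumption of this model: existing sessions survive a password change.
        self.users[user] = (new_password, self.users[user][1])

    def sign_out_everywhere(self, user):
        stale = [c for c, u in self.sessions.items() if u == user]
        for c in stale:
            del self.sessions[c]
        return len(stale)


def demo():
    svc = SessionService()
    svc.register("alice", "constructed-password", "123456")
    cookie = svc.login("alice", "constructed-password", "123456")
    copied = str(cookie)  # same value, as read from an infected machine's browser profile
    before = svc.whoami(copied)            # accepted: no password, no MFA prompt
    svc.change_password("alice", "new-constructed-password")
    after_password_change = svc.whoami(copied)
    revoked = svc.sign_out_everywhere("alice")
    return before, after_password_change, revoked, svc.whoami(copied)
```

In this model the copied cookie stays valid through the password change and is rejected only once the server-side session is deleted.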
Be careful what you download. StealC and Amadey spread through cracked software, fake updates, and malicious ads — SocGholish specialized in bogus browser-update prompts. If a website tells you your browser needs an urgent update, close the tab; real updates come from the browser itself.
The servers are down and the wallets are frozen. But the passwords those machines stole are only as dead as you make them.



