Europol Freezes $47M in Crypto: Operation Endgame Takes Down Three Infostealers

June 25, 2026

Europol announced a new phase of Operation Endgame: law enforcement from multiple countries froze more than 41 million euros (about $47 million) in criminal crypto assets and dismantled the infrastructure behind three malware families. An agency statement dated June 25, 2026, named SocGholish, Amadey, and StealC as the targets. Together the three programs formed an automated pipeline for stealing passwords, browser data, and access to crypto wallets across more than 385,000 compromised computers.

What the operation took down

The two-week strike dismantled 326 servers and 142 domains. Investigators extracted nearly 27 million stolen credentials from infected systems. Police also cleaned roughly 15,000 compromised websites, most of them small businesses that had no idea they were hosting malware.

A previous Endgame phase in late 2025 uncovered login data for more than 100,000 crypto wallets that had not yet been drained. This phase went further. Europol froze a large tranche of criminal crypto assets directly tied to the schemes. That freeze means the funds cannot be moved or laundered while investigations continue.

Microsoft and security research firm Proofpoint joined as technical partners. Microsoft also filed a separate civil lawsuit, enabling parallel criminal and civil proceedings. Earlier Endgame phases had already disrupted several major botnet networks in 2024 and 2025.

How the three malware families attacked crypto wallets

SocGholish, Amadey, and StealC each filled a distinct role in the attack chain. SocGholish was the entry point. It spread through fake browser-update prompts displayed on hacked but legitimate-looking websites. Victims saw a familiar dialog box and had no reason to hesitate.

Amadey took over after the initial infection and pulled down additional attack components to expand the attacker's reach. StealC, sold as a service since 2023, harvested passwords, browser cookies, and MetaMask wallet files straight from the victim's disk. Proofpoint researchers found a dedicated plugin inside StealC's control panel designed to decrypt wallet seed phrases. That access gave attackers full control over all funds without any further steps.

  • SocGholish spreads through fake browser-update prompts on hacked websites
  • Amadey establishes a foothold and pulls down additional attack modules
  • StealC harvests passwords and wallet files, available as a paid service since 2023

The three programs together formed a ready-made "cybercrime-as-a-service" model. Anyone could rent StealC and use the existing infrastructure without deep technical expertise.

StealC's control panel included a built-in plugin for cracking MetaMask seed phrases, giving attackers instant access to all of a victim's funds.

Microsoft, Copilot, and the first RICO case against two malware families

Microsoft took an active role beyond technical support. The company used AI tools, including Copilot, to analyze the malware code. The analysis surfaced an unexpected finding: Amadey and StealC, despite having separate developers, shared the same command infrastructure.

That finding opened a legal door. Microsoft filed a suit under the RICO Act, applying it for the first time against two distinct malware families at once. The racketeering law, passed in 1970, has traditionally been used against a single criminal enterprise. Now the court must evaluate whether Amadey and StealC qualify as parts of one criminal organization, a precedent that could change how prosecutors approach cybercrime cases going forward.

Microsoft had tracked the scale of infection before the operation concluded. In the first two weeks of May 2026 alone, the two programs hit more than 140,000 computers worldwide. After filing the lawsuit, the company identified an additional 18,000 victims and disrupted more than 200 command-and-control servers.

Risks for crypto holders

Infostealers have become one of the main routes to stolen cryptocurrency. They do not attack the blockchain and do not breach exchange security. They quietly read crypto wallet files, private keys, and seed phrases directly from the victim's device, often without leaving any visible trace.

Attack vectors keep shifting. Threat actors push infostealers through fake AI tools, Steam skin modifications, and pirated game content. Victims install the software themselves, believing it is a legitimate application. Fake AI tools promoted through paid ads (disguised as image generators or translation services) have become a particularly effective lure.

Operation Endgame dismantled the current infrastructure of three specific families. The "malware-as-a-service" model itself, though, did not go away. New variants will appear as long as demand for the service persists. For crypto holders, the practical point is clear: seed phrases should not be stored in a browser, a text file, or cloud storage. An offline backup or hardware wallet remains the most reliable protection against this type of attack.
