Authorities disable 326 servers, seize EUR 41m crypto, recover 27m credentials, use AI analysis, and address 140,000 infections plus 15,000 sites.
Joint cyber operations are increasingly becoming the preferred response to sprawling malware ecosystems, as governments and private firms pool intelligence, infrastructure, and enforcement power to disrupt criminal supply chains at multiple points at once.
On 25 June 2026, Europol announced that it had disrupted major malware infrastructure tied to SocGholish, Amadey, and StealC in a broad international action aimed at the cybercrime “production line”. The operation is part of Operation Endgame, a continuing campaign against the tools that help criminals gain initial access, steal credentials, and enable ransomware at scale.
According to the agency, the coalition included law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, working with private partners such as the Shadowserver Foundation, Bitdefender, IBM, Infoblox, Microsoft, Orange Cyberdefense and Proofpoint.
The action reportedly took 326 servers and 142 domains offline, identified EUR 41m in criminal crypto assets, and recovered 27m stolen login credentials.
AI-assisted analysis was used to show that Amadey and StealC shared infrastructure, which helped support a simultaneous disruption effort. Amadey, active since 2018, operates as a modular loader and backdoor that gives operators a way into infected systems, while StealC, sold as malware-as-a-service since 2023, is used to harvest passwords, browser data, cryptocurrency wallets, and other sensitive information.
The partners in the operation have noted that in just the first two weeks of May 2026, Amadey and StealC were associated with more than 140,000 infected computers worldwide. Europol also said the SocGholish portion of the operation remediated nearly 15,000 infected websites, including sites tied to small businesses such as restaurants and auto repair shops running WordPress.
The broader significance of the campaign is that it targets the support machinery behind cybercrime rather than only the final attacks themselves. By striking shared infrastructure, credential theft operations, and malware distribution channels together, Operation Endgame aims to make it harder for ransomware groups and other criminals to scale their activity.


