
27 Million Stolen Credentials Recovered in Operation Endgame Takedown

bleepingcomputer.com · @wild_condor · 1 hour ago · Cybersecurity

Europol and Microsoft disrupted 326 servers and 142 domains used by Amadey and StealC, recovering €41 million in crypto and 27 million credentials from 385k compromised systems.

Tags: europol, microsoft, amadey, stealc, operation endgame, malware disruption

Europol, Microsoft, and a dozen international partners just yanked 326 servers and 142 domains serving Amadey and StealC off the internet. They also recovered €41 million ($47 million) in cryptocurrency and 27 million credentials stolen from over 385,000 compromised systems. That's not merely a takedown; that's a surgical clearinghouse shutdown.

The Numbers That Matter

Microsoft's Digital Crimes Unit identified more than 200 malicious command-and-control domains and IPs tied to the two malware families. During just the first two weeks of May 2026, those same families infected over 140,000 devices. ESET contributed by disrupting roughly 50 domains and nearly 200 active C2 servers. Proofpoint and IBM X-Force provided intelligence. Bitsight helped map the infrastructure. This wasn't a lucky hit; it was coordinated, court-ordered, and executed across Canada, Denmark, Germany, the Netherlands, the UK, and the US.

Malware as a Service Meets Law Enforcement

Amadey and StealC operate as malware-as-a-service. Affiliates pay for builders, management panels, and infrastructure. Amadey provides initial footholds for ransomware and state-sponsored groups. StealC specializes in credential theft, cryptocurrency wallet harvesting, and selling the results to initial-access brokers. The credentials StealC steals end up on underground markets and are then used to breach networks and deploy ransomware. This operation cut off that supply chain at the infrastructure layer.

What Actually Got Hit

Europol's announcement also named SocGholish (FakeUpdates) as a target: the malware loader that infects visitors through fake browser update prompts on compromised sites. But the main event was the Amadey-StealC infrastructure. The tally: 326 servers, 142 domains, €41 million in crypto, 27 million credentials, and 385k compromised hosts. That's a lot of friction injected into the criminal economy. The downside: unless arrests follow, operations like these commonly rebuild. But for now, every affiliate looking to push a loader or steal credentials just lost their upstream.

The disruption raises the cost of doing business for the next wave of ransomware attacks. That's the point.


Source: Amadey, StealC malware operations disrupted in Operation Endgame action
Domain: bleepingcomputer.com
