Global Operation Shutters Amadey and StealC Cybercrime Platforms

International law enforcement and a coalition of tech companies have disrupted what they’re calling a cybercrime “assembly line” — taking down two separate malware platforms that turned out to share underlying infrastructure.

The two targets were Amadey, a malware-as-a-service platform that’s been active since at least 2018, and StealC, an infostealer-as-a-service tool that harvests login credentials, authentication cookies, and cryptocurrency wallets. The two were run independently, and both were widely used by cybercriminals.

The breakthrough came when Microsoft analyzed both tools using AI and discovered they relied on some of the same infrastructure. That insight allowed attorneys to invoke RICO statutes and treat both as part of a single conspiracy.

The result: over 200 command-and-control servers disrupted and more than 18,000 infected computers freed from criminal control. Europol says it recovered 27 million stolen login credentials and uncovered $47 million in crypto assets of criminal origin.

Europol reported that 326 servers and 142 domains were actioned by law enforcement and private sector partners. The operation, dubbed “Operation Endgame,” also disrupted SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp that spreads through compromised websites.

Other companies involved include ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions. The participating countries were Canada, Denmark, Germany, the Netherlands, the UK, and the US.

Europol has cleaned infected WordPress sites and is notifying parties whose data was exposed. For admins of WordPress sites that were compromised: change credentials and tighten security immediately.