A sprawling international operation aimed at the "cybercrime-as-a-service" malware that silently drains money from digital wallets has locked down tens of millions of dollars in stolen funds.
In the newest phase of Operation Endgame, investigators identified, flagged and froze more than €41 million, roughly $47 million, in criminal crypto holdings, Europol announced on Wednesday. The coordinated push, spanning two weeks and several countries, tore down the backbone supporting three malware families: SocGholish, Amadey and StealC.
Three strains, one shared target: crypto users
StealC is an infostealer that has been sold as a service since 2023. It scrapes passwords, browser cookies and crypto wallet data from infected machines. Its control panel even shipped with a plugin that tried to decrypt the seed phrases of victims' MetaMask wallets, something researchers at Proofpoint uncovered.
Amadey is a loader that gains the initial foothold and then drops further malware, while SocGholish, which is linked to the Russian group Evil Corp, infects people through fake browser-update prompts planted on hacked websites. Together they form the opening stage of attacks that end in emptied wallets, hijacked accounts and ransomware.
What the crackdown seized
Police took down 326 servers and 142 domains, recovered almost 27 million stolen credentials from more than 385,000 compromised systems, and cleaned nearly 15,000 infected websites, many of them small businesses. Microsoft, a partner in the operation, tied Amadey and StealC to over 140,000 infected computers worldwide in the first two weeks of May alone.
Why infostealers are the new path to crypto theft
Infostealers have become a primary route to stolen crypto, quietly lifting wallet files, private keys and seed phrases straight off victims' devices. They lean on a range of tricks to reach crypto users, including fake AI tools, Steam wallpapers and pirated game mods.
The scale of exposure is enormous. An earlier Operation Endgame action late last year surfaced login data for more than 100,000 crypto wallets, already stolen from victims but not yet drained.
Microsoft's legal offensive
Microsoft's Digital Crimes Unit separately filed a U.S. racketeering lawsuit that, for the first time, treated two malware families as a single criminal conspiracy. Using AI tools including Copilot to analyze the malware, investigators found that Amadey and StealC, though built by different criminals, ran on shared infrastructure. That allowed Microsoft to charge enablers across both operations under the RICO Act and knock out more than 200 command-and-control servers. Microsoft has since identified over 18,000 victim computers and started severing the attackers' control over them.
The same unit has dismantled five operations in nine months that were powering cybercrime-as-a-service (CaaS).
The fight is far from over
Takedowns like this rarely wipe out malware for good, and the operators behind it tend to regroup, with StealC pushing out a fresh build as recently as this month. For now, Europol and its partners are routing victim alerts through services such as Have I Been Pwned, so users can check whether their credentials, and the keys to their wallets, are already in criminal hands.