Global Cybercrime Supply Chain Shattered: International Operation Cripples StealC and Amadey Malware Networks + Video


A New Blow Against

The global fight against cybercrime has reached another significant milestone after international law enforcement agencies successfully dismantled major parts of the infrastructure behind two notorious information-stealing malware families, StealC and Amadey. The operation, conducted under the umbrella of Operation Endgame, represents one of the most coordinated efforts yet to disrupt the cybercriminal ecosystem that fuels ransomware attacks, financial fraud, and large-scale digital espionage.

Authorities from multiple countries joined forces with cybersecurity companies and intelligence partners to target the backbone of these malware operations. Rather than focusing on individual hackers, investigators attacked the infrastructure, services, and support systems that enable cybercriminal groups to operate globally. The result was the seizure of hundreds of malicious servers, dozens of domains, millions of stolen credentials, and tens of millions of euros in criminal cryptocurrency assets.

Operation Endgame Expands Its Reach

Operation Endgame has rapidly become one of the world’s most ambitious anti-cybercrime initiatives. The latest phase was coordinated by Europol and Germany’s Federal Criminal Police Office, with strategic support from the European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT), and Eurojust.

Several private-sector cybersecurity leaders contributed intelligence and technical expertise, including Microsoft, ESET, IBM X-Force, BitSight, Lumen, Proofpoint, Mitsui Bussan Secure Directions, and others.

The operation follows closely behind the successful disruption of the SocGholish botnet, another major malware platform frequently leveraged by ransomware organizations. Together, these actions demonstrate a growing international strategy focused on dismantling the criminal infrastructure that supports cyberattacks rather than merely arresting individual operators.

Understanding the Threat of StealC

StealC emerged as one of the most dangerous modern infostealers. Its primary purpose was to infiltrate victim computers and harvest valuable data, including passwords, browser credentials, stored authentication tokens, financial information, and digital identities.

Once stolen, this information often found its way into underground cybercrime marketplaces where it could be sold to ransomware gangs, identity thieves, and fraud networks.

The danger of StealC extended beyond simple credential theft. By compromising corporate accounts and administrative access, attackers could use the stolen information to launch broader attacks against organizations, governments, and critical infrastructure providers.

Amadey: The Gateway to Larger Attacks

While Amadey shared many information-stealing capabilities with StealC, its true strength lay in acting as a malware delivery platform.

Cybercriminals frequently used Amadey as the first stage of an attack. Once installed on a victim’s machine, it could download and deploy additional malicious payloads, including ransomware, remote access trojans, spyware, and credential theft tools.

This modular architecture made Amadey particularly valuable within criminal operations. Rather than creating an entirely new infection process, attackers could simply use Amadey to deliver whatever malware they required.

Europol described both malware families as critical components within the cybercrime supply chain, highlighting their importance in enabling larger criminal campaigns.

Massive Global Infection Numbers Revealed

According to intelligence gathered by Microsoft, the first two weeks of May 2026 alone saw more than 140,000 infected devices worldwide linked to Amadey and StealC activity.

These figures provide a glimpse into the enormous scale of modern cybercrime. Every infected device potentially represented stolen credentials, compromised financial accounts, business secrets, or entry points into larger organizational networks.

The sheer number of infections also demonstrates why law enforcement agencies increasingly view malware operators as infrastructure providers within a criminal economy rather than isolated threat actors.

How Artificial Intelligence Changed the Investigation

One of the most fascinating aspects of the operation was Microsoft’s use of artificial intelligence to accelerate malware analysis and infrastructure mapping.

Traditionally, malware investigations require analysts to manually reverse engineer code, trace network communications, and correlate massive datasets. This process can take weeks or even months.

By utilizing AI technologies including Copilot, investigators were able to ask natural language questions about malware behavior and relationships. The system rapidly surfaced hidden connections, extracted key indicators, and validated findings that would otherwise require substantial human effort.

Tasks that once demanded days of manual investigation were reportedly completed within minutes.

Most importantly, AI revealed that although StealC and Amadey originated from separate cybercriminal developers, both malware families relied on overlapping infrastructure components. This discovery became a crucial factor in the legal strategy that followed.

A New Legal Strategy Against Cybercrime

Microsoft’s Digital Crimes Unit adopted an innovative legal approach by combining AI-assisted intelligence gathering with expanded use of the Racketeer Influenced and Corrupt Organizations Act (RICO).

Historically, cybercrime investigations often targeted individual malware tools separately. This fragmented approach allowed criminals to rebuild infrastructure and resume operations relatively quickly.

By treating multiple interconnected actors as participants in a single criminal conspiracy, investigators were able to pursue a broader disruption strategy. The goal was not simply to remove malware from circulation but to dismantle the ecosystem supporting its development, hosting, distribution, and monetization.

This marks an important evolution in cybercrime enforcement and could become a model for future operations.

The Technical Takedown

The scale of the disruption was substantial.

Operation Endgame successfully seized approximately 50 domains and nearly 200 active command-and-control servers connected to Amadey and StealC.

Microsoft’s Digital Crimes Unit independently disrupted more than 200 additional command-and-control servers and identified over 18,000 victim devices affected by the malware campaigns.

Authorities worked with telecommunications providers and internet service operators to sever connections between infected systems and criminal infrastructure, preventing attackers from maintaining control over compromised machines.

Security researchers also developed specialized StealC emulators that helped identify operational patterns, infrastructure nodes, and malware payload delivery mechanisms.

Millions in Criminal Assets Frozen

Beyond infrastructure seizures, investigators achieved significant financial disruption.

Europol announced that authorities identified and froze approximately €41 million worth of cryptocurrency assets connected to criminal activity.

In addition, law enforcement recovered roughly 27 million stolen login credentials and dismantled hundreds of servers supporting malware distribution networks.

Overall, the operation resulted in the takedown of 326 servers and the seizure of 142 domains, severely damaging the ability of cybercriminal groups to spread malware at scale.

The financial impact may ultimately prove more damaging to cybercriminal organizations than the technical disruption itself.

International Cooperation Becomes the New Standard

Operation Endgame highlights a growing reality of cybersecurity: no single nation can effectively combat global cybercrime alone.

Countries including Germany, the Netherlands, Canada, Denmark, the United Kingdom, and the United States participated in various aspects of the operation.

Additional support came from organizations such as the Shadowserver Foundation, Registrar of Last Resort, Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned, and Spamhaus.

This level of cooperation demonstrates how public and private sectors increasingly view cybercrime as a shared global threat requiring coordinated international responses.

Deep Analysis: Why Infrastructure Takedowns Matter More Than Malware Removal

Modern cybercrime operates similarly to legitimate technology businesses. Malware developers create products. Hosting providers offer infrastructure. Access brokers sell compromised credentials. Ransomware operators purchase access and launch attacks.

Removing a single malware strain rarely solves the problem.

Instead, authorities are increasingly targeting the operational backbone that supports criminal services.

Linux-Based Threat Hunting and Investigation Commands

Identify suspicious outbound connections (all TCP sockets with their owning process; the -l flag alone would list only listeners):

netstat -antp

Monitor active network sessions:

ss -antp

Review authentication logs (the unit is named sshd on Red Hat-based systems):

journalctl -u ssh

Search for persistence mechanisms:

systemctl list-unit-files --state=enabled

Check suspicious cron jobs (the glob covers cron.d and the cron.hourly, cron.daily and cron.weekly directories):

crontab -l
ls -la /etc/cron*

Identify unusual processes:

ps aux --sort=-%cpu

Analyze network traffic (-nn suppresses DNS and service-name lookups, which would otherwise generate traffic of their own):

tcpdump -nn -i any

Check open files by process:

lsof -i

Hunt malware indicators (regular files modified in the last seven days):

find / -type f -mtime -7

Review user activity:

last

Detect rootkits:

chkrootkit

Audit system integrity:

rkhunter --check

Search suspicious binaries (executable files in world-writable temp locations):

find /tmp /var/tmp -type f -perm /111

Analyze DNS requests (only useful where the local resolver logs to syslog):

grep -i dns /var/log/syslog

Monitor file changes (the -k key tags matching events in the audit log for later searching):

auditctl -w /etc/passwd -p wa -k passwd_changes
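As an added example that is not part of the original article, the shell function below turns the "ss -antp" step into a repeatable triage check: it keeps only established TCP sessions whose peer is a public IPv4 address and reports the owning process, so a responder reviews candidate beaconing processes instead of the whole socket table. The private-range classification and the sample socket table are constructed here, not taken from the operation.

```shell
#!/bin/sh
# Added example, not from the original article: turn the "ss -antp" hunting
# step into a repeatable triage check. It reads ss output from stdin and
# prints every ESTABLISHED TCP session whose peer is a public IPv4 address,
# together with the owning process.

# Return 0 when the address is private, link-local or loopback, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*|127.*|192.168.*|169.254.*|"[::1]") return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Columns of "ss -antp": State Recv-Q Send-Q Local Peer Process.
# Print "peer_ip:port process" for each established session to a public peer.
flag_public_established() {
    awk '$1 == "ESTAB" { print $5, $6 }' | while read -r peer proc; do
        ip=${peer%:*}
        port=${peer##*:}
        is_private_ip "$ip" && continue
        printf '%s:%s %s\n' "$ip" "$port" "${proc:-unknown}"
    done
}

# Constructed sample of ss -antp output (not captured from a real host).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:49812 10.0.0.1:22 users:(("sshd",pid=412,fd=4))
ESTAB 0 0 10.0.0.5:51120 203.0.113.17:443 users:(("update",pid=2231,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=401,fd=3))
ESTAB 0 0 10.0.0.5:51121 198.51.100.9:8080 users:(("wget",pid=2290,fd=5))'

# Run against the sample; on a live host use:  ss -antp | flag_public_established
printf '%s\n' "$SAMPLE_SS" | flag_public_established
```

On the sample this reports the two sessions to 203.0.113.17 and 198.51.100.9 and ignores the internal SSH session and the listener.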

Infrastructure-focused operations attack multiple stages of the cybercrime lifecycle simultaneously.

This creates cascading failures throughout criminal networks.

A malware developer loses hosting.

A ransomware operator loses infected devices.

A credential broker loses stolen data.

A money laundering network loses financial channels.

This interconnected disruption dramatically increases operational costs for criminals.

Furthermore, AI-assisted investigations are changing the speed at which these ecosystems can be mapped and dismantled.

Future operations will likely become faster, broader, and increasingly predictive.

What Undercode Says:

The takedown of StealC and Amadey signals a major strategic shift in how cybersecurity defenders approach organized cybercrime.

For years, security teams focused heavily on malware signatures and endpoint detection.

While effective to some degree, those methods often treated symptoms rather than causes.

Operation Endgame demonstrates that the real battleground is infrastructure.

Cybercriminal operations today resemble technology startups.

They have developers.

They have customer support.

They have infrastructure providers.

They have marketing channels on underground forums.

They have revenue streams.

Destroying one malware family no longer guarantees security.

Attackers can simply rebrand and relaunch.

However, destroying the infrastructure connecting multiple criminal groups creates broader disruption.

The role of AI in this operation may be the most important development.

Investigators used natural language interactions to uncover relationships between seemingly unrelated malware campaigns.

This dramatically reduced investigation timelines.

The legal implications are equally significant.

Using RICO-style approaches against cybercriminal ecosystems rather than isolated actors creates stronger prosecutorial opportunities.

Future law enforcement actions may increasingly target entire criminal supply chains.

The frozen cryptocurrency assets are another critical success.

Cybercrime survives because it remains profitable.

Reducing profitability often produces stronger deterrence than technical takedowns alone.

Private-sector involvement also deserves attention.

Without intelligence from Microsoft, ESET, IBM X-Force, Proofpoint, and others, achieving this level of disruption would have been far more difficult.

This operation highlights how cybersecurity has become a shared responsibility.

Governments alone cannot win.

Private companies alone cannot win.

Collaboration is becoming mandatory.

The recovery of millions of credentials may help prevent future attacks before they occur.

Attack prevention is becoming just as important as attack response.

We are witnessing the emergence of intelligence-driven cybersecurity.

AI-assisted investigations.

Cross-border legal frameworks.

Infrastructure targeting.

Financial disruption.

These four pillars will likely define future cybercrime enforcement strategies.

The message sent to cybercriminals is clear.

The era of isolated investigations is ending.

The era of ecosystem disruption has arrived.

✅ Multiple international law enforcement agencies participated in the operation, making this one of the largest coordinated cybercrime disruption efforts in recent years.

✅ Authorities reportedly seized hundreds of servers, numerous domains, recovered millions of credentials, and froze approximately €41 million in criminal cryptocurrency assets.

✅ Microsoft confirmed the use of AI-assisted analysis during the investigation, helping researchers identify relationships between StealC and Amadey infrastructure significantly faster than traditional methods.

Prediction

(+1) AI-powered threat intelligence platforms will become standard tools for law enforcement agencies, reducing malware investigation times from weeks to hours. 🚀

(+1) Future Operation Endgame phases are likely to target additional malware-as-a-service ecosystems, leading to larger global cybercrime disruptions. 🔐

(+1) Stronger collaboration between governments and private cybersecurity firms will increase the success rate of international takedown operations. 🌍

(-1) Cybercriminal groups will attempt to rebuild using decentralized infrastructure, encrypted communication channels, and more resilient hosting providers.

(-1) Malware developers may increasingly adopt AI-assisted code generation to accelerate the creation of new malware variants after major takedowns.

(-1) Stolen credentials already circulating on underground markets will continue fueling attacks despite the infrastructure disruption unless organizations improve authentication security.


References:

Reported By: www.infosecurity-magazine.com