Law enforcement froze more than €41 million (approximately $47 million) in criminal cryptocurrency as part of Operation Endgame, Europol announced Wednesday. The two-week multi-country operation dismantled infrastructure behind three malware families, SocGholish, Amadey, and StealC, that together form an infection chain used to steal passwords and crypto wallet data for fraud and ransomware attacks. The strike targeted cybercrime-as-a-service platforms that quietly drain crypto wallets by scraping credentials and private keys from infected systems.
Malware Families Target Crypto Wallet Credentials
The three families reach crypto users through different attack vectors and play different roles in the chain. StealC, an infostealer sold as a service since 2023, scrapes passwords, browser cookies, and crypto wallet data from infected machines. Researchers at Proofpoint found that its control panel included a plugin that attempts to decrypt seed phrases from victims' MetaMask wallets.
Amadey establishes initial system access and deploys additional malware. SocGholish, linked to Russian group Evil Corp, infects users through fake browser-update prompts on compromised websites. The malware chain culminates in drained wallets, account takeovers, and ransomware deployment.
Infostealers have become a primary route to stolen crypto because they extract wallet files, private keys, and seed phrases directly from victims' devices; anything stored unencrypted on the endpoint is exposed the moment the stealer runs. Lures used to deliver them include fake AI tools, Steam wallpapers, and pirated game modifications.
Police Dismantle 326 Servers and Recover 27 Million Credentials
The operation took down 326 servers and 142 domains. Police recovered almost 27 million stolen credentials from more than 385,000 compromised systems and cleaned nearly 15,000 infected websites, many belonging to small businesses.
Microsoft, a partner in the operation, tied Amadey and StealC to over 140,000 infected computers worldwide in the first two weeks of May alone. An earlier Operation Endgame action late last year uncovered login data for more than 100,000 crypto wallets stolen from victims but not yet emptied.
Microsoft Files RICO Lawsuit Against Malware Operators
Microsoft's Digital Crimes Unit filed a U.S. racketeering lawsuit treating two malware families as a single criminal conspiracy. Using AI tools including Copilot to analyze the malware, investigators found Amadey and StealC, though built by different criminals, ran on shared infrastructure.
The legal action allowed Microsoft to name enablers of both operations as defendants under the RICO Act and to disrupt more than 200 command-and-control servers. The company has identified over 18,000 victim computers and has begun severing the attackers' control over them.
Victim Alerts Routed Through Have I Been Pwned Service
Europol and its partners are routing victim alerts through services such as Have I Been Pwned, so users can check whether their credentials and crypto wallet keys have ended up in criminal hands. A positive result calls for rotating the exposed credentials and moving funds to a wallet generated on a clean device; a lookup alone removes nothing from the stealer's logs. StealC operators shipped a fresh malware build as recently as this month, so the takedown is a disruption of infrastructure rather than the end of the operation.
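The check that services like Have I Been Pwned offer for passwords works by k-anonymity: the client hashes the secret with SHA-1 and sends only the first five hex characters of the hash to the Pwned Passwords range endpoint, which returns every hash suffix in that range with a breach count, and the match is done locally so the full hash never leaves the device. The following is an added example written for this article, not code from Europol, Have I Been Pwned or any of the operation's partners. The range format and the `https://api.pwnedpasswords.com/range/<prefix>` URL with the `Add-Padding` header are the documented public API; the sample range body and its counts are constructed for the example (only the SHA-1 of "password" is a real, well-known value), so the offline check runs without network access.

```python
"""k-anonymity lookup in the Pwned Passwords range format.

Added example for this article (not Europol's or HIBP's code).
Only a 5-character hash prefix is ever sent; matching happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample range body for prefix 5BAA6. Real responses have one
# "<35 hex chars>:<count>" entry per line. The suffix for "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) is genuine; every other
# suffix and every count here is made up for the example. Entries with
# count 0 imitate the padding the API adds when Add-Padding is requested.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\r\n"
        "1E5FBDB13F32B7CA0CBBBB9F3A2E7A1C8DE:0\r\n"
        "2F0A8EF6E3DF4D8C5B7A0C9E1B2D3F4A5B6:3\r\n"
    ),
}


def sha1_prefix_suffix(secret: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of `secret` into the 5-char prefix
    that is transmitted and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}, dropping malformed
    lines and the zero-count padding entries the API may include."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix] = n
    return counts


def pwned_count(secret: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `secret` appears in the corpus (0 = not found).

    `fetch_range` receives only the 5-character prefix; the suffix
    comparison is done here, on the client."""
    prefix, suffix = sha1_prefix_suffix(secret)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """Query the real Pwned Passwords range API (network required).
    Add-Padding asks the server to pad the response so its size does not
    leak how many suffixes the range contains."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch_range_offline)
        verdict = f"seen {n} times" if n else "not in sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the design point is that the client code is identical either way because the server never sees more than the prefix. This scheme is for passwords drawn from breach corpora: never paste a seed phrase or private key into any online checker, hashed or not, since a key that is already in a stealer's logs needs replacing rather than confirming.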
FAQ
What did Europol announce on Wednesday regarding Operation Endgame?
Europol announced that law enforcement froze more than €41 million ($47 million) in criminal cryptocurrency and dismantled infrastructure behind three malware families—SocGholish, Amadey, and StealC—during a two-week multi-country operation.
How many servers and credentials did police recover in the Operation Endgame takedown?
Police took down 326 servers and 142 domains, recovered almost 27 million stolen credentials from more than 385,000 compromised systems, and cleaned nearly 15,000 infected websites during the operation.