Operation Endgame guts the StealC, Amadey and SocGholish ransomware on-ramps
Europol, Microsoft and partners take 326 servers and 142 domains, freezing €41m in crypto
Summary
On 24 June 2026 Europol announced the latest chapter of Operation Endgame, a 15-19 June takedown of the SocGholish, Amadey and StealC malware families, the infostealer and loader "on-ramps" that seed ransomware and fraud. Police from Canada, Denmark, Germany, the Netherlands, the UK and the US, with Microsoft, Bitdefender, ESET, IBM X-Force, Proofpoint and others, took down 326 servers and seized 142 domains, recovered ~27m stolen credentials, and identified and froze over €41m ($47m) in criminal crypto. Microsoft's Digital Crimes Unit ran a parallel court-authorised disruption; the firm linked the malware to 140,000+ infected machines in the first two weeks of May 2026 alone.
By the numbers
- 326: servers taken down; 142 domains seized.
- €41m ($47m): criminal crypto identified and frozen.
- 27m: stolen login credentials recovered.
- 140,000+: computers infected by Amadey/StealC in early May 2026 (Microsoft).
- 6: countries' police agencies in the operation, plus several private firms.
Why it matters
Infostealers and loaders are the wholesale layer beneath ransomware: cheap initial access that gangs buy to launch extortion. Degrading the assembly line raises costs across the ecosystem, but elastic crime-as-a-service infrastructure tends to rebuild, so the win is measured in months.
What to watch
- Whether the operators rebuild or rebrand within weeks.
- Arrests or indictments following the infrastructure seizures.
- Crypto-tracing of the frozen €41m back to ransomware affiliates.