Answer Brief
A coordinated international law enforcement operation, conducted between June 15–19, 2026, dismantled the criminal infrastructure supporting the Amadey and StealC malware-as-a-service networks, recovering 27 million stolen credentials, identifying and restricting $47 million in cryptocurrency assets, seizing 326 servers and 142 domains, and severing control over 18,000+ infected computers identified by Microsoft telemetry. The takedown targeted the initial access 'assembly line' used to launch ransomware, financial fraud, and critical infrastructure attacks across Belgium, Canada, Denmark, France, Germany, the Netherlands, the UK, and the US.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. Operation Endgame action began targeting initial access malware
2. Two-week-long law enforcement operation concluded
3. Public announcement of Amadey and StealC takedown and credential recovery
Why It Matters
The disruption of the Amadey and StealC malware networks represents a significant operational setback for the global malware-as-a-service (MaaS) ecosystem, particularly due to the scale of credential recovery and the precision of infrastructure targeting. Amadey, active since October 2018, functions as a modular loader that establishes initial footholds on victim systems, primarily through compromised WordPress sites and phishing campaigns, then rents that access to affiliates for deploying secondary payloads such as ransomware, stealers, or botnet agents. Its affiliate model relies on a pay-per-rebuild structure, where users pay an additional fee each time they generate a new binary to rotate command-and-control (C2) infrastructure—a design that increases operational cost but enhances evasion. StealC, emerging in January 2023, complements Amadey as a stealer that harvests sensitive data including credentials, session cookies, credit card information, browsing history, and data from desktop applications like Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, and Telegram. Notably, both malware families incorporate geofencing mechanisms that disable credential and clipboard stealing when detecting systems in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan, suggesting a deliberate avoidance of targets in those regions, possibly to reduce attribution risk or avoid heightened scrutiny from certain jurisdictions. The operation, explicitly framed as part of Operation Endgame, targeted the 'assembly line' cybercriminals use to launch attacks at scale—specifically the initial access layer that enables downstream ransomware, financial fraud, and critical infrastructure intrusions. By dismantling 326 servers and seizing 142 domains associated with Amadey and StealC C2 infrastructure, law enforcement and private sector partners disrupted the communication channels that sustained the malware networks’ command and control. 
The recovery of 27 million stolen credentials underscores the vast scale of data harvested over years of operation, much of which likely fueled downstream account takeover, identity theft, and financial fraud. The identification and restriction of $47 million in cryptocurrency assets further highlights the financial incentives driving these operations and demonstrates advancing capabilities in tracing and seizing illicit crypto flows through judicial and administrative mechanisms. Microsoft’s threat intelligence played a pivotal role in the operation, identifying over 18,000 victim computers and flagging 200 malicious Amadey and StealC C2 domains and IP addresses, all of which were subsequently shut down via a combination of court orders, domain seizures, registrar notifications, and provider cooperation. This illustrates the strategic value of integrating telemetry from major technology providers with law enforcement authorities to achieve scalable, technically informed disruption. The collaboration between Europol, Eurojust, national agencies from eight countries, and private firms including Bitdefender, Bitsight, ESET, and Microsoft exemplifies a maturing model of public-private cooperation in cyber defense—one that combines jurisdictional reach, technical expertise, and legal authority to dismantle transnational criminal infrastructure. For global security, AI, cloud, and operations teams, this event reinforces the importance of monitoring initial access vectors like loaders and stealers as early indicators of broader attack campaigns. The MaaS model lowers the barrier to entry for cybercriminals, enabling rapid proliferation of threats through affiliate networks. Defenders should prioritize detection of anomalous C2 communication, credential harvesting behaviors, and unauthorized use of system tools like cmd.exe or PowerShell—common tactics associated with Amadey. 
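The paragraph above tells defenders to look for unauthorized use of cmd.exe or PowerShell and for anomalous C2 communication. The following is an added example, not code from the brief or from any of the vendors named in it, showing how both checks look when run over endpoint telemetry. The event shape (fields modelled loosely on Sysmon process-creation and network-connection events), the list of parents expected to spawn shells, the thresholds, and every sample record are constructed for this example; the IP addresses are documentation ranges, not indicators from the operation.

```python
"""Behavioural triage over constructed process and network events.

Two checks from the defender guidance in the brief:
  1. a shell interpreter (cmd.exe / PowerShell) launched by a parent that does
     not normally spawn shells, a common loader and stager pattern;
  2. a process opening connections to the same destination at near-constant
     intervals, the beaconing pattern of a C2 check-in loop.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Interpreters whose launch by an unusual parent is worth a look.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents that legitimately spawn shells (assumption: tune per environment).
EXPECTED_SHELL_PARENTS = {"explorer.exe", "services.exe", "wininit.exe", "code.exe"}

# Constructed sample telemetry. id 1 = process creation, id 3 = network connection.
EVENTS = [
    {"id": 1, "ts": "2026-06-15T09:00:01", "host": "WS01", "image": "cmd.exe",
     "parent": "explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"id": 1, "ts": "2026-06-15T09:02:10", "host": "WS01", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"id": 1, "ts": "2026-06-15T09:03:44", "host": "WS02", "image": "cmd.exe",
     "parent": "update_7f3.exe", "cmdline": "cmd.exe /c reg add HKCU\\Software\\X /f"},
    # Irregular browser traffic: should not be flagged as beaconing.
    {"id": 3, "ts": "2026-06-15T09:00:05", "host": "WS01", "image": "chrome.exe", "dst": "198.51.100.20:443"},
    {"id": 3, "ts": "2026-06-15T09:00:07", "host": "WS01", "image": "chrome.exe", "dst": "198.51.100.20:443"},
    {"id": 3, "ts": "2026-06-15T09:14:30", "host": "WS01", "image": "chrome.exe", "dst": "198.51.100.20:443"},
    {"id": 3, "ts": "2026-06-15T09:40:00", "host": "WS01", "image": "chrome.exe", "dst": "198.51.100.20:443"},
    # Five-minute check-ins from the unknown binary: should be flagged.
    {"id": 3, "ts": "2026-06-15T09:05:00", "host": "WS02", "image": "update_7f3.exe", "dst": "203.0.113.7:443"},
    {"id": 3, "ts": "2026-06-15T09:10:00", "host": "WS02", "image": "update_7f3.exe", "dst": "203.0.113.7:443"},
    {"id": 3, "ts": "2026-06-15T09:15:01", "host": "WS02", "image": "update_7f3.exe", "dst": "203.0.113.7:443"},
    {"id": 3, "ts": "2026-06-15T09:19:59", "host": "WS02", "image": "update_7f3.exe", "dst": "203.0.113.7:443"},
    {"id": 3, "ts": "2026-06-15T09:25:00", "host": "WS02", "image": "update_7f3.exe", "dst": "203.0.113.7:443"},
]


def suspicious_shell_launches(events):
    """Return process-creation events where a shell is spawned by an unexpected parent."""
    return [
        ev for ev in events
        if ev["id"] == 1
        and ev["image"].lower() in SHELL_IMAGES
        and ev["parent"].lower() not in EXPECTED_SHELL_PARENTS
    ]


def periodic_beacons(events, min_connections=4, max_cv=0.2):
    """Return (host, image, dst, period_seconds) for connection series whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)."""
    series = defaultdict(list)
    for ev in events:
        if ev["id"] == 3:
            series[(ev["host"], ev["image"], ev["dst"])].append(datetime.fromisoformat(ev["ts"]))

    findings = []
    for key, stamps in series.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A tight spread of gaps around the mean is the signature of a timer-driven loop.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((*key, round(avg)))
    return findings


if __name__ == "__main__":
    for ev in suspicious_shell_launches(EVENTS):
        print(f"[shell] {ev['host']}: {ev['parent']} -> {ev['cmdline']}")
    for host, image, dst, period in periodic_beacons(EVENTS):
        print(f"[beacon] {host}: {image} -> {dst} every ~{period}s")
```

The beacon check deliberately keys on regularity rather than on any destination list, so it still fires after an operator rotates to fresh domains; the shell-parent check is the cheap first-pass filter that turns a loader's stager step into an alert, and the allow-list of parents is the knob that controls its noise.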
Looking ahead, defenders should monitor for signs of infrastructure regeneration, as MaaS operators often rebuild quickly after takedowns by rotating to new domains, leveraging bulletproof hosting, or shifting to alternative loaders such as Emmenhtal or SmokeLoader, which have historically been used to propagate Amadey. The patching of known vulnerabilities in StealC’s C2 panel—such as the directory traversal flaw allowing web shell upload in February 2026—highlights the need for continuous vulnerability management even in criminal infrastructure, as affiliates may exploit unpatched flaws to hijack operations or steal data from peers. Teams should also watch for shifts in tactics, techniques, and procedures (TTPs), such as increased use of alternative initial access vectors, evasion of geofencing checks, or adoption of decentralized C2 protocols that resist seizure. Continued investment in threat intelligence sharing, behavioral analytics, and international coordination will be critical to sustaining pressure on these ecosystems. Future monitoring should include tracking re-registration of seized domains, reactivation of similar C2 infrastructure, and shifts in affiliate behavior toward more resilient or obfuscated MaaS offerings.
Event Type: security
Importance: high
Affected Companies
- Bitdefender
- Bitsight
- ESET
- Eurojust
- Europol
- Microsoft
Affected Sectors
- cybersecurity
- law enforcement
- technology
Key Numbers
- Stolen credentials recovered: 27 million
- Cryptocurrency assets identified and restricted: $47 million
- Servers dismantled: 326
- Domains seized: 142
- Infected computers identified by Microsoft: over 18,000
- Malicious C2 domains/IPs flagged by Microsoft: 200
Timeline
- Operation Endgame action began targeting initial access malware
- Two-week-long law enforcement operation concluded
- Public announcement of Amadey and StealC takedown and credential recovery
Frequently Asked Questions
What is Amadey and how does it function as a malware loader?
Amadey is a C++-based modular backdoor active since October 2018, used as a loader to deliver next-stage malware via compromised WordPress sites and phishing. It operates under a malware-as-a-service model, charging $600 per license plus $50 per rebuild, and supports commands like file downloads, screenshot capture, clipboard theft, and RDP activation.
How does StealC differ from Amadey in its affiliate model and capabilities?
StealC, active since January 2023, is a C++ infostealer sold for $300/month or $1,000 for six months. Unlike Amadey’s pay-per-rebuild model, StealC offers unlimited build generation, lowering costs for affiliates. It steals credentials, cookies, credit card data, and targets apps like Discord, Outlook, and Telegram, while avoiding execution on systems with Russian, Ukrainian, or Belarusian locales.
What was the scope and outcome of Operation Endgame in June 2026?
Operation Endgame, conducted from June 15–19, 2026, involved law enforcement from Belgium, Canada, Denmark, France, Germany, the Netherlands, the UK, and the US. It disrupted Amadey and StealC infrastructure, recovered 27 million credentials, identified and restricted $47 million in cryptocurrency assets, dismantled 326 servers and 142 domains, and severed control over 18,000+ infected computers identified by Microsoft.