Law enforcement agencies from eight countries, coordinated by EUROPOL, have dismantled server infrastructure used by three prolific malware operations. The global coordinated takedown, known as Operation Endgame, froze $47 million in cryptocurrency and recovered 27 million stolen login credentials.

The operation targeted the networks behind SocGholish, Amadey and StealC malware families. These malware variants are known for stealing sensitive data and providing backdoor access to compromised systems. SocGholish, a JavaScript downloader, has been linked to a Russian Malware-as-a-Service operation.

Scope of the Operation

Authorities shut down 326 servers and 142 domains used to host and distribute the malware. They also remediated 14,971 infected websites belonging to legitimate businesses such as restaurants and auto repair shops. Private companies including Microsoft supported the effort alongside agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States.

EUROPOL stated the takedown severely crippled the distribution network. By freezing $47 million in cryptocurrencies, investigators effectively removed those funds from criminal circulation. The millions of recovered credentials now help prevent further account compromises.

Targeted Malware Families

  • SocGholish: A sophisticated JavaScript loader used to deliver ransomware and other payloads. It operates through fake browser update prompts on compromised websites.
  • Amadey: A malware dropper that installs additional malicious software, often used for credential theft and distributed denial-of-service attacks.
  • StealC: Information-stealing malware designed to harvest passwords, cookies and other data from infected machines. It commonly spreads via malicious email attachments.

Why This Matters

This operation directly affects millions of potential victims whose credentials were recovered before they could be weaponized. For businesses and individuals, it reduces the risk of account takeovers and ransomware attacks stemming from these malware families.

The takedown also demonstrates the growing ability of international law enforcement to disrupt cybercrime infrastructure. However, no arrests were made in this action. Security experts caution that criminal groups often rebuild their infrastructure within weeks. The recovery of 27 million login credentials and frozen cryptocurrency creates real friction for attackers, but the battle against such malware remains ongoing.

For organizations still running compromised websites, the remediation of 14,971 infected sites removes launchpads for future attacks. Continuous vigilance and patching remain essential as these networks attempt to recover.