Europol-Led Operation Endgame Disrupts Major Malware Infrastructure, Seizes Criminal Crypto

The420.in Staff

Europol, together with international law enforcement agencies and private sector partners, has announced a major global operation targeting the cybercriminal infrastructure behind the SocGholish, Amadey and StealC malware networks. The operation, carried out under Operation Endgame, disrupted key components of the malware ecosystem, seized more than EUR 41 million in criminal cryptocurrency assets and dismantled hundreds of servers and domains used to support ransomware, financial fraud and other cyberattacks.

International Operation Targets Malware Supply Chain

The coordinated operation brought together authorities from Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, Europol, Eurojust, Microsoft and several cybersecurity companies. According to Europol, the objective was to disrupt the “assembly lines” used by cybercriminals to launch ransomware, financial fraud and attacks on critical infrastructure.

Investigators identified, flagged and restricted access to more than EUR 41 million in criminal crypto assets. Authorities also recovered as many as 27 million stolen login credentials. During the operation, 326 servers and 142 domains linked to the malware infrastructure were taken down, significantly disrupting its ability to operate.

SocGholish, Amadey and StealC Networks Dismantled

Europol said the targeted malware families played different roles within the cybercrime ecosystem. SocGholish, also known as FakeUpdates, spread through fake browser updates hosted on compromised websites, allowing attackers to gain unauthorised access to computers before deploying ransomware or other malicious software.

StealC was designed to extract passwords, digital identities and stored access data from infected systems for criminal use. Amadey, distributed largely through phishing campaigns, functioned as initial-access malware capable of introducing additional malicious software while also stealing sensitive information.

Authorities remediated nearly 14,971 infected websites linked to the SocGholish network, disabled its botnet infrastructure and worked with multiple notification platforms to alert affected website owners and victims.

Operation Endgame Marks New Strategy

Europol said the operation represents a shift in cybercrime enforcement by targeting the entire infrastructure that enables cyberattacks rather than focusing only on individual malware strains. Microsoft intelligence linked Amadey and StealC to more than 140,000 infected computers worldwide during the first two weeks of May 2026.

The agency said its European Cybercrime Centre provided analytical, operational and financial investigation support, while Europol coordinated intelligence sharing through SIENA and the Joint Cybercrime Action Taskforce. Operation Endgame was described as the largest international operation undertaken against ransomware enablers, involving law enforcement authorities from multiple countries and more than 30 public and private sector partners.
