In a landmark international cybercrime operation, law enforcement agencies led by Europol and the Dutch National Police have successfully dismantled the infrastructure behind two prolific infostealer malware families: StealC and Amadey. Announced on June 24, 2026, as part of the ongoing Operation Endgame, the takedown resulted in the seizure of over 100 criminal servers and domains, the recovery of more than 24 million stolen login credentials, and the freezing of approximately €41 million ($46.5 million) in cryptocurrency assets. This operation marks one of the most significant blows against the malware-as-a-service (MaaS) ecosystem that fuels ransomware, identity theft, and corporate network breaches worldwide.
What Are Infostealers and Why Do They Matter?
Infostealers are a class of malware designed to silently extract sensitive data from infected computers, including usernames, passwords, browser cookies, cryptocurrency wallet keys, and system information. They often serve as the critical first link in a cyberattack chain, providing criminals with the credentials needed to breach corporate networks, deploy ransomware, or commit financial fraud. StealC and Amadey are particularly dangerous because they operate under a malware-as-a-service model, allowing even low-skilled cybercriminals to purchase access and launch attacks. The rise of ransomware attacks in recent years has been directly linked to the proliferation of such infostealers.
The Operation: A Coordinated Global Strike
Scope and Partners
Operation Endgame is the largest international law enforcement collaboration ever mounted against ransomware and cybercrime infrastructure. The latest phase, targeting StealC and Amadey, was led by the Dutch National High Tech Crime Unit (Team High Tech Crime) under the authority of the Dutch Public Prosecution Service (Landelijk Parket). Key international partners included law enforcement agencies from Germany (Federal Criminal Police Office), Denmark, the United Kingdom, and the United States, with operational support from Europol, Eurojust, and private sector partners including Microsoft and other cybersecurity firms.
What Was Seized
According to official statements, the operation neutralized over 100 criminal servers and domains that served as command-and-control (C2) infrastructure for StealC and Amadey. On these servers, investigators discovered more than 24 million stolen login credentials originating from at least 384,000 compromised computer systems, affecting over 1.5 million different online services and companies. Additionally, authorities flagged and froze approximately €41 million in cryptocurrency assets linked to the criminal network. The global cryptocurrency regulation landscape has made it increasingly difficult for cybercriminals to launder such proceeds.
StealC and Amadey: A Closer Look
StealC: The MaaS Information Stealer
First advertised on Russian-speaking underground forums in early 2023 by a developer known as Plymouth, StealC is a sophisticated information stealer sold as Malware-as-a-Service. It targets browser credentials (from Chrome, Firefox, Edge, Opera, and others), cookies, autofill data, cryptocurrency wallets, and messaging tokens from platforms like Discord and Telegram. StealC employs advanced anti-analysis techniques including RC4 encryption, Themida packing, and anti-VM checks. By December 2025, its V2 iteration was being sold for $300 per month, featuring enhanced capabilities such as Steam token decryption and support for the Perplexity Comet browser.
Amadey: The Modular Loader and Dropper
Active since October 2018, Amadey (also known as Amadey Bot) is a modular Windows-based backdoor loader that serves as a delivery mechanism for additional malware payloads. It is often used to deploy StealC, ransomware, cryptocurrency miners, and remote access trojans (RATs). Amadey is distributed through phishing campaigns, malicious URLs, and exploit kits. In May 2026 alone, StealC and Amadey were linked to over 140,000 infected computers worldwide, highlighting their widespread reach and the urgency of the takedown.
Impact on Cybercrime and Recommendations for Victims
The disruption of these infostealer networks is expected to have a significant short-term impact on the cybercrime supply chain, particularly for ransomware operators who rely on stolen credentials for initial access. However, experts warn that the MaaS ecosystem is resilient, and new variants may emerge. The 2025 crypto crash fallout has already reshaped how cybercriminals monetize stolen data, making credential theft even more valuable.
Individuals who suspect they may have been infected by an infostealer are urged to take immediate action. The Dutch police have set up a dedicated website, politie.nl/checkjehack, where users can check if their credentials appear in the recovered data. General recommendations include changing passwords for all accounts accessed from the infected device, enabling two-factor authentication wherever possible, and running a full antivirus scan.
FAQ
What is an infostealer?
An infostealer is a type of malware that secretly scans a victim's computer for sensitive data such as login credentials, financial information, and cryptocurrency wallet keys, then sends that data to a remote attacker.
How do StealC and Amadey infect computers?
They are typically distributed through phishing emails, malicious downloads (including pirated software and game mods), malvertising, and SEO-poisoned websites. Amadey acts as a loader that can deliver StealC or other malware onto the victim's system.
How many credentials were recovered in Operation Endgame?
Over 24 million stolen login credentials were recovered from the seized servers, along with 27 million according to some partner sources, affecting more than 384,000 computer systems and 1.5 million services.
What should I do if I think I'm a victim?
Change passwords for all accounts used on the potentially infected device, enable two-factor authentication, run a trusted antivirus scan, and check your credentials at politie.nl/checkjehack.
Is Operation Endgame still ongoing?
Yes, Operation Endgame began in 2024 and is an ongoing international effort to dismantle ransomware and cybercrime infrastructure. Previous phases have targeted SocGholish and other malware networks.