Law enforcement just delivered one of the year’s most significant blows to cybercriminal infrastructure. Europol, coordinating with agencies across six countries, froze approximately $47 million worth of cryptocurrency tied to three prolific malware operations in a sweeping global crackdown.
The operation, executed on June 24 as part of the ongoing initiative known as Operation Endgame, targeted the malware families SocGholish, Amadey, and StealC. These tools power a “cybercrime-as-a-service” economy, and one of them has direct ties to the Russian cybercrime syndicate Evil Corp.
What Europol actually seized
Authorities took down 326 servers and 142 domains that served as the backbone for distributing and controlling the malware. They also cleaned up 14,971 infected websites, most of them WordPress sites that had been hijacked to spread SocGholish through fake software update prompts.
Investigators froze over EUR 41 million, roughly $47 million, in crypto assets linked to criminal proceeds from the malware campaigns.
A total of 27 million stolen login credentials were recovered and are being shared with victims through platforms like Have I Been Pwned.
The takedown brought together law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Eurojust provided judicial coordination, while Microsoft contributed critical threat intelligence that helped map the infrastructure.
Microsoft’s data linked Amadey and StealC to more than 140,000 infections in early May 2026 alone.
The malware ecosystem behind the freeze
SocGholish operates by compromising legitimate websites and displaying fake browser update notifications. It has been linked to Evil Corp, one of Russia’s most notorious cybercrime groups.
Amadey functions as a loader designed to install additional malware on compromised machines. StealC specializes in stealing sensitive data, including crypto wallet credentials and browser-stored passwords.
All three operate under a cybercrime-as-a-service model, where developers build the tools and rent them out to other criminals. This model has lowered the barrier to entry for cybercrime, allowing technically unsophisticated actors to deploy sophisticated malware.
What this means for crypto investors
The 27 million recovered credentials represent 27 million potential vectors for account takeover attacks. If any of those credentials belong to crypto exchange accounts, the victims may have already lost funds. The recovery and notification process through Have I Been Pwned is damage control, not prevention.
Hardware wallets, unique passwords per service, and two-factor authentication that doesn’t rely on SMS remain the minimum viable defense against infostealer malware. When cybercrime operators are deploying tools capable of infecting 140,000 devices in a single month, assuming your credentials are safe because you haven’t noticed anything suspicious is optimism doing a lot of heavy lifting.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
