Europol, Microsoft Hit Malware Network Behind 27M Stolen Logins, 140,000 Infected Computers

Europol and Microsoft disrupted malware infrastructure linked to 27 million stolen login credentials and 140,000 infected computers in a global cybercrime network.

Written By
Liz Ticong
Jun 25, 2026

Europol, Microsoft, and international partners have disrupted a global malware network after investigators recovered 27 million stolen login credentials and linked the operation to more than 140,000 infected computers.

The takedown targeted cybercrime tools used to break into devices, steal access, and support large-scale criminal campaigns. Authorities also restricted millions of dollars in suspected criminal crypto assets.

Stolen logins can turn one infected machine into a much larger security problem. In this case, investigators say the operation reached across countries, websites, and everyday victims before law enforcement and private-sector partners moved in.

Operation Endgame cut into the criminal infrastructure

The disruption was part of Operation Endgame, an international law enforcement effort focused on malware services that help ransomware crews and other cybercriminals launch attacks at scale.

Law enforcement and private-sector partners actioned 326 servers and 142 domains used in the malware distribution network, according to Europol. Authorities also identified, flagged, and restricted more than €41 million, or about $47 million, in criminal crypto assets.

The agency coordinated with Eurojust, Microsoft, and national agencies from Germany, the Netherlands, Denmark, the UK, Canada, and the US.

Cybercrime infrastructure rarely lives in one place. Servers may be rented in one country, domains registered through another, and crypto funds moved through services designed to blur the trail. Moving on several fronts at once gave operators fewer easy ways to keep the operation running.

Malware tools worked in sequence to steal access

Tools named in the operation handled different parts of the same cybercrime workflow: trick users, infect devices, steal access, then look for ways to profit from it.

A single fake update prompt or phishing lure can hand attackers a password that opens access far beyond the original device. Europol said 14,971 infected websites were remediated, including sites for restaurants, auto repair shops, and other everyday services.

Microsoft used AI to connect separate malware operations

Microsoft’s Digital Crimes Unit used AI to analyze Amadey and StealC, which investigators found had been built by separate criminal actors but ran on shared infrastructure.

The link allowed Microsoft to use RICO, the US organized crime law, to pursue multiple operators and enablers as part of one alleged conspiracy.

The company said it disrupted more than 200 command-and-control servers and severed criminal control over more than 18,000 victim computers.

What EU residents should know

The Europol-coordinated takedown may have cut off parts of the malware network, but stolen credentials can continue to pose a risk long after they leave the first infected machine.

EU residents may be affected if their credentials were stolen from an infected device or a compromised website used in the malware campaign. Europol said the operation involved infected websites across everyday services, which means the risk is not limited to large companies or obvious targets.

Anyone concerned should change reused passwords, enable MFA, review account login activity, and be cautious with browser or software update prompts that appear unexpectedly on websites.

Liz Ticong

Liz Ticong is a staff writer for eWeek and TechRepublic focused on AI, cybersecurity, enterprise software, and data. She has more than 10 years of editorial experience as a technology industry writer, combining reporting, product research, and hands-on software testing in her coverage. Her work has been published on Datamation, Enterprise Networking Planet, and TechnologyAdvice.com. She writes technology news, software reviews, product comparisons, and buyer’s guides for business and IT readers.