Operation Endgame has dealt another blow to cybercriminal operations after international law enforcement agencies and private sector partners dismantled infrastructure supporting the SocGholish, Amadey, and StealC malware families. The coordinated operation resulted in the seizure of more than EUR 41 million in criminal cryptocurrency assets, the recovery of 27 million stolen login credentials, and the disruption of hundreds of servers and domains used to distribute malware.
Led by Europol and Eurojust, the operation brought together authorities from Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, Microsoft, and several cybersecurity organizations. Officials said the objective was to disrupt the infrastructure cybercriminals rely on to launch ransomware attacks, financial fraud, and attacks against critical infrastructure.
Operation Endgame Targets Cybercrime Infrastructure
During the coordinated action, authorities targeted the infrastructure supporting malware delivery rather than focusing on a single malware family.
Law enforcement and industry partners took action against 326 servers and 142 domains, significantly disrupting malware distribution channels. Investigators also identified and restricted criminal cryptocurrency assets currently valued at more than EUR 41 million (USD 47 million) while recovering approximately 27 million stolen login credentials.
According to Europol, the operation aimed to disrupt the “assembly line” used by cybercriminals to gain initial access to victim systems before deploying ransomware or stealing sensitive information.
SocGholish, Amadey and StealC Malware Played Different Roles
The operation focused on three malware families that are commonly offered under the cybercrime-as-a-service model.
- SocGholish functioned as a malware loader that distributed fake browser updates through compromised WordPress websites. Users who installed these fake updates unknowingly infected their systems, allowing attackers to gain initial access and later deploy ransomware or other malicious tools.
- StealC malware primarily targeted sensitive information stored on infected devices, including passwords, authentication data, and digital identities. The stolen information was later used for fraud or traded within cybercriminal marketplaces.
- Amadey was mainly distributed through phishing campaigns. It provided attackers with initial access to compromised systems while also offering information-stealing capabilities that enabled the theft of sensitive user data.
Microsoft reported that during the first two weeks of May 2026 alone, Amadey and StealC malware were linked to more than 140,000 infected computers worldwide.
Thousands of Infected WordPress Sites Cleaned
One of the largest actions under Operation Endgame targeted SocGholish, also known as FakeUpdates.
Authorities remediated 14,971 infected WordPress websites, including websites belonging to restaurants, automotive repair businesses, and other organizations. Investigators also disabled the SocGholish botnet by taking control of domains and shutting down supporting servers.
Website owners whose credentials had been exposed were notified through platforms including Have I Been Pwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and NL-NCSC.
The Dutch Police urged WordPress administrators to change passwords, enable multi-factor authentication, remove unknown administrator accounts, and keep their websites updated to reduce future compromise risks.
SocGholish Linked to Evil Corp
Authorities said SocGholish has been linked to Evil Corp, a Russian cybercriminal group previously associated with the Zeus and Dridex malware families, as well as multiple ransomware and money laundering operations.
Rather than targeting only malware operators, investigators focused on disrupting the broader infrastructure supporting cybercriminal activity. Europol said this strategy increases operational costs for threat actors and makes large-scale cyberattacks more difficult to execute.
Europol Coordinates Global Cyber Operation
Europol’s European Cybercrime Centre (EC3) coordinated operational intelligence sharing through SIENA while providing analytical, technical, and cryptocurrency tracing support throughout the investigation.
The operation forms part of Operation Endgame, described by Europol as the largest international initiative to disrupt ransomware enablers worldwide.
Officials said the latest disruption reflects a growing international strategy of targeting the infrastructure that enables cybercrime operations, rather than responding only after attacks have occurred.