Operation Endgame, an international law enforcement operation, dealt a major blow to cybercriminal infrastructure by dismantling the three most widespread malware families: SocGholish, StealC, and Amadey. These tools were commonly used to gain initial access to victims’ systems before deploying ransomware or stealing sensitive data.
The operation, carried out between June 15 and 19, 2026, resulted in the takedown of around 15,000 malicious websites, more than 320 servers, and 140 domains that supported cybercriminal infrastructure.
According to Germany’s Federal Criminal Police Office (BKA), investigators also seized approximately 27 million stolen login credentials belonging to more than 385,000 victims worldwide.
Authorities additionally uncovered cryptocurrency assets worth about $47 million. Investigators believe the funds are linked to cybercriminal activity, and the assets remain under investigation.
The international effort involved law enforcement agencies from Germany, the Netherlands, Denmark, the United Kingdom, the United States, and Canada, with support from Europol, Eurojust, Microsoft, and several private cybersecurity companies. Authorities are also notifying victims whose credentials were recovered during the operation.
Operation Endgame targets malware used to gain initial access to victims’ systems before ransomware attacks or data theft. This phase focused on three malware families: SocGholish, StealC, and Amadey, which investigators say play a central role in today’s cybercrime ecosystem.
Officials described the operation as an effort to disrupt cybercriminals at the very beginning of the attack chain. By eliminating the tools used for initial compromise, investigators hope to significantly reduce follow-on cyberattacks.
Carsten Meywirth, Head of Cybercrime at Germany’s Federal Criminal Police Office, said:
“With the continuation of Operation Endgame, we have once again targeted the technical infrastructure relied upon by numerous cybercriminals around the world. This has also prevented the initial infection of a large number of victim systems worldwide.”
Dr. Benjamin Krause, Senior Public Prosecutor at Germany’s Central Office for Combating Cybercrime, described the operation as a model of international cooperation.
“Like the criminals, we work together as an international network to be effective. The difference is that we are on the side of good.”
All three malware families operated under the cybercrime-as-a-service model, allowing even less technically skilled criminals to rent or purchase sophisticated attack tools.
SocGholish spreads through compromised websites that display fake browser update prompts, tricking users into downloading malicious files.
StealC is designed to steal passwords, authentication tokens, and other sensitive information. It also functions as a malware loader, enabling attackers to deploy additional malicious payloads after the initial compromise. Stolen credentials are often sold on underground marketplaces or used in follow-up attacks.
Amadey is typically distributed through phishing emails and malicious attachments. Once installed, it can deploy additional malware while simultaneously stealing passwords and other sensitive information from infected devices.