# Operation Endgame guts the StealC, Amadey and SocGholish ransomware on-ramps
> Europol, Microsoft and partners take 326 servers and 142 domains, freezing €41m in crypto

**Meta:** type: event · date: 2026-06-24 · heads: What broke, Whose money · 13 takes · 3 lenses · 9 regions

## Summary

On 24 June 2026 [Europol](/zh/entity/european-union) announced the latest chapter of Operation
Endgame, a 15-19 June takedown of the SocGholish, Amadey and StealC malware families,
the infostealer and loader "on-ramps" that seed [ransomware](/zh/entity/ransomware) and fraud. Police from
Canada, Denmark, [Germany](/zh/entity/germany), the Netherlands, the UK and the [US](/zh/entity/united-states),
with Microsoft, Bitdefender, ESET, IBM X-Force, Proofpoint and others, took down 326
servers and seized 142 domains, recovered ~27m stolen credentials and identified and
froze over EUR 41m ($47m) in criminal [crypto](/zh/entity/crypto-laundering). Microsoft's Digital
Crimes Unit ran a parallel court-authorised disruption; the firm linked the malware to
140,000+ infected machines in the first two weeks of May 2026 alone.

## By the numbers

- 326 servers taken down; 142 domains seized.
- €41m ($47m) in criminal crypto identified and frozen.
- 27m stolen login credentials recovered.
- 140,000+ computers infected by Amadey/StealC in early May 2026 (Microsoft).
- 6 countries' police agencies in the operation, plus several private firms.

## Why it matters

Infostealers and loaders are the wholesale layer beneath ransomware: cheap initial
access that gangs buy to launch extortion. Degrading the assembly line raises costs
across the [ecosystem](/zh/n/ransomware-surge-fragmentation-2026), but elastic
crime-as-a-service infrastructure tends to rebuild, so the win is measured in months.

## What to watch

- Whether the operators rebuild or rebrand within weeks.
- Arrests or indictments following the infrastructure seizures.
- Crypto-tracing of the frozen €41m back to ransomware affiliates.

## Regional takes (batched by bias / lens)

### unlabelled
- **Europol** (European Union, en) — Europol's 24 June 2026 press release on the global cyber strike disrupting SocGholish, Amadey and StealC: 326 servers and 142 domains taken, 27m credentials recovered, and over EUR 41m in criminal crypto identified and frozen.
  Source: https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
- **Eurojust** (European Union, en) — Eurojust's account of the judicial coordination behind the Operation Endgame chapter, detailing cross-border legal cooperation among the participating states.
  Source: https://www.eurojust.europa.eu/news/authorities-continue-protect-citizens-cybercriminals-during-major-malware-operation
- **Infosecurity Magazine** (United Kingdom, en)
  Source: https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/
- **Help Net Security** (Croatia, en)
  Source: https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/
- **Security Affairs** (Italy, en)
  Source: https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html
- **Hackread** (Global, en)
  Source: https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/
- **Cybernews** (Lithuania, en)
  Source: https://cybernews.com/security/europol-operation-endgame-disrupts-three-malware-strains/
- **Industrial Cyber** (Global, en)
  Source: https://industrialcyber.co/threat-landscape/europols-operation-endgame-dismantles-1025-servers-tied-to-global-malware-networks-targeting-critical-infrastructure/
- **Cybersecurity Dive** (United States, en)
  Source: https://www.cybersecuritydive.com/news/information-stealer-malware-law-enforcement-takedown-asia/750447/
- **GlobeNewswire (ESET)** (Slovakia, en)
  Source: https://www.globenewswire.com/news-release/2026/06/24/3316918/0/en/eset-takes-part-in-global-operation-endgame-to-disrupt-amadey-botnet-and-stealc-infostealer.html
- **The Manila Times** (Philippines, en)
  Source: https://www.manilatimes.net/2026/06/24/tmt-newswire/globenewswire/eset-takes-part-in-global-operation-endgame-to-disrupt-amadey-botnet-and-stealc-infostealer/2372087

### threat-intelligence
- **The Record (Recorded Future)** (United States, en) — Frames the three malware families as 'cybercrime-as-a-service' on-ramps that seed ransomware and fraud, and reports Microsoft's parallel civil takedown of command-and-control infrastructure alongside the police action.
  > "Three cybercrime-as-a-service operations were undercut by Microsoft and law enforcement."
  Source: https://therecord.media/stealc-amadey-socgholish-malware-takedown-europol-microsoft

### technical / SOC
- **BleepingComputer** (United States, en) — Details the malware mechanics (Amadey as initial-access loader, StealC as credential and wallet stealer) and the 15-19 June operational window, stressing that takedowns degrade but rarely kill these elastic services.
  > "Amadey gains access; StealC steals passwords and data, the opening stages of the attack chain."
  Source: https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/

## Across the graph
- Related: [[garantex-grinex-crypto-sanctions-2026]], [[ransomware-surge-fragmentation-2026]], [[apt28-signal-phishing-advisory]], [[north-korea-crypto-theft-it-workers-2026]]
- Entities: Ransomware, Crypto Laundering, European Union, Germany, United States

---
Canonical: https://rbtfl.xyz/zh/n/operation-endgame-stealc-amadey-2026