A major international law enforcement operation has dealt a significant blow to the cybercriminal ecosystem behind two of the most widely used malware families, Amadey and StealC. The coordinated action, conducted under the banner of Operation Endgame, brought together Europol, Microsoft, and several cybersecurity companies to dismantle infrastructure that had been enabling ransomware attacks, financial fraud, credential theft, and intrusions targeting critical infrastructure around the world.
Unlike traditional malware takedowns that focus on a single threat, this operation targeted what investigators describe as the cybercrime “assembly line.” Amadey and StealC are commonly deployed together as part of malware-as-a-service (MaaS) operations. Amadey typically acts as a loader, compromising systems and delivering additional malicious payloads, while StealC specializes in harvesting credentials, browser cookies, cryptocurrency wallets, and other sensitive information from infected devices. Together, they provide cybercriminals with an efficient platform for launching follow-on attacks, including ransomware deployments.
The scale of the operation was substantial. Authorities disrupted 326 command-and-control servers and 142 malicious domains used by the malware operators. Investigators also recovered approximately 27 million stolen login credentials and identified more than $47 million in cryptocurrency believed to be linked to criminal activity. These actions significantly degraded the infrastructure supporting both malware families and limited the attackers’ ability to continue infecting new victims.
Microsoft revealed that telemetry collected during the first two weeks of May 2026 linked Amadey and StealC to more than 140,000 infected computers worldwide. The company independently identified over 18,000 compromised devices and helped sever communications between those systems and the attackers’ command-and-control infrastructure. Through court-authorized actions, domain seizures, and cooperation with hosting providers, Microsoft and its partners shut down approximately 200 malicious command-and-control domains and IP addresses associated with the operation.
One of the most notable aspects of the investigation was the use of artificial intelligence to accelerate threat analysis. Microsoft’s researchers used AI-assisted techniques to analyze malware code and infrastructure, discovering that although Amadey and StealC were developed by separate criminal groups, both relied on much of the same backend infrastructure. This insight allowed investigators to view the malware operations as parts of a broader criminal ecosystem rather than isolated campaigns, enabling a more comprehensive disruption strategy.
The legal strategy also marked an evolution in cybercrime enforcement. Instead of pursuing individual malware operators separately, investigators reportedly relied on broader legal frameworks to target multiple participants involved in maintaining the shared criminal infrastructure. This approach reflects a growing emphasis on dismantling the services that enable cybercrime at scale rather than simply taking down individual malware families.
Operation Endgame has already become one of the largest international efforts aimed at disrupting cybercriminal infrastructure. Previous phases targeted botnet operators and malware delivery platforms, and this latest action demonstrates an increasing focus on the interconnected services that underpin the cybercrime economy. By disrupting malware loaders, infostealers, hosting infrastructure, domains, and financial assets simultaneously, law enforcement agencies hope to increase the operational cost for criminal groups attempting to rebuild their networks.
While the takedown represents a significant success, cybersecurity experts caution that malware-as-a-service operations are resilient by design. Criminal groups often maintain backup infrastructure and rapidly establish new command-and-control servers after enforcement actions. Nevertheless, coordinated operations involving governments, technology companies, and private security researchers can substantially slow these ecosystems, recover stolen data, and disrupt the supply chains that support ransomware and large-scale cybercrime.
The operation highlights a broader trend in cybersecurity: defenders are increasingly targeting the infrastructure that enables attacks rather than responding only after victims have been compromised. As cybercriminal operations become more organized and interconnected, international collaboration, legal innovation, and AI-assisted threat intelligence are emerging as critical tools in efforts to dismantle the ecosystems that power modern cybercrime.