Europol announced that, in the final phase of Operation Endgame, more than €41 million worth of crime-related crypto assets—equivalent to approximately $47 million—were frozen. The international operation, which lasted two weeks and involved several countries, dealt a significant blow to a cybercriminal infrastructure focused on targeting crypto wallets and account information through malware.
Major takedown of malware networks
The operation dismantled the infrastructure behind three notorious malware families: SocGholish, Amadey, and StealC. According to Europol, these tools had been used to steal passwords and crypto wallet data, fueling fraud, account takeovers, and ransomware campaigns across the globe.
Europol stated that in the operation’s last stage, criminally sourced crypto assets valued at over €41 million were identified, flagged, and frozen.
Amadey was reported to provide initial access to target systems, enabling installation of additional malware. SocGholish—linked to the Russian cybercriminal group Evil Corp—spread via fake browser update alerts embedded on compromised websites. Authorities noted that these two malware tools typically started attack chains, leading to emptied wallets or ransomware incidents as the attacks unfolded.
Glossary: An infostealer is a type of malware that covertly collects saved passwords, wallet files, private keys, and recovery phrases from infected devices. CaaS refers to “Cybercrime-as-a-Service,” where criminal tools and infrastructure are made available for rent.
Servers and domains dismantled
Law enforcement agencies deactivated 326 servers and 142 domain names as part of the coordinated effort. Approximately 27 million stolen credentials, from over 385,000 compromised systems, were recovered. Nearly 15,000 infected websites—mostly belonging to small businesses—were also cleaned during the operation.
| Item | Data |
|---|---|
| Frozen crypto assets | Over €41 million |
| Servers taken down | 326 |
| Domains deactivated | 142 |
| Credentials recovered | Around 27 million |
| Compromised systems | More than 385,000 |
Microsoft, which supported the operation, reported that over 140,000 computers were found to be infected with Amadey and StealC malware in just the first two weeks of May. The company’s Digital Crimes Unit revealed that, over the past nine months, five separate organizations backing the Cybercrime-as-a-Service model have been dismantled.
Crypto wallets a primary target
Experts warn that infostealer malware has become a leading method for crypto theft. Attackers can covertly siphon wallet files, private keys, and recovery phrases directly from victims’ devices, often without any signs of attack. In addition to classic phishing, criminals employed tactics like fake AI tools, gaming platform themes, and pirated game plugins to distribute malware.
Microsoft pointed out that, although Amadey and StealC were developed by different groups, they operated on shared infrastructure, which allowed the company to target both within a single criminal network.
An earlier phase of Operation Endgame revealed that login credentials for more than 100,000 crypto wallets had been compromised but had yet to be exploited. With this latest phase, authorities continue efforts to disrupt attackers’ control and have identified more than 18,000 victimized computers so far.
Authorities issue warnings for users
Officials emphasized that while such operations can significantly disrupt malware networks, eliminating malicious software entirely remains challenging, as cybercriminal operators often regroup and adapt. Notably, a new version of StealC was reported to have emerged this month.
Europol and its partners are directing victims to services like Have I Been Pwned, enabling individuals to check whether their login credentials or crypto wallet data may have fallen into attackers’ hands and to take protective measures if necessary.
