Europol has shut down 326 servers, seized approximately $47 million in cryptocurrency, and recovered more than 27 million stolen credentials in a coordinated six-country operation targeting the malware infrastructure behind thousands of ransomware and phishing attacks.
The operation, known as Operation Endgame, brought together investigators and prosecutors from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside private-sector cybersecurity leaders including Microsoft. Their coordinated effort resulted in the shutdown of hundreds of servers, the seizure of tens of millions of dollars in cryptocurrency, and the recovery of millions of stolen online credentials used by cybercriminals.
Authorities confirmed that investigators seized approximately $47 million worth of cryptocurrency believed to be proceeds of criminal activity. They also disabled 326 servers, took down 142 internet domains, and recovered more than 27 million compromised credentials during the coordinated enforcement action.
The operation represents one of the most comprehensive attempts yet to dismantle the infrastructure supporting cybercrime-as-a-service, a rapidly growing criminal business model in which attackers rent sophisticated malware and digital tools instead of developing them themselves. Rather than pursuing only the individuals behind cyberattacks, investigators targeted the shared ecosystem that lets thousands of cybercriminals operate across borders with relative ease.
Officials believe disrupting these shared services will significantly reduce the ability of ransomware gangs, phishing operators, and credential thieves to launch attacks against businesses, governments, and individual users worldwide.
Europol shifts strategy against cybercrime infrastructure
Unlike previous multinational cybercrime investigations that focused primarily on identifying individual hacking groups, Operation Endgame was designed to strike at the technical backbone that powers global cybercrime networks.
Europol described the operation as a strategic shift in international law enforcement efforts.
“Instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners, disrupted the entire chain that allows cyberattacks to scale,” the agency said in its announcement.
That distinction is significant. Modern cybercrime increasingly depends on specialized service providers that develop malware, lease servers, register malicious domains, distribute phishing software, and process illicit payments. Criminal organizations often purchase these services from one another, creating an interconnected marketplace that functions much like a legitimate technology supply chain.
By removing those shared resources, investigators aim to make it considerably harder for cybercriminal groups to rebuild their operations quickly.
The seizure of cryptocurrency assets also illustrates how digital currencies continue to play a role in cybercrime investigations. Criminal organizations frequently rely on cryptocurrency to receive ransom payments, pay infrastructure providers, compensate malware developers, and transfer illicit proceeds across borders. While blockchain transactions leave permanent records, tracing and recovering those assets often requires extensive international cooperation among financial investigators, blockchain analysts, and prosecutors.
Law enforcement agencies have increasingly demonstrated that cryptocurrencies are not beyond the reach of investigators. Sophisticated blockchain analytics and closer cooperation with regulated cryptocurrency exchanges have enabled authorities to freeze, trace, and confiscate digital assets tied to criminal enterprises more effectively than in previous years.
Malware platforms powered thousands of cyberattacks
At the center of the investigation were three malware families—SocGholish, StealC, and Amadey—all of which have become essential tools within today’s cybercrime-as-a-service marketplace.
SocGholish has earned a reputation for compromising legitimate WordPress websites and displaying fake browser update notifications to unsuspecting visitors. Visitors who run the fraudulent update install malware that gives the operators remote access to the machine. Those compromised devices are frequently handed off to ransomware operators, making SocGholish an important initial-access vector for larger cyberattacks.
StealC serves a different but equally dangerous role. The information-stealing malware is designed to harvest usernames, passwords, browser cookies, cryptocurrency wallet information, autofill data, and other sensitive digital credentials. Once collected, the stolen information is sold through underground marketplaces where other cybercriminals purchase access for identity theft, financial fraud, and corporate network intrusions.
Amadey complements those operations by acting as both a downloader and an information stealer. Commonly delivered through phishing emails and malicious downloads, it enables attackers to install additional malware while quietly collecting valuable information from infected systems.
Microsoft researchers recently reported that Amadey and StealC were linked to more than 140,000 infections during the first two weeks of May alone, illustrating the extraordinary scale at which these malware families continue to operate. The company also identified nearly 15,000 websites infected with SocGholish, demonstrating how compromised websites remain an effective distribution channel for malware.
According to Microsoft, cybercriminals continue to refine their tactics, making malware campaigns more automated, scalable, and difficult to detect. Security researchers say that disrupting the infrastructure behind these campaigns is often more effective than simply arresting individual operators, many of whom can quickly rebuild their operations using rented services provided by other members of global cybercrime networks.