- EUROPOL Operation Endgame froze $47 million in cryptocurrency and dismantled infrastructure for SocGholish, Amadey and StealC malware.
- 326 servers, 142 domains and 14,971 infected websites were removed, disrupting distribution networks and recovering 27 million credentials.
- No arrests were made; experts warn that such disruptions often only temporarily halt criminal operations before infrastructure is rebuilt.
Millions of dollars in cryptocurrency were frozen and hundreds of servers shut down, in a radical operation by EUROPOL and multiple national law enforcement agencies against cybercriminals.
Over the past few weeks, EUROPOL has led Operation Endgame, alongside law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States. Several private companies, including Microsoft, also participated.
The goal was to dismantle the digital infrastructure used by three different hacking operations: SocGholish, Amadey and StealC. These are known malware variants, which grant attackers backdoor access and steal valuable secrets from compromised devices.
Shut down servers and clean websites
SocGholish, for example, is a sophisticated JavaScript downloader and loader, linked to a Russian malware-as-a-service (MaaS) operation called Evil Corp.
During the operation, the police managed to identify and freeze $47 million in cryptocurrencies. These funds cannot be accessed or recovered, but freezing them effectively removes them from circulation. As part of this operation, around 27 million login credentials were also recovered.
Additionally, authorities shut down 326 servers and 142 domains that were used to host and distribute the malware. This, EUROPOL says, “seriously crippled” the malware distribution network: “By removing these tools simultaneously, collaboration between law enforcement and private parties has increased friction for cybercriminals, making it more difficult for attacks to succeed, spread or recover.”
EUROPOL also said that by removing SocGholish, 14,971 infected websites were “remediated.” These are legitimate sites, belonging to different businesses such as restaurants, auto repair shops and others, but they were compromised and used as launch pads for malware delivery.
Unfortunately, no arrests have been made and EUROPOL did not say whether key players in these groups have been identified. Typically, disruptions like this only momentarily stop malicious activities, which resume within a few weeks once the infrastructure is rebuilt.





