Europol Seizes $47M in Crypto, Disables 326 Servers in Malware Crackdown

Europol announced on Wednesday the completion of Operation Endgame, an international law enforcement action that disabled 326 servers and took down 142 domains to dismantle global cybercrime-as-a-service malware networks. The operation resulted in the seizure of $47 million in crypto assets and the recovery of over 27 million stolen credentials. The coordinated effort involved law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, and private sector partner Microsoft, targeting infrastructure that enabled cybercriminals to scale attacks through malware distribution platforms.

Europol Seizes $47M in Crypto Through Operation Endgame

Europol disclosed that Operation Endgame took action against 326 servers and 142 domains, crippling networks that served as infrastructure for global cybercrime campaigns. Law enforcement groups seized $47 million in crypto assets of "criminal origin" and recovered over 27 million stolen credentials as a result of the operation.

The joint international effort, dubbed "Endgame," involved collaboration between Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, and Microsoft. The operation targeted infrastructure supporting malware campaigns that operated on a "cybercrime-as-a-service" model.

Three Malware Platforms Targeted in Infrastructure Takedown

The operation focused on three key malware platforms that provided services to other cybercriminals. SocGholish distributed fake browser updates through infected WordPress sites and served as a channel for ransomware distribution.

StealC extracted passwords, accessed data, and stole digital identities from victims' devices, then made the stolen information available for illicit criminal use. Amadey, the third malware platform, spread through phishing campaigns and served a dual purpose: introducing other malware into compromised systems and retrieving sensitive data.

Microsoft tracked over 140,000 infections linked to Amadey and StealC during the first two weeks of May. SocGholish infected 14,971 sites according to the tracking data.

Operation Marks Strategic Shift in Cybercrime Enforcement

Europol stated that Operation Endgame represented a shift in strategy for fighting cybercriminals. "Instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners, disrupted the entire chain that allows cyberattacks to scale," the agency noted.

The operation followed the teardown of Tycoon 2FA, a major phishing platform used by criminals to bypass multi-factor authentication. Europol coordinated that prior effort with Coinbase, Microsoft, and law enforcement groups in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.

FAQ

What did Europol seize in Operation Endgame?
Europol seized $47 million in crypto assets of criminal origin and recovered over 27 million stolen credentials. Law enforcement disabled 326 servers and took down 142 domains used by cybercrime-as-a-service malware networks.

Which malware platforms did Operation Endgame target?
The operation targeted three malware platforms: SocGholish, which distributed fake browser updates through infected WordPress sites; StealC, which extracted passwords and digital identities; and Amadey, which spread through phishing campaigns to introduce other malware and retrieve sensitive data.

How many infections did Microsoft track from these malware platforms in May?
Microsoft found that Amadey and StealC were linked to over 140,000 infections during the first two weeks of May, while SocGholish infected 14,971 sites.
