$47 Million in Illicit Crypto Seized as Europol Cracks Down on Global Cybercrime Networks

The seizures come after a collaboration of law enforcement groups from Canada, Denmark, Germany, the Netherlands, and the U.S. attacked infrastructure that served criminals using SocGholish, Amadey, and StealC, three key “cybercrime-as-a-service” malware used to collect victims’ info and sensitive data.

• Key Takeaways:
• • Europol led Operation Endgame on Wednesday, disabling 326 servers to cripple global malware markets.
• • Law enforcement seized $47M in crypto, and also recovered 27M leaked credentials.
• • Microsoft tracked 140,000 May infections linked to the Amadey and StealC malware.

Europol Cracks Down on Malware-Powered Criminal Infrastructure Networks

On Wednesday, Europol announced the completion of an international action that terminated a network dedicated to serving infrastructure supporting global “cybercrime-as-a-service” malware campaigns.

In a joint international operation dubbed “Endgame” with the collaboration of Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, and companies like Microsoft, law enforcement groups took action against 326 servers and 142 domains, crippling these networks.

Europol disclosed that, as a result, it also seized $47 million in crypto assets of “criminal origin,” and recovered over 27 million stolen credentials.

The operation targeted three key malware that served as “cybercrime-as-a-service” tools, lending their services to other cybercriminals seeking to infect specific systems. SocGholish distributed fake browser updates through a WordPress-infected site. It was used as a channel for ransomware.

StealC, another malicious software platform, was focused on extracting passwords, accessing data, and digital identities from victims’ devices, and then making them available for illicit criminal use.

Finally, Amadey, the third malware, spread through phishing campaigns and had a dual purpose: allowing the introduction of other malware in compromised systems and retrieving sensitive data.

Microsoft found that Amadey and StealC were linked to over 140,000 infections during the first two weeks of May, while SocGholish infected 14,971 sites.

Europol noted that Operation Endgame marked a shift in strategy in the fight against cybercriminals. “Instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners, disrupted the entire chain that allows cyberattacks to scale,” it stressed.

The operation follows the teardown of Tycoon 2FA, a major phishing platform used by criminals to bypass multi-factor authentication. Europool coordinated efforts with Coinbase, Microsoft, and law enforcement groups in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.