A large-scale international cyber operation has led to significant damage to one of the world's largest cybercrime infrastructures. As part of Operation Endgame, led by Europol and in cooperation with law enforcement authorities, intelligence agencies, and leading technology companies, the distribution networks of SocGholish, Amadey, and StealC malware, which were used as a basis for ransomware attacks, data theft, and financial fraud, were dismantled.
The operation, which involved law enforcement agencies from Germany, the Netherlands, the United Kingdom, the United States, Canada and Denmark, as well as private companies including Microsoft, resulted in the seizure and freezing of more than €41 million in criminally derived crypto assets, along with the recovery of approximately 27 million stolen login credentials from users worldwide.
The operation included the shutdown of 326 servers and 142 domains used to distribute malware, a move designed to disrupt the "production line" of the cybercrime industry. Law enforcement officials emphasized that this is a strategic shift in the approach to combating online crime, with the goal being not only to arrest individual criminals but also to dismantle the entire supply chain that enables attacks on a global scale.
One of the main malware families neutralized was SocGholish, also known as FakeUpdates. The malware was distributed via fake update notifications shown in browsers on compromised websites, primarily WordPress-based sites. Users who thought they were installing a legitimate update actually granted access to their computers, allowing ransomware and other malware to be installed.
According to the operation's organizers, nearly 15,000 infected websites were cleaned of the malware, and website owners were instructed to strengthen security, change passwords, and enable multi-step verification.
At the same time, the authorities acted against StealC, malware whose main function is to steal passwords, access details, and digital identities from infected computers, as well as against Amadey, malware that is distributed mainly through phishing attacks and serves as the first step in a broader attack chain.
Europol noted that during the first two weeks of May 2026 alone, more than 140,000 computers affected by Amadey and StealC were identified worldwide. The agency said the operation was a significant blow to the infrastructure used by cybercriminals to carry out ransomware attacks and financial fraud and to damage critical infrastructure.