Operation Endgame disrupts the Amadey, StealC and SocGholish malware networks
At the end of June 2026, a new phase of Operation Endgame was announced. Operation Endgame is an international initiative aimed at dismantling infrastructure used by cybercrime groups to distribute malware. This phase focused on networks associated with the Amadey, StealC and SocGholish malware families, which are widely used to steal credentials, distribute other threats and gain initial access to compromised systems. The operation was coordinated by Europol in conjunction with law enforcement and judicial authorities from several countries, including Germany, the Netherlands, Denmark, the United Kingdom, the United States and Canada, with the collaboration of various companies in the cybersecurity sector. The main objective was to disrupt the technical infrastructure that enabled the operation and spread of these malicious campaigns.
During the operation, the authorities carried out coordinated actions to dismantle the infrastructure used by the operators of Amadey and StealC, which included the seizure of hundreds of servers and domains used as command and control centres. According to information provided by Europol, approximately 27 million stolen credentials were also recovered and cryptocurrency assets linked to the criminal activity were frozen. Those most affected by these campaigns were users and organisations whose credentials or systems had been compromised by the malware, as well as the criminal infrastructure used by those responsible for the operation. International law enforcement agencies, in collaboration with specialist cybersecurity firms, coordinated the identification, seizure and deactivation of the resources used to keep these threats active.
According to data from Europol and the other law enforcement agencies involved, the strike against the infrastructure of Amadey, StealC and SocGholish – involving the seizure of their servers and domains – has temporarily halted the activity of these malware networks. In addition to this disruption, the operation succeeded in recovering a significant number of stolen credentials and freezing funds linked to the illicit activities. Despite the success of these initial actions as part of Operation Endgame, the authorities made it clear in their statements that the international crackdown on cybercrime is still ongoing; the investigation remains fully open and cooperation between countries will continue in order to locate new servers and identify those responsible.
Those affected include nearly 9,000 compromised devices located in Spain, from which more than 535,000 credentials were obtained, as well as 70,000 credentials belonging to users of 3,000 Spanish websites.
INCIBE-CERT, in its role as Spain’s National CERT for private organisations, is actively collaborating by reporting these cases within its remit so that those affected can clean their devices and change all their credentials.
- 19/06/2026 thehackernews.com
- 24/06/2026 www.operation-endgame.com
- 24/06/2026 www.europol.europa.eu
- 24/06/2026 arstechnica.com
- 24/06/2026 www.microsoft.com
- 24/06/2026 therecord.media
- 24/06/2026 www.theregister.com
- 24/06/2026 www.bleepingcomputer.com



