One-two Punch Delivered in Global Operation Disrupts Cybercrime Assembly Line
International authorities and a raft of private technology companies have successfully disrupted a cybercrime “assembly line” that enabled criminals to collect millions of login credentials and steal over $47 million through ransom payments and other fraudulent means.
The operation targeted two unrelated tools widely used in various online scams. The first tool, Amadey, is a malware-as-a-service platform that compromises devices and delivers malicious payloads for ransomware. Amadey has been active since at least 2018. The second tool, StealC, is an infostealer-as-a-service platform that collects credentials, authentication cookies, cryptocurrency wallets, and browser extensions.
These tools relied on similar underlying infrastructure. Microsoft analyzed the tools using AI, which allowed its attorneys to seek an order disrupting both simultaneously. Microsoft stated: “This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services.” They added, “Amadey and StealC are often used together: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain.”
As a result, Microsoft disrupted over 200 command-and-control servers and severed criminal control of more than 18,000 infected computers. Europol, which coordinated the law enforcement aspect of the operation, reported recovering as many as 27 million stolen login credentials and uncovering $47 million worth of crypto assets of criminal origin. Europol noted that 326 servers and 142 domains were actioned by law enforcement and private sector partners, significantly crippling the malware’s distribution network. Taking down both tools at the same time increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.
Europol also noted that another tool disrupted in Operation Endgame is SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp, which spreads through compromised websites. Europol has responded by cleaning infected WordPress sites and urging administrators to change credentials and tighten security. They have also worked to notify parties whose data and credentials were exposed through SocGholish activities.
Countries involved in this enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US.