Europol Freezes $47M in Crypto in Global Infostealer Malware Takedown

A major global cybercrime operation has frozen more than €41 million, or about $47 million, in criminal crypto assets after law enforcement disrupted malware networks used to steal passwords, credentials, and crypto wallet data.

The operation was part of Operation Endgame, an international crackdown coordinated by Europol against cybercrime-as-a-service infrastructure. The latest phase targeted three major malware families: SocGholish, Amadey, and StealC.

Together, these tools are used to infect devices, collect sensitive information, steal crypto wallet data, and support wider fraud and ransomware attacks.

A Global Strike Against Crypto-Stealing Malware

Europol said the two-week operation identified, flagged, and froze more than €41 million in criminal crypto assets. The crackdown also dismantled key infrastructure used by malware operators and cybercriminal networks.

Authorities took down 326 servers and 142 domains connected to SocGholish, Amadey, and StealC. They also recovered nearly 27 million stolen credentials from more than 385,000 compromised systems.

The operation shows how deeply infostealer malware has become connected to crypto crime. Instead of attacking blockchains directly, cybercriminals often target users’ devices, browsers, wallets, and passwords.

Once attackers gain access to this information, they can take over accounts, drain wallets, sell stolen credentials, or pass access to ransomware groups.

How the Malware Worked

Each malware family played a different role in the cybercrime chain.

StealC is an infostealer sold as malware-as-a-service. It is designed to steal saved passwords, browser cookies, login data, and crypto wallet information from infected devices. Researchers have also found that StealC included tools linked to cryptocurrency theft, including a plugin that attempted to steal seed phrases from victims’ MetaMask wallets.

Amadey is a malware loader. Its main role is to gain access to a victim’s device and then install additional malware. This makes it useful for attackers who want to deliver more dangerous tools after the first infection.

SocGholish spreads through compromised websites and fake browser update prompts. Victims are tricked into downloading what appears to be a normal update, but the file actually installs malware. SocGholish has been linked to major cybercrime activity and ransomware operations.

Together, these malware tools created a system that helped criminals move from infection to data theft, account takeover, crypto wallet theft, and ransomware.

Thousands of Websites and Devices Were Compromised

As part of the takedown, authorities also helped clean nearly 15,000 infected websites, many of them small business websites that had been abused to spread malware.

Microsoft, one of the private-sector partners in the operation, said Amadey and StealC were linked to more than 140,000 infected computers worldwide in the first two weeks of May alone.

That scale highlights how quickly malware networks can grow when criminals use automated tools, hacked websites, and cybercrime-as-a-service platforms.

The recovered stolen credentials also show the wider risk for users. Even if stolen crypto has not yet been moved, exposed passwords and wallet data can still be used later if victims do not secure their accounts.

What Are Infostealers?

Infostealers are malware programs designed to quietly collect sensitive data from a victim’s device.

For crypto users, they are especially dangerous because they can search for wallet files, private keys, seed phrases, saved passwords, browser cookies, and active login sessions.

This means attackers may be able to access crypto exchanges, DeFi platforms, email accounts, social media profiles, and self-custody wallets without needing to break blockchain security.

Infostealers are often spread through fake software downloads, pirated games, malicious browser extensions, fake AI tools, gaming mods, and compromised websites.

They have become one of the biggest threats to crypto wallet security because they attack the user’s device directly.

A Major Warning for Crypto Users

The latest Operation Endgame action is another reminder that crypto security is not only about protecting a wallet address or choosing a strong exchange password.

Device security matters just as much.

If a computer or phone is infected with infostealer malware, attackers may be able to steal the information needed to access accounts and wallets. In some cases, they can bypass normal login protections by stealing cookies or active sessions.

An earlier Operation Endgame action uncovered login data connected to more than 100,000 crypto wallets. That data had already been stolen, even if the wallets had not yet been emptied.

This means some victims may not notice the danger until much later.

Microsoft Targets Shared Malware Infrastructure

Microsoft’s Digital Crimes Unit also took legal action connected to the operation. The company filed a U.S. racketeering lawsuit after finding that Amadey and StealC, although created by different criminals, used shared infrastructure.

Using AI tools, including Microsoft Copilot, investigators analyzed malware activity and identified links between the two operations. Microsoft said this helped treat the malware networks as part of a wider criminal conspiracy under the U.S. RICO Act.

The company also moved to disrupt more than 200 command-and-control servers used by Amadey and StealC. These servers allow criminals to manage infected devices, receive stolen data, and push new malware payloads.

Microsoft said it had identified more than 18,000 victim computers and started cutting off attackers’ control over those systems.

Takedowns Help, but the Threat Remains

Operations like this can seriously disrupt cybercrime networks, but they rarely remove the threat completely.

Malware operators often rebuild infrastructure, release new versions, or shift to different tools. Reports show that StealC has continued to evolve, with new builds appearing around the time of the crackdown.

For now, Europol and its partners are helping notify victims through services such as Have I Been Pwned, where users can check whether their credentials have appeared in known data leaks.
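The Have I Been Pwned service mentioned above also exposes a Pwned Passwords lookup that lets a user check a password against known leaks without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range, and finishes the comparison locally. The code below is an added illustration of that k-anonymity check and is not part of the article or of the service's own code. The range response is a constructed sample (the hit count shown is made up, and the second suffix is filler); the live fetcher assumes the documented endpoint https://api.pwnedpasswords.com/range/ and is not called by the offline demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.

    Only the prefix ever leaves the machine; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response of 'SUFFIX:COUNT' lines into a dict.

    Blank lines are ignored and malformed lines are skipped rather than
    aborting the whole check.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the leak corpus (0 = not seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (network). Add-Padding asks the service to pad the response
    so the number of lines does not leak how common the range is."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the offline demo. The first suffix is the
# real SHA-1 suffix of the string "password"; the count next to it and the
# second line are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "",
    ]),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "0000000000000000000000000000000000A:1\n")


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-used-nowhere-else"):
        hits = breach_count(candidate, fetch_range_sample)
        verdict = "seen in leaks" if hits else "not in sample"
        print(f"{candidate!r}: {verdict} ({hits})")
```

The check only tells a user whether a password string is already circulating; it says nothing about whether a specific device has been infected, which is why the advice above to clean a possibly infected device before rotating credentials still applies.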

Crypto users should take exposed credentials seriously. If a password, wallet file, or seed phrase has been stolen, changing one password may not be enough.

How Crypto Users Can Stay Safer

Crypto holders should avoid downloading pirated software, fake tools, suspicious browser extensions, or files promoted through unknown links. These are common ways infostealers reach victims.

Users should also keep their devices updated, use strong and unique passwords, enable two-factor authentication, and store significant crypto holdings in hardware wallets.

Seed phrases should never be saved in screenshots, cloud notes, browser storage, plain text files, or messaging apps.

If a device may be infected, users should clean or reset the device before changing passwords or moving funds. Changing passwords from an infected device can expose the new passwords to attackers as well.

Operation Endgame Puts Pressure on Cybercrime-as-a-Service

The latest phase of Operation Endgame shows that law enforcement agencies are increasingly targeting the infrastructure behind cybercrime, not just individual hackers.

By freezing $47 million in crypto, taking down hundreds of servers and domains, and recovering millions of stolen credentials, Europol and its partners have delivered a major blow to infostealer malware networks.

Still, the wider risk remains. As long as stolen credentials and crypto wallet data can be sold online, infostealers will continue to be a serious threat to digital asset users.

For crypto holders, the message is clear: protecting funds starts with protecting the device, the browser, and the credentials that give access to the wallet.
