Police Dismantle Amadey and StealC Malware in Operation Endgame

An international police operation knocked out the servers behind Amadey and StealC, two malware families that infect computers and steal passwords for a living. Investigators recovered 27 million stolen credentials and froze more than 41 million euros in criminal cryptocurrency. If your saved browser passwords were taken, changing them now is the practical response.

By SecureBusinessHub Editorial, International cybersecurity desk

Between 15 and 19 June 2026, police across eight countries shut down the infrastructure behind two of the most widely used pieces of criminal malware: the Amadey loader and the StealC information stealer. The action was the latest chapter of Operation Endgame, the Europol-coordinated campaign against the tools that feed ransomware and data theft.

How the two work together

Amadey is the door opener. It has been sold since October 2018 as a loader, a small program that gets onto a machine and then pulls down whatever the customer wants to run next. Over the years it has delivered a long list of payloads, including Lumma, Vidar, RedLine, and StealC itself.

StealC is the thief. Sold as a subscription since early 2023, it copies saved passwords, browser cookies, and session tokens, then reaches into desktop apps like Outlook, Telegram, Discord, and FileZilla. The two together form a tidy supply chain: Amadey gets in, StealC empties the drawers.

Both families quietly skip machines whose system language is set to Russian, Ukrainian, or Belarusian, a common tell that the operators are working from that region. That detail also tells you where they are not afraid of prosecution, which is part of why takedowns lean on seizing servers and money rather than making arrests.

The five-day takedown

Over the operation, investigators dismantled 326 servers and 142 domains, the backbone the malware used to receive commands and send stolen data home. They recovered around 27 million stolen login credentials and identified more than 41 million euros, roughly 47 million dollars, in cryptocurrency tied to the operators. Agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US took part, alongside companies including Microsoft, Bitdefender, and ESET.

Europol put the reach in plain terms: in the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers. The malware ran on a malware-as-a-service model, rented out for a few hundred dollars a month, which is how a single family ends up on so many machines.

What this means for you

  • Assume any password saved in a browser on an infected machine is compromised. Change the important ones now, starting with email, banking, and anything reused elsewhere.
  • Sign out of all sessions where you can, such as Google, Microsoft 365, and social accounts, to kill stolen session tokens, then sign back in.
  • Turn on multi-factor authentication on every account that offers it, so a stolen password alone is not enough.
  • Check Have I Been Pwned or your provider's breach tool to see whether your address appears in the recovered credential sets.
  • Run a reputable malware scan on any device where you suspect an infostealer, since the takedown removes the servers, not the malware already on your machine.

Takedowns like this buy time, not a cure. The servers are gone and the recovered credentials have been handed to breach-notification services, but the people who rented these tools will move to the next loader. The credentials already stolen are still out there, which is why the password changes matter more than the headline.