StealC and Amadey Takedown: 27M Credentials Recovered

Operation Endgame disrupted StealC and Amadey malware infrastructure, with officials reporting 326 servers neutralized and 27 million compromised data sets recovered.

Operation Endgame has moved from the SocGholish cleanup phase into a broader strike against StealC and Amadey, two malware families that sit close to the beginning of many credential-theft and ransomware chains. Eurojust said the international action week ran from June 15 to June 19, 2026, and neutralized 326 servers and 142 domains while recovering 27 million compromised data sets.[1]

The June 24 announcement is worth attention because StealC and Amadey are not niche tools. StealC is an infostealer built to pull passwords, browser data, and digital identities from infected computers. Amadey is a loader and dropper often spread through phishing campaigns, and it can bring additional malware onto a compromised system.[1] In practical terms, a machine touched by either family should be treated as an identity incident, not only as a malware-removal problem.

The official Operation Endgame site, carrying the Europol release, said partners also identified and restricted more than EUR 41 million in criminal crypto assets and recovered as many as 27 million stolen login credentials.[2] Proofpoint and IBM X-Force added a narrower technical view of the StealC disruption, saying their support helped seize more than 25.6 million unique credentials from more than 385,000 compromised systems.[3]

What affected users should do now

For ordinary users and small businesses, the important lesson is simple: a takedown does not automatically make stolen passwords safe again. If a computer was infected before the disruption, credentials may already have been copied, sold, or tested against email, banking, hosting, SaaS, and social accounts. Microsoft said Amadey and StealC were linked to more than 140,000 infected computers worldwide in just the first two weeks of May 2026.[4]

Start with the accounts that unlock other accounts: email, password manager, Apple/Google/Microsoft identity, hosting control panel, WordPress admin, VPN, remote desktop, bank, crypto exchange, and payroll or accounting services. Change passwords from a clean device, revoke active sessions where the service supports it, rotate API keys and app passwords, and enable phishing-resistant MFA where possible. If the same password was reused anywhere, assume every reuse is exposed.

On the infected endpoint, a quick cleanup should not stop at deleting one visible file. Stealers commonly harvest browser profiles, cookies, wallets, saved passwords, FTP clients, Telegram sessions, Discord tokens, and other local secrets. HowToFix already has practical removal guides for StealC detections and Amadey detections; use them as cleanup context, but pair removal with account recovery and log review.

Administrators should also look for follow-on abuse. Search identity logs for impossible travel, new OAuth grants, suspicious mailbox rules, added MFA devices, new SSH keys, unusual browser sessions, and unexpected admin accounts. For WordPress operators, the earlier SocGholish Operation Endgame phase is relevant because fake-update delivery often starts from compromised legitimate sites. A cleaned endpoint can be reinfected if the same stolen site credentials are still valid.
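A minimal sketch of that log review, added here as an example and not taken from any of the cited sources or vendor tools. The event schema, the event type names, and the 900 km/h and 100 km thresholds are assumptions; map them to whatever your identity provider actually exports.

```python
import math
from datetime import datetime

# Event types the paragraph lists as follow-on abuse (names are hypothetical).
PERSISTENCE = {"oauth_grant", "mailbox_rule_created", "mfa_device_added",
               "ssh_key_added", "admin_account_created"}
MAX_KMH = 900  # assumed threshold: faster than a commercial flight

def km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 6371 * 2 * math.asin(math.sqrt(h))

def review(events, infected_at):
    """Return (time, user, finding) for events at or after infected_at."""
    findings, last_login = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "sign_in":
            prev = last_login.get(e["user"])
            last_login[e["user"]] = (ts, e["geo"])
            if prev and ts >= infected_at:
                hours = (ts - prev[0]).total_seconds() / 3600
                dist = km(prev[1], e["geo"])
                # Assumed 100 km floor so nearby hops and VPN jitter are ignored.
                if dist > 100 and dist / max(hours, 1 / 60) > MAX_KMH:
                    findings.append((e["ts"], e["user"], "impossible_travel"))
        elif e["type"] in PERSISTENCE and ts >= infected_at:
            findings.append((e["ts"], e["user"], e["type"]))
    return findings

# Constructed sample events, not real log data.
SAMPLE = [
    {"ts": "2026-05-03T08:00:00", "user": "ana", "type": "sign_in", "geo": (52.52, 13.40)},
    {"ts": "2026-05-01T09:00:00", "user": "ana", "type": "mfa_device_added"},
    {"ts": "2026-05-03T09:10:00", "user": "ana", "type": "sign_in", "geo": (1.35, 103.82)},
    {"ts": "2026-05-03T09:12:00", "user": "ana", "type": "mailbox_rule_created"},
    {"ts": "2026-05-03T09:15:00", "user": "ana", "type": "oauth_grant"},
    {"ts": "2026-05-03T10:00:00", "user": "bo", "type": "sign_in", "geo": (48.85, 2.35)},
    {"ts": "2026-05-03T16:00:00", "user": "bo", "type": "sign_in", "geo": (48.86, 2.36)},
]

if __name__ == "__main__":
    for row in review(SAMPLE, datetime(2026, 5, 2)):
        print(*row)
```

Set `infected_at` to the earliest plausible infection time rather than the detection time, since credentials may have been used before the endpoint alert fired.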

The takedown raises friction for criminals, but it does not remove every copy of stolen data from underground markets. Treat this as a useful window to close exposed accounts before another crew uses the same logs for fraud, spam, extortion, or ransomware access.

References

  1. Eurojust. “Operation Endgame continues: international coalition takes malware offline.” June 24, 2026. https://www.eurojust.europa.eu/news/operation-endgame-continues-international-coalition-takes-malware-offline
  2. Europol / Operation Endgame. “Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks.” June 24, 2026. https://www.operation-endgame.com/
  3. Proofpoint and IBM X-Force. “StealC you later: Proofpoint and IBM X-Force support Operation Endgame disruptions.” June 24, 2026. https://www.ibm.com/think/x-force/stealc-you-later-proofpoint-x-force-support-operation-endgame-disruptions
  4. Microsoft. “Scaling cybercrime disruption through innovation and AI.” June 24, 2026. https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/
  5. The Hacker News. “Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered.” June 24, 2026. https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
