
Police seized the malware that stole 27 million passwords. The passwords still work.

Operation Endgame seized the servers behind the Amadey and StealC malware, but the 27 million credentials they already stole stay valid until you rotate them.


Law enforcement just pulled the plug on the servers behind two of the busiest credential-theft tools in circulation. That is worth applauding. It is also where your real work starts, because the takedown did nothing to the 27 million passwords those tools already stole.

Between June 15 and 19, 2026, a coalition led by Europol and Microsoft dismantled the back-end infrastructure for Amadey and StealC, two pieces of malware that have fed the ransomware supply chain for years. It is the latest round of Operation Endgame, the recurring international campaign that goes after the loaders and stealers attackers rent rather than the ransomware crews who buy from them. No one was arrested. That detail shapes everything about what happens next.

What the takedown actually hit

The numbers are large, and the framing matters. This wave of Operation Endgame took down 326 servers and 142 domains, with investigators recovering roughly 27 million stolen credentials lifted from more than 385,000 compromised systems. They also identified and froze more than 41 million euros (about 47 million dollars) in cryptocurrency tied to the operators. Authorities from eight countries took part, among them the United States, the United Kingdom, Germany, the Netherlands, Canada, and Denmark, alongside private partners Microsoft, ESET, Bitdefender, Bitsight, Proofpoint, and IBM X-Force.

One figure deserves a second look. The 326 servers and 142 domains belong to the whole Endgame wave, which ran more than one takedown at once. A parallel strand of the same operation scrubbed the SocGholish fake-update network off roughly 15,000 hacked websites, which we covered separately. Treat the headline server count as the campaign total, not an Amadey-only tally.

Why Amadey and StealC were worth a global operation

Neither tool is ransomware. That is the point. Amadey is a modular loader and botnet that has run since 2018; its job is to land on a machine and pull down whatever the customer paid to deliver next. StealC, newer and first seen in early 2023, is an information stealer that empties browsers and desktop apps of saved passwords, session cookies, autofill data, and cryptocurrency wallet material. Run them together and you get a two-stage assembly line: Amadey opens the door, StealC strips the house, and the output is packaged and sold.

The buyers are initial-access brokers and ransomware affiliates. Infostealer logs are the raw material of the modern extortion economy, and a single fresh log can carry the exact corporate password or live session token an affiliate needs to skip the hard part of an intrusion. Europol tied the two families to more than 140,000 infected devices in the first two weeks of May alone. Disrupting that pipeline is a genuine win. It is also a temporary one, and the same enablers keep showing up under the ransomware crews that buy access from them.

The servers are gone. The stolen passwords are not.

Here is the part the celebratory headlines skip. A takedown removes the operators' ability to collect new data and to command existing infections. It does nothing to the credentials already harvested and already sold. Those 27 million logins are not locked in an evidence room. Copies sit with every criminal who bought them before June, and they keep working until the owner rotates them.

It gets worse. StealC steals session cookies and authentication tokens, not just passwords. A stolen, still-valid session can walk straight past multi-factor authentication, so resetting a password is not enough on its own. You have to invalidate the active sessions too. That is the gap between "the malware is down" and "my organization is safe," and only you can close it.

There is a concrete upside the partner list hints at. Have I Been Pwned and Spamhaus were both part of this operation, which is how recovered credential sets usually reach defenders. Expect the harvested logins to surface in breach-notification feeds. Check them, and act on what shows up.

Endgame keeps winning battles, not the war

This is the seventh malware family Operation Endgame has knocked offline. Earlier rounds took down DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader. The strategy is deliberate. Instead of chasing individual operators, who often sit beyond reach in non-cooperating jurisdictions, the coalition demolishes the shared, reusable infrastructure that sits under dozens of ransomware crews at once. It is the right call. It also buys time rather than ending threats.

Because no one was arrested here, the people who built Amadey and StealC are free to rebuild. We have seen this film. The 2021 Emotet takedown was hailed as the end of the most dangerous botnet alive, and Emotet was back inside ten months. Malware-as-a-service is a business, not a person, and a business with paying customers and no jailed founders reopens. Plan for a successor, not a vacuum.

What to do this week

If your environment had any host that may have run an infostealer this year, the takedown changes nothing about your exposure. Work the list:

  • Rotate credentials for anyone who could have been hit. Start with privileged accounts, VPN and remote-access logins, and any password a user might have saved in a browser on a managed device.
  • Invalidate active sessions, do not just reset passwords. Force re-authentication so stolen session cookies die, and revoke and reissue OAuth tokens and API keys where you can.
  • Check the breach feeds. Watch Have I Been Pwned and your own credential monitoring for the recovered sets, and treat any hit as a confirmed compromise, not a maybe.
  • Hunt for residual implants. The takedown orphans existing Amadey and StealC infections, but the malware can fail over to new infrastructure. Look for the beaconing and exfiltration patterns now, while attention is high.
  • Assume the delivery routes stay open. Amadey arrives by phishing and malicious advertising. Those routes outlived the servers, so keep email and web filtering tight.
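One way to implement the "invalidate sessions, not just passwords" step from the paragraph on StealC session theft and the list above. This is an added example, not the article's or any vendor's code; the SessionStore class, rotate_credentials hook and the timestamps are assumptions for illustration.

```python
# Added example: a per-user "not-before" cutoff so that a password reset also
# kills every session cookie or token issued before it, including copies sitting
# in a stolen infostealer log. Class and method names are assumed for illustration.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)    # token -> Session
    not_before: dict = field(default_factory=dict)  # user -> rotation cutoff

    def issue(self, user, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now + ttl)
        return token

    def rotate_credentials(self, user, now=None):
        """Password-reset hook: record the instant; older sessions become dead."""
        self.not_before[user] = time.time() if now is None else now

    def validate(self, token, now=None):
        """Return the user for a live session, or None if it must re-authenticate."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None or now >= s.expires_at:
            return None
        # The check a password-only reset lacks: reject sessions issued at or
        # before the rotation, even though they already passed MFA.
        if s.issued_at <= self.not_before.get(s.user, -1.0):
            return None
        return s.user


def demo():
    # Constructed timeline: cookie stolen at t=1000, reset at t=2000.
    store = SessionStore()
    stolen = store.issue("alice", now=1000.0)
    before = store.validate(stolen, now=1500.0)   # attacker's copy still works
    store.rotate_credentials("alice", now=2000.0) # reset + invalidate sessions
    after = store.validate(stolen, now=2500.0)    # stolen cookie is now dead
    fresh = store.issue("alice", now=2600.0)      # user logs in again
    return before, after, store.validate(fresh, now=2700.0)
```

The same cutoff should gate OAuth refresh tokens and API keys, which is what "revoke and reissue" in the list above amounts to in practice.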

Operation Endgame is one of the few offensive plays defenders get to cheer, and this round genuinely hurt two tools that hurt a lot of people. Hold both thoughts at once. The infrastructure is down, and the 27 million credentials it stole are still moving. The honest measure of this win is not the server count in the press release. It is whether you rotate the passwords before someone else uses them.


Frequently asked questions

What is Operation Endgame?

Operation Endgame is a recurring international law enforcement campaign, coordinated by Europol and Eurojust, that targets the malware loaders and infostealers attackers rent rather than the ransomware groups who buy from them. Its June 2026 round disrupted the Amadey and StealC operations.

Were the credentials stolen by Amadey and StealC recovered, or are they still dangerous?

They are still dangerous. Investigators recovered about 27 million stolen credentials, but copies sold to criminals before the takedown remain in circulation. Any password or session stolen by these tools stays usable until you rotate the credential and invalidate the session.

Does resetting my password fix a StealC infection?

Not by itself. StealC steals active session cookies and tokens alongside passwords, and a valid stolen session can bypass multi-factor authentication. You need to invalidate active sessions and reissue tokens, not only reset the password, to close the access.

Were any arrests made in the Amadey and StealC takedown?

No arrests were announced. The action removed 326 servers and 142 domains and froze more than 41 million euros in cryptocurrency, but it targeted infrastructure rather than operators. Because the people behind the tools remain free, a rebuilt or successor service is likely.

What should organizations do after the Operation Endgame takedown?

Rotate credentials for any account that could have been exposed, especially privileged and remote-access logins, and force re-authentication to kill stolen sessions. Watch breach-notification feeds such as Have I Been Pwned for the recovered credentials, and hunt for residual Amadey or StealC activity.

What is the difference between Amadey and StealC?

Amadey is a modular loader and botnet that gains initial access and installs further payloads, and it has operated since 2018. StealC, first seen in early 2023, is an information stealer that takes saved passwords, cookies, autofill data, and cryptocurrency wallets. Together they form an access-and-harvest pipeline.
