27 million passwords seized as Microsoft and EU authorities knock down malware infrastructure


Authorities have knocked out 3 of the cybercrime world's favorite malware tools used to launch ransomware attacks, seizing 27 million stolen passwords in the process.

Key takeaways:

An international law enforcement operation has disrupted 3 of the world's most widely used malware families, targeting a critical part of the cybercrime ecosystem that enables ransomware attacks.

According to Germany's Federal Criminal Police Office (BKA), investigators have disabled approximately 15,000 malicious websites, more than 320 servers, and 140 domains linked to cybercriminal infrastructure.

Authorities have seized approximately 27 million login credentials belonging to more than 385,000 victims worldwide. As part of the operation, investigators also identified cryptocurrency valued at $47 million. The funds are believed to be linked to criminal activity and are now part of ongoing investigations.

The operation involved authorities from Germany, the Netherlands, Denmark, the United Kingdom, the United States, and Canada, with the support of Europol, Eurojust, Microsoft, and several private cybersecurity companies.

The authorities are notifying the victims.

Three malware families dismantled

The recent crackdown is part of long-running Operation Endgame – an international effort targeting malware used during the initial stage of attacks before deploying ransomware or stealing sensitive information.

During the operation coordinated between June 15th and June 19th, 2026, authorities dismantled the infrastructure behind 3 malware families that, according to investigators, play a key role in the cybercrime economy – SocGholish, StealC, and Amadey.

Security agencies describe the current operation as attacking the cybercriminal "kill chain" at its source. By removing the tools that grant initial access, investigators hope to disrupt a large portion of downstream cybercrime activity.

Carsten Meywirth, head of the Cybercrime Division at Germany's Federal Criminal Police Office, said the operation prevented countless future infections.

"With the continuation of Operation Endgame, we have once again targeted the technical infrastructures on which numerous cybercriminals worldwide have relied," Meywirth said.

"This also prevented the initial infection of a large number of victim systems globally."

Dr. Benjamin Krause, senior public prosecutor at Germany's Central Office for Combating Cybercrime, described the operation as a model for international cooperation.

"Like the criminals, we also work collaboratively and in an international network to be effective," Krause said.

"The difference is: we are on the good side."

What are the SocGholish, StealC, and Amadey malware families?

The seized malware variants were offered as a cybercrime-as-a-service, allowing criminals with less technical capacity to buy access to sophisticated tools used in cyberattacks.

SocGholish is JavaScript-based malware that operates through compromised websites that display fake browser update notifications to trick users into clicking and downloading malicious files.
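Because SocGholish depends on injecting its JavaScript into legitimate but compromised websites, one practical defence for a site operator is a page-integrity check: keep a known-good baseline of every page's script elements and alert when a served page contains a script that was not in the baseline. The following Python script is an added illustration written for this article; it is not a tool used by the investigators or by any company named here, and the HTML snippets, the `injected.example` domain and the fake-update text are constructed samples.

```python
"""Added example: flag <script> elements that were not in a page's baseline.

Compares a known-good copy of a page with the copy currently served and
reports every script (external src or inline body) that is new. This is
the kind of integrity monitoring that catches the website injections
SocGholish relies on. Illustrative code only; all sample HTML is constructed.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects each <script> on a page as (src, sha256-prefix-of-inline-body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers the raw body of <script> via handle_data
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            # External scripts have an empty body; hash only inline code
            digest = hashlib.sha256(body.encode()).hexdigest()[:16] if body else None
            self.scripts.append((self._src, digest))
            self._in_script = False


def collect_scripts(html):
    """Return the list of (src, body_digest) tuples for every script on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(baseline_html, current_html):
    """Return scripts present in the served page but absent from the baseline."""
    known = set(collect_scripts(baseline_html))
    return [s for s in collect_scripts(current_html) if s not in known]


# Constructed sample: the page as it was originally published
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
</head><body><p>Welcome</p>
<script>console.log("ok");</script>
</body></html>"""

# Constructed sample: the same page with two injected scripts, one external
# (placeholder domain injected.example) and one inline fake-update prompt
COMPROMISED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://injected.example/update.js"></script>
</head><body><p>Welcome</p>
<script>console.log("ok");</script>
<script>document.body.innerHTML += "<div>Your browser is out of date. Update now.</div>";</script>
</body></html>"""


if __name__ == "__main__":
    for src, digest in find_injected_scripts(BASELINE_HTML, COMPROMISED_HTML):
        kind = f"external src={src}" if src else f"inline body sha256[:16]={digest}"
        print(f"ALERT: script not in baseline ({kind})")
```

Run it against a stored baseline and a fresh fetch of each page; a clean page yields no alerts, while an injected script shows up as either an unknown external `src` or an unknown inline body hash. Hashing inline bodies rather than storing them keeps the baseline small and still catches any modification to existing scripts.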

StealC is malware designed to steal passwords, authentication tokens, and other sensitive information. It can also function as a loader, allowing attackers to deploy additional malicious payloads after an initial compromise.

Stolen credentials are frequently sold on underground markets or used in further attacks.

Amadey is commonly distributed through phishing campaigns. Once a victim opens a malicious attachment or link, Amadey can install additional malware while simultaneously exfiltrating passwords and other sensitive information. It functions as both a malware downloader and an information stealer.
