Published: · Region: Global · Category: cyber

Operation Endgame squeezes cybercriminals’ toolkit with 326 servers dismantled

An international crackdown dubbed Operation Endgame has disrupted infrastructure behind Amadey and StealC, two widely used pieces of malware for stealing data and deploying further attacks. With 326 servers and 142 domains taken down, 27 million stolen credentials recovered and over $47 million in crypto assets restricted, companies and governments gain breathing room—but not a permanent reprieve.

Law‑enforcement agencies have dealt a rare visible blow to the criminal infrastructure that powers much of today’s cybercrime economy, tearing down hundreds of servers and seizing millions in illicit funds in a coordinated campaign that shows both what is possible and what remains out of reach. Authorities involved in Operation Endgame say they have dismantled 326 servers and taken down 142 domains used to distribute and control the Amadey and StealC malware families, tools that have quietly helped criminals steal data and compromise networks worldwide.

The operation, revealed on 24 June, also recovered some 27 million stolen credentials and restricted access to more than $47 million in cryptocurrency tied to criminal activity. Amadey is known as a loader—a program used to gain an initial foothold on a victim machine and then download additional malicious payloads, from ransomware to banking trojans. StealC is a stealer, designed to harvest passwords, browser data and other sensitive information that can be sold on dark‑web markets or used for further intrusions. By targeting the servers and domains underpinning these tools, investigators have temporarily cut off a supply line that many different criminal groups rely on.

For businesses, governments and ordinary users whose machines have unknowingly hosted such malware, the immediate impact is a quieter threat landscape. Fewer active command‑and‑control servers means fewer successful connections from infected devices, fewer new infections, and more time for defenders to detect and clean up existing compromises. Some victims whose credentials were among the millions recovered may receive notifications that allow them to reset passwords before criminals can monetise the data.

Yet the disruption is far from a knockout blow. Cybercriminal ecosystems are built for resilience: operators often maintain backup infrastructure, can quickly register new domains, and have learned to move funds through obfuscation layers that complicate tracing. Amadey and StealC themselves are just two pieces in a larger arsenal of loaders and stealers, and their developers or copycats may already be working to rebuild services on fresh servers, using lessons from this takedown to hide better. In that sense, Operation Endgame buys time and raises costs, but does not end the underlying demand for such tools.

Strategically, the campaign demonstrates that coordinated international action can reach into the heart of the malware supply chain, not just arrest low‑level actors or seize prominent dark‑web markets. Targeting infrastructure rather than only individuals creates a multiplier effect: dozens or hundreds of criminal crews may rely on the same back‑end systems, so disabling those systems can disrupt many operations at once. It also sends a signal to hosting providers, domain registrars and other intermediaries that their services will be scrutinised if they become safe havens for persistent criminal infrastructure.

For security teams, the operation provides both a case study and a warning. A case study, because it shows which types of infrastructure law enforcement can hit—centralised command‑and‑control servers, obvious domains—and how sharing information with authorities can lead to concrete takedowns. A warning, because it illustrates how widely used commodity malware has become: if two toolsets alone can generate 27 million stolen credentials, the total scale of data floating in criminal markets from all such tools is far larger.

A simple truth emerges from the numbers: when one loader and one stealer can help criminals harvest tens of millions of logins, password hygiene and multi‑factor authentication are not just best practices but a line of defence against an industrialised theft machine.

Key developments to watch in the wake of Operation Endgame include the appearance of successor tools or rebranded versions of Amadey and StealC in underground forums, signs that criminal crews are shifting tactics to more decentralised infrastructure, and whether courts ultimately convert the seized or frozen crypto assets into restitution for victims. Future joint operations of similar scale—or a lack of them—will show whether this takedown marks the start of a more sustained campaign against the malware supply chain or remains an ambitious one‑off.