One-two punch delivered in global operation disrupts cybercrime "assembly line"


International authorities and a raft of private technology companies say they have disrupted a cybercrime “assembly line” that allowed crooks to collect millions of login credentials and steal more than $47 million in ransom payments and by other fraudulent means.

The crux of the operation was the simultaneous targeting of two unrelated tools that are widely used in various online scams. The first is Amadey, a malware-as-a-service platform for compromising devices and delivering malicious payloads for ransomware and other scams. Amadey has been observed in the wild since at least 2018 and was seen last year abusing GitHub as it collected system information from infected devices and installed customized payloads. The second tool was StealC, an infostealer-as-a-service platform that collects credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files whose names match customer-defined patterns.

Severing a critical link in the cybercrime chain

Amadey and StealC are separate tools that are run independently of each other. Given their widespread use, however, many customers use both in their individual cybercrime activities. The tools also, it turns out, relied on some of the same underlying infrastructure to run. Microsoft said it made this determination after analyzing the tools using AI. This insight allowed Microsoft attorneys to seek an order disrupting both at the same time.

“This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services,” Microsoft said Wednesday. “Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain.”

With evidence that the tools had overlapping infrastructure, company attorneys invoked RICO statutes that target organized crime; the legal action was then able to treat both tools as part of a single conspiracy. As a result, Microsoft said, it disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers. Europol, which helped coordinate the law-enforcement part of the operation, said it recovered as many as 27 million stolen login credentials and uncovered $47 million worth of “crypto assets of criminal origin.”

“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network,” Europol said. “By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.”

Other companies assisting in “Operation Endgame” include ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions.

Europol said that another tool disrupted in Operation Endgame is SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp that spreads through compromised websites. Visitors to these sites are tricked into installing trojanized apps posing as browser extensions or other legitimate software. Europol said it has responded by cleaning infected WordPress sites and urging administrators of the sites to change credentials and tighten security. It has also worked to notify parties whose data and credentials were exposed through SocGholish activity. Countries involved in the enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US.

Dan Goodin

Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.
