GBHackers

Europol Disrupts Cybercrime-as-a-Service Networks Used for Ransomware and Financial Fraud


Europol, in collaboration with global law enforcement agencies and private sector partners, has successfully disrupted a significant cybercrime-as-a-service (CaaS) infrastructure used for ransomware deployment and financial fraud.

This effort, part of Operation Endgame, was announced on June 24, 2026, and marked a considerable milestone in the fight against cybercrime.

Europol Disrupts Cybercrime-as-a-Service Networks

The coordinated crackdown targeted widely used malware families, including SocGholish, Amadey, and StealC, which serve as initial access and data theft tools within the cybercrime supply chain.

The multinational operation involved agencies from the United States, the United Kingdom, Germany, the Netherlands, Denmark, and Canada, as well as industry partners such as Microsoft, IBM X-Force, and Bitdefender. Europol and Eurojust oversaw the operational coordination.

Authorities identified and restricted over EUR 41 million (approximately USD 47 million) in illicit cryptocurrency assets while recovering approximately 27 million stolen credentials.

Law enforcement actions led to the takedown of 326 servers and 142 domains, significantly disrupting malware distribution channels and diminishing attacker infrastructure. Additionally, 14,971 compromised websites were remediated, many of which were built on WordPress.

These websites had been weaponized to deliver SocGholish malware through fake browser update prompts. SocGholish, also known as “FakeUpdates,” operates as a loader that tricks users into installing malicious payloads disguised as legitimate updates. Once executed, it establishes remote access, enabling follow-on attacks that can include ransomware deployment.

StealC and Amadey play complementary roles in the attack chain. Amadey, primarily distributed via phishing campaigns, acts as a loader that can deploy additional malware and harvest system information.

StealC, an information-stealing malware with dropper functionality, extracts sensitive data, including credentials, browser-stored passwords, and digital identities, for resale or reuse in fraudulent activities.

Microsoft telemetry indicated that these two malware families were linked to over 140,000 infections globally within the first two weeks of May 2026 alone, highlighting their scale and operational synergy within cybercriminal networks.

According to Europol, this operation specifically targeted the “assembly line” model of cybercrime, whereby modular tools are rented or sold to affiliates who conduct attacks without developing their own malware.

SocGholish has been linked to the Russian cybercriminal group Evil Corp, previously associated with Zeus and Dridex banking malware and various ransomware campaigns. By dismantling shared infrastructure and disrupting access points, authorities aim to increase operational costs and reduce the scalability of such attacks.

Europol’s European Cybercrime Centre (EC3) provided intelligence correlation, attribution analysis, and crypto-tracing capabilities, while enabling real-time cross-border coordination through the SIENA platform.

Victim notification efforts were conducted through services like HaveIBeenPwned and Shadowserver, alerting affected users and organizations.

Security officials urged WordPress site owners to adopt mitigation measures, including enabling multi-factor authentication, updating software, removing unauthorized accounts, and avoiding unverified update prompts.

This operation reflects a strategic shift toward dismantling enabling infrastructure rather than addressing isolated threats, signaling a more proactive and systemic approach to combating ransomware and cyber-enabled financial crime.
