Europol freezes €41M as infostealers learn the hard way: not your keys, not your crypto — literally

Law enforcement identified, flagged and froze more than €41 million (about $47 million) in criminal crypto assets in the latest phase of Operation Endgame, Europol said on Wednesday. The two-week, multi-country strike dismantled the infrastructure behind three malware families — SocGholish, Amadey and StealC — all of which target crypto users.

StealC, an infostealer sold as a service since 2023, scrapes passwords, browser cookies and crypto wallet data from infected machines. Its control panel included a plugin that attempted to decrypt seed phrases from victims' MetaMask wallets, researchers at Proofpoint found. Amadey gains the initial foothold and drops further malware, while SocGholish, linked to the Russian group Evil Corp, infects people through fake browser-update prompts on hacked websites.

Police took down 326 servers and 142 domains, recovered almost 27 million stolen credentials from more than 385,000 compromised systems, and cleaned nearly 15,000 infected websites, many of them small businesses. Microsoft, a partner in the operation, tied Amadey and StealC to over 140,000 infected computers worldwide in the first two weeks of May alone.

Microsoft's Digital Crimes Unit separately filed a U.S. racketeering lawsuit that, for the first time, treated two malware families as a single criminal conspiracy. Using AI tools including Copilot to analyze the malware, investigators found that Amadey and StealC, though built by different criminals, ran on shared infrastructure. That overlap let Microsoft charge enablers across both operations under the RICO Act and disrupt more than 200 command-and-control servers. Microsoft has since identified over 18,000 victim computers and begun severing the attackers' control over them.

Infostealers have become a primary route to stolen crypto, lifting wallet files, private keys and seed phrases from victims' devices through vectors including fake AI tools, Steam wallpapers and pirated game mods. An earlier Operation Endgame action late last year uncovered login data for more than 100,000 crypto wallets, stolen from victims but not yet emptied.

Such takedowns rarely kill malware outright, and operators tend to regroup: StealC shipped a fresh build as recently as this month. That leaves the long-term impact on criminal infrastructure uncertain as Europol and its partners continue their work.

Publisher: cryptonewsroom.xyz
Category: Security
