Global cybercrime enforcement

Infostealers Are the Ransomware Supply Chain — Operation Endgame's June 2026 Phase Proves Disrupting Them Works

A two-phase international crackdown seized 326 servers, recovered 27 million stolen credentials, and froze €41M in criminal cryptocurrency across coordinated actions spanning nine countries.

[Infographic: Operation Endgame June 2026: By the Numbers (People of Internet Research, peopleofinternet.com). Panels: 27M stolen credentials recovered from 385,000+ compromised systems; €41M criminal cryptocurrency assets frozen; 326 servers dismantled plus 142 domains neutralised; 14,971 WordPress sites cleaned of SocGholish infections.]

Two Actions, One Strategic Concept

Between June 15 and June 24, 2026, authorities from Canada, Denmark, Germany, France, Belgium, the Netherlands, the United Kingdom, and the United States completed two back-to-back disruption operations under the Operation Endgame banner. The first, announced June 18, dismantled the SocGholish network — linked to the sanctioned Russian cybercriminal group Evil Corp — and remotely cleaned infections from 14,971 compromised WordPress sites. The second, announced June 24, targeted StealC and Amadey, two of the most widely deployed malware families in circulation; it seized 326 servers and 142 domains and recovered approximately 27 million stolen login credentials from over 385,000 compromised victim systems.

The sheer scale is striking. But more significant than the headline numbers is the theory of the case. Europol described the goal as disrupting "the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure." That framing reflects a strategic shift in how law enforcement now understands — and targets — the cybercrime ecosystem.

The Infostealer Layer That Makes Everything Else Possible

Ransomware groups don't generally break into networks from scratch. They buy access. Infostealers like StealC and loaders like Amadey are the upstream infrastructure that produces the commodity these groups purchase: validated credentials, session tokens, VPN logins, and corporate email access.

StealC, which first appeared in January 2023 and operated as a subscription service at roughly $300 per month, was designed to harvest passwords, cookies, autofill data, cryptocurrency wallet contents, and authentication tokens from infected machines. Amadey — active since 2018 — functioned primarily as a loader, capable of deploying additional malware payloads on systems it compromised. According to Microsoft's Digital Crimes Unit, in the first two weeks of May 2026 alone, these two malware families were linked to more than 140,000 infected computers worldwide.

SocGholish, targeted in the June 18 action, occupied a different but complementary niche. It spread through compromised WordPress sites via fake browser-update prompts and served as an initial-access tool delivering payloads from multiple threat actors. The Shadowserver Foundation documented SocGholish activity across 187 countries and more than 1.4 million compromised domain instances between May 2023 and May 2026 — an infrastructure footprint that made its remediation a significant undertaking requiring coordination across internet service providers and hosting companies in dozens of jurisdictions.

Why Infrastructure Disruption — Imperfect as It Is — Still Matters

Critics of these takedowns make a legitimate point: absent prosecution of the developers and high-tier operators, threat actors often rebuild. The original Operation Endgame, launched in May 2024 against IcedID, Pikabot, and other droppers, disrupted major infrastructure — but the market for initial access didn't disappear. Infrastructure disruption without accountability for operators is a palliative, not a cure. Experienced criminal developers can reconstitute in months.

What changes the calculus is sustained and cumulative pressure. Each successive action forces a rebuild, raises operational costs, erodes trust between buyers and vendors on criminal forums, and — critically — expands the law enforcement database linking online personas to real identities. The June 2026 actions identified more than $47 million in criminal cryptocurrency assets, which were flagged and restricted from use. That is capital removed from the ecosystem's reinvestment cycle. The 27 million recovered credential sets were channeled to notification platforms including Have I Been Pwned, giving defenders a meaningful head start on credential resets before those credentials could be weaponised.

Microsoft's Digital Crimes Unit, which disrupted more than 200 command-and-control servers during the June 24 action, captured the logic plainly: when multiple parts of an operation are dismantled together, attacks become harder to launch, scale, and recover from. Consecutive pressure compounds — it is qualitatively different from a single large seizure followed by inaction.

The Public-Private Architecture That Made This Possible

Neither action could have been executed by law enforcement alone. The June 24 operation included private partners Bitdefender, Bitsight, ESET, IBM X-Force, Infoblox, Lumen Technologies, Orange Cyberdefense, Proofpoint, and Shadowserver — each contributing threat intelligence, infrastructure mapping, and remediation capacity that government agencies don't possess internally.

This architecture is both the operation's greatest strength and an underappreciated policy achievement. Without formal frameworks for data sharing between private threat intelligence firms and law enforcement, the coordination that produced 326 seized servers and 27 million recovered credentials would have been impossible. The EU's NIS2 Directive and CISA's information-sharing programs have created institutional channels that make these partnerships routine rather than exceptional.

Eurojust's press release emphasized that international judicial cooperation — not just operational coordination — was essential: prosecutors from nine countries had to align on legal authorities, evidence standards, and jurisdiction before a single server could be seized. That alignment is neither automatic nor cost-free, and the infrastructure of multilateral law enforcement cooperation deserves credit alongside the operational results.

The Right Response Is More Enforcement, Not More Mandates

The instinct in some regulatory circles after a disclosure of 27 million stolen credentials is to reach for new data-protection requirements. That instinct, while understandable, misses where the leverage actually lies. The victims of StealC and Amadey infections were not primarily harmed because companies failed to protect data — they were harmed because criminal infrastructure, sold as a subscription service at market prices, made credential theft industrially cheap and globally available.

The proportionate response is precisely what Operation Endgame represents: sustained multinational enforcement, institutional frameworks for public-private intelligence sharing, and cumulative pressure on criminal economics. Streamlining the mutual legal assistance treaties that govern cross-border server seizures would do more for user protection than another layer of breach-notification regulation on companies that are themselves victims of the same supply chain.

What Comes Next

The recovered credential sets are being processed for victim notification. Europol's Operation Endgame wanted list continues to name suspects whose identities have been tied to the infrastructure. The June 2026 actions were framed explicitly as part of an ongoing campaign, not a final chapter — Europol described the operation as continuing to target the "entire chain that allows cyberattacks to scale."

That continuity is the right signal. The infostealer market was built over years through accumulated criminal investment. Dismantling it requires the same sustained commitment — and the June 2026 phase demonstrates that the international coalition to do so is both willing and technically capable.

Sources & Citations

  1. Europol — Global Cyber Strike Press Release
  2. Eurojust — Operation Endgame Continues
  3. BleepingComputer — StealC/Amadey Disruption
  4. The Hacker News — 27M Credentials Recovered
  5. Help Net Security — SocGholish June 18 Action
  6. Shadowserver Foundation — SocGholish WordPress Report