On June 24, 2026, Europol announced the culmination of the latest phase of Operation Endgame: a six-country coordinated action that seized 326 servers and 142 domains, froze over €41 million in criminal cryptocurrency, and recovered approximately 27 million stolen login credentials. The targets were three malware-as-a-service (MaaS) networks — Amadey, StealC, and SocGholish — that together formed the intake layer of the cybercrime supply chain: the infrastructure that delivers ransomware gangs their victim pool, not the ransomware itself.
The scale is significant. More significant is the strategy.
The Assembly Line That Was Hit
Modern cybercrime infrastructure is industrial and layered. Amadey, active since at least October 2018, operates as a dropper: delivered via phishing, it installs covertly on victim machines and then either harvests credentials directly or rents access to other criminal actors as a paid service. StealC, which emerged in January 2023, sits one step further downstream — once planted by a loader like Amadey, it harvests passwords, stored credentials, and cryptocurrency wallet data for resale on criminal marketplaces. SocGholish operates earlier in the chain: it injects fake browser-update prompts into compromised websites to lure visitors into installing malware, then hands off to ransomware affiliates. A Dutch-led action dismantled SocGholish's infrastructure on June 18, six days before the broader announcement, remediating nearly 15,000 compromised WordPress sites; SocGholish had been widely used by Evil Corp, the sanctioned Russian cybercriminal group.
Together, these three tools formed an end-to-end production line: compromise a site, trap a visitor, plant a loader, harvest credentials, sell access, deploy ransomware. Operation Endgame cut that assembly line before the ransomware stage — targeting the supply chain rather than the end product.
Public-Private at Scale
What distinguishes this phase of Operation Endgame from earlier takedowns is the depth of private-sector integration. Fourteen companies participated alongside law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Partners included Microsoft, ESET, IBM X-Force, Proofpoint, BitSight, Shadowserver Foundation, Infoblox, and Have I Been Pwned.
Microsoft's Digital Crimes Unit went beyond sharing threat intelligence: it filed civil lawsuits against five named defendants under the Racketeer Influenced and Corrupt Organizations (RICO) Act — a legal theory that treated Amadey and StealC, developed by separate criminal crews, as a single conspiracy because AI analysis revealed shared infrastructure. Copilot was used to analyze malware code and map infrastructure relationships, compressing what would previously have taken investigators days into minutes. That speed matters: cybercriminal networks spin up successor infrastructure within days of seizures; law enforcement that cannot analyze and act within that window loses the race.
Have I Been Pwned is processing the recovered 27 million credentials to notify affected individuals — closing a loop that typically stays open after takedowns end with seized servers but no victim follow-through.
The Case for Thinking Bigger
Proponents of broader regulatory mandates have a legitimate point worth taking seriously. The 27 million credentials recovered in a single operation represent roughly 27 million individual harms — account takeovers, financial fraud, and data exposures that victims may not discover for months or years. At that scale, the argument for baseline security obligations on platforms and hosting providers is not frivolous. EU legislators who passed the NIS2 Directive in 2022, requiring member states to maintain national CERTs capable of coordinating victim outreach, were responding to exactly this systemic harm, and this operation is a real-world test of whether those mechanisms scale.
The persistent reconstitution problem also deserves fair treatment. Operation Endgame's first phase in May 2024 was already the largest botnet disruption in history at the time: it seized over 100 servers and more than 2,000 domains, disrupted five major malware families (IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee), and identified €69 million in criminal cryptocurrency. Yet successor infrastructure had partially reconstituted within months. Without personal accountability for operators, takedowns function as temporary displacement, not deterrence.
What the Evidence Actually Supports
The answer is not to replace supply chain disruption with blanket compliance mandates, but to target the actual enforcement gaps precisely. Three conclusions follow from this operation:
Jurisdictional speed is the real bottleneck. If Microsoft can reduce malware analysis from days to minutes using AI, the constraint in future operations is not technical capacity — it is legal authorization. Mutual Legal Assistance Treaty requests still take months. That mismatch between operational intelligence speed and legal process is where policy attention belongs, not on mandatory vulnerability disclosure frameworks that would not have affected servers in non-signatory jurisdictions.
Secondary liability at the infrastructure layer is underused. SocGholish's Evil Corp connection illustrates that entities under US Treasury SDN sanctions continue operating through proxy networks. Hosting providers, domain registrars, and payment processors that knowingly serve sanctioned networks should face secondary liability — a principle already embedded in US sanctions law but inconsistently applied at the technical infrastructure layer.
Victim notification is ad hoc and should be formalized. Routing 27 million recovered credentials through a single non-governmental service is better than nothing, but it is not a system. If NIS2 mandates national CERT victim-notification capacity, the results of this operation — how many affected individuals were notified, through what channels, within what timeframe — should be published as a benchmark.
The public-private model Operation Endgame has built — fourteen companies, six governments, sustained across three operational seasons — is the right architecture for cybercrime enforcement. The bottleneck is jurisdictional and political, not technical.
The Multi-Season Model
The official Operation Endgame campaign site frames this explicitly as "Season 3," signaling that law enforcement has abandoned the single-strike model in favor of persistent, sustained campaigns. That framing is correct. Cybercriminal networks build redundancy precisely because they expect disruptions; a credible counter requires the same sustained resourcing and the same willingness to let private actors take independent legal action when government tools lag.
The 140,000 computers that Amadey and StealC infected in the first two weeks of May 2026 alone measure the scale of the ongoing threat. Operation Endgame did not solve cybercrime. But it demonstrated that supply chain disruption, paired with civil litigation tools, AI-accelerated analysis, and victim notification infrastructure, can match the adversary's tempo — and that combination is the right foundation to build on.