Global cybercrime enforcement

Operation Endgame's Supply-Chain Strike Sets a New Template for Cybercrime Enforcement — and Reveals Its Limits

Europol's June 2026 action targeting SocGholish, Amadey and StealC malware networks achieved unprecedented scale, but durable impact depends on prosecution.

[Infographic: Operation Endgame: June 2026 Results (People of Internet Research). 326 servers neutralized; €41M crypto assets frozen; 27M credentials recovered; 25.6M unique credentials stolen.]

Key Takeaways

When Europol and its partners announced the latest phase of Operation Endgame on June 24, 2026, the headline numbers were striking: 326 servers neutralized, 142 domains seized, €41 million in cryptocurrency frozen, and 27 million stolen credentials recovered in an action week executed between June 15 and 19. But the statistics undersell the strategic novelty. This was not another bust of a single criminal gang; it was a coordinated attack on the shared logistics infrastructure that makes modern cybercrime possible.

The targets, SocGholish, Amadey, and StealC, are not ransomware gangs in the traditional sense. They are "cybercrime as a service" operations: back-office machinery that other criminals rent to deploy ransomware, harvest credentials, and breach corporate networks. SocGholish, also known as FakeUpdates, infects victims through fake browser update prompts injected into compromised websites and has been linked to Evil Corp, a Russian cybercrime group. Amadey is a dropper: it establishes the initial foothold and then fetches additional malicious payloads. StealC is an infostealer-as-a-service platform that emerged in January 2023; it silently harvests passwords, session cookies, and digital identities at scale. Together, these three families function as an assembly line for downstream crime.

AI Closes an Investigation Gap

Perhaps the most significant development in this operation was how artificial intelligence changed the investigation timeline. Microsoft's Digital Crimes Unit used AI tools, including Microsoft Copilot, to analyze malware code across both Amadey and StealC. What previously required hours of manual reverse engineering — combing through obfuscated code, correlating infrastructure across separate investigation threads — could be queried in plain English within minutes. That analysis revealed that despite being marketed as separate operations, Amadey and StealC shared identical command-and-control infrastructure.

The discovery unlocked an unusual legal strategy. Rather than treating the two malware families as separate cases, Microsoft filed a civil racketeering suit under the Racketeer Influenced and Corrupt Organizations Act (RICO), a law most associated with prosecuting organized crime. "What's new is how we're combining AI analysis with an expanded use of that law," said Steven Masada, assistant general counsel of Microsoft's Digital Crimes Unit. Microsoft named five defendants and targeted over 200 command-and-control servers through the consolidated action. RICO suits allow plaintiffs to pursue the entire enterprise, not just individual actors — a meaningful escalation that could set precedent for future public-private enforcement actions.

Why Supply-Chain Targeting Changes the Math

The conventional approach to cybercrime enforcement targets individual attackers: arrest the operator, seize their machines, attempt extradition where treaties permit. That model has a structural flaw — the underlying tools and infrastructure remain available. A new operator can acquire an off-the-shelf infostealer kit within days of a takedown.

Operation Endgame's approach is different. By dismantling shared command-and-control infrastructure, the action simultaneously degraded the capabilities of every criminal who depended on those networks. According to Proofpoint and IBM X-Force, which provided technical support, more than 25.6 million unique credentials had been stolen through StealC from over 385,000 compromised systems before the action. Bitsight tracked 34 Amadey core servers, 69 Amadey task servers, and 79 StealC IPs. Striking multiple malware families at the same moment means criminals cannot simply pivot to a backup network run by an untouched partner.
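The two technical claims above (that nominally separate families turned out to share command-and-control hosts, and that seizing shared hosts degrades every dependent family at once) come down to set arithmetic over indicator lists. The following Python is an added example written for this page; it is not tooling from Microsoft, Bitsight, or any other Operation Endgame participant, and it generalizes the reverse-index step to any number of families. Every IP is drawn from the RFC 5737 documentation ranges and every domain is a placeholder; nothing here reflects real Amadey or StealC infrastructure.

```python
"""Correlating C2 infrastructure across malware families.

Added example; not tooling from Microsoft, Bitsight or any other Operation
Endgame participant. Every indicator below is constructed from RFC 5737
documentation ranges and placeholder domains, not real Amadey/StealC C2.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed indicator sets keyed by family (hypothetical values).
FAMILY_C2 = {
    "amadey": {
        "ips": {"203.0.113.10", "203.0.113.11", "198.51.100.7", "192.0.2.44"},
        "domains": {"update-cdn.example", "cfg-sync.example", "tasks-a.example"},
    },
    "stealc": {
        "ips": {"203.0.113.10", "203.0.113.12", "198.51.100.7", "192.0.2.200"},
        "domains": {"update-cdn.example", "panel-b.example"},
    },
}


def subnet24(ip: str) -> str:
    """Collapse an IPv4 address to its /24: a coarse pivot that catches
    operators who rotate hosts inside one rented block."""
    return str(ip_network(f"{ip}/24", strict=False))


def correlate(a: dict, b: dict) -> dict:
    """Exact and coarse overlap between two families' indicator sets."""
    shared_ips = a["ips"] & b["ips"]
    shared_domains = a["domains"] & b["domains"]
    shared_nets = {subnet24(ip) for ip in a["ips"]} & {subnet24(ip) for ip in b["ips"]}
    return {
        "shared_ips": shared_ips,
        "shared_domains": shared_domains,
        "shared_nets": shared_nets,
        # Jaccard on exact IPs: 1.0 would mean identical C2 fleets.
        "ip_jaccard": len(shared_ips) / len(a["ips"] | b["ips"]),
    }


def dependents(families: dict) -> dict:
    """Reverse index indicator -> families using it. Entries with more than
    one family are the shared logistics layer a joint takedown targets."""
    index = defaultdict(set)
    for name, ind in families.items():
        for ioc in ind["ips"] | ind["domains"]:
            index[ioc].add(name)
    return dict(index)


def takedown_impact(families: dict, seized_ips: set, seized_domains: set) -> dict:
    """Fraction of each family's known infrastructure hit by one seizure list,
    i.e. how far a single coordinated action degrades every dependent."""
    impact = {}
    for name, ind in families.items():
        total = len(ind["ips"]) + len(ind["domains"])
        hit = len(ind["ips"] & seized_ips) + len(ind["domains"] & seized_domains)
        impact[name] = hit / total
    return impact


if __name__ == "__main__":
    overlap = correlate(FAMILY_C2["amadey"], FAMILY_C2["stealc"])
    print("shared IPs:", sorted(overlap["shared_ips"]))
    print("shared domains:", sorted(overlap["shared_domains"]))
    print("shared /24s:", sorted(overlap["shared_nets"]))
    print(f"IP Jaccard: {overlap['ip_jaccard']:.2f}")
    shared_only = {k: v for k, v in dependents(FAMILY_C2).items() if len(v) > 1}
    print("multi-family indicators:", sorted(shared_only))
    # Seizing only the shared hosts still removes a large slice of both fleets.
    print(takedown_impact(FAMILY_C2, overlap["shared_ips"], overlap["shared_domains"]))
```

The /24 pivot is deliberately coarse: two families landing in the same rented block is a lead to verify with hosting records, passive DNS, or TLS certificate reuse, not proof of a shared operator. The exact-match overlap is the evidentiary claim; the reverse index is what tells a takedown planner which hosts are worth seizing first.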

Europol framed this explicitly: the goal was to disrupt "the 'assembly lines' cybercriminals use to launch ransomware, financial fraud and attacks on critical infrastructure." Microsoft's framing was equally clear: "When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from."

The participating coalition underscored why this kind of action requires private-sector involvement. Alongside law enforcement from Canada, Denmark, Germany, Belgium, France, the Netherlands, the UK, and the United States, Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, and Lumen all contributed infrastructure mapping, technical analysis, and legal groundwork. No national police force could have compiled that picture alone.

The Honest Case for Skepticism

Critics of infrastructure-only takedowns make a legitimate point. Without arrests and prosecutions — and Operation Endgame's June 2026 phase did not announce any — threat actors typically rebuild within weeks to months. Bitsight publicly acknowledged it anticipated operators would reconstruct infrastructure "within weeks." Disruption is real but temporary unless paired with criminal prosecution that removes key personnel from the field permanently.

There is also a civil liberties dimension worth acknowledging. Using AI to assert shared infrastructure across separately operated tools — and then applying RICO's expansive reach to link defendants who may never have directly coordinated — establishes a precedent with implications beyond cybercrime. Courts will need to scrutinize whether AI-derived infrastructure correlations meet evidentiary standards rigorous enough to justify treating distinct operations as a single criminal enterprise. Expansive use of civil RICO in cybercrime, especially against alleged enablers rather than direct operators, risks net-widening effects that due process norms are designed to prevent.

The Proportionate Path Forward

None of this is an argument against Operation Endgame. Disrupting 326 servers, recovering 27 million stolen credentials, and freezing €41 million in criminal cryptocurrency is unambiguously good for the internet's users and for the businesses and individuals whose data was at stake. The public-private model has produced results no national government could have achieved unilaterally.

The right conclusion is to build on it, not to treat the action week as the endpoint. Arrests and prosecutions need to follow infrastructure takedowns. International extradition mechanisms — particularly for operators shielded by non-cooperative jurisdictions — remain the structural weak link. And the emerging legal toolbox, including AI-assisted RICO applications, needs transparent judicial oversight to remain credible and proportionate.

Operation Endgame has shown that attacking the cybercrime supply chain is smarter than chasing individual criminals downstream. The test of whether this template actually works is whether states can sustain the coalition long enough, and close the prosecution gap fast enough, to make rebuilding the assembly line not worth the effort.

Sources & Citations

  1. Europol — Operation Endgame press release
  2. Eurojust — Operation Endgame continues
  3. Microsoft On the Issues — Scaling Cybercrime Disruption
  4. Proofpoint / IBM X-Force — StealC You Later
  5. The Record — Three cybercrime-as-a-service operations undercut
  6. BleepingComputer — Amadey, StealC malware operations disrupted