A Coordinated Strike, Not a Single Raid
Between June 15 and 19, 2026, police and prosecutors from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States — coordinated by Europol's European Cybercrime Centre and supported legally by Eurojust — dismantled the infrastructure behind three malware families: StealC, Amadey, and SocGholish. Europol announced the results on June 24: 326 servers taken offline, 142 domains seized, roughly 27 million stolen credential sets recovered, and about €41 million in crypto assets of criminal origin frozen. It is the third season of Operation Endgame, the EU-anchored campaign that previously took down DanaBot, Bumblebee and SmokeLoader, and its own site frames this round as a deliberate strategy shift — from chasing individual malware brands toward dismantling "the entire chain that allows cyberattacks to scale."
That chain matters because these three tools are not endpoints. Amadey gains initial device access; StealC then harvests browser passwords, session cookies and crypto-wallet data; SocGholish, delivered through fake browser-update prompts on compromised websites, has served as an initial-access broker for ransomware operators including Evil Corp, according to Infosecurity Magazine. Disrupting the supply layer, rather than any single ransomware brand, is the theory behind targeting infostealers first.
The Case for Going Harder
There is a serious argument, made by some cybersecurity policymakers, that operations like this don't go far enough. Infrastructure seizures without matching arrests or prosecutions let operators simply re-register domains and rent new servers from the same permissive hosting providers within weeks. Under that view, the real fix is structural: mandatory know-your-customer rules for hosting and VPS providers, faster cross-border data-preservation orders, and stricter AML enforcement on the crypto exchanges and mixers that launder stolen-credential proceeds. Notably, Europol's own materials for this action do not cite a single arrest — only infrastructure metrics — which is a legitimate point in favor of pairing takedowns with criminal liability that actually removes operators from the market, not just their tooling.
Why the Rebound Is the More Important Story
That critique has empirical support. StealC itself is a legacy of a prior disruption cycle: after 2024 law-enforcement actions against RedLine and Meta Stealer, market share consolidated around LummaC2, and when Lumma was disrupted in May 2025, StealC and Rhadamanthys absorbed the displaced volume — Rhadamanthys was only taken down, in turn, in November 2025. CSO Online reports that infostealers were still responsible for roughly 2.1 billion of the 3.2 billion credentials stolen in 2024 alone, and that stealer developers routinely patch around defensive changes — such as Chrome's cookie-security update — within 24 hours. Trend Micro's Richard Werner is quoted making the structural point directly: after RedLine fell, "smaller players step[ped] into the gap." BleepingComputer likewise notes that threat actors "commonly rebuild infrastructure" absent arrests — precisely the gap this operation leaves open.
Proportionality, Not Paralysis
Given that pattern, the case for sweeping new mandates — data-localization requirements for hosting, backdoor access to crypto rails, or blanket ISP-level domain blocking — is weaker than it looks at first glance. The malware-as-a-service market is defined by low barriers to entry: access to stealer tooling costs roughly $200 a month, per the same reporting, which means the binding constraint on cybercrime is never any single piece of infrastructure. Heavier regulatory mandates imposed on hosting providers or crypto platforms generally, in response to a problem concentrated among a small number of bad-faith operators, would burden the overwhelming majority of legitimate users and businesses while doing little to stop operators who already route around jurisdiction and compliance.
What Operation Endgame gets right is scope and speed: intelligence-led, industry-partnered (Microsoft, ESET, Proofpoint, IBM X-Force, BitSight, and others contributed technical takedown support), and targeted at the specific companies profiting from crime rather than the platforms they abuse. That model — narrow, evidence-driven, repeatable — is the proportionate response the underlying threat actually calls for. Its limitation is not overreach but under-resourcing on the prosecution side: EU and partner governments should be funding the slower, harder work of identifying operators (Operation Endgame's own "EU Most Wanted" list carries 18 names) and securing extraditions, not reaching for broader surveillance or platform-liability regimes that would outlast the malware families they were built to catch. Season four will likely target whatever fills StealC's vacancy. The metric that will actually indicate progress is not servers seized, but operators charged.