Global cybercrime enforcement

Operation Endgame's Third Season Shows Infrastructure Takedowns Beat Arrests, But Not the Infostealer Market

Europol's coordinated seizure of 326 servers and 142 domains recovered 27 million credentials — the malware-as-a-service model will likely regrow anyway.

Operation Endgame: Infrastructure Down, Market Intac… People of Internet Research · Global 326 Servers Seized Taken offline across the eight-cou… 142 Domains Disrupted Domains linked to StealC, Amadey a… 27M Credentials Recovered Stolen login sets recovered during… 2.1B Credentials Stolen in 2024 Prior-year infostealer output, for… peopleofinternet.com

Key Takeaways

A Coordinated Strike, Not a Single Raid

Between June 15 and 19, 2026, police and prosecutors from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States — coordinated by Europol's European Cybercrime Centre and supported legally by Eurojust — dismantled the infrastructure behind three malware families: StealC, Amadey, and SocGholish. Europol announced the results on June 24: 326 servers taken offline, 142 domains seized, roughly 27 million stolen credential sets recovered, and about €41 million in crypto assets of criminal origin frozen. It is the third season of Operation Endgame, the EU-anchored campaign that previously took down DanaBot, Bumblebee and SmokeLoader, and its own site frames this round as a deliberate strategy shift — from chasing individual malware brands toward dismantling "the entire chain that allows cyberattacks to scale."

That chain matters because these three tools are not endpoints. Amadey gains initial device access; StealC then harvests browser passwords, session cookies and crypto-wallet data; SocGholish, delivered through fake browser-update prompts on compromised websites, has served as an initial-access broker for ransomware operators including Evil Corp, according to Infosecurity Magazine. Disrupting the supply layer, rather than any single ransomware brand, is the theory behind targeting infostealers first.

The Case for Going Harder

There is a serious argument, made by some cybersecurity policymakers, that operations like this don't go far enough. Infrastructure seizures without matching arrests or prosecutions let operators simply re-register domains and rent new servers from the same permissive hosting providers within weeks. Under that view, the real fix is structural: mandatory know-your-customer rules for hosting and VPS providers, faster cross-border data-preservation orders, and stricter AML enforcement on the crypto exchanges and mixers that launder stolen-credential proceeds. Notably, Europol's own materials for this action do not cite a single arrest — only infrastructure metrics — which is a legitimate point in favor of pairing takedowns with criminal liability that actually removes operators from the market, not just their tooling.

Why the Rebound Is the More Important Story

That critique has empirical support. StealC itself is a legacy of a prior disruption cycle: after 2024 law-enforcement actions against RedLine and Meta Stealer, market share consolidated around LummaC2, and when Lumma was disrupted in May 2025, StealC and Rhadamanthys absorbed the displaced volume — Rhadamanthys was only taken down, in turn, in November 2025. CSO Online reports that infostealers were still responsible for roughly 2.1 billion of the 3.2 billion credentials stolen in 2024 alone, and that stealer developers routinely patch around defensive changes — such as Chrome's cookie-security update — within 24 hours. Trend Micro's Richard Werner is quoted making the structural point directly: after RedLine fell, "smaller players step[ped] into the gap." BleepingComputer likewise notes that threat actors "commonly rebuild infrastructure" absent arrests — precisely the gap this operation leaves open.

Proportionality, Not Paralysis

Given that pattern, the case for sweeping new mandates — data-localization requirements for hosting, backdoor access to crypto rails, or blanket ISP-level domain blocking — is weaker than it looks at first glance. The malware-as-a-service market is defined by low barriers to entry: access to stealer tooling costs roughly $200 a month, per the same reporting, which means the binding constraint on cybercrime is never any single piece of infrastructure. Heavier regulatory mandates imposed on hosting providers or crypto platforms generally, in response to a problem concentrated among a small number of bad-faith operators, would burden the overwhelming majority of legitimate users and businesses while doing little to stop operators who already route around jurisdiction and compliance.

What Operation Endgame gets right is scope and speed: intelligence-led, industry-partnered (Microsoft, ESET, Proofpoint, IBM X-Force, BitSight, and others contributed technical takedown support), and targeted at the specific companies profiting from crime rather than the platforms they abuse. That model — narrow, evidence-driven, repeatable — is the proportionate response the underlying threat actually calls for. Its limitation is not overreach but under-resourcing on the prosecution side: EU and partner governments should be funding the slower, harder work of identifying operators (Operation Endgame's own "EU Most Wanted" list carries 18 names) and securing extraditions, not reaching for broader surveillance or platform-liability regimes that would outlast the malware families they were built to catch. Season four will likely target whatever fills StealC's vacancy. The metric that will actually indicate progress is not servers seized, but operators charged.

Sources & Citations

  1. Europol press release
  2. Operation Endgame official site
  3. Infosecurity Magazine
  4. BleepingComputer
  5. CSO Online