EU cybercrime enforcement

Operation Endgame's Third Strike Shows Cross-Border Coordination, Not New Laws, Is What's Disrupting the Malware Economy

Europol's June 2026 takedown of SocGholish, Amadey and StealC used existing judicial tools, not new surveillance mandates, to hit cybercrime at scale.

Operation Endgame: June 2026 Strike by the Numbers People of Internet Research · EU 326 Servers dismantled Command-and-control servers taken … 142 Domains seized Malicious domains seized or sinkho… 27M Credentials recovered Stolen login credential sets recov… €41M (~$47M) Criminal crypto frozen Cryptocurrency traced to criminal … peopleofinternet.com
Operation Endgame: June 2026 Strike by… People of Internet Research · EU 326 Servers dismantled 142 Domains seized 27M Credentials recovered €41M (~$47M) Criminal crypto frozen peopleofinternet.com

Key Takeaways

A Third Act, Not a One-Off

On June 24, 2026, Europol and Eurojust announced the results of a coordinated law enforcement action, executed between June 15 and 19, against three malware families that together form the front end of the modern cybercrime economy: SocGholish, Amadey, and StealC. Authorities from Canada, Denmark, Germany, the Netherlands, the UK, and the US — working with Europol, Eurojust, and private partners including Microsoft, ESET, IBM X-Force, and Proofpoint — dismantled 326 servers and 142 domains, recovered roughly 27 million stolen credential sets, and froze more than €41 million (~$47 million) in cryptocurrency traced to criminal proceeds (Europol; Eurojust).

This is not an isolated raid. It is the latest phase of Operation Endgame, the standing EU-coordinated campaign against malware infrastructure that has run in successive waves since May 2024, each targeting a different layer of the same criminal supply chain (Operation Endgame). That persistence matters more than any single seizure number. Malware operators are notoriously resilient — infrastructure taken down one month is often rebuilt the next under a new domain — and critics of takedown operations have long made a fair point: without arrests or prosecutions, disrupting servers is closer to eviction than to conviction. No arrests were announced in this action, and the operators behind Amadey and StealC remain, for now, unidentified or unindicted publicly.

The Case for Going Further

That critique deserves to be taken seriously before dismissing it. Cybersecurity officials and some prosecutors argue that infrastructure-only disruption is a treadmill: Europol itself has now run four distinct phases of Endgame against a rotating cast of loaders (DanaBot, Bumblebee, SmokeLoader, Rhadamanthys, and now SocGholish/Amadey/StealC) precisely because takedowns alone don't end the business model. On this view, durable disruption requires either faster cross-border data access for investigators — including expedited compulsion of hosting and infrastructure providers — or harmonized EU rules that make it easier to freeze and forfeit criminal crypto assets before they're laundered through mixers and cross-chain bridges. Those are not unreasonable asks, and the €41 million frozen this round shows the stakes are real money moving in real time.

What Actually Worked Here

But the more interesting fact about this operation is what it did not require: no new statute, no expanded lawful-access mandate, no weakened encryption standard. Eurojust's role was judicial coordination — synchronizing search warrants, mutual legal assistance requests, and evidence-sharing across eight jurisdictions' existing legal frameworks — while Europol supplied real-time operational intelligence (Eurojust). The private-sector layer was equally load-bearing: Microsoft's Digital Crimes Unit contributed the telemetry that identified over 140,000 Amadey- and StealC-infected devices in a single two-week window in May 2026, while ESET, IBM X-Force, and Shadowserver supplied sinkholing and domain-takedown capacity (Cybersecurity Dive).

That is the model worth defending: existing judicial cooperation tools (Joint Investigation Teams, mutual legal assistance treaties, Eurojust's coordination mandate under Regulation (EU) 2018/1727) plus voluntary intelligence-sharing with industry, rather than a new compliance regime imposed on every platform and encryption provider in Europe. Microsoft's public description of the legal theory — treating the malware supply chain as a single conspiracy rather than prosecuting each tool in isolation — is itself a prosecutorial innovation that required no legislative change (BleepingComputer).

Why This Should Shape the Brussels Debate

The timing matters. As the European Commission continues to weigh proposals touching lawful access to encrypted data and expanded data retention — debates that resurface annually under the banner of fighting exactly this kind of crime — Operation Endgame's fourth successful phase is a live counterexample to the claim that law enforcement is structurally blocked without new intercept powers. The credentials and crypto recovered here were not unlocked by breaking encryption; they were recovered by seizing infrastructure malware operators controlled directly, using investigative powers regulators already have.

"When multiple parts of an operation are disrupted together, attacks are harder to launch, scale and recover from." — Steven Masada, Microsoft Digital Crimes Unit

That is a case for funding Europol's cybercrime unit, expanding Joint Investigation Team capacity, and deepening the voluntary public-private telemetry-sharing that made this operation possible — not for weakening the encryption and data-minimization protections that make the rest of the internet economy trustworthy. The lesson of four Operation Endgame phases in two years is that cross-border enforcement coordination scales. Broad new surveillance mandates, by contrast, would burden millions of lawful users and businesses to chase a threat that existing tools are already catching.

Sources & Citations

  1. Europol: Global cyber strike disrupts SocGholish, Amadey, StealC
  2. Eurojust: Operation Endgame continues
  3. Operation Endgame official campaign site
  4. Cybersecurity Dive: Microsoft, Europol lead takedown
  5. BleepingComputer: Amadey, StealC operations disrupted