Europol Freezes $47M in Crypto in Major Malware Takedown
Operation Endgame dismantled infostealer malware targeting crypto users, freezing $47M in stolen funds. Police seized 326 servers, 142 domains, and recovered 27 million credentials. The takedown highlighted the scale of crypto theft via malware, with Microsoft disrupting over 200 servers.
Quick Take
Global law enforcement freezes $47M in criminal crypto from infostealer operations.
Three malware families targeted crypto wallet data and passwords.
27 million stolen credentials recovered from 385,000 compromised systems.
Microsoft used RICO Act to disrupt shared infrastructure, aiding the takedown.
Market Impact Analysis
BullishLaw enforcement success against crypto-specific malware reduces theft risk, potentially improving market confidence.
Speculation Analysis
Key Takeaways
- Global law enforcement froze $47 million in criminal crypto from infostealer networks.
- Three malware families — SocGholish, Amadey, StealC — siphoned passwords and wallet data.
- 27 million stolen credentials recovered from 385,000 compromised machines.
- Microsoft invoked the RICO Act to disrupt shared infrastructure behind the attacks.
What Happened
Europol led a multinational takedown freezing €41 million ($47 million) in crypto tied to infostealer malware. Operation Endgame dismantled the backend of SocGholish, Amadey, and StealC — malware sold as a service that drains crypto wallets. Police seized 326 servers and 142 domains, scrubbed 15,000 infected websites, and recovered 27 million stolen credentials. Victims are being alerted through Have I Been Pwned. The strike hits at the infrastructure enabling crypto theft at scale.
The Numbers
The operation’s scale is staggering: $47 million frozen across criminal wallets. 326 servers and 142 domains were taken offline. Investigators found 27 million login credentials on 385,000 compromised systems. 15,000 hacked websites were cleaned. Microsoft tracked 140,000 infections from Amadey and StealC in just two weeks of May. An earlier phase uncovered 100,000 crypto wallet logins that hadn’t yet been drained. These figures underline the massive reach of infostealer networks.
Why It Happened
Infostealers have become the go-to tool for crypto theft, sold as a service to cybercriminals. This low-barrier access fueled widespread infections. Law enforcement traced the infrastructure, and Microsoft used a novel RICO lawsuit to prove Amadey and StealC ran on shared resources, enabling a broader disruption. The move reflects a shift toward aggressive legal and technical tactics to dismantle malware supply chains. As crypto adoption grows, so does the incentive for such attacks.
Broader Impact
The takedown sets a precedent for using racketeering laws against crypto malware. It temporarily raises the cost for criminals and may restore some market confidence. But infostealers adapt quickly — past takedowns rarely kill operations outright. The real win is victim notification, potentially preventing future thefts. Sustained pressure through public-private partnerships will be critical to keep the ecosystem secure.
What to Watch Next
- Whether Amadey and StealC operators regroup with modified malware to evade detection.
- The ripple effect on other infostealer markets and potential copycat operations.
- How many victims reclaim lost funds after the credential recovery effort.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
