
Operation Endgame Took Down SocGholish Last Week. Today It Took Down StealC and Amadey. 27 Million Credentials Seized. $47M Frozen.

  • Writer: Patrick Duggan

We covered the SocGholish takedown on June 24. Phase 1 of Operation Endgame's latest push disrupted TA569's infrastructure: 106 C2 servers seized, 14,971 compromised WordPress sites cleaned, the fake browser update distribution network taken offline.


One week later, Phase 2 hit the rest of the assembly line.



What Went Down Today


Europol announced Wednesday the dismantling of criminal infrastructure behind three malware families: Amadey, StealC, and SocGholish (the Phase 1 component, confirming that its takedown is complete).


326 servers seized or actioned. 142 domains taken down. Six countries coordinated. Agencies involved: Europol, Eurojust, Microsoft, and national law enforcement from Germany, the Netherlands, Denmark, the United Kingdom, Canada, and the United States.


27 million stolen login credentials recovered — the raw number of harvested credentials from infostealer logs seized during the operation.


$47 million in criminal cryptocurrency frozen — €41M equivalent. This is the financial seizure component that targets the operation's revenue, not just its infrastructure.



The Assembly Line That Got Dismantled


Amadey and StealC are not standalone tools. They are components of a coordinated credential-theft-to-ransomware pipeline.


Amadey is a loader and dropper. Its job is initial access and persistence — getting onto a machine, establishing a foothold, and loading the next stage. Amadey is sold as a malware-as-a-service product and has been active since 2018. It has been the delivery mechanism for a wide range of secondary payloads.


StealC is the credential harvesting stage. It extracts browser-stored passwords, cookies, autofill data, cryptocurrency wallets, and authentication tokens. The stolen data flows to operator infrastructure and gets processed into logs sold on criminal markets or used directly for account takeover.


SocGholish is the distribution layer — the fake browser update campaigns on compromised WordPress sites that deliver the initial infection. Phase 1 of this Endgame push took out the distribution. Phase 2 took out the harvesting and loading infrastructure.


Three components, three weeks, one coordinated operation. The criminals who built campaigns on top of this stack lost their loader, their stealer, and their distribution network simultaneously.



The Credentials Problem


27 million stolen credentials is the number from this seizure. It represents what was recoverable from the seized infrastructure. The actual number of credentials that flowed through Amadey and StealC over their operational lifetimes is orders of magnitude larger.


Credentials stolen by infostealers do not expire when the infostealer gets taken down. They are already in criminal markets, already in combo lists, already being used for account takeover, credential stuffing, and session hijacking. The operation stops the bleeding — it does not heal the wound.


Organizations whose employees were infected by Amadey or StealC should treat any credential touched by those devices as compromised regardless of whether the infection was detected and remediated. Password reset for affected accounts is the minimum action.
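One way to turn that guidance into an actionable list, as an added example that is not part of the original post: cross an inventory of hosts known to have run Amadey or StealC against authentication logs, then emit every account that touched those hosts (password reset) and every session issued from them (revocation, because StealC also lifts cookies and tokens, which a password change alone does not invalidate). The host names, timestamps and log records below are constructed for illustration; the optional `lookback_days` parameter is an assumed policy knob, and a host marked as remediated is deliberately still counted, matching the post's point that cleanup does not un-steal the data.

```python
"""Scope credential exposure after an infostealer infection (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Infection:
    first_seen: datetime  # earliest time the stealer is known to have run
    remediated: bool      # host cleaned? does NOT shrink the exposure scope


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    host: str
    session_id: str


# Constructed infection inventory (hypothetical host names).
INFECTED_HOSTS: Dict[str, Infection] = {
    "WS-0142": Infection(datetime(2025, 6, 2, 9, 15), remediated=False),
    "LT-0377": Infection(datetime(2025, 6, 10, 17, 40), remediated=True),
}

# Constructed authentication log (hypothetical users and session ids).
AUTH_LOG: List[AuthEvent] = [
    AuthEvent(datetime(2025, 4, 1, 8, 0), "erin", "LT-0377", "s-100"),   # long before infection
    AuthEvent(datetime(2025, 6, 1, 8, 0), "alice", "WS-0142", "s-101"),  # day before infection
    AuthEvent(datetime(2025, 6, 3, 8, 5), "alice", "WS-0142", "s-102"),
    AuthEvent(datetime(2025, 6, 4, 12, 0), "bob", "WS-0142", "s-103"),
    AuthEvent(datetime(2025, 6, 11, 9, 0), "carol", "LT-0377", "s-104"),  # after "remediation"
    AuthEvent(datetime(2025, 6, 12, 9, 0), "dave", "WS-0999", "s-105"),   # clean host
]


def scope_exposure(
    infected_hosts: Dict[str, Infection],
    auth_log: List[AuthEvent],
    lookback_days: Optional[int] = None,
) -> Tuple[List[str], List[str]]:
    """Return (accounts_to_reset, sessions_to_revoke), both sorted.

    Every login on an infected host counts, whether it happened before or after
    the infection was first seen: browser-stored passwords saved earlier are
    stolen along with everything else.  lookback_days, when given, bounds how
    far before first_seen a login still counts (assumed policy choice).
    """
    accounts, sessions = set(), set()
    for ev in auth_log:
        infection = infected_hosts.get(ev.host)
        if infection is None:
            continue  # host not in the infected inventory
        if lookback_days is not None:
            cutoff = infection.first_seen - timedelta(days=lookback_days)
            if ev.ts < cutoff:
                continue
        # infection.remediated is intentionally ignored here.
        accounts.add(ev.user)
        sessions.add(ev.session_id)
    return sorted(accounts), sorted(sessions)


def remediation_plan(
    infected_hosts: Dict[str, Infection],
    auth_log: List[AuthEvent],
    lookback_days: Optional[int] = None,
) -> List[str]:
    """Render the scope as one action line per account and per session."""
    accounts, sessions = scope_exposure(infected_hosts, auth_log, lookback_days)
    plan = [f"RESET password: {user}" for user in accounts]
    plan += [f"REVOKE session: {sid}" for sid in sessions]
    return plan


if __name__ == "__main__":
    for line in remediation_plan(INFECTED_HOSTS, AUTH_LOG):
        print(line)
```

Run without a lookback to get the full scope (every user and session ever seen on the infected hosts); pass `lookback_days=30` only if your session lifetime and password rotation policy justify bounding the window. Note that `dave` on the clean host `WS-0999` is excluded, while `carol`, who logged in after `LT-0377` was marked remediated, is still listed.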



Our Coverage


Our corpus had Amadey and StealC IOCs from feed ingestion. The seized infrastructure is now attributable to Operation Endgame. We will update those IOC entries to reflect the takedown context — infrastructure that was live C2 as of June 14 is now seized.


The SocGholish cron we have been running detected TA569 activity during the active phase. The operation and our detection ran concurrently. The receipts are in the compliance evidence folder.

