$47M in Crypto Frozen in Global Infostealer Takedown: Europol

Decrypt
2 hours ago

A global crackdown on "cybercrime-as-a-service" malware that quietly drains crypto wallets has frozen tens of millions of dollars in stolen funds.


Law enforcement identified, flagged, and froze more than €41 million (about $47 million) in criminal crypto assets in the latest phase of Operation Endgame, Europol said on Wednesday. The two-week, multi-country strike dismantled the infrastructure behind three malware families: SocGholish, Amadey, and StealC.



All three target crypto users. StealC, an infostealer sold as a service since 2023, scrapes passwords, browser cookies, and crypto wallet data from infected machines. Its control panel even included a plugin that tried to decrypt the seed phrases of victims' MetaMask wallets, researchers at Proofpoint found.


Amadey gains the initial foothold and drops further malware, while SocGholish, linked to the Russian group Evil Corp, infects people through fake browser-update prompts on hacked websites. Together they form the front end of attacks that end in drained wallets, account takeovers, and ransomware.


Police took down 326 servers and 142 domains, recovered almost 27 million stolen credentials from more than 385,000 compromised systems, and cleaned nearly 15,000 infected websites, many of them small businesses. Microsoft, a partner in the operation, tied Amadey and StealC to over 140,000 infected computers worldwide in the first two weeks of May alone.





What are infostealers?


Infostealers have become a primary route to stolen crypto, quietly lifting wallet files, private keys, and seed phrases from victims' devices. They use a variety of vectors to target crypto users, including fake AI tools, Steam wallpapers and pirated game mods.


The scale of exposure is vast. An earlier Operation Endgame action late last year uncovered login data for more than 100,000 crypto wallets, stolen from victims but not yet emptied.


Microsoft's Digital Crimes Unit separately filed a U.S. racketeering lawsuit that, for the first time, treated two malware families as a single criminal conspiracy. Using AI tools including Copilot to analyze the malware, investigators found that Amadey and StealC, though built by different criminals, ran on shared infrastructure, letting Microsoft charge enablers across both operations under the RICO Act and disrupt more than 200 command-and-control servers. Microsoft has since identified over 18,000 victim computers and begun severing the attackers' control.



Such takedowns rarely kill malware outright, and operators tend to regroup, with StealC shipping a fresh build as recently as this month. For now, Europol and its partners are routing victim alerts through services like Have I Been Pwned, so users can check whether their credentials, and the keys to their wallets, are already in criminal hands.
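The Have I Been Pwned checks the article refers to work in two ways: the email-based breach notifications that Europol's partners route to victims, and HIBP's Pwned Passwords API, which lets a user (or a password-reset flow) test whether a password appears in the leaked-credential corpus without ever sending the password itself. The following is an added example, not code from the article, Decrypt, Europol or HIBP, showing how that password check works: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and matches the rest locally against the list of suffixes the server returns. The endpoint URL is the real Pwned Passwords range API; the sample server responses and their hit counts are constructed here so the demo runs offline.

```python
"""k-anonymity password check against Have I Been Pwned's Pwned Passwords API.

Added example (not from the article). Only a 5-character SHA-1 prefix leaves
the machine; the server replies with every suffix it knows for that prefix,
so it cannot tell which password was checked.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the HIBP Pwned Passwords range API (v3).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate CRLF and blanks."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the raw response body for that prefix.
    The suffix comparison happens locally; the server never sees it.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Query the real API. Needs network; the offline demo below does not use it."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-passwords-example"},  # HIBP requires a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed server responses (offline stand-in for the real API) ---
_P_WEAK, _S_WEAK = split_sha1("password")
_P_STRONG, _S_STRONG = split_sha1("correct horse battery staple")

# Filler suffixes and counts are made up; only the "password" suffix matches.
_CONSTRUCTED_RANGES: Dict[str, str] = {
    _P_WEAK: (
        "0" * 35 + ":1\r\n"
        + _S_WEAK + ":1000000\r\n"      # constructed count, not HIBP's real figure
        + "F" * 35 + ":2\r\n"
    ),
    _P_STRONG: "0" * 35 + ":1\r\n",     # prefix known, but our suffix is absent
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline fetcher returning the constructed responses above."""
    return _CONSTRUCTED_RANGES.get(prefix, "")


def verdict(password: str, fetch_range: Callable[[str], str] = constructed_fetch_range) -> str:
    """Human-readable result for a password-reset flow or a user-facing checker."""
    n = pwned_count(password, fetch_range)
    return "compromised" if n > 0 else "not in corpus"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(pw)
        print(f"sent prefix {prefix!r}: {verdict(pw)}")
```

Pass `live_fetch_range` instead of the default fetcher to query the real service. A reset flow that refuses passwords with a non-zero count closes the door on credentials already circulating in infostealer logs, which is the same corpus the article's victim alerts draw on.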


Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice of any kind to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.
