Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered
Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered
NEWS

Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered

A coordinated law enforcement operation backed by Bitdefender, Bitsight, ESET, and Microsoft has dismantled the infrastructure powering Amadey and StealC,...

Dylan H.

News Desk

June 24, 2026
4 min read

27 Million Stolen Credentials and Two Malware Families Taken Down

In a major coordinated law enforcement operation, authorities have disrupted the criminal infrastructure behind Amadey and StealC — two of the most widely used malware families in the cybercrime ecosystem — and recovered a staggering 27 million stolen credentials in the process. The operation was conducted in partnership with cybersecurity firms Bitdefender, Bitsight, ESET, and Microsoft, reflecting the growing role of the private sector in major cybercrime takedowns.

Europol framed the operation as targeting the "assembly lines" that criminal groups use to industrialize attacks — a supply chain disruption approach increasingly favored by international law enforcement.


What Are Amadey and StealC?

Amadey

Amadey is a modular malware loader that has been sold on cybercriminal forums since approximately 2018. It is primarily used to:

  • Establish persistence on infected Windows systems
  • Download and execute secondary payloads (ransomware, RATs, additional stealers)
  • Exfiltrate basic system and browser data
  • Serve as an initial access broker tool

Despite its relatively simple architecture, Amadey's low cost and reliability made it a staple for both entry-level cybercriminals and sophisticated threat actors. It has been observed loading ransomware families including LockBit, BlackCat, and several smaller operations.

StealC

StealC emerged in 2023 as a Malware-as-a-Service (MaaS) infostealer targeting:

  • Browser-saved credentials and cookies
  • Cryptocurrency wallets (50+ wallet types)
  • Email and FTP clients
  • Application-specific data (VPN configs, Discord tokens, etc.)

StealC distinguished itself with a lightweight architecture and a polished criminal backend panel that allowed buyers to manage infection campaigns and download stolen data with ease. It quickly grew to compete with established infostealers like RedLine and Raccoon Stealer.


Scale of the Operation

MetricDetail
Credentials Recovered27 million
Malware Families TargetedAmadey, StealC (part of broader CaaS action)
Private Sector PartnersBitdefender, Bitsight, ESET, Microsoft
Coordinating AuthorityEuropol
Infrastructure TypeC2 servers, distribution panels, dropper infrastructure

The 27 million credentials recovered represent the data that was still accessible in seized infrastructure — actual total victim counts across the lifetime of these operations are likely far higher.


The Private-Public Partnership Model

This takedown exemplifies the modern approach to cybercrime disruption: law enforcement agencies alone lack the technical visibility to map and seize complex criminal infrastructure across jurisdictions. Private cybersecurity firms fill this gap:

  • Bitdefender and ESET contributed malware analysis and C2 tracking telemetry built from years of endpoint telemetry across millions of customers.
  • Bitsight provided internet-wide scanning data to map the full infrastructure footprint.
  • Microsoft's Digital Crimes Unit contributed legal mechanisms (domain seizures) and threat intelligence from Microsoft Defender.

This combination of legal authority (law enforcement) + technical reach (private sector telemetry) + legal infrastructure (Microsoft's established court order processes for domain seizures) is the model that has driven major recent takedowns including Emotet (2021), Qakbot (2023), and LockBit (2024).


What This Means for Defenders

Credential Exposure

If 27 million credentials were recovered from seized infrastructure, a similar or larger number may have already been distributed to Amadey/StealC customers before the takedown. Organizations should:

  1. Force password resets for any users whose credentials may have been exposed to infostealer campaigns over the past 12-18 months.
  2. Check breach notification services (HaveIBeenPwned, Flare, SpyCloud) for organizational credential exposure tied to recent infostealer activity.
  3. Implement phishing-resistant MFA to limit the impact of stolen credentials.

Endpoint Hygiene

Amadey and StealC infections often leave behind persistence mechanisms even after the payload has run. Security teams should:

  • Scan endpoints for known Amadey and StealC IOCs (check Bitdefender and ESET's published threat intelligence).
  • Review scheduled tasks, registry run keys, and startup entries for anomalies.
  • Correlate endpoint logs against known Amadey C2 domains from the period before the takedown.

Durability of the Disruption

Past experience with similar takedowns suggests the disruption may be significant but temporary. The Raccoon Stealer takedown in 2022 was followed by a v2 relaunch within months. Emotet, despite a more thorough takedown, re-emerged in late 2021.

StealC in particular operates as MaaS, which means its customer base may simply migrate to competitor infostealers (Lumma Stealer, Vidar, Meduza) in the short term. However, the seizure of backend panels and the disruption to the developer-customer relationship does create real operational friction and may put some criminal buyers out of business entirely.

The recovery of 27 million credentials — and Europol's public commitment to this supply chain approach — signals sustained pressure on the infrastructure layer of the cybercrime economy.

#Malware#Infostealer#Amadey#StealC#Law Enforcement#Europol#Credentials#Botnet Takedown#Microsoft

Related Articles

Microsoft and Europol Dismantle Three Cybercrime-as-a-Service Operations

Microsoft and Europol jointly targeted the full CaaS supply chain, seizing 300+ servers and disrupting SocGholish, Amadey, and StealC malware infrastructure.

4 min read

In a First, a Court Takedown Goes After Two Cybercrime Tools at Once

Microsoft and Europol dismantled both StealC and Amadey simultaneously in a single RICO filing — the first time a court-authorized takedown has targeted...

4 min read

Amadey and StealC Malware Operations Disrupted in Operation Endgame Action

Microsoft, Europol, and international law enforcement partners have dismantled infrastructure supporting the Amadey malware loader and StealC infostealer...

6 min read
Back to all News