27 Million Stolen Credentials and Two Malware Families Taken Down
In a major coordinated law enforcement operation, authorities have disrupted the criminal infrastructure behind Amadey and StealC — two of the most widely used malware families in the cybercrime ecosystem — and recovered a staggering 27 million stolen credentials in the process. The operation was conducted in partnership with cybersecurity firms Bitdefender, Bitsight, ESET, and Microsoft, reflecting the growing role of the private sector in major cybercrime takedowns.
Europol framed the operation as targeting the "assembly lines" that criminal groups use to industrialize attacks — a supply chain disruption approach increasingly favored by international law enforcement.
What Are Amadey and StealC?
Amadey
Amadey is a modular malware loader that has been sold on cybercriminal forums since approximately 2018. It is primarily used to:
- Establish persistence on infected Windows systems
- Download and execute secondary payloads (ransomware, RATs, additional stealers)
- Exfiltrate basic system and browser data
- Serve as an initial access broker tool
Despite its relatively simple architecture, Amadey's low cost and reliability made it a staple for both entry-level cybercriminals and sophisticated threat actors. It has been observed loading ransomware families including LockBit, BlackCat, and several smaller operations.
StealC
StealC emerged in 2023 as a Malware-as-a-Service (MaaS) infostealer targeting:
- Browser-saved credentials and cookies
- Cryptocurrency wallets (50+ wallet types)
- Email and FTP clients
- Application-specific data (VPN configs, Discord tokens, etc.)
StealC distinguished itself with a lightweight architecture and a polished criminal backend panel that allowed buyers to manage infection campaigns and download stolen data with ease. It quickly grew to compete with established infostealers like RedLine and Raccoon Stealer.
Scale of the Operation
| Metric | Detail |
|---|---|
| Credentials Recovered | 27 million |
| Malware Families Targeted | Amadey, StealC (part of broader CaaS action) |
| Private Sector Partners | Bitdefender, Bitsight, ESET, Microsoft |
| Coordinating Authority | Europol |
| Infrastructure Type | C2 servers, distribution panels, dropper infrastructure |
The 27 million credentials recovered represent the data that was still accessible in seized infrastructure — actual total victim counts across the lifetime of these operations are likely far higher.
The Private-Public Partnership Model
This takedown exemplifies the modern approach to cybercrime disruption: law enforcement agencies alone lack the technical visibility to map and seize complex criminal infrastructure across jurisdictions. Private cybersecurity firms fill this gap:
- Bitdefender and ESET contributed malware analysis and C2 tracking telemetry built from years of endpoint telemetry across millions of customers.
- Bitsight provided internet-wide scanning data to map the full infrastructure footprint.
- Microsoft's Digital Crimes Unit contributed legal mechanisms (domain seizures) and threat intelligence from Microsoft Defender.
This combination of legal authority (law enforcement) + technical reach (private sector telemetry) + legal infrastructure (Microsoft's established court order processes for domain seizures) is the model that has driven major recent takedowns including Emotet (2021), Qakbot (2023), and LockBit (2024).
What This Means for Defenders
Credential Exposure
If 27 million credentials were recovered from seized infrastructure, a similar or larger number may have already been distributed to Amadey/StealC customers before the takedown. Organizations should:
- Force password resets for any users whose credentials may have been exposed to infostealer campaigns over the past 12-18 months.
- Check breach notification services (HaveIBeenPwned, Flare, SpyCloud) for organizational credential exposure tied to recent infostealer activity.
- Implement phishing-resistant MFA to limit the impact of stolen credentials.
Endpoint Hygiene
Amadey and StealC infections often leave behind persistence mechanisms even after the payload has run. Security teams should:
- Scan endpoints for known Amadey and StealC IOCs (check Bitdefender and ESET's published threat intelligence).
- Review scheduled tasks, registry run keys, and startup entries for anomalies.
- Correlate endpoint logs against known Amadey C2 domains from the period before the takedown.
Durability of the Disruption
Past experience with similar takedowns suggests the disruption may be significant but temporary. The Raccoon Stealer takedown in 2022 was followed by a v2 relaunch within months. Emotet, despite a more thorough takedown, re-emerged in late 2021.
StealC in particular operates as MaaS, which means its customer base may simply migrate to competitor infostealers (Lumma Stealer, Vidar, Meduza) in the short term. However, the seizure of backend panels and the disruption to the developer-customer relationship does create real operational friction and may put some criminal buyers out of business entirely.
The recovery of 27 million credentials — and Europol's public commitment to this supply chain approach — signals sustained pressure on the infrastructure layer of the cybercrime economy.