Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Three 'Cybercrime-as-a-Service' Operations Undercut by Microsoft and Law Enforcement
Three 'Cybercrime-as-a-Service' Operations Undercut by Microsoft and Law Enforcement
NEWS

Three 'Cybercrime-as-a-Service' Operations Undercut by Microsoft and Law Enforcement

A two-week joint operation by Microsoft and Europol dismantled three major malware-as-a-service platforms — StealC, Amadey, and SocGholish — seizing 326...

Dylan H.

News Desk

June 25, 2026
2 min read

A coordinated two-week operation involving Microsoft's Digital Crimes Unit and Europol has dealt a significant blow to three interconnected malware-as-a-service ecosystems, targeting the shared infrastructure underpinning StealC, Amadey, and SocGholish — tools responsible for hundreds of thousands of infections across the globe.

Operation Overview

Announced on June 24, 2026, the joint law enforcement action resulted in:

  • 326 servers dismantled
  • 142 domains taken offline
  • 14,971 compromised websites (primarily retailers, used to distribute SocGholish)
  • 18,000 victim computers identified and notified during the operation
  • 27 million stolen login credentials recovered
  • €41 million (~$47M USD) in cryptocurrency seized

The Malware Triad

StealC is an infostealer designed to harvest passwords, browser cookies, and session tokens from infected machines, enabling follow-on account takeover and fraud.

Amadey functions as a dropper — a malware loader used to establish initial access on a victim machine and stage further payloads, including ransomware and remote access tools.

SocGholish (also attributed to Evil Corp, a Russian cybercrime group) is a JavaScript-based malware framework delivered through compromised legitimate websites using fake browser update lures. In May 2026 alone, it infected over 140,000 computers worldwide.

Microsoft's AI-Driven Approach

What made this operation notable was Microsoft's use of artificial intelligence to identify a critical tactical insight: Amadey and StealC shared identical backend command-and-control infrastructure. By targeting both simultaneously — rather than sequentially — the operation achieved compounding disruption, collapsing what Microsoft described as a full criminal "supply chain" that fueled ransomware deployment, financial fraud, and attacks on critical infrastructure.

This approach marks a shift in how tech companies partner with law enforcement: moving from reactive response to proactive supply-chain-level disruption.

No Arrests Reported

Despite the scale of the seizures, no arrests were announced as part of this operation. The perpetrators behind Evil Corp and affiliated SocGholish infrastructure remain at large, highlighting the ongoing challenge of achieving accountability for cybercriminals operating from jurisdictions that are uncooperative with Western law enforcement.

Takeaway

Operations like this demonstrate that the most effective disruptions target shared criminal infrastructure — the servers, domains, and tooling that multiple threat actors depend on — rather than chasing individual malware samples. For defenders, it underscores the importance of monitoring for SocGholish-style fake update lures on corporate endpoints and auditing for StealC/Amadey indicators of compromise across email and credential stores.

#Malware#Supply Chain#Microsoft#Europol#Takedown

Related Articles

In a First, a Court Takedown Goes After Two Cybercrime Tools at Once

Microsoft and Europol dismantled both StealC and Amadey simultaneously in a single RICO filing — the first time a court-authorized takedown has targeted...

4 min read

Microsoft and Europol Dismantle Three Cybercrime-as-a-Service Operations

Microsoft and Europol jointly targeted the full CaaS supply chain, seizing 300+ servers and disrupting SocGholish, Amadey, and StealC malware infrastructure.

4 min read

Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered

A coordinated law enforcement operation backed by Bitdefender, Bitsight, ESET, and Microsoft has dismantled the infrastructure powering Amadey and StealC,...

4 min read
Back to all News