In what prosecutors and cybersecurity researchers are calling a legal first, Microsoft's Digital Crimes Unit and Europol's European Cybercrime Centre jointly dismantled both StealC and Amadey through a single US District Court filing in Miami on June 24, 2026. The simultaneous takedown of two independent cybercrime tool families under one RICO conspiracy charge represents a novel prosecutorial approach to dismantling the full cyberattack supply chain in a single coordinated action.
The Two Tools
StealC is a Malware-as-a-Service (MaaS) infostealer that emerged in 2023 and quickly became one of the most widely-used credential theft tools available on criminal markets. It has been linked primarily to Russia-based threat groups and has been observed across hundreds of campaigns stealing banking credentials, cryptocurrency wallets, and enterprise authentication tokens.
Amadey is a loader and dropper dating to 2018 — one of the older durable malware families still in active operation. Used extensively by Russian-linked groups, including in operations targeting Ukrainian government and defence sector organizations, Amadey provides initial access by establishing a foothold on victim systems before delivering secondary payloads. In many campaigns, Amadey serves as the delivery mechanism for StealC itself.
What Made the Joint Action Possible
Despite being developed and operated by separate criminal groups, both malware families were discovered to share the same command-and-control infrastructure. This connection was uncovered through AI-assisted analysis — including Microsoft Copilot tooling used by the Microsoft DCU investigation team — which correlated C2 server fingerprints, certificate patterns, and hosting relationships across both ecosystems.
The shared infrastructure finding was legally significant: it allowed prosecutors to argue that both operations were effectively part of a single criminal conspiracy under the Racketeer Influenced and Corrupt Organizations (RICO) Act. This let the US District Court issue one unified set of seizure orders covering both tool networks, rather than requiring two separate legal proceedings — saving months of parallel prosecution and allowing both networks to be dismantled simultaneously before either group could react and rebuild.
Microsoft's Steven Masada, from the DCU, commented: "It's no longer enough to go after threats one by one."
Scale of the Operation
The action was part of a broader Operation Endgame coordinated by Europol:
- 200+ malicious C2 domains and IP addresses seized
- 140,000 infected computers linked to Amadey and StealC activity in just the first two weeks of May 2026 alone
- 326 servers and 142 domains taken down across the broader Endgame operation
- 25.6 million stolen credentials recovered
- 385,000 compromised systems identified and notified
- €41 million (~$47 million USD) in cryptocurrency seized
International Coalition
The operation involved law enforcement and private sector partners across multiple countries:
Law Enforcement: Europol EC3, Germany's Bundeskriminalamt (BKA), Dutch National Police, Danish National Police, US FBI
Private Sector: Microsoft DCU, ESET, BitSight, IBM X-Force, Proofpoint, Mitsui Bussan Secure Directions
Why This Signals a Shift
Traditional cybercrime enforcement has largely targeted individual malware families or infrastructure operators one case at a time. The StealC/Amadey action demonstrates a more systemic approach:
-
Supply chain prosecution: Rather than targeting only the actors deploying malware against victims, the action targets the MaaS infrastructure that supplies both the loader (Amadey) and the infostealer (StealC) to dozens of downstream criminal customers.
-
AI-accelerated investigation: The linkage between two ostensibly independent malware ecosystems was identified through automated correlation of infrastructure signals — a method that scales in ways traditional manual investigation cannot.
-
RICO as a cybercrime tool: Applying organized crime conspiracy statutes to malware-as-a-service ecosystems opens the door to broader prosecutorial strategies that treat the criminal supply chain — developers, operators, and infrastructure providers — as a single enterprise.
For Defenders
Organizations that experienced unexplained credential theft, unusual authentication events, or lateral movement in the May-June 2026 timeframe should check indicators of compromise associated with both Amadey and StealC. Microsoft and ESET have published updated detection signatures. Europol's victim notification program is active through national police portals for affected regions.