What happened in Operation Endgame in June 2026?
Europol and Microsoft took down 326 servers and 142 domains on June 24, 2026, seizing over €41 million ($47 million) in criminal crypto assets and recovering 27 million stolen login credentials. The operation targeted three malware networks — SocGholish, Amadey, and StealC — as part of a coordinated public-private effort called Operation Endgame.
Law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States participated. Europol and Eurojust coordinated the international activity. Microsoft joined as a private-sector partner alongside other industry players.
What malware did Operation Endgame target?
The operation dismantled three distinct but interconnected malware tools, each sold as a service on criminal markets.
- SocGholish is a dropper/loader that spreads by replacing legitimate browser updates on compromised WordPress websites. Visitors who click the fake update unknowingly install the malware, which then opens a backdoor for attackers. SocGholish is linked to the Russian cybercriminal group Evil Corp, which was previously responsible for the Zeus and Dridex malware families.
- Amadey is a dropper/loader spread mainly through phishing campaigns. It gains initial access to a device and can introduce additional malware into compromised systems. It also carries stealer capabilities, allowing it to retrieve sensitive data.
- StealC is an infostealer with dropper functionality. It is designed to extract passwords, stored credentials, and digital identities from infected machines for use in data trading and fraud.
Together, Amadey and StealC form a two-stage attack chain. Amadey breaks in; StealC strips the data. According to Europol's Operation Endgame announcement, in just the first two weeks of May 2026, this pair was linked to over 140,000 infected computers worldwide.
How did Microsoft use AI to support the takedown?
Microsoft's Digital Crimes Unit used Copilot AI to analyze the shared infrastructure behind Amadey and StealC. Microsoft processes 100 trillion security signals daily — a volume no human team can manually correlate. Copilot synthesized that data and identified that both malware families routed operations through the same backend infrastructure.
That finding was critical. It gave Microsoft's legal team the technical evidence needed to treat the two tools as a single criminal conspiracy, justifying one unified court-authorized strike rather than two separate actions. As news.az reports, citing Microsoft, since the start of the operation Microsoft has identified more than 18,000 victim computers, severed criminal control of those devices, and begun working with telecommunications providers to protect affected customers globally.
Here's what we know so far: the AI-assisted approach marks a deliberate shift from targeting individual malware strains one at a time toward disrupting the shared infrastructure that connects them.
What was the scale of the SocGholish takedown?
The SocGholish action was the largest single component of Operation Endgame by site count. Law enforcement remediated 14,971 infected websites — including those belonging to restaurants, auto repair shops, and other everyday businesses. Most of those sites ran on WordPress.
The Dutch Police removed vulnerabilities from infected sites and notified owners directly. Victim notifications also went out through platforms including HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and NL-NCSC.
The SocGholish botnet was disabled by taking over its domain names and pulling its servers offline.
What should WordPress site owners do now?
The Dutch Police issued direct guidance for WordPress administrators whose sites may have been compromised. The steps are:
- Change login credentials immediately
- Enable multi-factor authentication
- Delete any unknown additional WordPress accounts
- Keep the WordPress installation up to date
For regular users, the advice is simpler: never trust browser pop-ups demanding an update, and always apply updates only through official system settings or an app store.
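One check that fits the site-owner steps above, added here as an example and not guidance published by the Dutch Police, Europol or Microsoft: it parses a page's HTML and reports every host that serves a script to the page but is not on the owner's allowlist, which is how an injected fake-update loader of the kind SocGholish plants on compromised WordPress sites would surface. The sample page, the hostnames and the allowlist are constructed placeholders, not indicators from the operation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def script_hosts(html):
    """Return the set of hosts the page loads scripts from.
    Relative and root-relative src values are reported as '(same-origin)'."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        host = urlparse(src).netloc.lower()  # handles https://, http:// and //host forms
        hosts.add(host or "(same-origin)")
    return hosts


def unexpected_script_hosts(html, allowed_hosts):
    """Hosts serving scripts to this page that are not on the site owner's allowlist.
    An injected update-prompt loader appears as a host the site never intentionally included."""
    allowed = {h.lower() for h in allowed_hosts} | {"(same-origin)"}
    return sorted(h for h in script_hosts(html) if h not in allowed)


# Constructed sample page: a normal WordPress theme plus one injected external script.
# The hostnames are placeholders, not indicators from Operation Endgame.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/some-lib/1.0/lib.min.js"></script>
<script type="text/javascript" src="//cdn.update-prompt.invalid/loader.js"></script>
</head><body><p>Welcome to the shop.</p></body></html>"""

SITE_ALLOWLIST = ["www.example-shop.test", "cdnjs.cloudflare.com"]

if __name__ == "__main__":
    for host in unexpected_script_hosts(SAMPLE_PAGE, SITE_ALLOWLIST):
        print("unexpected script host:", host)
```

Run it against the saved HTML of each public page (and the output of wp-content templates) rather than a single URL, since injected loaders are often limited to specific paths.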
Key numbers from Operation Endgame
| Metric | Figure |
|---|---|
| Servers actioned | 326 |
| Domains actioned | 142 |
| Criminal crypto seized | €41M+ ($47M+) |
| Stolen credentials recovered | 27 million |
| Infected websites remediated (SocGholish) | 14,971 |
| Infected computers linked to Amadey/StealC (first 2 weeks of May 2026) | 140,000+ |
| Victim computers identified by Microsoft | 18,000+ |
Why did law enforcement target the "assembly line" instead of individual tools?
Operation Endgame marked a deliberate strategy shift. Rather than going after one malware strain at a time, Europol and its partners disrupted the full chain that allows cyberattacks to scale. When criminals lose only one tool, they adapt quickly — abandoning burned servers and rerouting through backups. When multiple parts of the operation are hit at once, attacks become harder to launch, scale, and rebuild.
This approach is directly relevant to builders working with AI-driven security tools and anyone thinking about how AI agents interact with shared infrastructure. The same co-dependency that made Amadey and StealC vulnerable — shared backend systems — is a structural risk in any tightly coupled system.
The operation also has implications for how AI coding tools and development platforms think about supply-chain security, since SocGholish specifically targeted compromised websites to deliver its payload.
The confirmed next step: Microsoft is actively working with telecommunications providers to notify and protect customers whose computers were identified as victims during the operation.