VYPR
kev · Published Jun 24, 2026 · 2 sources

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

A coordinated law enforcement operation involving Europol, Bitdefender, Bitsight, ESET, and Microsoft has disrupted the malware-as-a-service infrastructure behind Amadey and StealC, recovering 27 million stolen credentials.

A coordinated law enforcement operation, carried out with private sector partners including Bitdefender, Bitsight, ESET, and Microsoft, has taken down criminal infrastructure powering the Amadey and StealC malware families. The operation, coordinated by Europol, recovered 27 million stolen credentials and targeted what authorities described as the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.

Amadey is a malware loader that has been active since at least 2018 and is typically used to deliver secondary payloads such as ransomware and information stealers. StealC is a newer information stealer that emerged in January 2023, built to harvest browser-saved credentials, session cookies, cryptocurrency wallets, and other sensitive data from infected systems. Both are sold as malware-as-a-service offerings, so even low-skill attackers can buy pre-built tooling on underground forums rather than develop their own.

The law enforcement action specifically targeted the command-and-control infrastructure and distribution networks behind these malware families, aiming to break the supply chain that feeds infections worldwide. According to Europol, the 'main common goal was to disrupt the assembly lines cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.' The operation reflects the growing trend of coordinated public-private partnerships that go after cybercrime ecosystems at the infrastructure level rather than one actor at a time.

Beyond the infrastructure takedown, the recovery of 27 million stolen credentials is a significant blow to the underground credential market. Credentials harvested by StealC and other infostealers are routinely resold as initial access to corporate networks, which is then leveraged for ransomware deployment, business email compromise, or data exfiltration. The scale of the recovery underlines how infostealer malware has become a primary vector for cybercriminal operations. For defenders, one caveat matters: infostealers capture session cookies and tokens alongside passwords, so a password reset alone does not close the exposure from an infected host; active sessions should be revoked and multi-factor authentication enforced as part of any remediation.

The companies involved contributed telemetry, threat intelligence, and technical expertise. Bitdefender and ESET contributed malware analysis and detection capabilities, Bitsight brought network visibility and risk assessment, and Microsoft's Digital Crimes Unit provided cloud infrastructure insights and legal support. Europol's European Cybercrime Centre coordinated the operation across multiple jurisdictions.

This takedown comes amid a broader crackdown on infostealer and loader ecosystems. The 27 million recovered credentials follow other recent credential dump discoveries, such as the 24 billion records found in an exposed Elasticsearch cluster earlier this year. This operation is notable, however, for its proactive, law enforcement-led approach rather than passive discovery of already-leaked data.

Disrupting the supply chain of malware-as-a-service operations is seen as a more effective long-term strategy than pursuing individual attackers, because it removes the shared tooling that enables a wide range of cybercriminal activity at once. Authorities hope the takedown will force threat actors onto new, less reliable infrastructure, disrupting ongoing ransomware and fraud campaigns in the process.

The Amadey and StealC operation demonstrates the increasing effectiveness of coordinated public-private efforts against sophisticated cybercrime networks. As infostealers continue to serve as the backbone of the ransomware economy, more such takedowns are likely to follow.

The same operation also disrupted the SocGholish initial access service, seizing 76 domains and 30 servers operated by Evil Corp. Investigators used a vulnerability in the StealC command-and-control panel to search and seize servers, and Microsoft presented evidence that Amadey and StealC shared common attack infrastructure, which supported charges under the RICO Act. In the first two weeks of May alone, more than 140,000 PCs were infected with these malware strains.

Synthesized by Vypr AI