Operation Endgame: A Major Crackdown on Cybercrime
A significant operation targeting the insidious world of cybercrime has resulted in the freezing of approximately €41 million (around $47 million) in illicitly obtained cryptocurrency funds. This crackdown, part of a coordinated initiative called Operation Endgame, has been orchestrated by law enforcement agencies worldwide, according to a recent statement from Europol.
Malware Families Targeted
Over a span of two weeks, authorities dismantled the underlying networks associated with three notorious malware families: SocGholish, Amadey, and StealC, all known for wreaking havoc on cryptocurrency users.
The StealC malware, which has been available on the dark web since 2023, is particularly concerning because it functions as an information stealer (infostealer), collecting sensitive data such as passwords, browser cookies, and cryptocurrency wallet details from infected computers. One notable component of StealC’s toolkit is a plugin designed to decode seed phrases from victims’ MetaMask wallets, as revealed by researchers at Proofpoint.
Amadey acts as an entry point to plant additional malware, while the SocGholish malware, linked to the infamous hacking group Evil Corp based in Russia, spreads via deceptive prompts for browser updates on compromised sites. Together, these malware families are instrumental in executing a series of attacks that lead to drained cryptocurrency wallets and unauthorized account access, often culminating in ransomware incidents.
Law Enforcement Successes
In this latest offensive, law enforcement agencies successfully shut down 326 servers and 142 domains, unearthing nearly 27 million stolen login credentials from over 385,000 affected systems. Additionally, they managed to clean up close to 15,000 infected websites, many catering to small businesses. Microsoft collaborated closely on this operation, during which it identified more than 140,000 computers infected with Amadey and StealC within just the first two weeks of May.
The Rise of Infostealers
Infostealers like those involved in this operation have emerged as the primary vectors for cryptocurrency theft, stealthily extracting wallet files, private keys, and seed phrases from users’ devices. These malicious tools often infiltrate systems through deceptive channels, including counterfeit AI tools, malicious Steam wallpapers, and pirated gaming mods.
Ongoing Challenges and Future Efforts
The scope of this criminal activity is alarming; a previous phase of Operation Endgame uncovered stolen login information for over 100,000 cryptocurrency wallets that had not yet been emptied. Furthermore, Microsoft’s Digital Crimes Unit has lodged a racketeering lawsuit in the U.S., marking the first instance of categorizing the two malware families—Amadey and StealC—as part of a collaborative criminal syndicate.
By employing AI technologies like Copilot to analyze malware patterns, investigators discovered that, although these malware types originated from different developers, they operated on interconnected infrastructures. This has enabled Microsoft to legally pursue facilitators across both networks under the applicable racketeering laws, leading to the disruption of more than 200 command-and-control servers. Currently, authorities have identified upwards of 18,000 victimized computers and are actively working to dismantle the attackers’ operations.
Despite these significant efforts, complete eradication of such malware is notoriously difficult. StealC, for example, has recently launched a new version. As part of ongoing efforts, Europol and its partners are directing victim notifications through platforms like Have I Been Pwned, allowing users to ascertain whether their login details and wallet keys have fallen into malicious hands.