Last week’s Operation Endgame malware takedown was genuinely significant. Europol and eight countries, working alongside Microsoft, ESET, and four other private partners, dismantled 326 servers and 142 domains. They also recovered 27 million stolen passwords and froze €41 million in criminal cryptocurrency. It is among the largest actions of its kind. It is also missing something critical: arrests.
Infrastructure Seizures Hurt. Arrests End Operations.
Criminal groups running malware-as-a-service platforms have rebuilt infrastructure after previous enforcement actions, typically within weeks. The technical assets seized in Operation Endgame, the servers and domains, are commodities. They can also be replaced at relatively low cost. The expertise, the affiliate relationships, the code, and the criminal networks behind Amadey and StealC all remain intact. That, however, only changes if the operators are in custody.
Amadey has been running since October 2018. It has survived years of industry attention, multiple server burns, and at least one previous disruption. StealC emerged in early 2023. Within two years it had grown to 73 distinct affiliate clusters, generating subscriptions at up to £780 per month from criminal customers. The business model is resilient because it is distributed. Dozens of affiliates run the tool independently. Taking down one cluster does not stop the others.
This is not a criticism of Europol or the agencies involved in the malware takedown. Attributing criminal infrastructure to specific individuals in a way that supports arrest warrants across multiple jurisdictions is genuinely hard. The point is that businesses should read the outcome accurately rather than concluding that the threat has passed.
The Numbers Reveal an Uncomfortable Scale
Twenty-seven million credentials from 385,000 compromised systems is not a spike in criminal activity. It is simply what two malware families harvested in roughly a fortnight of active operation in May 2026. Amadey and StealC have been running for years. The total number of credentials they have collected is almost certainly far larger than what was recovered in this action.
Those credentials include VPN logins, corporate email accounts, cloud service passwords, and session cookies that let an attacker bypass multi-factor authentication without ever needing the original password. For any UK business whose employees use company systems without enforced endpoint controls, there is a real question about whether credentials are already in circulation on criminal markets.
The honest answer is: you probably don’t know. After all, most infostealers operate silently. Most organisations also lack the endpoint visibility to spot them. And the gap between infection and the first misuse of stolen credentials can run to months.
What This Means for How Businesses Think About Security
Operation Endgame is a reminder that law enforcement success is not the same as business protection. International operations at this scale take years to build and happen rarely. The Amadey botnet has been active for eight years. During that time, it delivered ransomware and credential theft tools to businesses worldwide, including in the UK. Last week’s malware takedown was the first coordinated response large enough to disrupt it.
Businesses cannot build their security posture around the assumption that law enforcement will act before they are affected. The criminal supply chain for malware-as-a-service tools is efficient, distributed, and cheap. Amadey licences cost roughly £470. StealC subscriptions ran from around £240 per month. These are accessible prices for anyone motivated to try.
The practical response is to make infection harder and to limit what attackers can do if they succeed. That means controlling what software reaches managed endpoints, moving sensitive systems to phishing-resistant MFA that cannot be bypassed by cookie replay, and maintaining endpoint detection that can recognise infostealer behaviour patterns. It also means testing those controls. A penetration test that includes client-side scenarios, such as spear phishing and malicious file delivery, will show you whether your setup works. If it does not stop an infostealer in testing, an actual attacker will find the same gap.
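A minimal illustration of the behavioural pattern such endpoint detection looks for, added here as an example and not taken from the article or any vendor product: a process that is not a browser reads browser credential stores and then opens an outbound connection shortly afterwards. The event schema, host and process names, file paths and addresses are all constructed.

```python
"""Toy infostealer-behaviour detection over constructed endpoint telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# File names of browser credential/cookie stores (illustrative, not exhaustive).
CREDENTIAL_STORES = ("login data", "cookies", "logins.json", "cookies.sqlite", "key4.db")
# Processes that legitimately open their own stores and are therefore excluded.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(seconds=60)  # max gap between store read and outbound connect

def is_credential_store(path):
    """True if the path's file name is a known browser credential store."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() in CREDENTIAL_STORES

def detect_infostealer(events):
    """Alert when a non-browser process reads a credential store and then
    makes a network connection within WINDOW (same host and pid)."""
    reads = defaultdict(list)  # (host, pid) -> timestamps of store reads
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["process"].lower() in BROWSERS:
            continue
        key = (ev["host"], ev["pid"])
        if ev["type"] == "file_read" and is_credential_store(ev["target"]):
            reads[key].append(ev["ts"])
        elif ev["type"] == "net_connect" and any(ev["ts"] - t <= WINDOW for t in reads[key]):
            alerts.append({"host": ev["host"], "process": ev["process"],
                           "pid": ev["pid"], "dest": ev["target"]})
            reads[key].clear()  # one alert per burst of activity
    return alerts

# Constructed sample telemetry: a real browser, then a suspicious "invoice viewer".
T0 = datetime(2026, 5, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "WS-014", "process": "chrome.exe", "pid": 4120, "type": "file_read",
     "target": r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": T0 + timedelta(seconds=5), "host": "WS-014", "process": "chrome.exe", "pid": 4120,
     "type": "net_connect", "target": "203.0.113.10:443"},
    {"ts": T0 + timedelta(seconds=30), "host": "WS-014", "process": "invoice_viewer.exe", "pid": 7788,
     "type": "file_read", "target": r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"ts": T0 + timedelta(seconds=31), "host": "WS-014", "process": "invoice_viewer.exe", "pid": 7788,
     "type": "file_read", "target": r"C:\Users\jo\AppData\Roaming\Mozilla\Firefox\Profiles\ab.default\logins.json"},
    {"ts": T0 + timedelta(seconds=45), "host": "WS-014", "process": "invoice_viewer.exe", "pid": 7788,
     "type": "net_connect", "target": "198.51.100.7:80"},
]

if __name__ == "__main__":
    for alert in detect_infostealer(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Real telemetry would come from an EDR or Sysmon feed, and the allow-list of browsers should be keyed on signed binary paths rather than bare process names, which an attacker can copy.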
The Right Way to Read This Malware Takedown
The operation has disrupted a supply chain that was actively harming businesses. Some victim machines have been disconnected from criminal control. Twenty-seven million passwords have been removed from circulation and will eventually feed into breach notification databases. €41 million in criminal proceeds has been frozen. These are meaningful outcomes.
But the Amadey botnet is eight years old. StealC is three. Both survived to infect 140,000 machines in a single fortnight earlier this year. The disruption is welcome. The assumption that a malware takedown without arrests ends the threat is not warranted. Organisations that relax their defences on the strength of last week’s headlines will find that out, because the operators are still at large and the affiliate subscription model means new customers can pick up where the old ones left off.