Microsoft and Europol: Europol, Microsoft Hit Malware Network Behind 27M Stolen Logins, 140,000 Infected Computers

Microsoft and Europol: Europol, Microsoft Hit Malware Network Behind 27M Stolen Logins, 140,000 Infected Computers

Global Malware Network Disrupted in Operation Endgame

Europol, Microsoft, and international law enforcement partners have dismantled a vast malware network responsible for stealing 27 million login credentials and infecting over 140,000 computers worldwide. The operation, part of Operation Endgame, targeted cybercrime infrastructure used to deploy ransomware and other large-scale attacks.

Authorities seized 326 servers and 142 domains linked to the malware distribution network, while freezing €41 million ($47 million) in suspected criminal crypto assets. The effort involved coordination with Eurojust, Microsoft, and agencies from Germany, the Netherlands, Denmark, the UK, Canada, and the US.

The malware tools disrupted included:

  • SocGholish/FakeUpdates: Spread via fake browser or software updates on compromised websites.
  • Amadey: Provided initial access to systems, enabling further malware installation.
  • StealC: Extracted passwords, digital identities, and other sensitive data from infected devices.

Microsoft’s Digital Crimes Unit used AI to uncover connections between Amadey and StealC, which were operated by separate groups but shared infrastructure. This allowed the company to dismantle 200 command-and-control servers and free 18,000 victim computers from criminal control.

Europol also remediated 14,971 infected websites, including those of small businesses like restaurants and auto repair shops. While the takedown disrupted the network, stolen credentials may still pose risks, as they can be exploited long after the initial breach. The operation highlights the global reach of cybercrime, with infrastructure spanning multiple countries to evade detection.

Source: https://www.techrepublic.com/article/news-europol-microsoft-malware-takedown-emea-eu/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft

Europol TPRM report: https://www.rankiteo.com/company/europol

"id": "eurmic1782440638",
"linkid": "europol, microsoft",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['hospitality', 'automotive'],
                        'location': 'global',
                        'name': 'Small businesses (e.g., restaurants, auto '
                                'repair shops)',
                        'size': 'small',
                        'type': 'business'},
                       {'customers_affected': '18,000+ victim computers freed',
                        'location': 'global',
                        'name': 'General public',
                        'type': 'individuals'}],
 'attack_vector': ['compromised websites', 'fake browser/software updates'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '27 million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['login credentials',
                                              'digital identities',
                                              'passwords']},
 'description': 'Europol, Microsoft, and international law enforcement '
                'partners have dismantled a vast malware network responsible '
                'for stealing 27 million login credentials and infecting over '
                '140,000 computers worldwide. The operation targeted '
                'cybercrime infrastructure used to deploy ransomware and other '
                'large-scale attacks.',
 'impact': {'data_compromised': '27 million login credentials',
            'financial_loss': '€41 million ($47 million) in frozen crypto '
                              'assets',
            'identity_theft_risk': 'high',
            'systems_affected': '140,000+ computers'},
 'initial_access_broker': {'entry_point': ['fake browser/software updates',
                                           'compromised websites']},
 'investigation_status': 'disrupted',
 'lessons_learned': 'The operation highlights the global reach of cybercrime, '
                    'with infrastructure spanning multiple countries to evade '
                    'detection. Stolen credentials may still pose risks long '
                    'after the initial breach.',
 'motivation': ['financial gain', 'data theft'],
 'post_incident_analysis': {'corrective_actions': ['AI-driven detection of '
                                                   'malware connections',
                                                   'international law '
                                                   'enforcement coordination'],
                            'root_causes': ['malware distribution via fake '
                                            'updates',
                                            'shared cybercrime '
                                            'infrastructure']},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'Europol'},
                {'source': 'Microsoft Digital Crimes Unit'}],
 'response': {'containment_measures': ['seizure of 326 servers and 142 domains',
                                       'freezing of €41 million in crypto '
                                       'assets'],
              'law_enforcement_notified': True,
              'recovery_measures': ['freeing 18,000 victim computers from '
                                    'criminal control'],
              'remediation_measures': ['remediation of 14,971 infected '
                                       'websites',
                                       'dismantling of 200 command-and-control '
                                       'servers'],
              'third_party_assistance': ['Europol',
                                         'Microsoft',
                                         'Eurojust',
                                         'agencies from Germany, the '
                                         'Netherlands, Denmark, the UK, '
                                         'Canada, and the US']},
 'title': 'Global Malware Network Disrupted in Operation Endgame',
 'type': ['malware', 'data breach', 'ransomware']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.