
Europol froze $47M in crypto and dismantled infrastructure behind SocGholish and Amadey malware. 27 million credentials recovered. What it means for crypto users.
Law enforcement just delivered one of the year’s most significant blows to cybercriminal infrastructure. Europol, coordinating with agencies across six countries, froze approximately $47 million worth of cryptocurrency tied to three prolific malware operations in a sweeping global crackdown.
The operation, executed on June 24 as part of the ongoing initiative known as Operation Endgame, targeted the malware families SocGholish and Amadey, along with a third tool called StealC. These applications power a “cybercrime-as-a-service” economy. One of them has direct ties to the Russian cybercrime syndicate Evil Corp.
Authorities took down 326 servers and 142 domains that served as the backbone for distributing and controlling the malware. They also cleaned up 14,971 infected websites, most of them WordPress sites that had been hijacked to spread SocGholish through fake software update prompts.
Investigators froze over EUR 41 million, roughly $47 million, in crypto assets linked to criminal proceeds from the malware campaigns. Separately, 27 million stolen login credentials were recovered and are being shared with victims through platforms like Have I Been Pwned.
The takedown brought together law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Eurojust provided judicial coordination. Microsoft contributed critical threat intelligence that helped map the infrastructure. Microsoft’s data linked Amadey and StealC to more than 140,000 infections in early May 2026 alone.
SocGholish operates by compromising legitimate websites and displaying fake browser update notifications. Amadey functions as a loader designed to install additional malware on compromised machines. StealC specializes in stealing sensitive data, including crypto wallet credentials and browser-stored passwords. All three operate under a model where developers build the tools and rent them out to other criminals. This model has lowered the barrier to entry, allowing technically unsophisticated actors to deploy sophisticated malware.
The 27 million recovered credentials represent 27 million potential vectors for account takeover attacks. If any of those credentials belong to crypto exchange accounts, the victims may have already lost funds. The recovery and notification process through Have I Been Pwned is damage control, not prevention.
Hardware wallets, unique passwords per service, and two-factor authentication that doesn’t rely on SMS remain the minimum viable defense against infostealer malware. When cybercrime operators are deploying tools capable of infecting 140,000 devices in a single month, assuming your credentials are safe because you haven’t noticed anything suspicious is optimism doing a lot of heavy lifting.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.