
Europol seized $47M in crypto and took down 326 servers in Operation Endgame, targeting SocGholish, StealC, and Amadey malware used by cybercriminals to steal credentials and deploy ransomware.
Europol seized $47 million in crypto assets and took down 326 servers in a coordinated international operation targeting cybercrime-as-a-service malware, the agency said Wednesday.
The operation, called Endgame, involved law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, along with Microsoft. Authorities also disabled 142 domains and recovered more than 27 million stolen credentials.
The takedown focused on three malware platforms that criminals rented out to infect systems. SocGholish distributed fake browser updates through compromised WordPress sites and was used as a ransomware delivery channel. StealC extracted passwords and digital identities from victims' devices. Amadey spread through phishing campaigns and let attackers install additional malware or steal data.
Microsoft found that Amadey and StealC were linked to over 140,000 infections in the first two weeks of May alone. SocGholish infected 14,971 sites over the same period.
Europol said Endgame marked a strategic shift. Instead of chasing individual malware strains, investigators went after the infrastructure that lets these campaigns scale. The agency worked with Coinbase on the crypto asset seizure.
The operation follows the takedown of Tycoon 2FA, a phishing platform used to bypass multi-factor authentication, which Europol coordinated with Coinbase, Microsoft, and law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom.
Europol, working with the European Union Intellectual Property Office and Spain's National Police, said on Nov. 19 that investigators had disrupted a separate network selling counterfeit goods and laundering proceeds through crypto.