Canadian Cyber Security Journal
Filed under: Featured, News

Operation Endgame Takes Down Amadey and StealC: 27 Million Credentials Recovered as Canada Named Partner Nation — What Canadian Organizations Need to Know

What Happened

On June 24, 2026, Europol and law enforcement agencies from Canada, the United States, Germany, and the Netherlands announced the disruption of the infrastructure supporting two of the most widely deployed malware-as-a-service operations in active use: the Amadey botnet and the StealC infostealer. The action, a follow-on to earlier Operation Endgame phases, seized 326 servers and 142 domains used to operate the two platforms. Investigators recovered approximately 27 million stolen credentials from more than 385,000 compromised systems and identified over €41 million ($47 million USD) in cryptocurrency linked to criminal activity.

Amadey and StealC work in tandem. Amadey functions as a loader and botnet: once it is on a victim device it establishes persistence, reports to its command-and-control servers, and fetches follow-on payloads. StealC is one of those payloads, and it harvests passwords, browser session cookies, cryptocurrency wallet credentials, and other sensitive data. In the first two weeks of May 2026 alone, the pair were linked to more than 140,000 infected computers worldwide. StealC, available as a subscription service at roughly $200 per month, was used extensively in campaigns targeting corporate networks, financial services, and government systems. The same Operation Endgame that cleaned nearly 15,000 SocGholish-infected WordPress sites earlier in June also produced the intelligence that enabled this latest action.

Why This Matters for Canadian Organizations

Canada was a named partner nation in this operation, with the Royal Canadian Mounted Police National Cybercrime Coordination Centre participating alongside US, German, and Dutch counterparts. That direct involvement reflects how seriously Canadian law enforcement has treated the Amadey and StealC ecosystems, both of which feed stolen credentials into ransomware deployment chains. The groups purchasing access from KongTuke-affiliated brokers who relied on StealC-harvested credentials include Qilin, Rhysida, Akira, and Black Basta, threat actors with confirmed Canadian victims in 2025 and 2026.

The 27 million recovered credentials are now being reviewed by investigators. Canadian organizations whose employees’ credentials appear in this dataset face potential follow-on risks, including account takeover and phishing. The FINTRAC reporting threshold for credential theft with fraud potential remains unchanged, and affected organizations with obligations under PIPEDA or provincial privacy legislation should assess whether notification duties apply if employee or client credentials were included in the data set.

StealC specifically harvested browser session cookies, and a stolen cookie lets an attacker replay a session the victim has already authenticated, so the multi-factor prompt is never presented. MFA protects the login, not the session that follows it, which makes this a direct threat to Canadian enterprises relying on MFA as their primary access control. The disruption of this infrastructure removes active attack tooling, but copycat variants and rebuilt infrastructure are common outcomes after takedowns of this scale.
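The practical consequence of cookie theft is that resetting a password does not log the attacker out: the stolen session stays valid until the identity provider invalidates it. The following script is an added example, not code from Europol, BleepingComputer, or the article, and it assumes Microsoft Entra ID as the identity provider (the article does not name one), the Microsoft.Graph PowerShell module, and an operator holding the User.RevokeSessions.All delegated permission. The list of affected user principal names is constructed for illustration.

```powershell
# Added example (not from the article's sources): revoke every issued session
# and refresh token for each affected account, because a stolen session cookie
# survives a password reset on its own.
# Assumptions: Microsoft Entra ID tenant, Microsoft.Graph module installed,
# operator granted User.Read.All and User.RevokeSessions.All. UPNs are constructed.
$affectedUsers = @(
    'a.tremblay@example.ca',
    'j.singh@example.ca'
)

Connect-MgGraph -Scopes 'User.Read.All', 'User.RevokeSessions.All'

$results = foreach ($upn in $affectedUsers) {
    # Escape a single quote so the OData filter cannot be broken by the input.
    $safeUpn = $upn -replace "'", "''"
    $user = Get-MgUser -Filter "userPrincipalName eq '$safeUpn'" -Property Id,UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ User = $upn; Revoked = $false; Note = 'not found in tenant' }
        continue
    }
    try {
        # Resets signInSessionsValidFromDateTime: refresh tokens and browser
        # session cookies issued before now stop working. Access tokens already
        # held by the attacker remain valid until they expire (typically about an hour).
        Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
        [pscustomobject]@{ User = $upn; Revoked = $true; Note = 'sessions revoked; rotate password next' }
    } catch {
        [pscustomobject]@{ User = $upn; Revoked = $false; Note = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Run the revocation first and the password rotation second; doing it in the other order leaves a window in which the old cookie still works against the new password. The remaining access-token lifetime is the reason to also check sign-in logs for activity from unfamiliar locations during the hour after revocation.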

What to Do

Review your security event logs for StealC indicators of compromise. Europol's EC3 is expected to distribute victim notification data through national CERTs, so watch for advisories from the Canadian Centre for Cyber Security (CCCS) and report suspected credential exposure through cyber.gc.ca. For any account exposed to session-hijacking risk, particularly accounts used from browsers on unmanaged endpoints, revoke active sessions and refresh tokens as well as rotating the password: a password reset on its own does not invalidate a session cookie that was stolen before the reset. Verify that endpoint detection tools on managed devices have current detection content for both Amadey and StealC, and check for persistence mechanisms consistent with Amadey's loader behaviour (scheduled tasks, registry Run keys, and startup folder entries) on any device flagged by your EDR since April 2026.
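The persistence check above is something an analyst can run on each flagged endpoint rather than eyeballing by hand. The script below is an added triage example, not code from the article or its sources. It enumerates the three locations the article names (registry Run/RunOnce keys, scheduled tasks, startup folders), keeps anything registered or modified since a cut-off date, and writes the result to CSV. It assumes an elevated PowerShell session on the endpoint; the default cut-off of 2026-04-01 is an assumption mirroring the "since April 2026" window above, and the output file name is illustrative.

```powershell
# Added triage script (not from the article's sources). Enumerates the three
# Amadey-style persistence locations named above and records entries for review.
# Assumptions: run as Administrator on the flagged endpoint; the default cut-off
# mirrors the "since April 2026" window in the article; adjust to your EDR alert window.
param(
    [datetime]$Since   = [datetime]'2026-04-01',
    [string]  $OutFile = "$env:COMPUTERNAME-persistence.csv"
)

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Location, [string]$Name, [string]$Command, $Timestamp) {
    $findings.Add([pscustomobject]@{
        Host = $env:COMPUTERNAME; Source = $Source; Location = $Location
        Name = $Name; Command = $Command; Timestamp = $Timestamp
    })
}

# 1. Registry Run/RunOnce keys. Individual registry values carry no timestamp,
#    so every entry is reported and the analyst decides which are legitimate.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        Add-Finding 'RunKey' $key $name ([string]$item.GetValue($name)) $null
    }
}

# 2. Scheduled tasks registered since the cut-off. The registration date is a
#    string in the task's Date property and may be empty; unknown dates are kept
#    rather than silently dropped.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $registered = $null
    if ($task.Date) { try { $registered = [datetime]$task.Date } catch { $registered = $null } }
    if ($registered -and $registered -lt $Since) { continue }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM handler actions have no command line
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $task.TaskName $cmd $registered
    }
}

# 3. Startup folders: the all-users folder plus every local profile's folder.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$startupDirs += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object { Add-Finding 'StartupFolder' $dir $_.Name $_.FullName $_.LastWriteTime }
}

$findings | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} persistence entries written to {1}" -f $findings.Count, $OutFile)
```

Treat the CSV as a review queue, not a verdict: entries whose command points outside Program Files or the Windows directory, into a user profile, ProgramData, or a temp folder, are the ones to pull the referenced file from and hash against your EDR vendor's Amadey and StealC detection content. Because the script runs on the endpoint itself, an active loader could in principle interfere with it, so where your EDR offers a remote live-response shell, run it from there rather than from an interactive logon.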

Source: BleepingComputer, Europol
