
Europol Operation Seizes 326 Servers, Recovers 27 Million Credentials from Amadey-StealC Network
A collaboration between law enforcement and the public sector seized Amadey and StealC infrastructure, recovering 27 million credentials and restricting $47 million in cryptocurrency. Evidence trails confirm the server counts, but actor attribution rests on official statements without independent verification. The action signals sustained pressure on the MaaS distribution chains used for ransomware and fraud.
This fits a documented sequence of MaaS disruptions where seized domains reappear within 60-90 days under new registrars. Operational significance lies in the 27 million credentials now unavailable for resale, raising immediate costs for downstream ransomware groups reliant on fresh access brokers. Next indicators include spikes in alternative loaders like Emmenhtal and shifts to residential proxy C2.
Europol: Amadey C2 daily count rebounds above 15 within 90 days unless new domain registrations are preemptively blocked.
Sources
- [1] Primary Source (https://www.europol.europa.eu/media-press/newsroom/news/joint-action-disrupts-amadey-stealc-infrastructure)
- [2] Supporting Source (https://www.microsoft.com/security/blog/2026/06/amadey-stealc-operation-details/)