A coordinated international operation has disrupted malware networks linked to SocGholish, Amadey and StealC, with criminal cryptocurrency worth more than €41 million restricted and 27 million stolen login credentials recovered.
Law enforcement agencies in Canada, Denmark, Germany, the Netherlands, the UK and the US took part alongside Microsoft and other private-sector partners, with the activity coordinated by Europol and Eurojust, Europol announced on Wednesday.
Actions carried out over the past two weeks targeted the online infrastructure used to distribute the malicious software, including 326 servers and 142 internet domains.
The operation focused on tools offered as “cybercrime-as-a-service”, meaning the malware is sold or rented to other criminals who then use it to break into systems and carry out further offences such as ransomware attacks, digital extortion and fraud.
SocGholish — also known as “FakeUpdates” — spread by posing as browser updates on compromised websites, leading victims to install malware instead of a real update.
Europol said SocGholish was often distributed through hacked WordPress sites, a widely used website-building platform.
Thousands of infected websites ‘remediated’
Authorities remediated 14,971 infected websites during action against SocGholish, including sites belonging to restaurants and vehicle repair shops, according to Europol.
SocGholish is linked to the Russian cyber-criminal group Evil Corp, which Europol said has previously been responsible for Zeus and Dridex malware and is associated with ransomware and money-laundering operations.
Amadey, another tool targeted in the operation, was mainly spread through phishing campaigns and could introduce additional malware into compromised systems.
StealC was designed to extract sensitive information such as passwords and stored access data from infected computers for later illicit use, including data trading and fraud.
Microsoft linked Amadey and StealC to more than 140,000 infected computers worldwide in the first two weeks of May 2026, according to the company’s own insight cited by Europol.
The Dutch police removed vulnerabilities from infected WordPress sites and notified owners, while WordPress users were urged to change passwords, enable multi-factor authentication and delete unknown additional accounts.

