Fairfield, NJ · Metro New York (888) 711-4521 Founded 2013 · Metro New York
Threat Intelligence

Law Enforcement Just Seized 27 Million Stolen Passwords — Some May Be Yours

This morning, Europol and Microsoft announced something worth pausing for: a coordinated global operation took down the criminal infrastructure behind two tools — Amadey and StealC — that were quietly stealing your employees' passwords and handing them to ransomware gangs. The numbers attached to this takedown are not abstractions. They describe a real, operating assembly line that may have already processed credentials belonging to someone at your company.

What Actually Happened

Operation Endgame — an ongoing international law enforcement effort — announced its latest action on June 24, 2026. Europol, Microsoft's Digital Crimes Unit (DCU), and partners from the United States, Germany, the Netherlands, Canada, and others dismantled the infrastructure behind two pieces of malware sold to criminals as subscription services.

  • Amadey is a loader — a break-in tool. It gets onto a victim's device first and then quietly installs whatever the attacker wants next.
  • StealC is an infostealer — a harvesting tool. Once installed, it vacuums up saved browser passwords, session cookies, email credentials, and even cryptocurrency wallet data, then ships that loot back to the attacker.

"Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information," noted Steven Masada, Assistant General Counsel with Microsoft's Digital Crimes Unit. The two tools were sold separately by different criminal developers, but they were often used together — and AI-powered analysis revealed they shared the same command-and-control infrastructure, making it easier for law enforcement and partners to conduct takedown activities.

The scale is striking: 326 servers and 142 domains were taken offline, investigators identified more than €41 million (approximately $47 million) in cryptocurrency linked to the criminal activity, and approximately 27 million credentials stolen from more than 385,000 compromised systems were recovered.

Those figures are not a lifetime tally. The two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone.

Why a Small Business Should Care

The honest answer is that stolen credentials are the front door to ransomware. According to Microsoft's legal complaint, stolen credentials harvested through StealC are commonly sold on underground marketplaces and through initial-access brokers (IABs) — and those credentials are then used by other threat actors to breach networks, steal data, and deploy ransomware.

Think of it as a supply chain for crime. Amadey functions as the loader — the initial access point — while StealC operates as the stealer, the monetization engine that harvests credentials and data. A criminal buys a monthly subscription to these tools (StealC was reportedly sold for $300 a month), infects devices through phishing links or fake software downloads, harvests your team's passwords, and then sells that access on a dark-web marketplace. A ransomware gang buys it, walks through your front door, and encrypts your files.

Experts called infostealers one of the most important gateways to ransomware. "Many ransomware attacks begin with stolen credentials and session cookies that infostealers harvest and sell to affiliates through access brokers," said Roye Bass, a ransomware threat intelligence analyst at Halcyon.

The infection vector for these tools is not exotic. StealC has been widely distributed through ClickFix lures, in which a fake error message or instructional video (TikTok has been one venue) tells the viewer to paste a command into the Windows Run dialog, and through the FileFix variant, which does the same thing via the File Explorer address bar. That is exactly the kind of thing a well-meaning employee might do on a personal device that also has access to your business email.

And personal devices are a meaningful exposure point. According to the 2025 Verizon Data Breach Investigations Report (DBIR), 46% of the systems compromised by infostealer malware that held corporate logins were unmanaged devices: personal phones and computers on which business and personal credentials sat side by side.

Good News, Honest Caveats

Taking down 326 servers and 142 domains genuinely hurts these operations. Disruptions like this raise costs for criminals, fracture trust between operators and their paying affiliates, and buy defenders time. Given how previous Operation Endgame actions have played out, this one will likely cost StealC real ground: interrupted service and malware delivery, reputational and financial damage, and lost customers.

The honest caveat: the 27 million credentials were recovered, not erased from every criminal's hard drive. Some portion of those logins had already been sold and may already be in use, and taking down infrastructure does not retroactively revoke access obtained with credentials stolen months ago and resold. Nor does it log out an attacker who is already holding a stolen session cookie. That is why this week's action is a prompt, not a conclusion.

Following the SocGholish infrastructure disruption announced last week, the credentials recovered in that action were added to the Have I Been Pwned database so that users could check whether theirs were among them. It is not yet clear whether the credentials from the StealC and Amadey action will be added as well, but that database is worth checking regardless.

What This Means for Your Business, and What to Ask

You do not need to understand how an infostealer works to act on this. You need to ask your managed service provider (MSP) or IT support team a short, direct set of questions — and expect direct answers.

  1. Check Have I Been Pwned. Go to haveibeenpwned.com and search your own email address; the service is free and will tell you whether that address appears in known credential dumps. To see every address on your company's domain at once, use the site's Domain Search, which first requires proving you control the domain (via a DNS record, a file or meta tag on your website, or an email to a standard address such as security@). Do the same for any personal email address that touches business systems.
  2. Ask your IT provider: "Are any of our employee credentials showing up in dark-web monitoring alerts right now?" A competent managed security provider should have this telemetry. If they do not, that is a gap worth discussing.
  3. Ask about multi-factor authentication (MFA) coverage. Stolen passwords are far less useful to an attacker when logging in also requires a second factor, such as a code from an authenticator app. Ask: "Is MFA enforced on every application our team logs into, including email, file storage, and any remote access tool?" Push notifications that simply ask you to tap 'Approve' are better than nothing, but attackers wear users down with repeated prompts; number matching on the prompt and app-generated codes are harder to abuse, and phishing-resistant methods such as FIDO2 security keys or passkeys are stronger still. One caveat worth raising with your provider: MFA is checked at login, so it does not protect an account whose already-authenticated session cookie the infostealer stole. Signing out existing sessions matters as much as changing the password.
  4. Ask about unmanaged devices. If employees access business email or shared files from personal phones or home computers, ask what security controls — if any — apply to those devices. This is one of the most common gaps in small-business security.
  5. Force a password reset, and sign out all sessions, on high-value accounts. At minimum, accounts with administrative access, payroll access, or the ability to initiate wire transfers should have their passwords rotated and their active sessions revoked now, regardless of whether you know they were compromised. Revoking sessions matters because an infostealer takes the browser's session cookies along with the password, and a new password does not invalidate a session the attacker already holds. The cost of a reset is an afternoon of mild inconvenience. The cost of a ransomware event starts at weeks of downtime.
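
Step 1 can be extended from email addresses to the passwords themselves. The block below is an added example written for this article, not code from Have I Been Pwned, Europol or Microsoft, and it shows the k-anonymity scheme behind the HIBP Pwned Passwords service: only the first five hex characters of the password's SHA-1 hash are sent to https://api.pwnedpasswords.com/range/{prefix} (a real endpoint), the service answers with every hash suffix in that range and a breach count, and the match is made locally, so neither the password nor its full hash leaves the machine. The range response embedded below is constructed for the example (the count attached to the suffix of "password" is made up); `fetch_range_live` performs the real query if you want to run it online, and the `triage` helper and account labels are illustrative.

```python
"""Check passwords against the HIBP Pwned Passwords range API using k-anonymity.

Added example: only the 5-hex-character SHA-1 prefix is sent to the service;
the full hash and the password itself stay on this machine.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex chars of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range API returns.

    With the Add-Padding header the service mixes in fake suffixes with a count
    of 0 so the response size does not reveal how many real hashes share the
    prefix; those padding lines are dropped here.
    """
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines rather than crash
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real service. Only `prefix` (5 hex chars) is transmitted."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_exposure_count(
    password: str, fetch_range: Callable[[str], str] = fetch_range_live
) -> int:
    """Return how many times the password appears in known dumps (0 = not seen).

    `fetch_range` is injectable so the logic can be exercised offline.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def triage(
    passwords: dict[str, str], fetch_range: Callable[[str], str] = fetch_range_live
) -> list[str]:
    """Return the account labels whose passwords have been seen in a dump, most exposed first."""
    exposed = {label: password_exposure_count(pw, fetch_range) for label, pw in passwords.items()}
    return sorted((name for name, n in exposed.items() if n > 0), key=lambda name: -exposed[name])


# ---- Constructed sample data (not a real API response) ----
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:0",        # padding entry, count 0
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",  # suffix of "password"; count is made up
        "FFFF0123456789ABCDEF0123456789ABCDE:3",        # unrelated entry in the same range
        "",
    ]),
}


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; unknown prefixes get a padding-only body."""
    return SAMPLE_RANGES.get(prefix, "ABCDEF0123456789ABCDEF0123456789ABC:0")


if __name__ == "__main__":
    # Illustrative account labels; in practice these come from a password manager export.
    accounts = {"payroll-admin": "password", "cfo": "correct horse battery staple"}
    for label in triage(accounts, fake_fetch):
        seen = password_exposure_count(accounts[label], fake_fetch)
        print(f"{label}: password seen {seen:,} times in known dumps; rotate it")
```

Run offline as-is to see the constructed result; pass `fetch_range_live` instead of `fake_fetch` to query the real service. The design point is that the list of suffixes comes back to you, so the server learns only that someone asked about one of roughly a million hash prefixes, never which password was checked.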

Operation Endgame is a genuine win for defenders. The people who built and sold Amadey and StealC are having a very bad week. But the stolen credentials already in circulation do not disappear because the servers do. A password that was harvested in April is still a valid key unless someone changes the lock.

This is the moment to change the lock.

Secured by IA