‹ ARCHIVE NB-L054 · .log · 2026·06

27 million stolen passwords recovered: police hit the factory behind cybercrime, not its customers


Twenty-seven million stolen passwords, recovered in a single sweep. Alongside them, 326 servers seized, 142 domains taken down and €41 million in cryptocurrency frozen. These are the figures from an international operation announced on June 24, Operation Endgame, led by Europol and Microsoft's Digital Crimes Unit. But the number that matters isn't any of these. It's the target. This time, the police didn't go after a ransomware gang. They went after the factory that supplies them.

Almost every cybercrime story you read is about the end customer: the group that encrypted a hospital's data, the scam that emptied an account. Endgame hit a link further upstream, which few operations do. Amadey and StealC, the two targets, aren't ransomware. StealC is an infostealer, a program that installs itself quietly and copies everything you have saved: the passwords stored in your browser, the cookies that keep you logged in, your card details. Amadey is a loader, a delivery program that opens the door and installs the rest. Together, they are the assembly line. Europol said almost exactly that: the goal was to shut down the "assembly lines" that feed ransomware, fraud and attacks on critical infrastructure. Those 27 million credentials are that factory's inventory.

To grasp the scale: in just two weeks of May, these two programs alone were linked to more than 140,000 infected computers worldwide. Microsoft identified over 18,000 of those machines, cut off the criminals' control over them, and began working with telecom providers to warn those affected.

AI switched sides, for once

There is one detail in this operation worth more than the numbers. To build its court case, Microsoft used its own artificial intelligence, Copilot, to analyze the two programs. What would normally take days of manual work was done in minutes: the AI realized that, although Amadey and StealC were built by different people, they ran on the same infrastructure. That allowed the lawyers to treat both as a single conspiracy and apply RICO, the US law created to pursue organized crime as a whole structure rather than piece by piece. Month after month, we have been reading about AI in the service of the attacker. Here, for the first time so visibly, it sits in the court filing and not in the attack code. What it did was forensic work: following the shared infrastructure until it tied two names to the same network.

And in Portugal?

This isn't a problem of distant companies. Portugal's National Cybersecurity Centre has warned that in 2025 close to 80% of the malware detected in the country was exactly this type, the infostealer, and that in 2026 it is the fastest-growing one and the leading cause of hijacked social-media and bank accounts. The mechanics are mundane, which is precisely why they work: you save your passwords in the browser for convenience, you open a pirated installer or click the wrong link, and the thief copies everything in seconds and vanishes. There is no ransom screen, no warning. The first time you notice is when the account is no longer yours. Some of those 27 million credentials almost certainly belong to people living here.

How not to feed the factory

The operation shuts down the infrastructure; it doesn't erase what was already stolen. The defense is still yours:

  • Take your passwords out of the browser and move them to a dedicated password manager with a strong master key. The browser is the first place an infostealer looks.
  • Turn on two-step verification on everything that matters. A stolen password is no longer enough to get in.
  • Be wary of "free" installers, cracks and software from outside the official stores. They are these thieves' favorite vehicle.
  • If you suspect an infection, changing the password isn't enough: while the program is on the machine, the new one gets copied too. Clean the device first, change the credentials after.

An operation like this is a raid on the factory, not the end of the industry. The infrastructure rises again somewhere else, and the 27 million keys already copied keep circulating. The good news is that most locks are easy to change. The bad news is that the lock you haven't changed yet is still theirs.

Sources: Europol, The Register, Portugal's National Cybersecurity Centre.

#StaySafe
🙏🖖
