HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Law Enforcement Disrupts StealC & Amadey Malware Networks, Crippling Credential‑Stealing Operations

International law‑enforcement and private‑sector partners dismantled 326 servers and 142 domains used by the StealC and Amadey malware families, which together have infected over 140,000 computers and stolen passwords and sensitive data. The operation seized €41 million in crypto assets, highlighting the ongoing risk of credential‑theft threats. For organizations pursuing SOC 2 compliance, the incident underscores the need for robust access‑control policies and continuous monitoring.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

Law Enforcement Disrupts StealC & Amadey Malware Networks, Crippling Credential‑Stealing Operations

What Happened — International law‑enforcement agencies (Netherlands, Canada, United States, Germany) together with Europol, Eurojust, Microsoft’s Digital Crimes Unit and private‑sector partners dismantled the infrastructure behind the StealC and Amadey malware families. The operation took down 326 servers and 142 domains, seized €41 million in crypto assets, and disrupted a network that had infected more than 140,000 computers worldwide, stealing passwords and other sensitive data.

Why It Matters for Compliance & Audit Readiness

  • The incident exemplifies a credential‑compromise scenario that SOC 2’s Logical Access Security (CC6.1) controls are designed to prevent and document.
  • Continuous monitoring of access‑control logs and evidence of remediation become critical audit artifacts after a large‑scale theft.
  • Demonstrates the need for robust password‑management policies, MFA enforcement, and security‑awareness training to satisfy SOC 2 readiness.

Who Is Affected – Technology/SaaS providers, financial services firms, retail/e‑commerce operators, and professional services organizations that rely on password‑protected systems.

Recommended Actions

  • Review and tighten password‑management policies; enforce multi‑factor authentication across all privileged accounts.
  • Map the incident to SOC 2 CC6.1 (Logical Access Security) and begin collecting evidence of control effectiveness (e.g., MFA logs, privileged‑access reviews).
  • Deploy credential‑monitoring tools and conduct targeted security‑awareness training on phishing and credential‑theft tactics.

Source: Help Net Security – Operation Endgame disrupts StealC and Amadey

Technical Notes

  • Attack vector: Malware‑as‑a‑service delivering credential‑stealing payloads via compromised websites (SocGholish framework).
  • Data types stolen: Passwords, authentication tokens, and other sensitive personal or corporate information.
  • Scale: >140 k infected devices; >18 k victim computers remediated; €41 M crypto assets frozen.

Source: same as above

📰 Original Source
https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →