Key Highlights
- Operation Endgame froze more than $47 million (€41 million) in criminal cryptocurrency assets.
- Law enforcement agencies disrupted 326 servers and 142 domains tied to malware operations.
- Over 27 million stolen credentials were recovered during the investigation.
A major international law enforcement operation has disrupted some of the world’s most widely used malware networks and frozen more than $47 million (€41 million) worth of cryptocurrency linked to cybercriminal activity.
According to the Europol report, the latest phase of Operation Endgame targeted the infrastructure behind malware strains, including SocGholish, Amadey, and StealC, which have been widely used to facilitate ransomware attacks, credential theft, financial fraud, and large-scale cyber intrusions.
The coordinated operation involved authorities from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside Europol, Eurojust, Microsoft, and several private cybersecurity partners.
What authorities found during the raid
As part of the operation, investigators identified and restricted access to cryptocurrency assets linked to criminal activity with an estimated value exceeding $47 million. Authorities also recovered approximately 27 million stolen login credentials that had been collected through malware infections and credential theft campaigns.
The operation focused on disrupting the infrastructure that cybercriminals use to launch attacks rather than targeting individual ransomware incidents. Investigators took action against 326 servers and 142 domains connected to the malware ecosystem, disrupting the distribution channels used by threat actors.
How cybercriminals used malware to steal data
Europol described the targeted malware as part of the growing “cybercrime-as-a-service” ecosystem, where malware developers provide attack tools to other criminals.
SocGholish, also known as FakeUpdates, spread through compromised websites by displaying fraudulent browser update prompts. Victims who installed the fake updates unknowingly gave attackers access to their systems.
StealC was primarily designed to harvest passwords, authentication credentials, and sensitive user information from infected devices, while Amadey was commonly used as an initial access tool capable of delivering additional malware and stealing data.
According to Microsoft intelligence cited by Europol, Amadey and StealC alone were linked to more than 140,000 infected devices worldwide during the first two weeks of May 2026.
Why authorities targeted the cybercrime supply chain
Rather than focusing on a single ransomware group, investigators aimed to disrupt the infrastructure that enables cyberattacks at scale. Europol said the operation was designed to dismantle the “assembly line” cybercriminals use to launch ransomware campaigns, steal credentials, conduct financial fraud, and attack critical infrastructure.
The agency’s European Cybercrime Centre (EC3) coordinated intelligence sharing, cryptocurrency tracing, operational support, and victim notification efforts throughout the investigation.
Europol expands crypto crime crackdown
The latest action continues Europol’s broader efforts to target cryptocurrency-related criminal networks.
Last year, Europol coordinated a separate operation that dismantled a large cryptocurrency investment fraud network and arrested multiple suspects accused of defrauding victims across several jurisdictions.
The agency says cybercriminal groups increasingly rely on cryptocurrency to move, conceal, and launder illicit proceeds, making blockchain tracing and international cooperation critical components of modern cybercrime investigations.
Europol confirmed that Operation Endgame remains ongoing and that additional enforcement actions may follow as investigators continue identifying criminal infrastructure and tracing illicit funds.
Authorities believe the disruption of key malware services, combined with the seizure of cryptocurrency assets and recovery of stolen credentials, will significantly increase operational costs for cybercriminal organizations and hinder future ransomware and fraud campaigns.

