Europol announced that crypto assets linked to crime worth more than 41 million euros (about $47 million) were frozen in the latest stage of Operation Endgame. The two-week, multi-country operation struck at malware infrastructure that targets crypto wallets and account credentials.
Operation carried out against malware networks
The infrastructure behind three malware families, SocGholish, Amadey and StealC, was reported disrupted in the operation. According to Europol, this malware was used to harvest passwords and crypto wallet data, which then fed fraud, account takeover and ransomware attacks.
Europol said that in this stage, criminal proceeds held as crypto assets worth more than 41 million euros were identified, flagged and frozen.
Amadey was reported to serve as the loader that gains initial access to systems and then installs additional malware. SocGholish, which is associated with the Russia-linked group Evil Corp, was delivered through fake browser update prompts on compromised websites. Authorities noted that these two tools form the first link in the attack chain, which can end in emptied wallets and ransomware incidents.
Mini dictionary: An infostealer is a type of malware that infiltrates a device and quietly collects saved passwords, wallet files, private keys and recovery phrases. CaaS (cybercrime-as-a-service) refers to the model in which cybercrime tools and infrastructure are offered as a rentable service.
Servers and domains have been shut down
Police units disabled 326 servers and 142 domains. In addition, roughly 27 million stolen identity records were recovered from more than 385,000 compromised systems. About 15,000 infected websites were cleaned, a significant share of them belonging to small businesses.
| Item | Figure |
|---|---|
| Frozen crypto assets | more than 41 million euros |
| Servers shut down | 326 |
| Domain names taken down | 142 |
| Identity records recovered | about 27 million |
| Affected systems | more than 385,000 |
Supporting the operation, Microsoft announced that more than 140,000 infected computers linked to Amadey and StealC alone were detected in the first two weeks of May. The company’s Digital Crimes Unit reported that it has brought down five separate infrastructures supporting the cybercrime-as-a-service model in the last nine months.
Crypto wallet data targeted
According to experts, this class of malware, known as infostealers, has become one of the main vehicles for crypto theft. Wallet files, private keys and recovery phrases can be lifted from devices without the user noticing. Fake artificial intelligence tools, game-platform themes and pirated game add-ons were also among the lures used in the attacks.
Microsoft said that although Amadey and StealC were developed by different authors, they ran on shared infrastructure, so it treats the two operations as a single criminal network.
In the previous Operation Endgame phase, carried out towards the end of last year, it emerged that login data for more than 100,000 crypto wallets had been stolen but not yet used. In the latest phase, efforts to cut off the attackers’ control continued, and more than 18,000 victim computers were identified.
Authorities warned users
Authorities stressed that operations like this do not always eliminate a malware family outright, and operators often regroup; indeed, StealC’s developers reportedly released a new version this month.
Europol and its partners are feeding victim data to services such as Have I Been Pwned, so users can check whether their login credentials, or data that grants access to their wallets, were among those captured by the attackers.
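As an added example, not code from the article, Europol or Have I Been Pwned: checking whether a breached e-mail address appears in Have I Been Pwned requires an API key, but the site’s Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}`) works without one and uses the same k-anonymity principle, so the password itself never leaves the machine. The server returns one `SUFFIX:COUNT` line per hash sharing that prefix; the client matches the remaining 35 characters locally. The response text below is constructed for the example (the counts are made up, except that the SHA-1 of `password` really is `5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8`), and `fetch_range` is the only part that touches the network.

```python
import hashlib
import urllib.request

# Constructed sample response in the Pwned Passwords "range" format:
# one "HASH_SUFFIX:COUNT" line per SHA-1 that shares the queried 5-char
# prefix. Counts here are made up for the example; the real endpoint
# returns hundreds of suffixes for every prefix.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that is sent to the server and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_body: str, suffix: str) -> int:
    """Return the breach count for `suffix` in a range response, 0 if absent.
    Malformed lines are skipped rather than trusted."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Network call: query the Pwned Passwords range endpoint for a prefix.
    Only the 5-char prefix is transmitted, never the full hash or password."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    `fetch` is injectable so the check can be run against a captured response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return match_suffix(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed response above.
    seen = pwned_count("password", fetch=lambda _prefix: SAMPLE_RANGE_RESPONSE)
    print(f"'password' seen {seen} times in the sample range")
    # Replace the lambda with the default fetch_range to query the live service.
```

Run offline the script uses the embedded sample; to query the live service drop the `fetch=` argument. Any non-zero count means the password has appeared in a known breach corpus and should be rotated on every account where it was reused, which is exactly the exposure an infostealer campaign like the ones above creates.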


