Proofpoint and IBM X-Force have played a key role in a global law enforcement operation that disrupted the StealC malware ecosystem, dealing a significant blow to one of the cybercriminal underground’s most active information-stealing platforms.
The operation, carried out in June 2026 as part of Operation Endgame, was coordinated by Europol with support from multiple international law enforcement agencies and private-sector partners. The joint effort targeted infrastructure associated with the StealC and Amadey malware families, resulting in the disruption of 66 domains and 296 servers. Authorities also seized more than 25.6 million unique credentials stolen from over 385,000 compromised systems.
As part of the investigation, Proofpoint and IBM X-Force researchers developed a StealC emulator that enabled them to identify, monitor, and analyze the malware’s infrastructure, operations, and payload delivery mechanisms. Researchers also discovered a vulnerability in the StealC command-and-control panel, which law enforcement leveraged to support the disruption effort.
StealC has operated as a malware-as-a-service (MaaS) platform since early 2023, allowing affiliates to distribute malware designed to steal browser credentials, payment card information, cryptocurrency wallets, messaging accounts, VPN credentials, and other sensitive data. The stolen information is often sold on underground marketplaces or used to launch follow-on attacks, including ransomware campaigns.
During their investigation, Proofpoint and IBM X-Force observed StealC distributing a wide range of secondary malware. In several cases, infected systems received additional loaders that eventually deployed remote access trojans or ransomware, highlighting the malware’s role as an entry point for more sophisticated cyberattacks.
The disruption marks another milestone in the ongoing Operation Endgame initiative, which targets the cybercrime infrastructure supporting malware operations worldwide. Proofpoint said the collaboration demonstrates the value of intelligence sharing between private cybersecurity companies, law enforcement agencies, and organizations such as Microsoft’s Digital Crimes Unit in disrupting large-scale cybercriminal ecosystems and strengthening collective cyber resilience.