Europol announced the disruption of three major infostealer malware families in a coordinated international operation. SocGholish, Amadey, and StealC were the targets. The action froze €41 million (approximately $47 million USD) in cryptocurrency tied to the campaigns.

Infostealers are malware designed to extract passwords, authentication credentials, and wallet keys from infected machines. SocGholish and Amadey operate as botnets that propagate through compromised websites and malvertising networks. StealC follows a similar distribution model. Once installed, each family logs keystrokes, captures screenshots, and harvests browser-stored credentials and cryptocurrency private keys.

The operation involved law enforcement agencies across multiple jurisdictions working with Europol to identify and seize cryptocurrency wallets connected to the malware operators. The frozen assets represent proceeds of theft and fraud against victims rather than operational infrastructure alone.

Europol did not disclose the total number of infected machines or the geographic distribution of victims in the public announcement. The malware families have been active for years. SocGholish and Amadey have targeted enterprise and consumer systems across Europe and North America. StealC emerged as a malware-as-a-service offering in recent years and has been tracked stealing cryptocurrency and financial credentials from thousands of victims.

The coordinated operation is a significant enforcement action against commodity infostealers, which remain among the most prevalent attack vectors for stealing cryptocurrency. Unlike targeted ransomware operations or advanced persistent threats, infostealers rely on volume and automation. A single compromised ad network or vulnerable website can distribute malware to tens of thousands of machines in hours. Each infection is low-value individually, but the aggregate theft becomes significant at botnet scale.

Law enforcement did not announce arrests or charges related to the operation. Europol's statement did not specify how long the investigation spanned or which agencies took the lead in specific jurisdictions. The publication of the takedown may prompt malware operators to relocate infrastructure, rotate command-and-control servers, or migrate to alternative hosting providers. Cryptocurrency exchanges and blockchain monitoring firms often receive law enforcement notices to flag seized wallet addresses, preventing the operators from converting frozen assets back to fiat currency or other tokens without detection.

The frozen funds represent a rare instance of asset recovery in infostealer cases. Most victims of credential theft recover nothing. Whether restitution will flow to victims or be retained by law enforcement depends on each jurisdiction's procedures for criminal asset forfeiture. No timeline for potential victim compensation has been announced.