
Microsoft - Data Breach

Moderate | Anti-Privacy | Data Breach

Executive Summary

Microsoft and Europol disrupted three major "cybercrime as a service" operations by seizing 326 servers and 142 domains used to distribute malware that steals passwords and enables ransomware attacks. The two-week operation recovered 27 million stolen login credentials and €41 million in cryptocurrency, while identifying over 18,000 infected victim computers and nearly 15,000 compromised retailer websites. The action targeted infrastructure shared by multiple criminal tools, making it harder ...

What Happened

Microsoft and Europol conducted a two-week international operation in June 2026 that dismantled cybercrime infrastructure used to distribute SocGholish, Amadey, and StealC malware. Law enforcement seized 326 servers and 142 domains, recovered approximately 27 million stolen login credentials and €41 million in cryptocurrency, and identified over 18,000 infected victim computers along with nearly 15,000 compromised retailer websites. The operation targeted 'cybercrime as a service' platforms where criminals pay to use malware tools that steal passwords, enable ransomware attacks, and facilitate fraud.

Who Is Affected

Over 18,000 computer users worldwide were identified as victims whose devices were infected by these malware strains. Nearly 15,000 retailer websites were compromised with SocGholish malware, affecting both the retailers and their customers. The 27 million recovered login credentials indicate a massive pool of individuals whose passwords and authentication data were stolen, potentially enabling unauthorized access to their accounts across various services.

Why It Matters

This operation represents a shift in law enforcement strategy from targeting individual cybercriminals to dismantling shared infrastructure that multiple criminal groups depend on, potentially making it harder for attackers to rebuild their operations. The scale of credential theft - 27 million login credentials from just these three malware families - demonstrates how industrialized cybercrime has become through 'as a service' models. Infostealers like StealC quietly capture passwords and session tokens that serve as entry points for subsequent attacks including ransomware and financial fraud.

What You Should Do

Change passwords immediately on all accounts, especially if you reuse passwords across multiple sites, and enable two-factor authentication wherever possible to protect against stolen credentials being used for unauthorized access. If you manage or own a website, check for signs of compromise and ensure all software is updated, as nearly 15,000 retailer sites were found to be infected. Monitor financial accounts and credit reports for suspicious activity, since stolen credentials are often used for fraud.

Summary generated from verified sources and reviewed before publication.
