
Global operation disrupts cybercrime assembly line with one-two punch

Summary

– Authorities and private companies disrupted a cybercrime “assembly line” that stole over $47 million and millions of login credentials.
– The operation targeted Amadey, a malware-as-a-service platform, and StealC, an infostealer-as-a-service platform, which are often used together.
– Amadey compromises devices and delivers malicious payloads, while StealC steals credentials, cookies, and cryptocurrency wallets.
– Although run independently, both tools relied on shared underlying infrastructure, which Microsoft identified using AI analysis.
– Microsoft obtained a legal order to disrupt both tools simultaneously, severing a critical link in the cybercrime chain.

International law enforcement agencies, alongside a coalition of private tech firms, have announced the takedown of a cybercriminal “assembly line” responsible for amassing millions of stolen login credentials and extracting over $47 million through ransom payments and other fraudulent schemes.

The coordinated effort centered on a dual strike against two unrelated but frequently paired tools. The first, Amadey, is a malware-as-a-service platform that has been active since at least 2018. It lets attackers compromise devices and deploy malicious payloads, including ransomware. Last year, it was observed abusing GitHub to harvest system data from infected machines and install tailored malware. The second tool, StealC, operates as an infostealer-as-a-service, designed to steal passwords, authentication cookies, cryptocurrency wallets, browser extensions, and any files matching patterns its customers specify.

Disrupting a critical link in the cybercrime supply chain

Although Amadey and StealC are independent services run by separate operators, their widespread adoption means many cybercriminals use them in tandem. Investigators found that both tools depended on overlapping backend infrastructure. Microsoft identified this shared dependency by analyzing the tools with AI-driven techniques, and its legal team used that finding to secure a court order that disrupted both platforms at once.

“This operation targets the cybercrime assembly line, where coordinated tools drive ransomware, financial fraud, and disruptions to public services,” Microsoft stated on Wednesday. “Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain.”

(Source: Ars Technica)
