Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash them with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the bytes you hold are exactly what was committed, and the block that carries the memo bounds the time by which they existed. The anchor proves integrity and timing of the record, not the correctness of the verdict.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
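A worked recomputation of the three-way check described above, added here as an example; it is not the site's src.verify_decision module. It assumes the memo layout quoted above, SHA-256 over the canonical bytes exactly as stored, and the Bitcoin/Solana base58 alphabet. The sample payload and memo are constructed for the run, and the transaction fetch from a Solana RPC node is left out so the block runs offline: the memo string is passed in as if already decoded from the SPL Memo instruction.

```python
"""Recompute and cross-check an AVOID.NET decision hash.

Added example, not the site's own verifier. Assumptions: memo layout
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>; SHA-256 over the canonical
bytes as-is; Bitcoin/Solana base58 alphabet. No network access.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet. Each leading 0x00 byte
    becomes a literal '1', which a plain big-integer conversion would drop."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def canonical_hash_b58(canonical: bytes) -> str:
    """SHA-256 over the exact canonical bytes, base58-encoded (43 or 44 chars)."""
    return b58encode(hashlib.sha256(canonical).digest())


def parse_memo(memo: str) -> dict:
    """Parse 'AVOID.NET|v1|h:<b58>|d:<id>|t:<iso>' into {'h','d','t'}.
    Each field is split on its first ':' only, because the ISO timestamp
    itself contains colons. Any layout violation raises ValueError."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[0] != "AVOID.NET" or parts[1] != "v1":
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for part in parts[2:]:
        key, sep, value = part.partition(":")
        if not sep or key not in ("h", "d", "t") or key in fields or not value:
            raise ValueError(f"bad memo field: {part!r}")
        fields[key] = value
    if set(fields) != {"h", "d", "t"}:
        raise ValueError("memo missing one of h/d/t")
    return fields


def verify_decision(db_hash: str, canonical: bytes, memo: str,
                    decision_id: str, off_chain_at: str) -> dict:
    """The three-way comparison, plus binding of the memo's d: and t: fields
    to the decision record. 'ok' is True only when every check passes."""
    recomputed = canonical_hash_b58(canonical)
    fields = parse_memo(memo)
    checks = {
        "db_matches_recomputed": db_hash == recomputed,
        "memo_matches_recomputed": fields["h"] == recomputed,
        "memo_id_matches": fields["d"] == decision_id,
        "memo_time_matches": fields["t"] == off_chain_at,
    }
    return {"recomputed": recomputed, "ok": all(checks.values()), **checks}


# Constructed sample (not the real 27451-byte payload from this page): a short
# canonical string in the same shape, with the page's decision id and time.
SAMPLE_CANONICAL = (
    b'{"actor":"system:backfill","investigation_id":"4ff5739b-91ad-4d18-ba47-33ab96f78d03",'
    b'"kind":"publish","published_at":"2026-06-26T12:17:33.441Z","sequence_num":1,"v":1}'
)
SAMPLE_ID = "4ff5739b-91ad-4d18-ba47-33ab96f78d03"
SAMPLE_TIME = "2026-06-26T12:17:33.530Z"


def build_memo(canonical: bytes, decision_id: str, off_chain_at: str) -> str:
    """What the committer would write on-chain for these bytes (assumed layout)."""
    return f"AVOID.NET|v1|h:{canonical_hash_b58(canonical)}|d:{decision_id}|t:{off_chain_at}"


def demo() -> tuple:
    """Run the check once on intact bytes and once on a tampered copy."""
    memo = build_memo(SAMPLE_CANONICAL, SAMPLE_ID, SAMPLE_TIME)
    db_hash = canonical_hash_b58(SAMPLE_CANONICAL)  # what the database would store
    good = verify_decision(db_hash, SAMPLE_CANONICAL, memo, SAMPLE_ID, SAMPLE_TIME)
    # One byte changed in the stored bytes: database hash and memo still agree
    # with each other, but neither matches what you recompute yourself.
    tampered = SAMPLE_CANONICAL.replace(b'"sequence_num":1', b'"sequence_num":2')
    bad = verify_decision(db_hash, tampered, memo, SAMPLE_ID, SAMPLE_TIME)
    return good, bad


if __name__ == "__main__":
    intact, altered = demo()
    print("intact  :", intact["ok"], intact["recomputed"])
    print("tampered:", altered["ok"], altered["recomputed"])
```

To run this against a real decision, replace SAMPLE_CANONICAL with the exact bytes shown under "Canonical bytes hashed" (copied as UTF-8 with no added whitespace or line breaks) and the memo with the string decoded from the SPL Memo instruction of the transaction for the listed signature. The d: and t: checks matter: a memo whose hash matches but whose id or timestamp disagrees with the decision record is a different commitment, not a confirmation of this one.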
Decision
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 429019688
- Off-chain at: 2026-06-26T12:17:33.530Z
- Anchored at: —
- Block time: —
Independent verification
1. Database (off-chain): YdVV51uAoRqGu8aamYy8W4f4uHtEsWVxaTEE6aAbaaX
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (27451 chars)
{"actor":"system:backfill","investigation_id":"4ff5739b-91ad-4d18-ba47-33ab96f78d03","kind":"publish","page_slug":"crypto-clipper-worm-microsoft-dcu-takedown-june-2026","published_at":"2026-06-26T12:17:33.441Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Crypto Clipper Worm (Microsoft DCU Takedown June 2026)","sections":[{"content":"CryptoBandits is a Windows-based cryptocurrency clipper malware first identified by Microsoft Threat Intelligence and Microsoft Defender Experts in February 2026. Microsoft Defender detects it as Trojan:Win32/CryptoBandits and related variants. The campaign combines four distinct threat capabilities in a single lightweight package: clipboard interception and seed-phrase theft, wallet-address substitution, worm-like USB propagation, and Tor-routed command-and-control communications that also enable remote code execution. This multi-capability design elevates it beyond a simple financial stealer into a persistent backdoor, according to Microsoft's June 17, 2026 disclosure.","heading":"Malware Overview and Classification","severity":"critical","sources":[{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"credibility":2,"name":"The Hacker News: Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2","type":"news_article","url":"https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html"},{"credibility":2,"name":"SecurityWeek: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor","type":"news_article","url":"https://www.securityweek.com/cryptobandits-malware-doubles-as-a-backdoor-abuses-tor/"}]},{"content":"The malware spreads via malicious Windows Shortcut (.lnk) files distributed on USB storage devices. When an infected USB drive is connected, the malware scans for common document types including DOC, XLSX, and PDF files, hides the originals, and replaces them with identically named .lnk shortcut files. When an unsuspecting user opens what appears to be a legitimate document, the shortcut silently triggers the malware's execution chain. A worm component checks whether the machine is already infected before fetching a payload from a remote server, preventing duplicate installations. Persistence is established through Windows scheduled tasks. The worm then scans any newly connected USB devices and repeats the propagation cycle, enabling organic spread across air-gapped or minimally networked environments.","heading":"Propagation Mechanism: USB LNK Worm","severity":"critical","sources":[{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"credibility":2,"name":"CoinDesk: Microsoft identifies malware worm that hijacks crypto wallets, spreads through USB drives","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/19/microsoft-found-malware-that-hijacks-crypto-wallets-and-spreads-through-usb-sticks"},{"credibility":2,"name":"BleepingComputer: USB worm spreads crypto-stealing malware via Windows shortcut files","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/"}]},{"content":"The clipper component monitors the Windows clipboard approximately every 500 milliseconds using Windows Script Host (WScript) and ActiveXObject bindings. It targets 12-word and 24-word BIP-39 seed phrases, Ethereum private keys, Bitcoin wallet credentials, and cryptocurrency wallet addresses across multiple networks including Bitcoin, Tron, and Monero. When a matching pattern is detected, the malware performs two distinct attacks: it exfiltrates the captured data through Tor-based C2 infrastructure, and it silently replaces copied wallet addresses with attacker-controlled lookalike addresses to hijack outgoing transfers. The malware also captures five screenshots at ten-second intervals for additional intelligence gathering. An anti-analysis check exits the clipper if Task Manager is detected among running processes.","heading":"Clipboard Hijacking and Seed Phrase Theft","severity":"critical","sources":[{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"credibility":2,"name":"AMBCrypto: Microsoft warns new Crypto Clipper malware can steal seed phrases and hijack wallet transfers","type":"news_article","url":"https://ambcrypto.com/microsoft-warns-new-crypto-clipper-malware-can-steal-seed-phrases-and-hijack-wallet-transfers/"},{"credibility":2,"name":"TechRadar: New lightweight, self-propagating crypto stealing malware delivered by USB spotted by Microsoft researchers","type":"news_article","url":"https://www.techradar.com/pro/security/new-lightweight-self-propagating-crypto-stealing-malware-delivered-by-usb-spotted-by-microsoft-researchers-crypto-clipper-script-based-stealer-hunts-for-vulnerable-wallets"}]},{"content":"CryptoBandits deploys a portable Tor binary renamed ugate.exe in a hidden window. The malware waits approximately 60 seconds for the Tor client to bootstrap, then configures a SOCKS5 proxy on localhost port 9050. All C2 traffic routes through Tor's .onion hidden-service network, preventing corporate firewalls and network monitoring tools from intercepting or tracing communications by IP address. Each infected device is assigned a victim GUID and registered with the C2 server. The malware then enters a polling loop, checking for instructions every 500 milliseconds. The C2 can respond with EVAL commands enabling remote code execution, which transforms the clipper from a financial-theft tool into a persistent backdoor capable of arbitrary payload delivery. Screenshot exfiltration also travels through the Tor channel.","heading":"Command and Control Infrastructure (Tor-Based)","severity":"critical","sources":[{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"credibility":2,"name":"The Hacker News: Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2","type":"news_article","url":"https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html"},{"credibility":2,"name":"TechJack Solutions: USB-Delivered Crypto Clipper Combines Tor C2, Worm Propagation and Runtime Code Execution","type":"research","url":"https://techjacksolutions.com/scc-intel/usb-delivered-crypto-clipper-combines-tor-c2-worm-propagation-and-runtime-code-execution-in-active-campaign/"}]},{"content":"The CryptoBandits campaign intersects with broader supply-chain risk in cryptocurrency environments. Because the malware establishes a persistent backdoor with remote code execution capability, it poses particular danger in developer and CI/CD environments where the same workstation may be used for wallet management and code deployment. Security researchers have noted that the worm's ability to spread through USB drives creates a vector for infection of air-gapped or partially isolated developer systems. The CryptoBandits campaign coincides with a parallel threat identified in May 2026 in which more than 34 malicious packages across npm, PyPI, and Crates.io targeted SSH keys, GitHub tokens, cloud credentials, and wallet files, indicating a broader trend of threat actors targeting the developer-to-custody attack surface. The convergence of USB-based worm propagation with remote code execution capability means that a single infected developer machine could expose both wallet credentials and deployment pipeline access.","heading":"Supply Chain and Developer Credential Risk","severity":"high","sources":[{"credibility":2,"name":"CryptoDaily: USB Wallet Malware Warning — Why Offline Crypto Storage Still Has Supply-Chain Risk","type":"news_article","url":"https://cryptodaily.co.uk/2026/06/usb-wallet-malware-offline-storage-supply-chain-risk"},{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"}]},{"content":"Microsoft's June 24, 2026 blog post on StealC and Amadey provides context for the delivery infrastructure used in and around the CryptoBandits campaign. StealC and Amadey are distinct but complementary malware families: Amadey functions as a dropper/loader spread primarily through phishing, capable of introducing additional malware payloads and extracting sensitive data; StealC is an infostealer targeting 23 or more browsers, over 100 web extensions, and 15 or more desktop cryptocurrency wallets, including capabilities to defeat Chrome App-Bound Encryption for cookie theft. Both families used overlapping bulletproof hosting infrastructure across providers including ELITETEAM (AS56873), Chang Way (AS59425), and Femo IT Solutions (AS214351). The Amadey loader's on-demand clipboard hijacking module is a technical parallel to the CryptoBandits clipper. Amadey was linked to over 140,000 infected computers worldwide in May 2026 alone. BitSight TRACE, a partner in Operation Endgame, extracted configuration data from over 200,000 Amadey infections over a 90-day analysis window prior to the disruption.","heading":"StealC and Amadey Botnet Infrastructure","severity":"critical","sources":[{"credibility":1,"name":"Microsoft Security Blog: StealC and Amadey — Breaking down infostealers and the cybercrime services that deliver them","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/"},{"credibility":2,"name":"BitSight: BitSight Aids Disruption Efforts on Amadey and StealC Malware","type":"research","url":"https://www.bitsight.com/blog/bitsight-aids-disruption-efforts-on-amadey-malware-and-stealc-malware"},{"credibility":2,"name":"Help Net Security: Law enforcement hits StealC and Amadey malware networks","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/"}]},{"content":"On June 24, 2026, Microsoft's Digital Crimes Unit (DCU) and Europol announced coordinated disruption actions against StealC and Amadey infrastructure as the latest phase of Operation Endgame, described by Europol as the largest international operation ever undertaken to tackle ransomware enablers worldwide. Participating law enforcement agencies included Germany's Federal Criminal Police Office (BKA), the Netherlands National High Tech Crime Unit, the Royal Canadian Mounted Police, the Danish Police, the UK National Crime Agency, and US authorities, coordinated through Europol's European Cybercrime Centre (EC3) and Joint Cybercrime Action Taskforce (J-CAT), with Eurojust providing judicial support. Private sector partners included Microsoft, ESET, IBM X-Force, Proofpoint, BitSight, Lumen, and Shadowserver Foundation. The operation actioned 326 servers and 142 domains across the broader infrastructure, specifically seizing 182 C2 IP addresses (34 Amadey core, 69 Amadey task, 79 StealC) across 47 domains. Microsoft identified over 18,000 victim computers and severed criminal control of those devices, working with telecommunications providers to notify affected customers. Approximately 27 million stolen login credentials were recovered. Law enforcement identified and froze approximately EUR 41 million (roughly USD 47 million) in cryptocurrency assets of criminal origin. Microsoft's DCU also filed civil lawsuits against alleged malware operators and affiliates. Microsoft's DCU utilized AI-assisted analysis to convert infrastructure mapping tasks that previously required hours or days into minutes, enabling recognition of shared infrastructure across separately developed malware families.","heading":"Operation Endgame: DCU and Europol Takedown (June 24, 2026)","severity":"critical","sources":[{"credibility":1,"name":"Europol: Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks","type":"regulatory","url":"https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks"},{"credibility":1,"name":"Microsoft Security Blog: StealC and Amadey — Breaking down infostealers and the cybercrime services that deliver them","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/"},{"credibility":2,"name":"Infosecurity Magazine: Europol-Led Operation Endgame Takes Down StealC and Amadey Infostealers","type":"news_article","url":"https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/"},{"credibility":2,"name":"Help Net Security: Law enforcement hits StealC and Amadey malware networks","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/"},{"credibility":2,"name":"HackRead: Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks","type":"news_article","url":"https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/"}]},{"content":"Multiple reporting sources indicate the CryptoBandits campaign affected users across at least 14 countries, with the highest concentrations of infections reported in the United States, Germany, South Korea, and Brazil. Microsoft has allegedly estimated that more than USD 45 million in cryptocurrency assets were stolen from individual and institutional victims during the campaign. These figures have been reported by secondary crypto-news outlets but have not been independently confirmed through a Microsoft primary source; they should be treated as alleged pending official confirmation. The broader Operation Endgame disruption, which targeted the StealC and Amadey delivery infrastructure linked to the campaign, independently confirmed EUR 41 million in frozen criminal cryptocurrency assets and over 140,000 infected computers attributable to the Amadey botnet worldwide in May 2026 alone.","heading":"Geographic Scope and Financial Impact","severity":"high","sources":[{"credibility":3,"name":"TFTC: Microsoft Warns Windows USB Worm CryptoBandits Is Hijacking Bitcoin Addresses","type":"news_article","url":"https://www.tftc.io/cryptobandits-usb-worm-hijacks-bitcoin-clipboard-windows/"},{"credibility":1,"name":"Europol: Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks","type":"regulatory","url":"https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks"},{"credibility":2,"name":"Microsoft Security Threat Intelligence on X (post)","type":"social_media","url":"https://x.com/MsftSecIntel/status/2067386600670089699"}]},{"content":"Microsoft has not formally attributed the CryptoBandits campaign to a specific named threat actor or nation-state as of the June 2026 disclosure. Microsoft's advisory noted similarities with techniques used by financially motivated threat actors with alleged connections to Eastern Europe, but the company explicitly stated it had not reached a definitive attribution conclusion. No arrests directly linked to the CryptoBandits operators have been publicly announced. The Operation Endgame actions against StealC and Amadey infrastructure include civil lawsuits filed by Microsoft's DCU against alleged malware operators and affiliates, but defendant identities have not been confirmed in publicly available court filings reviewed at the time of this writing. The SocGholish component of the same Operation Endgame sweep was linked by Europol to the Russian cybercriminal group Evil Corp, but this attribution does not extend to CryptoBandits.","heading":"Attribution","severity":"medium","sources":[{"credibility":2,"name":"The Next Web: Microsoft finds USB worm that steals cryptocurrency through clipboard hijacking and Tor","type":"news_article","url":"https://thenextweb.com/news/microsoft-crypto-clipper-usb-malware-tor-cryptocurrency-theft"},{"credibility":1,"name":"Europol: Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks","type":"regulatory","url":"https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks"},{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"}]},{"content":"Microsoft Defender detects the malware as Trojan:Win32/CryptoBandits and related variants. The campaign was actively tracked by Microsoft Defender Experts. General mitigation recommendations from security researchers include: disabling AutoRun and AutoPlay for USB devices; treating all USB-delivered .lnk (shortcut) files with suspicion, particularly those bearing document file names; monitoring for ugate.exe or renamed Tor binaries in non-standard directories; monitoring localhost:9050 SOCKS5 connections indicating a Tor proxy; using hardware wallet devices rather than software clipboard-based address entry for cryptocurrency transfers; verifying wallet addresses through secondary channels rather than relying solely on clipboard paste operations; and maintaining workstation separation between development environments and custody operations. The disruption of StealC and Amadey C2 infrastructure via Operation Endgame on June 24, 2026 has reduced but not eliminated the delivery network available to the campaign operators.","heading":"Detection and Mitigation","severity":"medium","sources":[{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"credibility":2,"name":"BetaNews: Crypto Clipper malware uses USB drives and Tor","type":"news_article","url":"https://betanews.com/article/crypto-clipper-usb-tor-wallet-malware/"},{"credibility":3,"name":"Spotted Crypto: Crypto Clipper Malware 2026 — Windows Wallet Hijack and Protection Guide","type":"other","url":"https://www.spotedcrypto.com/crypto-clipper-malware-windows-2026-wallet-protection/"}]}],"sources_used":[{"credibility":1,"name":"Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control (June 17, 2026)","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"credibility":1,"name":"Microsoft Security Blog: StealC and Amadey — Breaking down infostealers and the cybercrime services that deliver them (June 24, 2026)","type":"official","url":"https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/"},{"credibility":1,"name":"Europol: Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks","type":"regulatory","url":"https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks"},{"credibility":2,"name":"The Hacker News: Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2","type":"news_article","url":"https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html"},{"credibility":2,"name":"CoinDesk: Microsoft identifies malware worm that hijacks crypto wallets, spreads through USB drives","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/19/microsoft-found-malware-that-hijacks-crypto-wallets-and-spreads-through-usb-sticks"},{"credibility":2,"name":"BleepingComputer: USB worm spreads crypto-stealing malware via Windows shortcut files","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/"},{"credibility":2,"name":"SecurityWeek: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor","type":"news_article","url":"https://www.securityweek.com/cryptobandits-malware-doubles-as-a-backdoor-abuses-tor/"},{"credibility":2,"name":"Infosecurity Magazine: Europol-Led Operation Endgame Takes Down StealC and Amadey Infostealers","type":"news_article","url":"https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/"},{"credibility":2,"name":"Help Net Security: Law enforcement hits StealC and Amadey malware networks","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/"},{"credibility":2,"name":"BitSight: BitSight Aids Disruption Efforts on Amadey and StealC Malware","type":"research","url":"https://www.bitsight.com/blog/bitsight-aids-disruption-efforts-on-amadey-malware-and-stealc-malware"},{"credibility":2,"name":"HackRead: Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks","type":"news_article","url":"https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/"},{"credibility":2,"name":"AMBCrypto: Microsoft warns new Crypto Clipper malware can steal seed phrases and hijack wallet transfers","type":"news_article","url":"https://ambcrypto.com/microsoft-warns-new-crypto-clipper-malware-can-steal-seed-phrases-and-hijack-wallet-transfers/"},{"credibility":2,"name":"TechRadar: New lightweight, self-propagating crypto stealing malware delivered by USB spotted by Microsoft researchers","type":"news_article","url":"https://www.techradar.com/pro/security/new-lightweight-self-propagating-crypto-stealing-malware-delivered-by-usb-spotted-by-microsoft-researchers-crypto-clipper-script-based-stealer-hunts-for-vulnerable-wallets"},{"credibility":2,"name":"The Next Web: Microsoft finds USB worm that steals cryptocurrency through clipboard hijacking and Tor","type":"news_article","url":"https://thenextweb.com/news/microsoft-crypto-clipper-usb-malware-tor-cryptocurrency-theft"},{"credibility":2,"name":"BetaNews: Crypto Clipper malware uses USB drives and Tor","type":"news_article","url":"https://betanews.com/article/crypto-clipper-usb-tor-wallet-malware/"},{"credibility":2,"name":"CryptoDaily: USB Wallet Malware Warning — Why Offline Crypto Storage Still Has Supply-Chain Risk","type":"news_article","url":"https://cryptodaily.co.uk/2026/06/usb-wallet-malware-offline-storage-supply-chain-risk"},{"credibility":2,"name":"Microsoft Security Threat Intelligence on X","type":"social_media","url":"https://x.com/MsftSecIntel/status/2067386600670089699"},{"credibility":2,"name":"Crypto.news: Microsoft warns crypto clipper now acts like backdoor","type":"news_article","url":"https://crypto.news/microsoft-warns-crypto-clipper-now-acts-like-backdoor/"},{"credibility":3,"name":"TFTC: Microsoft Warns Windows USB Worm CryptoBandits Is Hijacking Bitcoin Addresses","type":"news_article","url":"https://www.tftc.io/cryptobandits-usb-worm-hijacks-bitcoin-clipboard-windows/"}],"summary":"CryptoBandits is a self-propagating Windows malware campaign active since February 2026 that combines clipboard hijacking, seed-phrase theft, wallet-address substitution, and worm-like USB propagation with Tor-based command-and-control infrastructure. Microsoft Threat Intelligence disclosed the campaign on June 17, 2026, under the Defender detection name Trojan:Win32/CryptoBandits. Microsoft's Digital Crimes Unit, acting alongside Europol and law enforcement from multiple countries as part of Operation Endgame, disrupted the broader StealC and Amadey botnet infrastructure that delivered related infostealers on June 24, 2026, seizing 182 C2 IP addresses across 47 domains and freezing approximately EUR 41 million in criminal cryptocurrency assets.","timeline":[{"date":"2026-02-01","event":"Microsoft Defender Experts begin tracking the CryptoBandits cryptocurrency clipper campaign. The malware is observed spreading via malicious USB .lnk shortcut files with Tor-based C2 communications.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"date":"2026-05-01","event":"Amadey botnet linked to over 140,000 infected computers worldwide during the first two weeks of May 2026, according to Operation Endgame figures. BitSight TRACE analyzes over 200,000 Amadey infections over a 90-day window.","source":"Europol / Help Net Security","source_url":"https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/"},{"date":"2026-06-17","event":"Microsoft Threat Intelligence and Microsoft Defender Experts publicly disclose the CryptoBandits campaign in a detailed security blog post, documenting USB LNK propagation, Tor C2, seed phrase theft, wallet address substitution, and backdoor capabilities.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"},{"date":"2026-06-18","event":"Operation Endgame disrupts SocGholish malware infrastructure in an earlier phase of the coordinated law enforcement sweep.","source":"Help Net Security","source_url":"https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/"},{"date":"2026-06-19","event":"CoinDesk, The Next Web, and multiple crypto-security outlets publish coverage of the CryptoBandits disclosure, broadening awareness of the USB worm campaign.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/06/19/microsoft-found-malware-that-hijacks-crypto-wallets-and-spreads-through-usb-sticks"},{"date":"2026-06-24","event":"Microsoft's Digital Crimes Unit and Europol, in coordination with law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, announce Operation Endgame disruption of StealC and Amadey infrastructure: 326 servers and 142 domains actioned; 182 C2 IP addresses seized across 47 domains; 18,000+ victim computers severed from criminal control; approximately 27 million stolen credentials recovered; EUR 41 million in cryptocurrency assets frozen. Microsoft files civil lawsuits against alleged operators and affiliates.","source":"Europol / Microsoft Security Blog","source_url":"https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks"}]},"v":1}