A joint law enforcement and industry operation dismantled two widely used cybercrime platforms in a single coordinated strike.
Authorities and private firms — including Microsoft — simultaneously targeted Amadey and StealC, two unrelated malware-as-a-service tools that together formed what investigators called a cybercrime "assembly line." Amadey, active since at least 2018, is a platform for compromising devices and dropping ransomware payloads; it was spotted last year using GitHub to harvest system data from infected machines. StealC is an infostealer that hoovers up credentials, authentication cookies, cryptocurrency wallets, and browser files. Together, the two tools are linked to more than $47 million in ransom payments and fraud. The operation succeeded in part because Microsoft's legal team used AI analysis to identify that the two independently operated platforms shared underlying infrastructure — a finding that let attorneys pursue a single court order to disrupt both simultaneously.
The shared-infrastructure discovery is what makes this case notable. Cybercrime tooling is increasingly modular: criminals shop for malware components the way developers shop for libraries, and operators of those components don't always know who else is running on the same servers. That interdependence is now a liability — one legal order, one infrastructure takedown, multiple criminal workflows severed.
Operations like this tend to produce short-term disruption rather than permanent shutdown; Amadey has survived law enforcement attention before. Whether the infrastructure hit lands a lasting blow depends on how quickly the remaining operators reconstitute their backend — and they usually move faster than the press releases suggest.