Cybersecurity firm Proofpoint and IBM X-Force helped law enforcement disrupt StealC, a major malware-as-a-service infostealer capable of stealing passwords, browser data and crypto wallets, in a Europol-coordinated operation targeting one of cybercrime’s most active credential-theft ecosystems.
The disruption, carried out under Operation Endgame, affected 66 domains and 296 servers tied to StealC and Amadey, while authorities seized more than 25.6 million unique credentials stolen from over 385,000 compromised systems, according to a report by Proofpoint and IBM X-Force received by TheCoinHeadlines.
Crypto wallets among StealC targets
StealC has operated as a malware-as-a-service platform since January 2023, allowing affiliates to use a command-and-control panel to build malware samples and distribute them to victims.
The malware targets browser credentials, cookies, tokens, payment card data, messaging apps, VPN credentials and crypto wallets, giving attackers the material needed to hijack accounts, steal identities or launch follow-on attacks.
Proofpoint and IBM X-Force said stolen data could be used directly by affiliates or sold through underground markets, feeding a wider cybercrime economy built around credential theft.
Researchers turned the malware’s weakness against it
To better understand how StealC operators moved across the cybercrime chain, Proofpoint and IBM X-Force built an emulator that recreated the network behavior of an infected machine, prompting StealC command-and-control servers to reveal the links to the follow-on payloads they would push to a real victim.
The work gave researchers a clearer view of the malware’s infrastructure and follow-on delivery routes, including remote access trojans, loaders, other stealers and, in one edge case, LockBit Black ransomware.
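The emulation approach described above, as an added example that is not Proofpoint’s or IBM X-Force’s code and does not reproduce StealC’s real protocol: a mock C2 gate is stood up in-process, an emulated bot check-in is sent to it, and follow-on payload URLs are harvested from the task response without anything being downloaded or executed. The gate path, the check-in field names (bot, hwid, os), the User-Agent and the JSON task format are all hypothetical stand-ins chosen for this example.

```python
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed task list served by the mock C2. The JSON shape and field names
# are hypothetical for this example; they are not StealC's actual protocol.
MOCK_TASKS = {
    "tasks": [
        {"type": "download_exec", "url": "http://c2-a.invalid/drop/loader.exe"},
        {"type": "download_exec", "url": "http://c2-b.invalid/drop/rat.exe"},
        {"type": "download_exec", "url": "http://c2-a.invalid/drop/loader.exe"},
        {"type": "collect", "target": "browser_credentials"},
    ]
}


class MockC2Handler(BaseHTTPRequestHandler):
    """Stand-in for a stealer C2 gate: only a request that looks like a bot
    check-in (carries bot and hwid fields) gets the task list."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        if "bot=" not in body or "hwid=" not in body:
            self.send_response(403)  # does not look like an infected host
            self.end_headers()
            return
        data = json.dumps(MOCK_TASKS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_c2():
    """Start the mock C2 on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), MockC2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fake_checkin(gate_url, bot_id, hwid):
    """Emulate an infected host's first beacon (hypothetical field names) and
    return the raw task response. Nothing the C2 hands back is run."""
    payload = f"bot={bot_id}&hwid={hwid}&os=Windows%2010".encode()
    req = Request(
        gate_url,
        data=payload,
        headers={
            "User-Agent": "Mozilla/5.0 (emulated bot)",  # assumed value
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    with urlopen(req, timeout=5) as resp:
        return resp.read()


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_payload_urls(raw_response):
    """Harvest follow-on payload URLs by regex rather than by a schema, so
    the parser survives task-format changes. Deduplicated, order preserved."""
    text = raw_response.decode("utf-8", "replace")
    return list(dict.fromkeys(URL_RE.findall(text)))


def payload_hosts(urls):
    """Reduce harvested URLs to the delivery hosts, the indicator a takedown
    team most wants."""
    return sorted({urlparse(u).hostname for u in urls})


def run_demo():
    """Spin up the mock C2, run one emulated check-in, return (urls, hosts)."""
    server = start_mock_c2()
    try:
        gate = f"http://127.0.0.1:{server.server_port}/gate.php"  # assumed path
        raw = fake_checkin(gate, bot_id="emu-0001", hwid="0123456789ABCDEF")
        urls = extract_payload_urls(raw)
        return urls, payload_hosts(urls)
    finally:
        server.shutdown()


if __name__ == "__main__":
    urls, hosts = run_demo()
    print("payload URLs:", urls)
    print("delivery hosts:", hosts)
```

Against a live gate the mock server is replaced by the real URL, the harvesting host sits in an isolated network with egress logging, and harvested URLs are recorded as indicators rather than dereferenced from the same box; the point of the emulator is the list of delivery hosts, not the payloads themselves.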
Researchers also found a vulnerability in StealC’s command-and-control panel, which law enforcement later used to support search-and-seizure actions against StealC servers.
The takedown is expected to hit StealC both operationally and reputationally, disrupting services, damaging trust among affiliates and raising costs for cybercriminal customers.
Proofpoint joins OpenAI Daybreak for AI-powered cyber defense
The StealC disruption comes after Proofpoint said it had joined OpenAI’s Daybreak Cyber Partner Program, a defensive security initiative aimed at helping trusted cybersecurity organizations integrate advanced AI into threat investigation, alert enrichment, intelligence analysis and incident response.
Proofpoint said it can use GPT-5.5 within its managed products, services and security workflows for customer-facing defensive use cases, without giving customers direct access to OpenAI models.
Proofpoint said it currently uses OpenAI models within Satori, its agentic AI suite, and expects GPT-5.5 to unlock additional capabilities across defensive workflows such as threat investigation, incident response and security operations.
