Operation Endgame: Hacking the Hackers to Bring Down a Global Credential Theft Network
Proofpoint and IBM X-Force built a tool that pretended to be infected, then used what they learned to support one of the largest cybercrime takedowns in history.
by Zaara Abbas, Digital Media Reporter at Tech Revolt
When law enforcement and their private sector partners dismantled the infrastructure behind one of the internet’s most active credential theft operations last week, the takedown was made possible in part by a deception: researchers had spent months pretending to be infected computers. The intelligence they gathered in the process helped bring down 66 domains and 296 servers, and recover more than 25.6 million unique credentials stolen from over 385,000 compromised systems worldwide.
The action, announced on 24 June 2026 as the latest phase of Operation Endgame, targeted StealC and Amadey, two malware families that operate as a pair in the modern cybercrime supply chain. Europol coordinated the international operation, which involved law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside private sector partners including Microsoft, Proofpoint, IBM X-Force, Bitdefender, and others. As part of the action, Microsoft’s Digital Crimes Unit filed a lawsuit against multiple alleged enablers and took down associated infrastructure.
An Assembly Line for Cybercrime
To understand why this operation mattered, it helps to understand how StealC and Amadey work together. Amadey is a loader: software criminals use to gain a foothold on a victim’s machine and install additional tools. StealC, on the other hand, is an information stealer designed to extract browser credentials, cookies, payment card data, accounts for messaging and email platforms including Telegram, Discord, and Outlook, gaming credentials, VPN tools, and cryptocurrency wallets from compromised systems. Sold as a service to criminal affiliates since January 2023, StealC returns stolen data to a control panel where affiliates can manage active infections, push further payloads, or sell the credentials on underground markets.
Experts have described infostealers as one of the most important gateways to ransomware. Stolen credentials and session cookies harvested by tools like StealC are routinely sold to access brokers, who resell them to ransomware operators seeking an entry point into corporate networks. According to Microsoft intelligence, Amadey and StealC were linked to more than 140,000 infected computers worldwide in just the first two weeks of May 2026.
The version under disruption was not even the original. In March 2025 the developers released StealC version 2, and the latest build was released on 26 May 2026, three weeks before the takedown. The malware is under active development by its criminal operators, which is precisely what makes the emulation approach developed by Proofpoint and IBM X-Force so significant.
Building Fake Infected Machines
Proofpoint and IBM X-Force’s technical contribution was a StealC emulator: software that mimicked the network behavior of a real StealC infection without any actual victim being harmed. By feeding genuine StealC malware samples from internal sources, external repositories, and sharing partners into sandboxes and running configuration extraction scripts, the researchers were able to read the malware’s operating instructions and then simulate the traffic a compromised machine would generate.
What the emulator revealed was a detailed picture of StealC’s operational landscape: which servers affiliates were using, what secondary payloads were being pushed to infected machines, and how the distribution chains were structured. In some cases, a single StealC infection delivered one follow-on payload, such as a remote access trojan. In other cases, StealC delivered a loader, which then retrieved a final payload. One documented example involved StealC downloading XTinyLoader, which in turn installed LockBit Black ransomware. These multi-stage delivery chains were common across the operations the researchers observed.
Disrupting the Cybercrime-as-a-Service Economy
The broader operation represented a deliberate shift in law enforcement strategy. Rather than targeting the end stage of an attack, Operation Endgame went after the tools that make every subsequent stage possible: the loaders and stealers that form the foundation of the cybercrime-as-a-service economy. Europol’s own language framed it in terms of disrupting the assembly line rather than individual products. In addition to the server and domain seizures, authorities identified and froze more than 41 million euros in criminal cryptocurrency assets across the operation.
For Proofpoint and IBM X-Force, the operation reflects an approach to threat intelligence that extends beyond protecting individual customers. By building tools capable of tracking malicious infrastructure at scale and sharing that intelligence with law enforcement, private cybersecurity firms are becoming structural components of global disruption efforts. StealC version 2 was still being actively updated weeks before the takedown. This time, however, the emulator was watching in real time.