
Microsoft and BKA Shut Down 200 Command-and-Control Servers from Amadey and StealC

Bottom line: For the first time, AI analysis and US RICO law were combined to shut down two interconnected botnet loaders and over 18,000 infected computers in a single international operation.

Europol, Germany’s Federal Criminal Police Office (BKA) and Microsoft have shut down over 200 command-and-control servers for the malware families Amadey and StealC in a coordinated operation, severing control over more than 18,000 infected computers worldwide. The action marked the first time AI-supported code analysis and the US law against organized crime (RICO) were used together in such an operation.

Amadey and StealC were involved in more than 140,000 infections worldwide in the first half of May. Amadey acts as a loader, the initial entry vector into target systems, while StealC is an information stealer designed to harvest login credentials and confidential data. During this period, Germany was second only to the United States in the number of attacks. The consequences range from outages in hospitals to state-sponsored espionage operations, such as those by the Russia-associated group “Secret Blizzard,” which uses Amadey infections against targets in Ukraine.

Investigators used artificial intelligence to analyze the functionality of both malware programs—a task that normally takes days but was accomplished by AI in minutes. This analysis led to a crucial discovery: although Amadey and StealC were developed by different criminals, they rely on the same technical infrastructure. With this information, Microsoft’s legal team was able to apply the RICO law (Racketeer Influenced and Corrupt Organizations Act), originally written to combat organized crime in the United States. This made it possible to pursue the various actors not in isolation but as part of a single global criminal conspiracy, allowing the entire network to be taken down in one operation.

The operation was the result of intensive international collaboration: while Microsoft investigated the Amadey infrastructure, Europol’s European Cybercrime Centre (EC3) focused on StealC. The BKA worked closely with Dutch and Danish authorities and played a leading role in carrying out the takedown. This coordinated action is part of “Operation Endgame,” conducted in May 2024, the largest international police operation against cybercrime to date, in which hundreds of servers were seized, millions of infected computers freed, and worldwide arrest warrants issued against the operators.

Source: www.it-daily.net · Published 24 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
