Europol’s malware crackdown: what it means for identity teams


(@nhi-mgmt-group), topic starter

TL;DR: Europol’s latest Operation Endgame phase froze more than €41 million in cryptocurrency, seized 326 servers, recovered nearly 27 million stolen credentials, and cleaned almost 15,000 infected websites, underscoring how password, browser-data, and wallet theft now sits at the centre of cybercrime infrastructure, according to SumSub. Credential theft at this scale turns identity exposure into an ecosystem problem, not an isolated endpoint event.

NHIMG editorial — based on content published by SumSub: Europol freezes €41 million in crypto during a global malware crackdown

By the numbers (the figures stated in the TL;DR above):

  • More than €41 million in cryptocurrency frozen.
  • 326 servers seized.
  • Nearly 27 million stolen credentials recovered.
  • Almost 15,000 infected websites cleaned.
Questions worth separating out

Q: What should security teams do when infostealer malware exposes credentials?

A: They should revoke exposed credentials immediately, terminate active sessions, and force reauthentication wherever the stolen secret could still be valid.

Q: Why do browser-stored secrets create such a large identity risk?

A: Browser-stored secrets create risk because they are portable identity material that can be extracted silently and reused outside the original device.

Q: How can organisations tell whether stolen credentials are being reused?

A: They should look for anomalous login geographies, token reuse without normal user behaviour, repeated failed and successful authentications across the same account, and access from newly compromised endpoints.

Practitioner guidance

  • Review browser-based secret exposure: audit where passwords, tokens, and session artefacts are stored in browsers and endpoint profiles, then remove persistence for privileged and high-value accounts.
  • Prioritise rapid credential invalidation: when threat intelligence confirms infostealer activity, revoke exposed credentials, terminate active sessions, and reset linked authentication factors before reuse begins.
  • Correlate malware alerts with identity events: tie endpoint detection to IAM and PAM workflows so a confirmed infostealer infection triggers account review, session hunting, and secret rotation across affected users.

What's in the full analysis

SumSub's full news article covers the operational detail this post intentionally leaves for the source:

  • The exact law-enforcement actions taken across servers, domains, and malware families.
  • The operational notes on how stolen credentials were identified and notified through consumer exposure services.
  • The references to Microsoft’s findings on infected computers and malware distribution patterns.
  • The source article’s context on how StealC, Amadey, and SocGholish fit into the broader crackdown.

👉 Read SumSub’s coverage of Europol’s malware crackdown and stolen credential recovery →

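The reuse indicators listed in the Q&A above (anomalous geographies, token reuse without normal behaviour, failed-then-successful authentications, access from newly compromised endpoints) and the alert-to-IAM correlation in the practitioner guidance, worked through as one added Python example. This is not code from the post, from SumSub's article or from the Europol operation: the EDR alert, the authentication events, the field names (device, country, session) and the seven-day lookback are all constructed for illustration, and a real deployment would read the same fields from the EDR and identity-provider logs instead.

```python
"""Correlate infostealer alerts with identity events and hunt for stolen-credential reuse.
Added example, not code from the original post, SumSub or Europol. All log lines below are
constructed for illustration; field names, sample values and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    device: str    # endpoint identifier presented at login
    country: str
    result: str    # "success" or "failure"
    session: str   # session / refresh-token identifier, "-" when none was issued


@dataclass(frozen=True)
class StealerAlert:
    ts: datetime
    host: str      # endpoint the EDR flagged
    family: str    # e.g. the StealC family named in the source article


T = datetime.fromisoformat
BASELINE_UNTIL = T("2025-01-10T00:00:00")   # events before this only build the per-user baseline

# Constructed sample data: day 1 is normal activity, on day 2 EDR flags alice's laptop at 10:05.
SAMPLE_ALERTS = [StealerAlert(T("2025-01-10T10:05:00"), "WS-ALICE", "StealC")]
SAMPLE_AUTH = [
    AuthEvent(T("2025-01-09T08:00:00"), "alice", "WS-ALICE", "NL", "success", "sess-A0"),
    AuthEvent(T("2025-01-09T08:05:00"), "bob", "WS-BOB", "NL", "success", "sess-B0"),
    AuthEvent(T("2025-01-09T08:10:00"), "carol", "WS-CAROL", "NL", "success", "sess-C0"),
    AuthEvent(T("2025-01-10T08:00:00"), "alice", "WS-ALICE", "NL", "success", "sess-A1"),
    # alice's live session token replayed from an unknown device abroad: no password needed
    AuthEvent(T("2025-01-10T11:30:00"), "alice", "UNKNOWN-7", "RU", "success", "sess-A1"),
    # bob: two failures then a success from a device and country never seen for him
    AuthEvent(T("2025-01-10T12:00:00"), "bob", "VPS-9", "BR", "failure", "-"),
    AuthEvent(T("2025-01-10T12:00:30"), "bob", "VPS-9", "BR", "failure", "-"),
    AuthEvent(T("2025-01-10T12:01:00"), "bob", "VPS-9", "BR", "success", "sess-B2"),
    # carol: routine login from her usual device and country, must not be flagged
    AuthEvent(T("2025-01-10T09:00:00"), "carol", "WS-CAROL", "NL", "success", "sess-C1"),
]


def sessions_at_risk(alerts, events, lookback=timedelta(days=7)):
    """Sessions issued on an infected host in the window before the alert. A stealer dumps
    whatever the browser profile held, so each is treated as stolen until revoked."""
    at_risk = {}
    for a in alerts:
        for e in events:
            if e.device == a.host and e.result == "success" and a.ts - lookback <= e.ts <= a.ts:
                at_risk[e.session] = (e.user, a.host, a.family)
    return at_risk


def reuse_findings(events, baseline_until=BASELINE_UNTIL):
    """Flag the reuse patterns the post lists: a session token used from a device it was not
    issued on, a login from a country outside the user's baseline, and failed-then-successful
    authentication from a new device. Returns (user, pattern, detail) tuples."""
    known_device, known_country, issued_on = defaultdict(set), defaultdict(set), {}
    failures = defaultdict(int)          # (user, device) -> failures seen before a success
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.ts < baseline_until:        # learn normal devices, countries and session bindings
            if e.result == "success":
                known_device[e.user].add(e.device)
                known_country[e.user].add(e.country)
                issued_on[e.session] = e.device
            continue
        if e.result != "success":
            failures[(e.user, e.device)] += 1
            continue
        if e.session in issued_on and issued_on[e.session] != e.device:
            findings.append((e.user, "token_replay",
                             f"{e.session} issued on {issued_on[e.session]}, used from {e.device}"))
        issued_on.setdefault(e.session, e.device)   # first sighting binds a session to its device
        if e.country not in known_country[e.user]:
            findings.append((e.user, "new_country", f"{e.country} from {e.device}"))
        if e.device not in known_device[e.user] and failures[(e.user, e.device)]:
            findings.append((e.user, "fail_then_success_new_device",
                             f"{failures[(e.user, e.device)]} failures then success from {e.device}"))
    return findings


def response_plan(alerts, events):
    """Merge both signals into per-user actions an IAM/PAM workflow can execute immediately."""
    plan = defaultdict(set)
    for session, (user, host, family) in sessions_at_risk(alerts, events).items():
        plan[user] |= {f"revoke_session:{session}", "reset_credentials", f"review_host:{host}:{family}"}
    for user, pattern, _ in reuse_findings(events):
        plan[user] |= {"reset_credentials", "force_reauth", f"hunt:{pattern}"}
    return {user: sorted(actions) for user, actions in plan.items()}
```

Two design points are worth calling out. First, `sessions_at_risk` revokes every session issued on the infected host in the lookback window, not just the one active at alert time, because a browser profile carries older refresh tokens and cookies that a stealer harvests together with the current one. Second, the session-token replay check (`sess-A1` seen from a device it was not issued on) is the strongest of the three signals: it needs no password and no failed attempts, so a detection that only counts failures or only looks at geography would miss it. The baseline is learned from the pre-cutoff events only; in production it would come from a longer history, and a suspicious login should not be allowed to update it.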
(@mr-nhi)

Credential theft has become an identity supply chain problem, not a malware side effect. The value in this operation is not just the disruption of infrastructure, but the exposure of how many credentials were already in circulation. When nearly 27 million stolen credentials can be recovered from compromised devices, the real security boundary is the lifecycle of identity material across browsers, endpoints, and downstream services. Practitioners should treat harvested secrets as a distributed identity inventory problem, not a one-time infection event.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own response when credential theft crosses endpoint and identity controls?

A: Ownership should sit jointly with security operations, IAM, and PAM because the problem spans detection, revocation, and privileged access containment. If the stolen material includes service credentials or admin sessions, identity governance and access revocation must move as fast as containment. This is a lifecycle issue, not a single-team issue.

👉 Read our full editorial: Global malware takedown exposes the scale of credential theft
