An international law enforcement operation, cooperating with Bitdefender, ESET, and Microsoft, dismantled infrastructure behind Amadey and StealC malware—two popular infostealers used for credential theft and ransomware attack preparation. The operation recovered 27 million stolen credentials. For B2B companies, this confirms credential theft scale and reminds that compromised passwords may return to circulation even after LE operations—unless organizations rotate their secrets.
Amadey and StealC in the Cybercrime Ecosystem
Amadey is a botnet and loader used to distribute other malware including ransomware and banking trojans. StealC specializes in stealing passwords from browsers, cryptocurrency wallets, and applications. Both tools are sold as MaaS (Malware-as-a-Service), lowering the barrier for criminals. Stolen credentials reach underground markets where IABs and ransomware groups purchase them.
The LE operation disrupted C2 servers and related marketplaces but does not eliminate the threat—other groups fill the niche, and already stolen data may remain in circulation. Organizations whose employees or customers were infostealer targets in recent years should assume their credentials may be in the recovered 27 million record database.
What B2B Companies Should Do
- Password rotation – force password resets for potentially exposed accounts.
- MFA everywhere – passwords alone are insufficient after leaks.
- Dark web monitoring – credential monitoring services alert on corporate domain leaks.
- Endpoint EDR – detect infostealers before exfiltration.
Public-Private Cooperation
Operation success shows the value of security vendor cooperation (Bitdefender, ESET, Microsoft) with law enforcement. Threat intelligence from commercial products often initiates such actions. B2B companies using these solutions indirectly contribute to global defense—while incorporating vendor threat feeds into their SIEM.
Organizations without internal threat intelligence should subscribe to EDR vendor advisories and use IT infrastructure services with built-in credential leak monitoring.
Infostealers and Ransomware
Attack chains often look like: infostealer (Amadey/StealC) → credential sale → IAB → ransomware. Disruption at the infostealer stage is cheaper than post-ransomware recovery. EDR investment, user training, and unauthorized software blocking deliver higher ROI than cyber insurance after an incident.
Organizations should test infostealer resilience in red team exercises—endpoint infection simulation and detection time measurement. "No local admin" policies and application whitelisting significantly hinder MaaS malware installation.
GDPR and Notifications
If the recovered 27 million credential database contains Polish organization employee or customer data, personal data breach analysis obligations may arise. Proactive leak monitoring and rapid rotation minimize GDPR incident and supervisory authority penalty risk.
Passwordless and FIDO2 as Long-Term Response
The Amadey/StealC operation confirms passwords—even strong ones—are stolen at scale. Long-term strategy should steer organizations toward FIDO2/WebAuthn and passwordless authentication, where infostealers have nothing to steal beyond short-TTL session tokens. Microsoft, Google, and Okta offer mature migration paths; B2B companies can pilot passwordless on IT and admin groups before organization-wide rollout.
Blocking logins from atypical geographies for given roles (impossible travel) and conditional access in Microsoft Entra ID further limits stolen credential value even before rotation.
User Awareness After LE Operations
The Amadey/StealC LE operation does not reduce user education needs—infostealers are still distributed via phishing and fake installers. Internal communications after such LE operations are opportunities to remind rules: don't install software outside IT catalog, report suspicious computer slowdown, don't save passwords in browsers. Training should include EDR panel demos showing infostealer appearance—building awareness that attacks are invisible to users.
Organizations with special category data access (health, biometrics) may require GDPR supervisory authority notification even without confirmed exfiltration—proactive rotation and monitoring minimize this scenario.
Amadey/StealC threat hunting should review DNS queries to known C2 domains, unusual browser injection processes, and large workstation uploads during night hours. Proxy log correlation reveals exfiltration even when EDR was disabled or bypassed by attackers.
MSP contracts should require 24h notification upon infostealer detection on client infrastructure—IT supply chain accountability.
Include infostealer response in your incident response plan as a distinct scenario with pre-approved steps: isolate host, reset all sessions for user, force password reset across integrated SaaS, and preserve disk image for forensics before reimaging.
Conclusion
The Amadey/StealC operation is good news but not the end of infostealer threats. B2B companies should treat credential hygiene as priority: MFA, EDR, leak monitoring, and regular training. We invite you to explore our security solutions and IT services for businesses.
Source: The Hacker News – Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered