{"slug": "scaling-cybercrime-disruption-through-innovation-and-ai", "title": "Scaling cybercrime disruption through innovation and AI", "summary": "Microsoft disrupted over 200 command-and-control servers by targeting two cybercrime tools, Amadey and StealC, simultaneously using AI-assisted analysis and the RICO statute. The operation, conducted with Europol and industry partners, severed criminal control of more than 18,000 victim computers and aims to break the cyberattack supply chain. This marks a new approach to fighting cybercrime by targeting coordinated infrastructure rather than individual services.", "body_md": "Microsoft is taking a new approach to fighting cybercrime, targeting the cyberattack supply chain, not just individual services. In a case unsealed today, we are simultaneously targeting two widely used cybercrime tools, [Amadey and StealC](https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/), after AI-assisted analysis revealed they rely on the same infrastructure.\n\nThis action goes after the cybercrime “assembly line,” where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain. In the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally, highlighting how widely they are used.\n\nWorking with [Europol and industry partners](https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks), we targeted both tools at once. The goal: break the chain. 
Since the start of the operation, Microsoft has identified more than 18,000 victim computers, severed criminal control of those devices, and is working with telecommunications providers to help protect affected customers globally.\n\nWhen multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from. The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild.\n\nIt’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.\n\n**What’s different about this action**\n\nMicrosoft has [long used civil legal action to disrupt cybercriminal infrastructure](https://www.microsoft.com/en-us/corporate-responsibility/topics/cybersecurity/disrupting-cyberthreats-since-2008/#tycoon-2fa=) and pioneered the innovative use of existing laws, including the Racketeer Influenced and Corrupt Organizations Act (RICO), a US law designed to target organized crime.\n\nWhat’s new is how we’re combining AI analysis with an expanded use of that law.\n\nAmadey and StealC were developed by separate cybercriminals, but they relied on the same infrastructure. To understand how they worked, investigators used AI, including Copilot, to quickly analyze the malware, asking questions in plain English instead of manually combing through complex code. That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster.\n\nThose insights allowed the legal team to treat both malware families as part of a single conspiracy. Instead of going after each tool separately, as we have done in the past, we used RICO to charge multiple complicit enablers involved across the operation. 
In total, Microsoft’s Digital Crimes Unit disrupted over 200 command-and-control servers—the systems criminals use to control infected devices, steal data, and keep attacks running.\n\nBy targeting tools together, we can disrupt the cybercrime chain more efficiently and more effectively, in a way that better reflects how these networks actually operate today.\n\n**Cybercrime now runs like an assembly line**\n\nCybercrime is no longer a series of isolated attacks—it’s a coordinated system.\n\nSpecialized tools handle each step: one gains access, another steals credentials, and others sell or exploit that access for fraud, ransomware, espionage, or other nefarious purposes. Different actors may be involved at each stage, but together they turn access into profit, quickly and at scale.\n\nThat structure also creates a point of vulnerability. The people behind these cybercriminal tools may never interact directly, but their tools are designed to work together. If those connections can be identified, multiple stages of an attack can be disrupted at once.\n\n**How these attacks play out in the real world**\n\nMost people will never hear the names Amadey or StealC, but they feel the effects. A hospital locked out of critical systems. A city unable to deliver essential services. A small business losing access to accounts overnight. A retiree who lost their life savings.\n\nThese attacks don’t happen all at once. They unfold step by step: attackers get in, passwords are stolen, access is reused or sold, and sometimes repurposed for more targeted operations. 
For example, Microsoft has observed [Russian-affiliated actor Secret Blizzard](https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/) leveraging Amadey infections to deploy custom malware against targets in Ukraine.\n\nBy targeting multiple points in that chain at once, we reduce the chance that a single compromise turns into widespread harm. Put simply: fewer attacks succeed and fewer people feel the impact when they do.\n\n**No one organization can do this alone**\n\nActions like this underscore a fundamental reality: we’re successful when we collaborate. No single organization, whether government or industry, has full visibility into how cyber threats operate across borders and sectors. What makes this effort effective is the combination of perspectives and data.\n\nMicrosoft had been tracking Amadey due to its impact on customers, working with cybersecurity partners [ESET](https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/), [BitSight](https://www.bitsight.com/blog/bitsight-aids-disruption-efforts-on-amadey-malware-and-stealc-malware), Lumen, and [Mitsui Bussan Secure Directions (MBSD)](https://www.mbsd.jp/research/20260624/amadey-c2-en/) to better understand how it operated. 
At the same time, [Europol’s European Cybercrime Centre (EC3)](https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3), together with European law enforcement partners including [Germany’s Federal Criminal Police Office](https://www.ibm.com/think/x-force/stealc-you-later-proofpoint-x-force-support-operation-endgame-disruptions) and the Dutch and Danish National Police, was investigating StealC as part of [Operation Endgame](https://www.ibm.com/think/x-force/stealc-you-later-proofpoint-x-force-support-operation-endgame-disruptions), alongside [IBM X-Force and Proofpoint](https://www.ibm.com/think/x-force/stealc-you-later-proofpoint-x-force-support-operation-endgame-disruptions).\n\nBringing those efforts together expanded our collective datasets and made it possible to identify the connections between the two tools and act on them quickly. That shared understanding enabled a coordinated response that went further than any single organization could achieve alone.\n\nThis shows why partnerships matter. Industry shares technical insight, government brings visibility, and we need trusted ways to exchange that information. Only by working from the same picture can we stay ahead of attackers, disrupting not just individual tools but also the systems that make cybercrime possible.\n\n**Creating sustained pressure on cybercrime**\n\nThis work doesn’t end with a single action. Cybercriminals adapt quickly, which is why we continue tracking how these operations evolve and working with partners to disrupt them.\n\nMicrosoft’s court-authorized disruption in this case is paired with ongoing efforts to track how cybercriminals rebuild, identify new infrastructure, and work with partners to disrupt the services they rely on to operate. 
It also includes incorporating the findings from this disruption into initiatives like [Microsoft’s Statutory Automated Disruption program](https://blogs.microsoft.com/on-the-issues/2025/06/04/microsoft-launches-new-european-security-program/), which helps accelerate the removal of malicious domains and infrastructure.\n\nThe goal is not just to stop one operation but to slow the system itself—making attacks harder to launch, scale, and recover from. By combining AI-driven insight, legal action, and strong partnerships, we can continue to raise the cost of cybercrime and reduce its impact.\n\n*For more than a decade, Microsoft’s Digital Crimes Unit (DCU) has worked to disrupt cybercrime and nation-state threats, filing around 40 cases since 2008 and partnering with law enforcement to take down criminal networks. Learn more about the team’s efforts **here**.*", "url": "https://wpnews.pro/news/scaling-cybercrime-disruption-through-innovation-and-ai", "canonical_source": "https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/", "published_at": "2026-06-24 20:54:24+00:00", "updated_at": "2026-06-24 21:19:28.506490+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-tools", "ai-research"], "entities": ["Microsoft", "Europol", "Amadey", "StealC", "Copilot", "Digital Crimes Unit", "RICO"], "alternates": {"html": "https://wpnews.pro/news/scaling-cybercrime-disruption-through-innovation-and-ai", "markdown": "https://wpnews.pro/news/scaling-cybercrime-disruption-through-innovation-and-ai.md", "text": "https://wpnews.pro/news/scaling-cybercrime-disruption-through-innovation-and-ai.txt", "jsonld": "https://wpnews.pro/news/scaling-cybercrime-disruption-through-innovation-and-ai.jsonld"}}