Global Summary
Law enforcement and cybersecurity partners executed a historic coordinated disruption of two major malware ecosystems on 2026-06-24, with Operation Endgame taking down Amadey loader and StealC infrastructure across multiple jurisdictions. Simultaneously, U.S. authorities concluded large-scale enforcement sweeps against healthcare fraud, gang crime, and financial crime linked to Cambodia-based money laundering networks. The cumulative effect represents one of the largest single-day convergences of law-enforcement cyber and financial-crime actions this year, reducing active commodity malware prevalence and criminal infrastructure capacity across North America and Europe.
Top Developments
- Global cyber infrastructure disruption (2026-06-24): Europol, Microsoft, and international partners executed Operation Endgame, dismantling dozens of command-and-control servers and associated domains for the Amadey loader botnet and StealC information-stealer malware families, among the most prolific Windows commodity malware threats currently active.
- Credential theft recovery (2026-06-24): Law enforcement and private-sector partners recovered 25.6 million stolen credentials from infrastructure associated with StealC, affecting over 385,000 compromised systems across multiple countries.
- U.S. healthcare fraud takedown (2026-06-23): The FBI and Department of Justice charged 455 defendants in connection with over $6 billion in alleged healthcare fraud schemes in the 2026 National Health Care Fraud takedown operation.
- Gang and transnational crime arrests (2026-06-23): The FBI reported over 750 arrests across U.S. cities under Operation Summer Heat, targeting gang membership, transnational criminal organizations, illegal firearms trafficking, and repeat violent offenders.
- Cambodia-linked money laundering seizure (2026-06-23): The FBI and DOJ seized a cloud computing account used by subsidiaries of the Cambodia-based Huione Group, which is alleged to have laundered the proceeds of cryptocurrency investment fraud and cyber scams.
- UK critical infrastructure attack convictions (2026-06-23): Two members of the Scattered Spider criminal group pleaded guilty to a cyberattack against Transport for London's computer network, representing a significant prosecution outcome for attacks on critical transportation infrastructure in a Five Eyes ally.
- Online exploitation sentencing (2026-06-17, announced 2026-06-23): A defendant was sentenced to 30 years in prison for sextortion targeting multiple minor female victims and dissemination of sensitive material.
Regional Watch
Americas: U.S. law-enforcement agencies have concluded three major enforcement operations (healthcare fraud, gang/transnational crime, and financial-crime asset seizure) within 48 hours, indicating increased coordination between federal agencies and international partners on financial and cyber crime. Cambodia-based money-laundering networks remain an active focus of U.S. enforcement.
Europe: The UK has achieved convictions against Scattered Spider members for critical-infrastructure cyberattacks. Europe-led Operation Endgame represents the most significant coordinated law-enforcement cyber disruption announced in recent months, with implications for malware ecosystem resilience and the maturity of EU-U.S. cyber law-enforcement partnerships.
Asia-Pacific: Cambodia-based Huione Group subsidiaries have been directly targeted by U.S. seizure actions, signaling continued pressure on transnational financial-crime networks operating from Southeast Asia.
How GeoBit Would Assist
Operation Endgame & StealC disruption: Corporate security and risk teams would use Network & Actor Analysis and OSINT Fusion & Corroboration to track the identified infrastructure takedowns, cross-reference seized C2 domains against internal logs and third-party breach databases, and measure residual exposure from the 25.6 million stolen credentials recovered. Teams should query Intel Sweep for any internal mentions of Amadey or StealC indicators of compromise and apply Shodan queries to identify any remaining accessible infrastructure tied to the disrupted botnets.
Huione Group money-laundering seizure & U.S. financial-crime operations: Risk and compliance teams managing payments, cloud infrastructure, and vendor relationships in high-risk jurisdictions should employ Search & Research (financial crime and regime-stability focused) to identify any direct or subsidiary exposure to Huione-affiliated entities, combined with Economic & Trade analysis to map broader Cambodia-based payment and logistics networks that may carry reputational or sanction-exposure risk.
Scattered Spider TfL cyberattack convictions: Organizations operating critical infrastructure or managing cybersecurity incident response should use Conflict & Military and Asymmetric & Proxy Warfare threat-actor profiling to review Scattered Spider's known target sectors and TTPs, and establish AOI Monitoring & Early Warning on dark-web forums, Telegram channels, and paste-sites for any retaliation communications or new operational announcements from the group.
Elevated-Risk Countries
Threat-ranking data is currently unavailable. However, the United States and United Kingdom emerge as active law-enforcement and cyber-defense priorities given the scale and coordination of this week's enforcement actions; Cambodia remains a jurisdiction of elevated financial-crime risk due to Huione Group's continued involvement in transnational money laundering despite asset seizures.
12-Hour Outlook
Additional arrests or asset seizures related to Operation Endgame or the healthcare/gang enforcement sweeps are possible as supporting investigative results are processed. Watch for statements from major cloud and payment-processing providers regarding credential-reset or fraud-prevention measures tied to the recovered StealC credential cache.
GeoBit Threat Ranking
| # | Country | Threat | Primary Driver |
|---|---|---|---|
| Ranking unavailable. | | | |