Crypto Clipper Worm (Microsoft DCU Takedown June 2026)

2026-02-01

Microsoft Defender Experts begin tracking the CryptoBandits cryptocurrency clipper campaign. The malware is observed spreading via malicious USB .lnk shortcut files with Tor-based C2 communications.

2026-05-01

Amadey botnet linked to over 140,000 infected computers worldwide during the first two weeks of May 2026, according to Operation Endgame figures. BitSight TRACE analyzes over 200,000 Amadey infections over a 90-day window.

2026-06-17

Microsoft Threat Intelligence and Microsoft Defender Experts publicly disclose the CryptoBandits campaign in a detailed security blog post, documenting USB LNK propagation, Tor C2, seed phrase theft, wallet address substitution, and backdoor capabilities.

2026-06-18

Operation Endgame disrupts SocGholish malware infrastructure in an earlier phase of the coordinated law enforcement sweep.

2026-06-19

CoinDesk, The Next Web, and multiple crypto-security outlets publish coverage of the CryptoBandits disclosure, broadening awareness of the USB worm campaign.

2026-06-24

Microsoft's Digital Crimes Unit and Europol, in coordination with law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, announce Operation Endgame disruption of StealC and Amadey infrastructure: 326 servers and 142 domains actioned; 182 C2 IP addresses seized across 47 domains; 18,000+ victim computers severed from criminal control; approximately 27 million stolen credentials recovered; EUR 41 million in cryptocurrency assets frozen. Microsoft files civil lawsuits against alleged operators and affiliates.