On June 24, 2026, an international law enforcement coalition seized the infrastructure behind StealC, one of the more widely used information stealers of the past three years. The action was the latest phase of Operation Endgame, led by Germany’s Federal Criminal Police Office and coordinated by Europol, and it targeted StealC alongside the Amadey loader that often delivered it. Authorities and their private-sector partners took down hundreds of servers, seized well over a hundred domains, recovered roughly 27 million stolen credentials, and froze more than $47 million in cryptocurrency.
By early 2026, StealC had spent three years as a mainstay of the infostealer market, a subscription product its developer kept patching and upgrading long after most malware families go stale. To the outside world it still looked like a healthy, actively maintained criminal product operating at real scale.
SpyCloud’s data tells a more complicated story. In our analysis of recaptured infostealer malware logs, StealC was already collapsing months before law enforcement arrived, running more than 90% below its January peak by the time the servers went dark. That invites an interesting question: if the family was already dying, did the takedown accomplish anything the market wasn’t already heading toward on its own?
What StealC is, and how it got here
StealC first appeared in January 2023, advertised by an actor using the handle “Plymouth” on the Russian-language forums XSS and BHF and sold as malware-as-a-service at roughly $300 a month. Plymouth built it on ideas taken from several popular and pervasive infostealers – Vidar, Raccoon, Mars, and RedLine – and marketed it to move volume: a customizable file grabber, an easy admin panel, and out-of-the-box theft of browser passwords, session cookies, autofill data, payment cards, and cryptocurrency wallets. Cheap, low-effort, and effective, it caught on fast.
In March 2025 the developer shipped StealC v2, an x64 rewrite with a JSON-over-HTTP command-and-control protocol, a redesigned web panel and builder, and expanded theft capabilities. The family stayed under active development right up to the takedown, reaching version 2.22.0 with its last observed build dated May 26, three weeks before the disruption. Operationally, StealC usually rode in behind the Amadey loader, which handled initial access and dropped StealC as a second stage, and it leaned on trojanized software installers and ClickFix-style social-engineering lures for delivery.
Microsoft reported that Amadey and StealC together were linked to more than 140,000 infected devices in the first two weeks of May 2026.[1]
The malware family the takedown hit was already fading
StealC peaked in SpyCloud recaptured data in January 2026, with daily volume approaching 14,000 infected victims and a seven-day average near 9,500. From there it fell steeply through February and March and settled into a low baseline of a few hundred victims a day by late spring. By the time of the June 24 disruption, StealC was running more than 90% below its January peak.
The cumulative view tells the same story from the other side. StealC accounts for roughly 420,000 infected victims in our data across the first half of 2026, and the curve is nearly flat by June. This decline predates the takedown and tracks a broader market shift, most of all toward Vidar, which released a rewritten version 2.0 in October 2025 and quickly became the family of choice. LummaC2 also clawed back activity over the same stretch, despite a May 2025 law enforcement action against its infrastructure, and a public doxxing of its operators later that year.
Figure 2: Cumulative StealC victims, January through early July, with a counterfactual projection estimating the number of infections averted by the disruption (so far).
Nonetheless, we regularly watch malware families appear to die, or drop to a handful of new infections a day, only to resurge after months lying dormant, and LummaC2 is a case in point. So while the disruption clearly didn’t cause a massive drop in daily infections, it may still turn out to be the thing that keeps StealC from ever coming back.
StealC’s panel was leaking for months
StealC’s decline didn’t happen in a vacuum, and part of the pressure was self-inflicted through a control panel that researchers kept finding holes in. In January 2026, CyberArk disclosed a cross-site scripting flaw in the StealC web panel that exposed details of the operation, including one of its customers. Proofpoint and IBM X-Force separately found a directory-traversal bug in how the panel handled filenames from infected machines, a flaw that allowed a web shell to be uploaded to a StealC C2 server. They built a StealC emulator, tracked affiliate operations through extracted configurations, and used the flaw during the disruption itself. The developers patched it in February 2026, but not before it had likely been abused to steal data from other affiliates.
For a business that runs on affiliate trust, a panel that leaks your logs to rivals and researchers is a serious problem. It’s reasonable to think some affiliates drifted toward quieter alternatives as the panel’s reputation soured, and the data on where those actors went supports that reading, which is the subject of the peer-family section below. The timing lines up, too: the public reporting in January and the fix a month later roughly coincide with the largest drop in new victims we see in Figure 1, which suggests the news of these security failures may have pushed customers to abandon StealC for a different family well before law enforcement ever touched it.
Reading the post-takedown data honestly
Here’s how we can tell the takedown worked, rather than merely coinciding with a family that was already sinking.
If StealC’s fall were an ecosystem-wide slump in infostealer deployment, every family in the chart would sag together. A decline that hits one family and leaves its rivals untouched is a family-specific event, and in my view that’s the clearest signature we have of a disruption that actually worked.
This inference rests on one assumption worth saying plainly: SpyCloud’s collection pipeline surfaces all of these families, so a genuine cross-market slump would show up in our data. That assumption holds for how we ingest and identify logs, which is why the divergence is meaningful rather than coincidental, and why we can infer the disruption had a measurable impact on StealC.
Figure 4: StealC infections in the 30 days either side of June 24. Volume falls from a pre-disruption average of 389/day to a post-disruption average of 162/day, with recent-day ingests in the single-digits.
Because StealC was already running near its floor before the takedown, the infections it has averted so far are modest, around 900 as of July 5. That number is the product of a short observation window and a low pre-disruption rate, and it grows with every additional day StealC stays offline, so read it as a running baseline rather than a final figure.
Why StealC was already declining, and what it means for other disruptions
As a thought experiment, I formulated several theories that could, in my view, explain this pre-disruption decline:
- A highly competitive market pressuring the StealC customer base to stay loyal,
- Security research exposing vulnerabilities in the StealC panel and driving customers away, and
- A broader market slump dragging every family down together. The third is already ruled out by the peer-family analysis above, so only the first two are worth discussing here.
01
Vidar shipped a full rewrite, Vidar 2.0, in October 2025, moving from C++ to C with multithreaded collection and a rebuilt cookie-theft path that defeats Chrome’s App-Bound Encryption through direct memory injection, and by our count it became the most commonly-deployed infostealer by November 2025, surpassing LummaC2. Acreed, first seen in February 2025, built its appeal on stealth: unusually small logs that omit forensic artifacts like browser history, with command-and-control hidden behind Steam community profiles and a BNB Smart Chain dead-drop resolver that makes its operations harder to trace and its infrastructure harder to seize. Then in December 2025, VoidStealer arrived with a debugger-based bypass of Chrome’s App-Bound Encryption that needed no administrator rights and made far less noise than the older COM-based methods StealC’s generation used.
Against that, StealC’s problem wasn’t that it stopped working. It still carried an App-Bound Encryption bypass, per IBM X-Force, and its developer was still shipping builds three weeks before the seizure. Its problem was that it had become the older, louder, more heavily-researched option in a market that now offered fresher and quieter ones.
02
Researchers found and exploited real flaws in the C2 panel across early 2026 and publicly outed the methods, which were fairly basic and really should not have held up in a malware family that had been active, by that point, for almost three years. With plenty of comparable options sitting in the same market, Vidar, LummaC2, and a dozen smaller variants, it’s entirely plausible that a portion of the customer base decided StealC was poorly built and moved on. This isn’t clear-cut, though, and you could argue it’s really a sub-case of the first theory: without a competitive market to run to, some of those customers might have felt locked in and been far less willing to trade StealC for greener, more secure pastures.
What this means for disruptions is more interesting than it first looks. Law enforcement and private industry have little say over how stealer developers spend their time, aside from the ones who have already earned themselves a set of silver bracelets. But bad press is different. It measurably hurts operations, and it sits almost entirely under the control of the good guys. Casting public doubt on a stealer’s security, something the people living off those infections take very seriously, is a genuine disruption in its own right, and more research aimed squarely at that soft spot is likely to do real good, by pushing customers to migrate between families and keeping the whole ecosystem unstable. The developers, I imagine, will feel differently about it.
What the takedown means for defenders
Ecosystem-wide credential exposure did not fall when StealC did. Demand for stolen logins routes to whichever family is up next, and right now that’s Vidar. A security team watching only StealC volume would have concluded in early July that its exposure had improved, when really the source had just moved.
So track cross-family credential and session-cookie exposure, not one brand’s volume. SpyCloud tracks over 105 malware families and the one constant across every family in that previous chart is session and cookie theft that walks right past MFA, and no single takedown changes that. When recovered credentials land in victim-notification channels, act on them fast.
None of this is a case against disruption. If anything, it’s a case for more of it, more often. Repeated, coordinated, public-private action raises the cost of operating faster than the market can rebuild, and every operation feeds intelligence into the next one. The Lumma-to-Vidar handoff is proof enough that a single seizure won’t end the problem on its own, but StealC shows that when a seizure lands on a family already on the ropes, it lands hard. That’s why in alignment with our mission to disrupt cybercime, SpyCloud puts metrics and targeting into Operation Endgame and other community investigative and takedown programs: sustained pressure, applied family after family, is what actually shrinks the ecosystem.
Discover what cybercriminals know about your business and your customers – and how to prevent targeted attacks with SpyCloud.
FAQs
StealC is an information-stealing malware family that launched in January 2023 as a subscription service for roughly $300 per month, designed to steal browser passwords, session cookies, autofill data, payment cards, and cryptocurrency wallets from infected devices.
Law enforcement seized StealC’s infrastructure on June 24, 2026, as part of Operation Endgame led by Germany’s Federal Criminal Police Office and coordinated by Europol, taking down hundreds of servers and seizing over a hundred domains.
StealC peaked in January 2026 and fell more than 90% by June due to security flaws in its control panel that researchers exploited and publicized, plus competition from newer stealers like Vidar 2.0 and VoidStealer that offered better stealth and more advanced capabilities.
Vidar became the dominant information stealer after StealC’s decline, particularly after releasing version 2.0 in October 2025 with improved capabilities including a multithreaded design and advanced cookie-theft methods that defeat Chrome’s App-Bound Encryption.
[1] SpyCloud’s data is solely from successful infections – those that exfiltrated data from an infected endpoint – and cannot account for attempts, which include infections that did not successfully complete. Numbers will necessarily differ depending on the analytical lens.
[2] Note that only 66% of Rhadamanthys and 68% of LummaC2 contain a field we can accurately interpret as an infection timestamp, while 99% of Vidar and StealC logs have such a field. Logs without an infection timestamp are not included in this or other graphs within this report.