
Microsoft AI Analysis Cracks Cybercrime Assembly Line, Dismantling Amadey and StealC in Global Operation

Mohamed Naseem
Malé · 25 June 2026 · Markets desk

International authorities and a coalition of private technology companies, including Microsoft, have disrupted a cybercrime "assembly line" responsible for collecting millions of stolen login credentials and more than $47 million in ransomware payments and other fraudulent proceeds. The coordinated takedown struck simultaneously at two separate but intertwined criminal platforms — Amadey and StealC — after Microsoft's AI-assisted analysis revealed that the tools shared critical underlying infrastructure.

The Two Weapons at the Core of the Operation

Amadey is a malware-as-a-service platform that has been active in the wild since at least 2018. It functions as a delivery mechanism: compromising target devices and dropping customized malicious payloads used in ransomware attacks and other scams. As recently as last year, Amadey was observed exploiting GitHub to gather system information from infected machines before installing those tailored payloads — a sign of continued operational sophistication.

StealC operates on a different but complementary axis. The infostealer-as-a-service platform is designed to extract credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files whose names match patterns specified by each paying customer. Together, the two platforms effectively covered the full criminal workflow: Amadey broke in, StealC harvested the valuables.

How Microsoft Tied the Two Together

Amadey and StealC are distinct products, operated independently, with separate customer bases. The convergence point was infrastructure. Microsoft said it determined — through AI-driven analysis of both tools — that they relied on some of the same underlying systems to function. That finding gave Microsoft's legal team the grounds to seek a single court order targeting the shared infrastructure, cutting both platforms simultaneously rather than pursuing sequential, piecemeal takedowns.

The simultaneity was the operational advantage. Because many cybercriminals subscribe to both services as part of individual attack chains, disrupting the shared backbone severed what authorities described as an assembly-line model for large-scale fraud — one in which commoditized tools are stacked and rented rather than built from scratch.

What the Disruption Means for the Cybercrime Economy

The operation underscores a shift in how law enforcement and the private sector approach malware-as-a-service ecosystems. Rather than chasing individual threat actors, the strategy targets the commercial platforms that supply them — removing the tools before attacks are launched. The $47 million figure attributed to the two platforms reflects the scale that off-the-shelf criminal software can reach when distributed across a broad subscriber base.

Microsoft's use of AI to identify the infrastructure overlap adds a consequential precedent: automated analysis can expose hidden dependencies between nominally unrelated criminal networks, compressing the timeline from investigation to legal action. For cybersecurity investors and enterprise security buyers, the takedown signals that AI-driven threat intelligence is increasingly the axis on which major enforcement actions turn.

Filed via Newsmv

Frequently asked

What is the difference between Amadey and StealC?

Amadey is a malware-as-a-service platform that compromises devices and drops malicious payloads, while StealC is an infostealer-as-a-service that extracts credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files. Together they covered the full criminal workflow, with Amadey breaking in and StealC harvesting the valuables.

How did Microsoft connect the two platforms?

Microsoft used AI-driven analysis of both tools to determine they relied on some of the same underlying infrastructure, even though they are distinct products operated independently with separate customer bases.

How much money was tied to the operation?

The two platforms were linked to more than $47 million in ransomware payments and other fraudulent proceeds, along with the collection of millions of stolen login credentials.

Why was striking both platforms simultaneously important?

Because many cybercriminals subscribe to both services as part of individual attack chains, disrupting the shared infrastructure at once severed an assembly-line model for large-scale fraud rather than allowing piecemeal, sequential takedowns.

What broader significance does this takedown have?

It signals a shift toward targeting commercial malware-as-a-service platforms instead of individual threat actors, and sets a precedent that AI-driven analysis can expose hidden dependencies between criminal networks and speed the path from investigation to legal action.