The Problem: Cybercrime Runs Like a Business

Most people picture hackers as lone wolves. The reality is far more boring — and far more dangerous.
Modern cybercrime is modular. Specialized tools handle each step of an attack like stations on a factory floor. One tool breaks in. Another steals credentials. A third sells or exploits that access for ransomware, fraud, or espionage. Different actors may never meet, but their tools are built to interoperate.
Amadey and StealC are a textbook example of this. Amadey infects a device and establishes access. StealC moves in to harvest passwords and sensitive data. Together, they form a critical link in the chain — and in just the first two weeks of May 2026, they were linked to more than 140,000 infected computers globally.
The downstream effects are anything but abstract. A hospital locked out of patient records. A city unable to deliver basic services. A small business wiped out overnight. Microsoft has even observed Russian-affiliated actor Secret Blizzard leveraging Amadey infections to deploy custom malware against targets in Ukraine.
The Insight: Same Infrastructure, Different Criminals
Here’s where it gets interesting.
Amadey and StealC were developed by separate cybercriminals — but investigators discovered they relied on the same underlying infrastructure. That connection was the key to everything that followed.
Finding it, however, required digging through dense, obfuscated malware code. That’s exactly where AI entered the picture.
How Copilot Accelerated the Investigation

Microsoft’s team used AI — including Copilot — to analyze the malware by asking questions in plain English rather than manually reverse-engineering complex code line by line. The AI helped surface key behavioral patterns, uncover hidden data structures, and validate findings at a speed that compressed what would have taken days into minutes.
This isn’t AI replacing analysts. It’s AI removing the friction that slows analysts down.
Those insights gave the legal team what they needed to make a bold move: treat both malware families as part of a single criminal conspiracy.
The Legal Innovation: RICO Meets Cybercrime
Microsoft has long used civil litigation to disrupt criminal infrastructure — filing around 40 cases since 2008. What’s new here is the expanded application of RICO, the Racketeer Influenced and Corrupt Organizations Act — a law originally designed to dismantle organized crime syndicates.
By using RICO, Microsoft could charge multiple complicit enablers across both operations simultaneously, rather than pursuing each tool in a separate, slower legal action. The case was filed in the US District Court for the Southern District of Florida (Case No. 26-cv-24064-JB).
The practical effect: instead of playing whack-a-mole with individual services, the legal action targeted the connective tissue of the operation itself.
The Execution: No One Does This Alone
A coordinated legal strategy only works if the intelligence behind it is solid — and that required serious collaboration.
Microsoft had been tracking Amadey alongside cybersecurity partners ESET, BitSight, Lumen, and MBSD. Meanwhile, Europol’s EC3, together with Germany’s Federal Criminal Police Office, the Dutch National Police, the Danish National Police, IBM X-Force, and Proofpoint, had been investigating StealC as part of Operation Endgame.
Bringing those two parallel investigations together expanded the collective dataset and made it possible to identify the infrastructure overlap — and act on it quickly.
The seized domains now display a clear message:
This website domain has been seized by Microsoft.
That’s not just a legal notice. It’s a signal to every operator in the ecosystem: the chain is visible, and it can be broken.
Why Disrupting the Supply Chain Matters More Than Single Takedowns
Taking down one tool creates a temporary inconvenience for cybercriminals. Disrupting the supply chain creates sustained friction.
When multiple stages of an operation are hit simultaneously, attackers can’t simply swap one component and continue. They have to rebuild trust, re-establish infrastructure, and find new partners — all while under increased scrutiny. That takes time and money, which raises the cost of doing business in cybercrime.
Microsoft’s approach pairs court-authorized disruption with ongoing tracking through its Statutory Automated Disruption program, which accelerates the removal of malicious domains as criminals attempt to rebuild. The goal isn’t a single win. It’s a system that keeps applying pressure.
The Takeaway: AI as a Force Multiplier for Defenders
The most important shift in this story isn’t legal or operational — it’s analytical.
AI didn’t catch the criminals. Investigators, lawyers, and law enforcement partners did that. But AI compressed the time between “we have data” and “we understand what it means” — and in cybersecurity, speed is everything.
For founders building security workflows, for teams evaluating AI tools, and for anyone trying to understand where AI actually delivers value in the real world: this is it. Not magic. Not automation for its own sake. A force multiplier that lets skilled people move faster, see further, and act with more precision.
The cybercrime assembly line is real. The good news is that the disruption assembly line is getting smarter too.