Europol and Eurojust, with Microsoft and Bitsight support, dismantled infrastructure for StealC (infostealer), Amadey (loader), and SocGholish (FakeUpdates drive-by framework), seizing 326 servers, 142 domains, and recovering 27 million stolen login credentials. Disruption does not equal eradication — remaining infrastructure and credentials exfiltrated before takedown create active downstream risk for organizations whose employees were compromised. Organizations that experienced unexplained credential theft, browser-based fake update prompts, or unrecognized remote access activity before June 25, 2026 should treat this as an active investigation signal.