DIVD-2026-00007 - Victim Notification Operation Endgame - S03E03 & S03E04
| Our reference | DIVD-2026-00007 |
| Case lead | Bart van Wijk |
| Author | DIVD CSIRT |
| Researcher(s) | |
| CVE(s) |
|
| Products |
|
| Recommendation | See the "What you can do" chapter below |
| Status | Open |
| Last modified | 30 Jun 2026 21:53 CEST |
Summary
Welcome to season 3 Episode 3 and 4 of Operation Endgame, the biggest coordinated multi-police force and justice departments operation against cybercriminals.
In this season of international cooperation between The Netherlands, France, The United States of America, the United Kingdom, Germany, Canada, Belgium and Australia, with support from Europol and Eurojust, another criminal infrastructure has been taken offline and victim data harvested.
This data has been shared with us to perform victim notification.
Season 3 Episode 3 - SocGholish
The third episode of season three is about the SocGholish malware downloader and the stealer malware it delivers.
We have received two datasets related to SocGholish:
- A dataset that contains victims of the stealer malware delivered by SocGholish
- A dataset of WordPress websites that have been compromised with the SocGholish malware downloader and are currently or have been spreading malware.
Season 3 Episode 4 - StealC and Amadey
The fourth episode of season three is about the StealC information stealer and the Amadey botnet.
We have received a dataset related to StealC and Amadey. This dataset contained credentials stolen from many users as well as information that identifies infected computers (laptops and desktops).
What you can do
What you can do depends on your personal situation.
- If you are an administrator of a WordPress website that has been infected, see our instructions for WordPress administrators
- If you are a victim of the SocGholish delivered stealer, see our instructions for victims of SocGholish delivered stealers
- If you are an individual user and you want to know if you were part of the StealC data set, we recommend you check this at Have I Been Pwned
- If you are an individual and you found out that your credentials have been compromised, please visit our instructions for StealC victims
- If you are a system administrator and wonder if accounts of your users are involved, see our instructions for using the apex lists
- If you are a SOC/CSIRT and wonder if this involves your constituency, the instructions for using the apex lists also apply to you.
What we are doing
S03E03 - SocGholish
Based on the datasets we received, we are contacting victims directly. We will email victims whose credentials, including email addresses and passwords, have been stolen, as well as administrators of WordPress websites that have been compromised and have been spreading malware.
S03E04 - StealC and Amadey
Because the information relates to over 26M individual email addresses we cannot mail individuals whose credentials have been compromised directly. The police has handed over this information to Have I Been Pwned.
As per our leaked credentials policy we are doing the following
We have created two extracts that can be downloaded here
- Email apex extract: This extract will contain the apex domains of the emails involved in the breach and for each apex the number of unique email addresses and password combinations.
- URL apex extract: we have the URL that the password belongs to, we will also make this extract. It will contain the apex domains of the URLs and per apex the number of unique email addresses contained in the breach.
Based on these extracts we will invite (government and other) CERTS, CSIRTs and Security Teams to provide us with the apexes that are in the extract and in their constituency or that they otherwise have a demonstrable legitimate interest in. For those apexes, we will return the data. See our instructions for using the apex lists for more details.
Frequently asked questions
General
Q: Is this a scam?
A: It’s great that you’re skeptical. However, this is legit and definitely not a scam. This operation is a collaboration between the Dutch National Police, Europol, Digital Trust Center, NCSC and others. We, the Dutch Institute of Vulnerability Disclosure (DIVD), are mentioned on the partner page of the Operation Endgame site as well as the Press release of the Dutch National Police.
Q: Do you have my password?
A: No, we do not have your password. We may have sent you an email containing a partial password, with only the last few characters visible. This is the only part of your password we possess. The Dutch Police ensured that all passwords were hidden before sharing the data with us.
Q: Are you going to go after the criminals who stole my information?
A: No, we are not. That is a matter for law enforcement. As per article 9 of our code of conduct: We analyze online threats, not threat actors. We are researchers and don’t serve the needs of governments or law enforcement.
Q: If you “don’t serve the needs of governments or law enforcement”, why are you cooperating with the Dutch National Police on this case?
A: Acting on this data set is directly in line with article 3 of our code of conduct: Analyze databases with leaked credentials and report to the organizations or people who are compromised to take appropriate measures.
We analyze every database we receive, including those from law enforcement. However, we do this independently, without any obligation or intention to share any specific information in return.
Technical
Q: Do you know how the Dutch National Police obtained this information?
A: No we don’t know any details, but we know that Operation Endgame contains information from several criminal operations.
Q: Do you know from which criminal operation my data was obtained?
A: In some cases we know the name of the infostealer malware, but further details were not shared with us. The first notifications we sent out relate to the SocGholish malware downloader The second notifications we sent out relate to StealC Malware-as-a-Service infostealer batch1
Legal
Q: You are processing my personal data without my consent, is that legal?
A: Yes it is. Under Dutch law and European privacy regulations, we can process this data based on a so-called “legitimate interest.” DIVD is a private foundation that operates under a strict code of conduct, with the aim to make the digital world safer.
Press release of Dutch police Press release of Dutch police
Timeline
| Date | Description |
|---|---|
| 18 Jun 2026 | Dutch National Police goes public with Operation Endgame S03E03 (The SocGholish episode) |
| 18 Jun 2026 | DIVD sends out first notifications with regard to SocGholish to website owners |
| 24 Jun 2026 | Dutch National Police goes public with Operation Endgame S03E04 (The StealC and Amadey episode) |
More information
- Operation Endgame website
SocGholish
- Press release of Dutch police
- Press release of Dutch police about StealC and Amadey