With evidence that the tools had overlapping infrastructure, company attorneys invoked RICO statutes that target organized crime; the legal action was then able to treat both tools as part of a single conspiracy. As a result, Microsoft said, it disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers. Europol, which helped coordinate the law-enforcement part of the operation, said it recovered as many as 27 million stolen login credentials and uncovered $47 million worth of “crypto assets of criminal origin.”

“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network,” Europol said. “By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.”

Other companies assisting in “Operation Endgame” include ESET, Proofpoint and IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions.

Europol said that another tool disrupted in Operation Endgame is SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp. that spreads through compromised websites. Visitors to these sites are tricked into installing trojanized apps posing as browser extensions or other legitimate software. Europol said it has responded by cleaning infected WordPress sites and urging administrators of the sites to change credentials and tighten security. It has also worked to notify parties whose data and credentials were exposed through SocGholish activities. Countries involved in the enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US.