INTERPOL Coordinates Massive Takedown: Over 20,000 Malicious Networks Dismantled in Global Cybercrime Crackdown
INTERPOL has announced the successful completion of a major international cybersecurity operation that resulted in the elimination of more than 20,000 malicious IP addresses and domains connected to 69 different information-stealing malware families. The coordinated enforcement action, designated Operation Secure, demonstrates unprecedented international cooperation in combating cybercrime infrastructure.
Operation Scope and Timeline
The multi-national operation spanned from January through April 2025, bringing together law enforcement agencies from 26 countries across multiple continents. The collaborative effort focused on identifying malicious servers, mapping criminal network infrastructure, and executing strategic takedowns of cybercriminal operations.
The operation achieved remarkable success, eliminating 79% of all identified suspicious IP addresses through coordinated enforcement actions. Participating nations reported significant seizures including 41 servers and more than 100 gigabytes of criminal data, while also apprehending 32 individuals connected to illegal cyber activities.
International Arrests and Seizures
Vietnamese law enforcement made the largest number of arrests, taking 18 suspects into custody while confiscating electronic devices, SIM cards, business registration documentation, and approximately $11,500 in cash. Enforcement actions in Sri Lanka resulted in 12 arrests through coordinated house raids, and authorities in Nauru apprehended two further individuals.
Hong Kong Police made particularly significant discoveries, identifying 117 command-and-control servers distributed across 89 different internet service providers. These servers functioned as central coordination points for launching and managing various malicious campaigns including phishing operations, online fraud schemes, and social media scams.
Participating Nations
The operation included extensive participation from countries and territories across the Asia-Pacific region and beyond. Contributing jurisdictions included Brunei, Cambodia, Fiji, Hong Kong, India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau, Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam.
Recent Enforcement Context
Operation Secure represents the latest in a series of major international cybercrime enforcement actions. Just weeks prior, a separate global operation resulted in the seizure of 2,300 domains associated with the Lumma Stealer malware family. Additionally, law enforcement agencies disrupted infrastructure and confiscated data related to the RedLine and MetaStealer malware families during an operation in October 2024.
Information Stealer Threat Landscape
Information-stealing malware represents a critical component of the modern cybercrime ecosystem, typically distributed through subscription-based models on underground criminal marketplaces. These malicious programs serve as initial access tools for threat actors seeking to infiltrate target networks and systems.
The malware families targeted in Operation Secure are designed to extract sensitive information from infected computers, including browser credentials, stored passwords, authentication cookies, credit card information, and cryptocurrency wallet data. This stolen information is subsequently monetized through underground forums where criminals sell access logs to other malicious actors.
Criminal Monetization and Follow-on Attacks
The stolen credentials and sensitive data harvested by information stealer malware frequently become the foundation for more sophisticated cybercriminal operations. These initial compromises enable secondary attacks including ransomware deployments, large-scale data breaches, and business email compromise schemes that can result in significant financial losses for organizations and individuals.
Private Sector Collaboration
Singapore-based cybersecurity firm Group-IB played a crucial role in Operation Secure by providing essential intelligence about user accounts compromised by various stealer malware families including Lumma, RisePro, and MetaStealer. The company's participation highlights the importance of public-private partnerships in combating modern cybercrime.
According to Group-IB CEO Dmitry Volkov, the compromised credentials and sensitive information obtained through information stealer malware campaigns frequently serve as the initial attack vectors for financial fraud operations and ransomware incidents, emphasizing the broader impact of these seemingly basic malware families.
Strategic Impact
Operation Secure demonstrates the effectiveness of coordinated international law enforcement efforts in disrupting cybercriminal infrastructure. By simultaneously targeting servers, networks, and individuals across multiple jurisdictions, the operation significantly degraded the operational capabilities of numerous information stealer campaigns while sending a strong deterrent message to the broader cybercriminal community.
The operation's success in eliminating nearly 80% of identified malicious infrastructure represents a substantial blow to cybercriminal operations that rely on these networks to conduct their illegal activities. However, the dynamic nature of cybercrime means that continued vigilance and international cooperation remain essential to maintaining pressure on these criminal enterprises.