INTERPOL has announced the dismantling of over 20,000 malicious IPs or domains linked to 69 information-stealing malware variants. This major joint action, codenamed Operation Secure, involved law enforcement agencies from twenty-six different countries working closely together. These coordinated efforts resulted in the takedown of seventy-nine percent of all identified suspicious IP addresses by these authorities. Participating countries reported seizing 41 servers, over 100 GB of data, and arresting 32 suspects linked to illegal cyber activities. This operation took place between the months of January and April of 2025, showing a sustained and coordinated international police effort.
The Hong Kong Police, according to INTERPOL, identified 117 command-and-control servers that were hosted across 89 different internet service providers.
These servers were specifically designed to act as a central hub to launch and manage various malicious online campaigns. These campaigns included phishing, online fraud, and also various different types of widespread social media scams against many users. Vietnamese authorities arrested eighteen suspects and confiscated devices, SIM cards, business registration documents, and around $11,500 in cash. Further house raids have led to the arrests of another twelve people in Sri Lanka and two individuals in the nation of Nauru.
Information stealers are often sold on the cybercrime underground on a subscription basis and are used to gain unauthorized system access.
These malicious programs make it possible to siphon browser credentials, passwords, cookies, and credit card details from infected machines. The stolen information is then monetized in the form of logs on various forums, enabling other actors to conduct follow-on attacks. These subsequent attacks can include ransomware, major data breaches, and also various business email compromise (BEC) fraud schemes. Singapore-headquartered Group-IB said it provided mission-critical intelligence related to user accounts compromised by several specific stealer malware families.
This important new development comes just weeks after a global operation led to the seizure of 2,300 domains associated with Lumma Stealer. In a separate police operation last October 2024, authorities also disrupted infrastructure and seized data associated with RedLine malware. Stolen data from these types of malware infections has been linked to incidents at UnitedHealth, PowerSchool, and also at Snowflake. This is the second significant operational disruption for Lumma Stealer, following another international effort led by the U.S. Department of Justice. These law enforcement actions clearly demonstrate a concerted global effort to dismantle the entire cybercrime-as-a-service ecosystem for criminals.
Reference:
