
A major INTERPOL-led crackdown on cybercrime infrastructure has led to the dismantling of more than 20,000 malicious IPs and domains linked to infostealer malware, the arrest of 32 suspects, and the seizure of 41 servers across the Asia-Pacific region.
The operation, dubbed Operation Secure, ran from January to April 2025 and was conducted in partnership with law enforcement agencies from 26 countries and private cybersecurity firms.
The coordinated effort was backed by threat intelligence from Group-IB, Kaspersky, and Trend Micro. These firms produced detailed Cyber Activity Reports ahead of the operation, enabling law enforcement to identify and take down 79% of the flagged IP addresses. INTERPOL shared this intelligence with participating countries under its Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) project.
Group-IB’s Threat Intelligence and High-Tech Crime Investigations teams played a key role in mapping the infrastructure of several infostealer families, including Lumma, RisePro, and META Stealer. Their analysts tracked command-and-control servers, Telegram accounts used to advertise malware-as-a-service offerings, and platforms trading stolen credentials. This intelligence was instrumental in pinpointing compromised user accounts and tracing threat actors behind large-scale credential theft operations.
Infostealers are lightweight malware designed to extract sensitive user data from infected machines, such as login credentials, browser cookies, cryptocurrency wallet information, and saved payment methods. The logs harvested by these tools are typically sold on underground markets and are often the entry point for further attacks, including ransomware, business email compromise (BEC), and large-scale data breaches.
One of the most significant enforcement actions occurred in Vietnam, where local police arrested 18 individuals linked to infostealer activity. Among the seized evidence were VND 300 million in cash (approximately USD 11,500), SIM cards, and documents indicating a fraudulent scheme to register and sell corporate accounts, potentially to launder funds or commit business fraud.

Additional raids in Sri Lanka and Nauru led to 14 more arrests, 12 and 2 respectively, and the identification of 40 victims. Meanwhile, the Hong Kong Police Force, leveraging more than 1,700 intelligence items from INTERPOL, identified 117 C2 servers operating across 89 internet service providers. These servers were used for managing phishing operations, online scams, and fraud campaigns targeting both individuals and businesses.
The scale of the impact is reflected in the notification of over 216,000 individuals and organizations identified as victims or at risk. Authorities encouraged them to take immediate security actions such as changing passwords, revoking unauthorized access tokens, and freezing potentially compromised accounts.