An international operation has disabled thousands of malware-linked servers and led to multiple arrests across 26 countries.
INTERPOL has announced the successful dismantling of more than 20,000 malicious IP addresses and domains associated with 69 different information-stealing malware strains. The coordinated global operation, codenamed Operation Secure, ran from January to April 2025 and involved law enforcement from 26 countries.
The takedown resulted in the removal of 79% of the identified malicious IPs, the seizure of 41 servers, more than 100 GB of data, and the arrest of 32 suspects. Vietnamese authorities led the arrest count with 18 individuals detained, while additional arrests were made in Sri Lanka and Nauru.
Information-stealing malware, often sold on underground cybercrime marketplaces as subscription-based tools, enables criminals to harvest browser data, passwords, credit card information, and crypto wallet keys from compromised devices. The stolen data is typically bundled into "logs" and sold for use in follow-on attacks such as ransomware, phishing, and business email compromise (BEC).
INTERPOL’s operation included targeted network mapping and takedowns of key infrastructure, including 117 command-and-control servers identified by the Hong Kong Police across 89 internet service providers. These servers were central to managing phishing campaigns, online scams, and other forms of cyber fraud.
Countries that participated in Operation Secure include Singapore, India, Japan, Malaysia, Thailand, Vietnam, and many Pacific Island nations. The operation also involved cybersecurity firm Group-IB, which supplied threat intelligence on malware such as Lumma, Meta Stealer, and RisePro.
INTERPOL stated that the cooperation between national authorities and private sector partners was critical to identifying and dismantling the infrastructure behind the malware networks. Dmitry Volkov, CEO of Group-IB, noted that credentials stolen by infostealers are often used as entry points for financial fraud and ransomware attacks.
The operation follows another recent global action that seized 2,300 domains tied to the Lumma Stealer malware.
Infostealer malware often serves as a precursor to larger cyberattacks, making early intervention necessary. International operations like Operation Secure demonstrate the value of cross-border collaboration in dismantling command infrastructure and disrupting access to stolen data. Targeting early-stage threats has the potential to limit the spread of financially motivated cybercrime and reduce the likelihood of follow-on attacks such as ransomware.
Infostealers are malicious programs that silently collect sensitive data such as saved passwords, browser cookies and session data, and cryptocurrency wallet files from infected devices. This data is then exfiltrated and sold or reused in cyberattacks.
Stolen credentials are packaged into "logs" and sold on dark web forums. Buyers use them for phishing, fraud, identity theft, or to gain access to corporate networks for larger-scale attacks.
Cybercrime infrastructure is often distributed across multiple countries and hosted on servers in various jurisdictions. International cooperation is needed to take down these networks and prosecute operators effectively.
Firms like Group-IB provide technical intelligence, malware analysis, and victim identification support. Their data helps law enforcement trace malware campaigns and prioritize takedowns.
Organizations should enforce multi-factor authentication, monitor for exposed or reused credentials (including their own domains turning up in stealer logs), deploy endpoint protection, and regularly audit systems for activity linked to known malware variants. Because infostealers also capture browser cookies, a detected exposure should trigger session revocation as well as a password reset, since a stolen session token can bypass MFA.
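As an added example (it is not code from the article, INTERPOL or Group-IB), the Python below shows the kind of triage the "logs" described above and the monitoring advice here call for: it parses a constructed stealer log in the common "URL / Username / Password" block layout, flags every credential that belongs to an assumed monitored organization (by login host or by the e-mail domain of the username), and spots the same username-and-password pair reused across sites. The sample log text, the domain example-corp.com and the block format are assumptions made for the example; real logs vary by malware family.

```python
"""Triage a constructed infostealer credential log for a monitored organization."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed organization domains to watch for (example value, not from the article).
MONITORED_DOMAINS = {"example-corp.com"}

# Constructed sample in the "URL / Username / Password" block layout
# many stealer families use for their Passwords.txt; not a real capture.
SAMPLE_LOG = """
URL: https://mail.example-corp.com/owa
Username: alice@example-corp.com
Password: Summer2024!
Application: Chrome

URL: https://vpn.example-corp.com
Username: alice@example-corp.com
Password: Summer2024!
Application: Chrome

URL: https://accounts.google.com
Username: alice.personal@gmail.com
Password: hunter2
Application: Edge

URL: https://github.com/login
Username: bob@example-corp.com
Password: c0rrect-horse
Application: Chrome

URL: https://shop.example.net
Username: alice.personal@gmail.com
Password: hunter2
Application: Edge

URL: https://wiki.example-corp.com
Username: admin
Password: admin123
Application: Firefox
"""


def parse_credential_blocks(text):
    """Split the log on blank lines and turn each 'Key: value' block into a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip().lower()] = value.strip()
        if "url" in rec and "username" in rec:
            records.append(rec)
    return records


def host_of(url):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()


def domain_matches(name, monitored):
    """True if name equals a monitored domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in monitored)


def find_exposed_accounts(records, monitored):
    """Return sorted (username, host) pairs tied to a monitored organization.

    A record counts if the login host is under a monitored domain or the
    username is an e-mail address on a monitored domain; both cases matter,
    because staff reuse corporate e-mail on third-party sites.
    """
    exposed = set()
    for rec in records:
        host = host_of(rec["url"])
        user = rec["username"]
        user_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
        if domain_matches(host, monitored) or domain_matches(user_domain, monitored):
            exposed.add((user, host))
    return sorted(exposed)


def find_password_reuse(records):
    """Map (username, password) pairs to the hosts they were seen on; keep reused ones."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec["username"].lower(), rec.get("password", ""))].add(host_of(rec["url"]))
    return {pair: sorted(hosts) for pair, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    recs = parse_credential_blocks(SAMPLE_LOG)
    for user, host in find_exposed_accounts(recs, MONITORED_DOMAINS):
        print(f"RESET + REVOKE SESSIONS: {user} (seen on {host})")
    for (user, _), hosts in find_password_reuse(recs).items():
        print(f"PASSWORD REUSE: {user} on {', '.join(hosts)}")
```

Each flagged account is a candidate for a forced password reset and session revocation rather than just a reset, because the same log usually also carries the victim's browser cookies; the reuse report is worth feeding back to the affected users even when the reused password belongs to a personal account, since it shows which corporate passwords are now known to whoever bought the log.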