INTERPOL’s Operation Secure: A Global Crackdown on Info-Stealer Malware
On Wednesday, INTERPOL announced the takedown of more than 20,000 malicious IP addresses and domains linked to 69 information-stealing malware variants. The action, dubbed Operation Secure, was a coordinated effort by law enforcement agencies across 26 countries and marks a significant step in the ongoing fight against cybercrime.
The Operation and Its Scope
Running from January to April 2025, Operation Secure was a meticulously planned initiative rather than a loose show of international unity. Participating agencies pooled their resources to identify the servers behind the threats, map out the physical networks involved, and execute targeted takedowns.
INTERPOL reported that 79% of the identified suspicious IP addresses were taken down during the operation. The action also led to the seizure of 41 servers and more than 100 GB of data. Law enforcement agencies made 32 arrests linked to illicit cyber activities, demonstrating the operation's immediate impact on global cybersecurity.
Arrests and Seizures
Among the notable achievements, Vietnam stood out, where authorities arrested 18 suspects and confiscated various items, including devices, SIM cards, business registration documents, and cash amounting to $11,500. Not stopping there, further house raids led to additional arrests: 12 individuals in Sri Lanka and two in Nauru were taken into custody.
The comprehensive nature of the operations extended to Hong Kong, where police identified 117 command-and-control servers hosted across 89 internet service providers. These servers acted as central hubs for launching and managing various malicious campaigns, encompassing threats like phishing, online fraud, and social media scams.
The Global Participation
Operation Secure wasn’t a one-nation show; it saw participation from an impressive array of countries, including Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam. This collaboration highlights the severity of the cyber threat, transcending borders and demanding a united response.
Recent Background and Significance
This announcement came on the heels of other significant operations targeting cybercrime. Just weeks before, a global initiative led to the seizure of 2,300 domains associated with Lumma Stealer malware. Similarly, efforts in October 2024 disrupted infrastructures linked to the RedLine and MetaStealer families.
The information stealers tackled in Operation Secure are typically sold on the cybercrime underground on a subscription basis. These tools serve as an entry point for cybercriminals, enabling unauthorized access to target networks. They siphon sensitive data such as browser credentials, passwords, cookies, credit card information, and cryptocurrency wallet data.
The Dark Marketplace of Stolen Credentials
Stolen data does not simply disappear; it is monetized on underground forums where cybercriminals buy and sell the harvested logs. This information enables follow-on attacks, including ransomware, data breaches, and business email compromise (BEC).
According to Group-IB, a key player in the private sector that participated in Operation Secure, the intelligence provided was pivotal in pinpointing user accounts compromised by stealer malware like Lumma, RisePro, and MetaStealer. As Dmitry Volkov, CEO of Group-IB, noted, “The compromised credentials and sensitive data acquired by cybercriminals through infostealer malware often serve as initial vectors for financial fraud and ransomware attacks.”
Insights from Cybersecurity Firms
Prominent cybersecurity firms also played vital roles in this operation. Trend Micro reported detecting families like Vidar, Lumma Stealer, and Rhadamanthys, which emerged as the most prominent threats identified. Meanwhile, Kaspersky contributed valuable data on malicious infrastructures linked to control and distribution of the stealer malware. Their research reinforces the notion that the threat is pervasive and multifaceted, necessitating ongoing vigilance and collaborative efforts.
As INTERPOL continues to mount operations like Operation Secure, the effort represents a critical alliance among nations in confronting the growing menace of cybercrime. Each takedown is a testament to the collaboration, precision, and determination required to safeguard the digital landscape.