INTERPOL Neutralizes Over 20,000 Malicious IP Addresses Associated with 69 Malware Variants in Operation Secure

INTERPOL has reported the successful dismantling of over 20,000 malicious IP addresses and domains associated with 69 information-stealing malware variants. This initiative, codenamed Operation Secure, was executed from January to April 2025 and involved law enforcement agencies from 26 countries working collaboratively to identify servers, map physical networks, and carry out targeted takedowns.

According to INTERPOL, these coordinated efforts led to the takedown of 79% of the identified suspicious IP addresses. Participating nations seized 41 servers and over 100 GB of data while arresting 32 individuals tied to illicit cyber activities.

In Vietnam alone, authorities detained 18 suspects, confiscating devices, SIM cards, business registration documents, and currency amounting to $11,500. Subsequent raids in Sri Lanka resulted in the arrest of an additional 12 suspects, with two more detained in Nauru.

The Hong Kong Police identified 117 command-and-control servers hosted across 89 internet service providers. These servers were used to launch and manage malicious campaigns, including phishing, online fraud, and social media scams.

Countries participating in Operation Secure included Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam.

This announcement follows closely after another global operation that resulted in the seizure of 2,300 domains linked to the Lumma Stealer malware.

Information stealers, commonly sold on underground cybercrime markets on a subscription basis, are viewed as preliminary tools for threat actors seeking unauthorized access to targeted networks. These malicious programs enable attackers to extract browser credentials, passwords, cookies, credit card information, and cryptocurrency wallet details from compromised systems.

The compromised data is then sold on various forums, facilitating follow-on attacks such as ransomware incidents, data breaches, and business email compromise (BEC).

Group-IB, a Singapore-based cybersecurity firm participating in the operation, provided crucial intelligence concerning user accounts that had been compromised by information stealers such as Lumma, RisePro, and Meta Stealer. Dmitry Volkov, CEO of Group-IB, emphasized that credentials acquired through infostealer malware often serve as enabling vectors for financial fraud and ransomware attacks.