INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

Jun 11, 2025Ravie LakshmananCybercrime / Malware

INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants.

The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns.

“These coordinated efforts resulted in the takedown of 79 percent of identified suspicious IP addresses,” INTERPOL said in a statement. “Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.”

Vietnamese authorities arrested 18 suspects, and confiscated devices, SIM cards, business registration documents, and money worth $11,500. Further house raids have led to the arrest of another 12 people in Sri Lanka and two individuals in Nauru.

The Hong Kong Police, per INTERPOL, identified 117 command-and-control servers hosted across 89 internet service providers. These servers were designed to act as a hub to launch and manage malicious campaigns, such as phishing, online fraud, and social media scams.

Countries involved in Operation Secure include Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam.

The development comes weeks after a global operation led to the seizure of 2,300 domains associated with the Lumma Stealer malware.

Information stealers, often sold on the cybercrime underground on a subscription basis, are seen as a stepping stone for threat actors to gain unauthorized access to target networks. These malicious programs make it possible to siphon browser credentials, passwords, cookies, credit card details, and cryptocurrency wallet data from infected machines.

The stolen information is then monetized in the form of logs on various forums, enabling other actors to conduct follow-on attacks, including ransomware, data breaches, and business email compromise (BEC).

Singapore-headquartered Group-IB, which was one of the private sector companies that participated in the operation, said it provided mission-critical intelligence related to user accounts compromised by stealer malware like Lumma, RisePro, and Meta Stealer.

“The compromised credentials and sensitive data acquired by cybercriminals through infostealer malware often serve as initial vectors for financial fraud and ransomware attacks,” said Dmitry Volkov, CEO of Group-IB.