INTERPOL Dismantles Global Infostealer Network
INTERPOL’s Operation Secure led to the takedown of more than 20,000 IP addresses and domains linked to infostealer malware. The initiative, carried out from January to April 2025 across 26 countries, concluded with the arrest of 32 suspects and the seizure of 41 servers, disrupting a vast cybercrime network.
The operation’s purpose was to dismantle the initial entry point for larger-scale cyberattacks. “Logs stolen by infostealers are often the starting point for broader security breaches. Cutting these initial access points disrupts larger criminal operations,” says Neal Jetton, Director of Cybercrime, INTERPOL.
Infostealer malware has become a key tool for unauthorized access to organizational networks, reports Kaspersky. This malicious software is designed to covertly extract sensitive data from infected devices, known as bots. Stolen information typically includes browser credentials, passwords, session cookies, credit card details, and cryptocurrency wallet data.
For B2B environments, the threat is direct and multifaceted. Collected data, or logs, are traded on underground cybercrime markets and serve as gateways for subsequent attacks. These logs are the initial access vector enabling ransomware deployment, large-scale data exfiltration, and cyber fraud schemes such as business email compromise (BEC). Neutralizing infostealer infrastructure, therefore, represents a critical preventive measure to protect corporate assets.
“By understanding how infostealers operate and how their log files are distributed, organizations and individuals can take proactive measures to strengthen their cybersecurity posture,” reads Kaspersky’s The Evolving Threat Landscape of Infostealers report.
Operation Secure
Operation Secure, conducted under the project Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC), relied on public-private collaboration. INTERPOL partnered with cybersecurity companies Group-IB, Kaspersky, and Trend Micro to generate Cyber Activity Reports distributed to law enforcement teams in participating countries. This intelligence enabled a 79% takedown rate of identified suspicious IP addresses.
Authorities seized 41 servers containing over 100GB of data. Following the infrastructure takedown, law enforcement notified over 216,000 victims and potential victims to take remediation steps, such as password changes and account freezes.
In Vietnam, police arrested eighteen suspects. From the group leader, they seized more than 300 million VND (US$11,500), SIM cards, and corporate registration documents, indicating a scheme to create and sell corporate accounts for illicit activities. Meanwhile, Hong Kong police analyzed over 1,700 pieces of intelligence provided by INTERPOL.
This analysis led to the identification of 117 command-and-control (C2) servers hosted by 89 internet service providers (ISPs). These C2 servers form the central infrastructure from which cybercriminals manage and launch malicious campaigns. In Sri Lanka and Nauru, raids resulted in the arrest of 14 individuals — 12 in Sri Lanka and two in Nauru — and the identification of 40 direct victims.