Global law enforcement has dismantled over 20,000 malicious IP addresses and domains used to serve 69 variants of information‑stealing malware, in a sweeping cybercrime operation spanning 26 countries across the Asia‑Pacific region. The coordinated effort—dubbed Operation Secure—uncovered the digital infrastructure behind credential‑harvesting malware, led to the seizure of 41 servers, over 100 GB of illicit data, and the arrest of 32 suspects, officials said.
The four‑month initiative, conducted between January and April 2025, was facilitated through the Asia and South Pacific Joint Operations Against Cybercrime project, with INTERPOL coordinating national cybercrime units and private cybersecurity firms including Group‑IB, Kaspersky and Trend Micro. Intelligence sharing proved crucial, enabling authorities to disrupt roughly 79% of the identified malicious infrastructure.
Vietnamese police led the arrests, detaining 18 suspects and uncovering VND 300 million, SIM cards, corporate documentation and digital devices during raids targeting a ring alleged to be selling corporate accounts for illicit use. A further 14 individuals were apprehended in Sri Lanka and Nauru, where targeted house raids also led to the identification of 40 victims.
Hong Kong authorities played a vital technical role, analysing more than 1,700 pieces of intelligence supplied by INTERPOL and mapping 117 command‑and‑control servers across 89 ISPs, infrastructure that underpinned phishing, fraud and social media scam campaigns. In the wake of the operation, over 216,000 individuals and organisations at risk were notified, enabling them to take defensive action such as freezing accounts and changing passwords.
Infostealer malware—software designed to extract browser credentials, cookies, credit card details, and cryptocurrency wallet keys—is increasingly being used as a springboard for more destructive operations, according to cyber‑crime experts. Once compromised, credentials are sold on underground forums, facilitating follow‑on attacks including ransomware, data breaches and business email compromise.
Group‑IB, a Singapore‑based cybersecurity firm, confirmed that the operation targeted stealer families such as Lumma, RisePro and Meta, adding that “the compromised credentials and sensitive data acquired by cybercriminals through infostealer malware often serve as initial vectors for financial fraud and ransomware attacks”.
Neal Jetton, INTERPOL’s Director of Cybercrime, emphasised that the success of Operation Secure underlined the power of global cooperation. “INTERPOL continues to support practical, collaborative action against global cyber threats,” he said. “Operation Secure has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large‑scale harm to both individuals and businesses”.
Analysts observe that this operation builds on previous global cyber‑crime crackdowns, such as Operation Synergia II in 2024, which dismantled more than 22,000 malicious IPs worldwide. Taken collectively, such operations demonstrate a growing focus on attacking the root infrastructure that supports cybercrime, rather than just responding to individual attacks.
With cyber threats proliferating in complexity and scale, experts say that such public‑private partnerships and intelligence sharing are vital. By targeting the infrastructure that underpins malware distribution, authorities aim to disrupt criminal ecosystems before they evolve, rather than merely reacting to breaches.