Operation Secure disrupts global infostealer malware operations
An international law enforcement action codenamed “Operation Secure” targeted infostealer malware infrastructure in a massive crackdown across 26 countries, resulting in 32 arrests, data seizures, and server takedowns.
More than 20,000 malicious IP addresses or domains linked to information stealers have been taken down in an INTERPOL-coordinated operation against cybercriminal infrastructure.
During Operation Secure (January – April 2025), law enforcement agencies from 26 countries worked to locate servers, map physical networks and execute targeted takedowns.
Ahead of the operation, INTERPOL cooperated with private-sector partners Group-IB, Kaspersky and Trend Micro to produce Cyber Activity Reports, sharing critical intelligence with cyber teams across Asia. These coordinated efforts resulted in the takedown of 79 per cent of identified suspicious IP addresses.
Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.
Ensar Seker, CISO at SOCRadar, had this comment:
“Operation Secure marks one of the most impactful international crackdowns on the infostealer ecosystem to date. What stands out is the breadth and coordination of the effort: spanning 26 countries, seizing infrastructure, and actively notifying over 200,000 victims. This scale demonstrates a global acknowledgment that infostealers are no longer niche threats but form the backbone of modern cybercrime: from initial access brokers to identity theft, fraud, and nation-state reconnaissance.”
“These 32 arrests may seem small compared to the global volume of infections, but they’re strategically vital, targeting the operators and developers, not just low-level distributors. The seizure of 100 GB of stolen data also offers intelligence gold: victim telemetry, malware configuration, and affiliate network structures can now be analyzed to inform threat hunting and attribution efforts.”
“However, it’s important to understand that disruption is not dismantling. Just like with Lumma or RedLine, underground markets are resilient. We should expect forks, rebrands, and rebuilds. The effectiveness of Operation Secure will ultimately hinge on how well this law enforcement data is integrated into public-private threat intelligence sharing, and whether proactive takedowns continue, especially in jurisdictions where cybercrime actors have historically operated with little risk.”
“For defenders, the key takeaway is clear: infostealer infections are persistent, silent, and damaging. Credential hygiene, endpoint telemetry, browser artifact scanning, and access management must be prioritized. And from a policy level, this shows the value of collaboration between cybersecurity companies, hosting providers, and global law enforcement, something the industry must keep supporting if we want to stay ahead of evolving threats.”
Erich Kron, Security Awareness Advocate at KnowBe4, follows with this comment:
“It’s always welcome news when countries work together to take down cybercrime infrastructure and bad actors. As this is a global problem, this sort of cooperation and coordination between law enforcement organizations and the private sector from around the world is incredibly important if we are going to protect our economies from cybercriminals.”
“The theft and selling of information is big business for cybercriminal groups, and impacts organizations and individuals alike. From personal information of employees and others, to intellectual property with a significant cost to develop, the market for stolen information has never been greater.”
Takedowns like this one are a good thing. The real trick is ensuring that the threat actors never come back. But given how out of control things are, any day where the good guys get a win is a good day.
This entry was posted on June 11, 2025 at 3:47 pm and is filed under Commentary with tags Law Enforcement. You can follow any responses to this entry through the RSS 2.0 feed.