Score one for the good guys.
CNN has reported that the FBI and international partners seized control of the popular hacking forum RaidForum. At the time of the seizure, the forum had over 500k registered members, and was known for advertising hacked American data. Law enforcement agencies in the US, UK, Sweden and elsewhere were involved in the seizure.
Chris Olson, CEO, The Media Trust had this to say:
“The seizure of RaidForum is a great example of what can happen when law enforcement agencies cooperate in the global fight against cybercrime. Unfortunately, it’s not likely to have a significant impact on cybercrime, as users of RaidForum – and any “surface web” hacking boards – are not major players, and many will simply migrate elsewhere.”
“The modern Web is effectively a borderless entity, which makes cybercrime exceedingly difficult to fight. By 2025, the yearly cost for consumers and organizations is expected to reach $10.5 trillion. In the meantime, we need to take better control of our digital borders – until we do, cyber actors will continue to target consumers through Web and mobile endpoints.”
Hopefully we see more takedowns like this, because every time the good guys do this, it becomes less and less comfortable for threat actors to exist.
UPDATE: I have two more comments. The first is from Peter Stelzhammer, Co-founder, AV-Comparatives:
“By shutting down this forum a great source for black hats has gone. Nevertheless, there is a massive number of other sources, so stay safe on the internet and use IT security systems and backup.”
“Investigators had been preparing the operation for a year. It was coordinated by Europol’s cybercrime specialists. So, you can see how much it was online without any consequences serving the black heads. Cybercrime is making more money than the whole drug industry nowadays.”
The second is from Artur Kane, CMO, GoodAccess:
“While hackers’ forums’ social and educational aspects are apparent, these media play a fundamental role in the community’s operational capabilities. It is where members join forces to coordinate their activities, exchange code and tools used in attacks, share experiences about exploiting vulnerabilities, sell stolen data such as passwords, and more. Reestablishing this core exchange and collaboration platform is vital for the success of cybercriminal activities. While, at first, the former members will distribute to smaller sites, a new major successor will soon arise to take the RaidForums’ place. One of the likely candidates is BreachForums.”
Operation Secure disrupts global infostealer malware operations
Posted in Commentary with tags Law Enforcement on June 11, 2025 by itnerd
An international law enforcement action codenamed “Operation Secure” targeted infostealer malware infrastructure in a massive crackdown across 26 countries, resulting in 32 arrests, data seizures, and server takedowns.
More than 20,000 malicious IP addresses or domains linked to information stealers have been taken down in an INTERPOL-coordinated operation against cybercriminal infrastructure.
During Operation Secure (January – April 2025) law enforcement agencies from 26 countries worked to locate servers, map physical networks and execute targeted takedowns.
Ahead of the operation, INTERPOL cooperated with private-sector partners Group-IB, Kaspersky and Trend Micro to produce Cyber Activity Reports, sharing critical intelligence with cyber teams across Asia. These coordinated efforts resulted in the takedown of 79 per cent of identified suspicious IP addresses.
Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.
Ensar Seker, CISO at SOCRadar had this comment:
“Operation Secure marks one of the most impactful international crackdowns on the infostealer ecosystem to date. What stands out is the breadth and coordination of the effort. Spanning 26 countries, seizing infrastructure, and actively notifying over 200,000 victims. This scale demonstrates a global acknowledgment that infostealers are no longer niche threats but form the backbone of modern cybercrime: from initial access brokers to identity theft, fraud, and nation-state reconnaissance.”
“These 32 arrests may seem small compared to the global volume of infections, but they’re strategically vital, targeting the operators and developers, not just low-level distributors. The seizure of 100 GB of stolen data also offers intelligence gold: victim telemetry, malware configuration, and affiliate network structures can now be analyzed to inform threat hunting and attribution efforts.”
“However, it’s important to understand that disruption is not dismantling. Just like with Lumma or RedLine, underground markets are resilient. We should expect forks, rebrands, and rebuilds. The effectiveness of Operation Secure will ultimately hinge on how well this law enforcement data is integrated into public-private threat intelligence sharing, and whether proactive takedowns continue especially in jurisdictions where cybercrime actors have historically operated with little risk.”
“For defenders, the key takeaway is clear: infostealer infections are persistent, silent, and damaging. Credential hygiene, endpoint telemetry, browser artifact scanning, and access management must be prioritized. And from a policy level, this shows the value of collaboration between cybersecurity companies, hosting providers, and global law enforcement. Something the industry must keep supporting if we want to stay ahead of evolving threats.”
Erich Kron, Security Awareness Advocate at KnowBe4 follows with this comment:
“It’s always welcome news when countries work together to take down cybercrime infrastructure and bad actors. As this is a global problem, this sort of cooperation and coordination between law enforcement organizations and the private sector from around the world is incredibly important if we are going to protect our economies from cybercriminals.”
“The theft of and selling of information is big business for cybercriminal groups, and impacts organizations and individuals alike. From personal information of employees and others, to intellectual property with a significant cost to develop, the market for stolen information has never been greater.”
Takedowns like this one are a good thing. The real trick is ensuring that the threat actors never come back. But given how out of control things are, any day where the good guys get a win is a good day.