Full Report
Operation Secure targeted malicious IPs, domains and servers used for infostealer operations that claimed more than 216,000 victims. Source: CyberScoop, "Global law enforcement action in Asia nets large infrastructure seizure, 32 arrests".
Analysis Summary
# Incident Report: Operation Secure Infostealer Infrastructure Takedown
## Executive Summary
Law enforcement agencies from 26 countries successfully executed "Operation Secure," a coordinated effort targeting major infostealer operations across Asia. The operation resulted in the seizure of significant malicious infrastructure, the arrest of 32 suspects in Vietnam, Sri Lanka, and Nauru, and the disruption of C2 networks linked to malware variants like Lumma and Risepro, protecting hundreds of thousands of potential victims.
## Incident Details
- Discovery Date: Not separately stated; the operation ran through the first four months of the year.
- Incident Date: Ongoing infostealer activity over the first four months of the year (2025).
- Affected Organization: Multiple organizations and over 216,000 individual victims globally (identified through stolen data).
- Sector: Broad impact across all sectors due to the nature of infostealer malware.
- Geography: Operation coordinated across 26 countries, with infrastructure seizures concentrated in Asia; the arrests took place in Vietnam, Sri Lanka, and Nauru.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing activity leading up to the operation (First four months of the year).
- Vector: Use of various infostealer malware variants (including Lumma, Risepro, and Meta Stealer) to compromise end-user devices.
- Details: Malware was used to steal credentials, cookies, credit card details, and cryptocurrency account data.
### Lateral Movement
- Details: Not detailed in the source. The scope of the operations was mapped through analysis of the C2 infrastructure rather than through any reported lateral movement.
### Data Exfiltration/Impact
- Details: Over 216,000 victims impacted, with PII, credentials, cookies, credit card details, and crypto account data successfully stolen prior to the takedown. Over 100 GB of data was seized by authorities.
### Detection & Response
- Date/Time: Operation ran through the first four months of the year.
- Detection: Intelligence sharing primarily led by Interpol, supported by threat intelligence firms Group-IB, Kaspersky, and Trend Micro.
- Response actions taken: Arrest of 32 suspects; seizure of 41 physical servers; shutdown of over 20,500 malicious IPs and domains; victim notification.
## Attack Methodology
- Initial Access: Infostealer malware (Lumma, Risepro, Meta Stealer).
- Persistence: C2 infrastructure allowed sustained command and control over compromised systems.
- Privilege Escalation: Not explicitly detailed; infostealers typically harvest existing session data and cookies rather than escalating privileges on the host.
- Defense Evasion: Characteristics inherent to the specific malware variants used.
- Credential Access: Harvesting of credentials, cookies, credit card details, and cryptocurrency account data directly from victims' machines.
- Discovery: Implied through the malware functionalities used to enumerate valuable data stores.
- Lateral Movement: Not explicitly detailed.
- Collection: Focused on PII, financial credentials, and session data.
- Exfiltration: Data was exfiltrated via the command-and-control infrastructure used by the cybercriminals.
- Impact: Financial fraud and serving as initial vectors for ransomware attacks (according to Group-IB).
## Impact Assessment
- Financial: Potential for widespread financial fraud stemming from stolen credentials and card details (quantification not provided).
- Data Breach: Stolen PII, login credentials, cookies, credit card details, and cryptocurrency account data affecting 216,000+ individuals.
- Operational: Disruption of the cybercriminal ecosystem supporting these operations.
- Reputational: Minor for the individual victims; positive for the participating law enforcement agencies, whose coordinated capability was demonstrated.
## Indicators of Compromise
- Network indicators: Over 20,500 malicious IPs and domains taken down (exact list not provided).
- File indicators: Malware variants referenced: Lumma, Risepro, Meta Stealer.
- Behavioral indicators: Command and control communications associated with infostealer infrastructure.
## Response Actions
- Containment measures: Takedown of over 20,500 associated malicious IPs and domains.
- Eradication steps: Seizure of 41 physical and virtual servers used for hosting infrastructure.
- Recovery actions: Authorities sent notices to more than 216,000 potential victims concerning stolen data.
## Lessons Learned
- Key takeaways: Collaborative, intelligence-led law enforcement action across multiple international jurisdictions is highly effective in dismantling complex cybercrime supply chains.
- What could have been done better: Not detailed in the source. The outcome shows how effective operations become when private-sector threat intelligence (Group-IB, Kaspersky, Trend Micro) is integrated with international law enforcement coordination (Interpol).
## Recommendations
- Prevention measures for similar incidents: Enhanced endpoint protection to prevent infostealer execution; stronger customer education regarding credential hygiene and phishing awareness; multi-factor authentication adoption to minimize impact from credential theft.