Full Report
Operation Secure targeted malicious IPs, domains and servers used for infostealer operations that claimed more than 216,000 victims. Source: CyberScoop, "Global law enforcement action in Asia nets large infrastructure seizure, 32 arrests".
Analysis Summary
# Incident Report: Operation Secure - Global Takedown of Infostealer Infrastructure
## Executive Summary
Operation Secure was a multinational law enforcement action that ran from January to April 2025 against infrastructure used to operate infostealer malware. It resulted in the seizure of 41 physical servers, the takedown of more than 20,500 malicious IP addresses and domains, and the arrest of 32 suspects across Asia. The infrastructure supported infostealer families including Lumma, Risepro and Meta Stealer, whose operators had compromised more than 216,000 victims worldwide and stolen PII, login credentials, session cookies and financial data.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the operation ran through the first four months of the year (leading up to the June announcement).
- **Incident Date:** Operation occurred throughout the first four months of the year (January - April 2025).
- **Affected Organization:** Numerous organizations and over 216,000 individual victims globally (no single target organization specified).
- **Sector:** Not sector-specific; infostealer victims span consumers and organizations in all sectors.
- **Geography:** Coordinated action across 26 countries in Asia and the South Pacific.
## Timeline of Events
### Initial Access
- **Date/Time:** Not stated; the victim infections predate the January - April 2025 operational window, which is when the infrastructure was mapped and seized.
- **Vector:** Not stated in the report. Infostealers of this class are commodity malware, so the delivery vector varies by campaign and is not attributed here.
- **Details:** Victim systems were infected with infostealer variants including Lumma, Risepro and Meta Stealer, which reported stolen data back to the operators' C2 servers.
### Lateral Movement
- *Not detailed, and not typical of this malware class: an infostealer collects and exfiltrates from the host it lands on rather than pivoting across the network. Lateral movement, where it happens, is carried out later by whoever reuses the stolen credentials (for example ransomware operators), which is why the report treats these operations as a gateway to follow-on attacks.*
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the operational period.
- **Details:** Over 100 GB of data was seized, including credentials, cookies, credit card details, and cryptocurrency account data stolen from victims.
### Detection & Response
- **Date/Time:** Operation ran January - April 2025; announced June 11, 2025.
- **Details:** Coordinated international effort organized under Interpol’s Asia and South Pacific Joint Operations Against Cybercrime Project, utilizing threat intelligence from Group-IB, Kaspersky, and Trend Micro. 32 arrests were made; infrastructure was seized.
## Attack Methodology
- **Initial Access:** Infection via infostealer malware (Lumma, Risepro, Meta Stealer, etc.).
- **Persistence:** Not detailed for victim hosts. The operators' own C2 servers and domains (the 41 servers and 20,500+ IPs/domains later seized) served as the standing collection points for stolen data.
- **Privilege Escalation:** Not detailed. Infostealers generally do not need it: running as the logged-in user is enough to read that user's browser credential and cookie stores.
- **Defense Evasion:** Not detailed in the report.
- **Credential Access:** Theft via infostealer malware (credentials, cookies).
- **Discovery:** Not detailed beyond the data types taken; on the host this amounts to locating browser profiles, saved credentials, cookies, payment data and cryptocurrency wallet files.
- **Lateral Movement:** *Not explicitly detailed.*
- **Collection:** Harvesting of credentials, cookies, credit card details, and cryptocurrency account data.
- **Exfiltration:** Data was aggregated via the Command-and-Control (C2) infrastructure, which was subsequently seized.
- **Impact:** Theft of PII and financial data, which often fuels subsequent fraud and ransomware attacks.
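The Credential Access and Collection rows above describe the one behaviour every infostealer family named here shares: an untrusted process reading the browser's credential and cookie databases and wallet files. The detector below is an added example, not code from the article, Interpol or any named vendor. It runs that logic over a constructed list of file-access events in a hypothetical endpoint-telemetry schema (process image plus target path, the two fields a Sysmon or EDR file event carries). The path globs, the trusted browser install directories and the two-store severity threshold are assumptions to tune for your environment.

```python
"""Flag non-browser processes that read browser credential, cookie and wallet stores.

Added example, not code from the CyberScoop article, Interpol or the named
vendors. The event schema and every event below are constructed; the path
globs and trusted directories are assumptions to tune per environment.
"""
from __future__ import annotations

import fnmatch
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One file-access record: the process image and the file it touched."""
    pid: int
    image: str
    target: str


# What infostealers of this class harvest: Chromium "Login Data", "Cookies"
# (also under Network\) and "Web Data"; Firefox logins.json, key4.db,
# cookies.sqlite; desktop crypto wallet files. Globs are matched against the
# lower-cased full path; fnmatch's '*' also crosses backslashes.
SENSITIVE_PATTERNS = {
    "chromium_logins":  "*\\user data\\*\\login data",
    "chromium_cookies": "*\\user data\\*\\cookies",
    "chromium_webdata": "*\\user data\\*\\web data",
    "firefox_logins":   "*\\profiles\\*\\logins.json",
    "firefox_keys":     "*\\profiles\\*\\key4.db",
    "firefox_cookies":  "*\\profiles\\*\\cookies.sqlite",
    "wallet":           "*\\wallet.dat",
}

# Browsers may touch their own stores, but only when the image lives where the
# installer put it; a stealer renamed chrome.exe in %TEMP% must still trip the
# rule. Assumed install roots; extend for per-user installs.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_browser(image: str) -> bool:
    img = image.lower()
    return ntpath.basename(img) in BROWSER_IMAGES and img.startswith(TRUSTED_DIRS)


def classify_target(target: str) -> str | None:
    """Name of the sensitive store a path belongs to, or None."""
    path = target.lower()
    for store, pattern in SENSITIVE_PATTERNS.items():
        if fnmatch.fnmatchcase(path, pattern):
            return store
    return None


def detect(events: list[Event], min_stores: int = 1) -> dict[int, dict]:
    """Group sensitive-store access by untrusted process.

    One store might be a backup tool or a password-manager import; several
    distinct stores from the same process is the infostealer sweep pattern,
    so that is rated high.
    """
    findings: dict[int, dict] = {}
    for ev in events:
        store = classify_target(ev.target)
        if store is None or is_trusted_browser(ev.image):
            continue
        entry = findings.setdefault(ev.pid, {"image": ev.image, "stores": set()})
        entry["stores"].add(store)
    for entry in findings.values():
        entry["severity"] = "high" if len(entry["stores"]) >= 2 else "medium"
    return {pid: e for pid, e in findings.items() if len(e["stores"]) >= min_stores}


# Constructed telemetry for one workstation (not real events).
SAMPLE_EVENTS = [
    Event(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(7712, r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(7712, r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(7712, r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
          r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db"),
    Event(7712, r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
          r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"),
    Event(9001, r"C:\Users\alice\Downloads\chrome.exe",  # browser name, untrusted location
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(1400, r"C:\Windows\explorer.exe",
          r"C:\Users\alice\Documents\report.docx"),
]

if __name__ == "__main__":
    for pid, f in detect(SAMPLE_EVENTS).items():
        print(f"pid={pid} severity={f['severity']} image={f['image']} stores={sorted(f['stores'])}")
```

On the constructed events the Temp-resident `svchost.exe` is rated high because it sweeps four stores in a row, the renamed `chrome.exe` in Downloads is rated medium on a single cookie read, and the real Chrome in Program Files is ignored. Raise `min_stores` to 2 if a single-store hit is too noisy in your fleet.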
## Impact Assessment
- **Financial:** Resulted in disruption of criminal revenue streams based on stolen financial data/credentials. The direct financial loss to victims is not quantified but is implied to be substantial.
- **Data Breach:** Over 216,000 victims globally. Stolen data includes PII, login credentials, session cookies, credit card details, and cryptocurrency account data.
- **Operational:** Disruption of the C2 infrastructure supporting at least 69 infostealer variants.
- **Reputational:** Not applicable to a single victim organization; for the participating agencies and vendors the action was reported as a successful disruption.
## Indicators of Compromise
- **Network indicators:** More than 20,500 IP addresses and domains associated with C2 servers were taken down. The report gives the count only; the indicators themselves are not published in it, so defenders need the lists from the participating agencies or vendors (Group-IB, Kaspersky, Trend Micro) to block or hunt.
- **File indicators:** None published. The report names malware families (Lumma, Risepro, Meta Stealer), not hashes or file paths.
- **Behavioral indicators:** Beaconing to and data uploads toward the seized C2 infrastructure, and use of channels advertising the malware and selling stolen data (that advertising infrastructure was also targeted).
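Since the report gives counts rather than indicators, any blocklist you apply will come from a vendor or law-enforcement feed, and those are normally defanged. The script below is an added example, not code from the article or the named vendors: it refangs such a feed and sweeps DNS and proxy log lines for exact or subdomain matches against it. The feed entries and log lines are constructed placeholders built from reserved example addresses and TLDs, not Operation Secure indicators, and the key=value log format is an assumption.

```python
"""Sweep DNS / proxy logs for hosts on a defanged C2 takedown list.

Added example, not code from the CyberScoop article, Interpol or the named
vendors. Every indicator and log line below is a constructed placeholder using
reserved example addresses and TLDs, not a real Operation Secure IoC.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed feed in the defanged form vendors and takedown notices use
# (hxxp, [.], [:]). Comments and blank lines are ignored.
IOC_FEED = """
# C2 panels and loaders (defanged) -- hypothetical entries
hxxps://panel[.]stealer-example[.]test/api
update[.]loader-example[.]invalid
203[.]0[.]113[.]45
198.51.100.7:4443
"""

# Constructed DNS and proxy lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-03-02T10:11:12Z dns client=10.0.0.5 qtype=A qname=panel.stealer-example.test
2025-03-02T10:11:13Z proxy client=10.0.0.5 method=CONNECT dst=198.51.100.7:4443 status=200
2025-03-02T10:12:00Z dns client=10.0.0.9 qtype=A qname=www.example.com
2025-03-02T10:13:30Z dns client=10.0.0.5 qtype=A qname=cdn.update.loader-example.invalid
2025-03-02T10:14:00Z proxy client=10.0.0.7 method=GET dst=203.0.113.45:80 status=200
"""


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the value parses as a URL or host."""
    s = indicator.strip()
    for bad, good in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(bad, good)
    return re.sub(r"hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def host_of(indicator: str) -> str:
    """Reduce a URL, host:port or bare host/IP to a lower-cased hostname."""
    if "://" not in indicator:
        indicator = "//" + indicator  # lets urlparse treat the value as a netloc
    host = urlparse(indicator).hostname
    return host.lower() if host else ""


def load_iocs(feed: str) -> set[str]:
    hosts: set[str] = set()
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = host_of(refang(line))
        if host:
            hosts.add(host)
    return hosts


# IPv4 literal or dotted hostname; the \b anchors stop partial-label matches.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def matches(line: str, iocs: set[str]) -> set[str]:
    """IoCs hit by one log line: exact host/IP match or a subdomain of a listed domain."""
    hits: set[str] = set()
    for token in HOST_RE.findall(line):
        token = token.lower()
        for ioc in iocs:
            if token == ioc or token.endswith("." + ioc):
                hits.add(ioc)
    return hits


def scan(log_text: str, iocs: set[str]) -> list[tuple[str, list[str]]]:
    """Return (line, sorted IoCs) for every log line that touched listed infrastructure."""
    results: list[tuple[str, list[str]]] = []
    for line in log_text.splitlines():
        hit = matches(line, iocs)
        if hit:
            results.append((line, sorted(hit)))
    return results


if __name__ == "__main__":
    iocs = load_iocs(IOC_FEED)
    for line, hit in scan(SAMPLE_LOG, iocs):
        print(f"{', '.join(hit)}  <-  {line}")
```

The subdomain rule matters for takedown lists: a feed entry for `update.loader-example.invalid` should also catch `cdn.update.loader-example.invalid`, which the constructed log exercises. Matching on a seized host is evidence of an infection that predates the seizure, not of live C2, so treat hits as triage leads into the affected client's credential and session exposure.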
## Response Actions
- **Containment:** Seizure of 41 physical servers and takedown of 20,500+ malicious IPs/domains, dismantling the C2 infrastructure.
- **Eradication:** Arrest of 32 alleged cybercriminals.
- **Recovery:** Authorities sent notices to the more than 216,000 affected victims advising them of the compromise. Notification does not by itself revoke what was stolen: a notified user or organization still needs to reset the exposed passwords, invalidate active sessions so stolen cookies stop working, and review financial and cryptocurrency accounts for fraud.
## Lessons Learned
- **Intelligence Sharing Power:** Collaborative action supported by threat intelligence sharing (from Group-IB, Kaspersky, Trend Micro) is highly effective in dismantling large-scale global cyber threats.
- **Infostealers as a Gateway:** Compromised credentials from infostealer operations serve as a critical initial vector for more severe follow-on attacks, such as ransomware.
## Recommendations
- **Enhance Victim Notification:** Continue robust victim notification programs once infrastructure is seized to mitigate follow-on fraud.
- **Strengthen International Cooperation:** Increase proactive collaboration between international law enforcement bodies to target infrastructure before major impact accrues.
- **Focus on Infrastructure Disruption:** Prioritize the dismantling of underlying C2 infrastructure and data marketplaces used by malware operators.