Full Report
INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants. The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns. "These
Analysis Summary
# Incident Report: INTERPOL Operation Dismantles Global Information Stealer Infrastructure
## Executive Summary
INTERPOL coordinated "Operation Secure," a multi-month international effort that dismantled over 20,000 malicious IP addresses and domains linked to 69 variants of information-stealing malware. The operation, involving 26 countries, focused on global takedowns of Command-and-Control (C2) infrastructure, leading to significant seizures of data and arrests of associated cybercriminals. The primary impact was disrupting the ecosystem used to harvest credentials, financial data, and cryptocurrency wallet information for follow-on attacks such as ransomware and business email compromise (BEC).
## Incident Details
- **Discovery Date:** Operation took place between January and April 2025.
- **Incident Date:** Ongoing global criminal activity spanning a period leading up to and during the operation (Jan-Apr 2025).
- **Affected Organization:** Not a single entity; targeted global criminal infrastructure supporting various victims.
- **Sector:** Not sector-specific; the targeted infrastructure supported credential theft against victims across many sectors.
- **Geography:** Multi-national operation involving agencies across Asia and the South Pacific, targeting infrastructure hosted globally.
## Timeline of Events
### Initial Access
- **Date/Time:** Activity ongoing prior to and during Jan-Apr 2025.
- **Vector:** Information Stealer Malware (including variants like Lumma, RisePro, Meta Stealer) deployed on end-user devices.
- **Details:** Malware installed to siphon browser credentials, passwords, cookies, credit card details, and cryptocurrency wallet data.
### Lateral Movement
- **Details:** Credentials harvested by the stealer malware were used as initial access for follow-on attacks such as ransomware, BEC, and data breaches. (Specific internal lateral movement within infected victim environments is not described; the stolen data facilitates external access to those environments.)
### Data Exfiltration/Impact
- **Details:** Over 100 GB of data was reported seized during physical takedowns. Stolen data includes user credentials and sensitive financial information, which is then monetized.
### Detection & Response
- **How it was discovered:** Law enforcement agencies (LEAs) across 26 countries conducted targeted identification and mapping of C2 servers, guided by intelligence provided by private sector partners like Group-IB.
- **Response actions taken:** Targeted takedowns of C2 infrastructure, resulting in the removal of 79% of identified suspicious IPs/domains, seizure of 41 servers, and 32 arrests across Vietnam, Sri Lanka, and Nauru.
## Attack Methodology
- **Initial Access:** Deployment of Information Stealer Malware (e.g., Lumma, RisePro, Meta Stealer).
- **Persistence:** Not explicitly detailed for the malware itself; the C2 servers provided the long-lived infrastructure through which campaigns were managed.
- **Privilege Escalation:** Not explicitly detailed; the focus was on credential theft.
- **Defense Evasion:** C2 infrastructure was spread across a large, distributed set of malicious IPs and domains, complicating identification and takedown.
- **Credential Access:** Stealer malware actively siphoned browser credentials, passwords, cookies, credit card details, and cryptocurrency data.
- **Discovery:** Not detailed from the attacker's side. On the defender's side, Hong Kong Police identified C2 servers hosted across 89 Internet Service Providers.
- **Lateral Movement:** Stolen credentials used for subsequent attacks (ransomware, BEC).
- **Collection:** Gathering of stored artifacts on infected machines (passwords, financial data).
- **Exfiltration:** Stolen logs sold/monetized on underground forums.
- **Impact:** Facilitation of financial fraud, ransomware deployment, and data breaches.
## Impact Assessment
- **Financial:** Further losses from the ongoing criminal activity were prevented; monetary seizures included $11,500 in cash in Vietnam.
- **Data Breach:** Poses high risk of credential theft leading to account takeovers, financial data loss, and cryptocurrency theft.
- **Operational:** Disruption of the C2 infrastructure reduces the ability of threat actors to launch coordinated campaigns.
- **Reputational:** The operation reinforces trust in international law enforcement cooperation.
## Indicators of Compromise
*(Note: Specific real IOCs are not provided in the article; these are categorized based on the type of threat detailed.)*
- **Network indicators:** Over 20,000 malicious IP addresses/domains linked to C2 infrastructure (Exact list redacted/unreleased).
- **File indicators:** Malware file hashes for 69 variants of information stealers (Not listed).
- **Behavioral indicators:** Uncharacteristic access attempts using stolen credentials; high volume outbound traffic associated with C2 communication.
## Response Actions
- **Containment measures:** Takedown of 79% of identified suspicious IP addresses/domains serving as C2 infrastructure.
- **Eradication steps:** Seizure of 41 servers globally.
- **Recovery actions:** Arrest of 32 suspects linked to the activity across multiple jurisdictions (Vietnam, Sri Lanka, and Nauru).
## Lessons Learned
- **Key takeaways:** International, multi-agency cooperation (Operation Secure) is highly effective at dismantling large-scale, distributed C2 infrastructure spanning multiple jurisdictions. Information stealers remain a critical early step in the cyber kill chain.
- **What could have been done better:** Although the operation was successful, 21% of the identified suspicious IPs remained active, indicating persistent threat infrastructure that requires continuous monitoring.
## Recommendations
- **Prevention measures for similar incidents:** Enhance endpoint protection to prevent information stealer malware from executing; implement Multi-Factor Authentication (MFA) ubiquitously so that stolen credentials alone do not grant access; conduct regular security awareness training focused on the phishing and social engineering that leads to malware installation.