From January to April 2025, INTERPOL coordinated “Operation Secure,” a concerted strike on the technical backbone that fuels the global trade in stolen credentials. Working with cyber‑crime units from 26 Asia‑Pacific countries and telemetry from Group‑IB, Kaspersky and Trend Micro, investigators mapped more than 20,000 IP addresses and domains that funnelled loot from 69 different infostealer strains. By April’s end, 79% of that infrastructure was offline, 41 servers were in evidence bags, and 32 suspects were behind bars.
Why hit infostealers first?
Infostealers such as Lumma, RedLine and Raccoon don’t encrypt files or demand ransoms. Instead, they silently vacuum up browser cookies, session tokens, passwords, autofill data and crypto‑wallet keys. Those “logs” sell for as little as US $5 apiece on underground markets, giving ransomware crews an instant foothold in corporate networks without firing off phishing emails. Choking the supply of fresh logs disrupts an entire downstream economy of credential stuffing, business‑email compromise (BEC) and extortion.
Operation Secure by the numbers:
- 20,000+ malicious IPs and domains dismantled (command‑and‑control or exfiltration points)
- 41 physical servers seized for forensics
- 69 distinct infostealer families affected, including Lumma, RisePro, Meta Stealer, Vidar and Titan
- 100 GB+ of stolen data recovered
- 32 suspects arrested – 18 in Vietnam, 12 in Sri Lanka and 2 in Nauru
- 216,000+ potential victims alerted by national CERTs within days
How the takedown unfolded
Telemetry pooling
Private vendors pushed live feeds of suspicious IPs, malware hashes and Telegram bot IDs into INTERPOL’s threat‑mapping portal.
Infrastructure clustering
Analysts linked IP addresses to hosting providers in 89 data centres, grouping them into 117 confirmed command‑and‑control clusters.
Legal action
National cyber units issued simultaneous takedown requests, search warrants and data‑preservation orders.
Server seizures
Field teams imaged or physically removed 41 key servers, capturing configuration files, admin credentials and stolen data archives.
Victim notification
Parsed e‑mail addresses, passwords and cookies were cross‑checked against national datasets; affected users received immediate alerts with reset guidance.
Immediate security takeaways
Defenders can take four concrete actions straight away:
Reset at‑risk credentials
Force‑reset passwords tied to cookies or addresses stolen before May 2025 and move high‑value accounts to hardware‑bound or passkey MFA.
Audit for CMS/hosting compromise
Review admin‑panel and SSH logs for requests from the now‑offline APAC IP ranges; then rotate privileged keys and tokens.
Secure your supply chain
Require vendors and contractors to confirm they have rotated any credentials that could have been harvested prior to the takedown.
Block and monitor
Feed the published IP and domain indicators into your SIEM or EDR blocklists so you can spot and stop any latecomers.
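The log review and blocklist steps above both come down to matching log lines against the published indicators. The following is an added example, not code from the article or from INTERPOL; the indicator values are constructed placeholders (RFC 5737 ranges and .example names), since this page does not reproduce the real feed, and the log lines are constructed samples.

```python
import ipaddress
import re

# Constructed placeholder indicators standing in for the published Operation Secure
# feed, which this page does not reproduce. CIDR entries cover a whole hosting range.
INDICATOR_IPS = ["203.0.113.0/24", "198.51.100.77"]
INDICATOR_DOMAINS = ["stealer-panel.example", "logs.example.net"]
NETWORKS = [ipaddress.ip_network(n, strict=False) for n in INDICATOR_IPS]
DOMAINS = {d.lower().rstrip(".") for d in INDICATOR_DOMAINS}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def ip_hits(line: str) -> list[str]:
    """IPv4 addresses in the line that fall inside an indicator address or range."""
    hits = []
    for token in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # the loose regex also accepts e.g. 999.1.1.1
        if any(addr in net for net in NETWORKS):
            hits.append(token)
    return hits

def domain_hits(line: str) -> list[str]:
    """Hostnames in the line equal to, or a subdomain of, an indicator domain."""
    hits = []
    for host in HOST_RE.findall(line):
        labels = host.lower().rstrip(".").split(".")
        # Walk up the tree: cdn.logs.example.net -> logs.example.net -> example.net
        if any(".".join(labels[i:]) in DOMAINS for i in range(len(labels) - 1)):
            hits.append(host)
    return hits

def scan(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """(line_no, kind, matches) for every log line that touches an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, hits in (("ip", ip_hits(line)), ("domain", domain_hits(line))):
            if hits:
                findings.append((n, kind, hits))
    return findings

# Constructed sample lines: sshd auth log, admin-panel access log, DNS resolver log.
SAMPLE_LOGS = [
    "May  2 03:14:07 web1 sshd[4412]: Accepted publickey for deploy from 203.0.113.45 port 51022 ssh2",
    "May  2 03:15:10 web1 sshd[4420]: Failed password for root from 192.0.2.9 port 40100 ssh2",
    '198.51.100.77 - - [02/May/2025:03:16:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    "May  2 03:17:01 web1 dnsmasq[911]: query[A] cdn.logs.example.net from 10.0.0.23",
]
```

Running `scan(SAMPLE_LOGS)` flags the accepted SSH login from the indicator range, the admin-panel POST from the listed address and the DNS query for a subdomain of a listed domain; any accepted login in that set is a cue to rotate the keys and tokens it touched.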
Beyond Asia‑Pacific borders
Although the seized servers sat mostly in the Asia‑Pacific region, the malware they controlled harvested victims worldwide. If your organisation suddenly sees 404 errors or dead connections to APAC‑hosted C2 addresses, that’s likely fallout from Operation Secure — and a chance to close leftover backdoors before attackers spin up alternatives.
What’s next?
INTERPOL representatives hinted that Operation Secure will act as a blueprint for recurring sweeps every 6–12 months. With victim‑notification pipelines now proven, future waves could arrive faster and hit harder. For defenders, the message is clear: automate credential hygiene, embrace phishing‑resistant MFA, and treat silent infostealers as the new entry point for every big‑ticket cybercrime.