
A sweeping international law enforcement operation codenamed Operation Secure has disrupted major infostealer malware networks across 26 countries, leading to dozens of arrests, the dismantling of illicit infrastructure, and the seizure of vast amounts of stolen data. The coordinated effort, which took place between January and April 2025, was spearheaded by Interpol with support from national law enforcement agencies and private cybersecurity firms.
Infostealers, malicious software designed to covertly extract sensitive user data, have become one of the most pervasive tools used by cybercriminals in recent years. These programs typically harvest account credentials, browser cookies, and cryptocurrency wallet information. The stolen data is compiled into "logs," which are sold on dark web marketplaces or leveraged in more targeted attacks.
As part of Operation Secure, law enforcement took down over 20,000 malicious IP addresses and domains associated with infostealer operations. Authorities also seized 41 servers believed to be directly supporting these malware activities. In total, 32 individuals were arrested globally, and more than 100 gigabytes of stolen data were confiscated. Notifications were issued to 216,000 identified victims whose data had been compromised.
In a notable development, Vietnamese authorities arrested 18 suspects, including a ringleader of a cybercrime group involved in trafficking stolen corporate accounts. These arrests represent a significant blow to one of the more organized and profitable segments of the cybercrime ecosystem.
Investigators also uncovered a network of 117 servers located in Hong Kong that were being used as command-and-control infrastructure for phishing campaigns, online fraud, and scams targeting social media platforms. The identification of this cluster highlights the scale and geographical diversity of the infrastructure supporting these operations.
Private cybersecurity companies played a key role in the success of Operation Secure. Firms including Kaspersky, Group-IB, and Trend Micro contributed intelligence and technical support. Group-IB, in particular, provided actionable insights into the activity of infostealer operators, tracking their use of Telegram channels and dark web forums to promote malware and monetize stolen data.
Group-IB confirmed that the infrastructure linked to well-known infostealer strains such as Lumma, RisePro, and META was significantly impacted by the operation. These malware families have been at the center of numerous cyberattacks worldwide and are often distributed under a malware-as-a-service model, allowing other criminals to purchase access for fees ranging from $250 to $1,000.
This crackdown follows a previous international operation in May 2025 led by the U.S. Department of Justice, the FBI, and Microsoft, which targeted Lumma Stealer. That effort resulted in the seizure of over 2,300 domains associated with the subscription-based malware service. META, another infostealer platform, also saw its operations disrupted in October 2024 during a separate campaign dubbed Operation Magnus.
The widespread use of infostealers has contributed to several high-profile data breaches affecting major organizations such as UnitedHealth, PowerSchool, HotTopic, CircleCI, and Snowflake. These incidents have underscored the ongoing threat posed by stolen credentials and other sensitive data harvested through malware infections.
Interpol and its partners have described Operation Secure as a major success in the ongoing fight against cybercrime. By dismantling key infrastructure and apprehending critical figures behind these malware operations, the global coalition has dealt a significant blow to the infostealer ecosystem.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543