Asia Dismantles 20,000 Malicious Domains In Infostealer Crackdown

Thirty-two people across Asia have been arrested over their suspected involvement with infostealer malware in the latest international collaboration against global cybercrime.

Interpol released details about Operation Secure on Wednesday, confirming it shut down a whopping 20,000 malicious IP addresses – 79 percent of the total identified by operatives.

The four-month effort, carried out between January and April, also led to the seizure of 41 servers and more than 100 GB of data.

Interpol’s announcement did not name-drop any specific infostealers or cybercrime groups caught up in Operation Secure, although it said 69 variants were investigated.

In some cases, officers’ efforts led to the arrests of group leaders. One such example was made by Vietnamese police, the busiest force during the operation, which registered 18 cuffings.

Interpol and domestic police officers examine documents related to Operation Secure’s investigations into infostealer malware in Asia. Pic courtesy of Interpol

Vietnamese police confirmed the arrest of one group leader, who was found with around $11,500 in cash, SIM cards, and business registration documents that suggested an ambition to sell corporate accounts.

Officers also seized devices from the other suspects’ homes and workplaces.

Authorities in Sri Lanka and Nauru raided the homes of several suspects, making a further 14 arrests – 12 in Sri Lanka and two in Nauru.

The intel gleaned from these raids also led to the identification of an additional 40 victims, Interpol said.

More than 216,000 victims and potential victims of infostealer malware were notified by authorities, accompanied by recommendations to change passwords, freeze accounts, and reverse unauthorized account access.

Hong Kong Police also played a key role in the operation, having analyzed more than 1,700 pieces of intelligence received from Interpol and identifying 117 command-and-control servers hosted by 89 different ISPs.

Authorities from 26 countries in total contributed to Operation Secure, offering support with locating servers, mapping physical networks, and coordinating takedowns.

“Interpol continues to support practical, collaborative action against global cyber threats,” said Neal Jetton, director of cybercrime at the policing agency.

“Operation Secure has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large-scale harm to both individuals and businesses.”

The news follows a sharpened focus from international law enforcement on dismantling the infrastructure supporting infostealer malware, which is known for being a precursor to ransomware, business email compromise attacks, and more.

In October 2024, Dutch police announced the dismantling of servers supporting the RedLine and Meta infostealers as part of Operation Magnus.

Both were highly popular and relatively affordable options on the infostealer market, with basic-level access to them going for less than $200 each.

The pair had been operating for years, collecting an untold number of victims. Because of the crucial role they play in the cybercrime and ransomware ecosystems, authorities sought to attack the operations’ reputations in the same way they did with LockBit – an approach that has since become the norm in modern-day cyber takedown efforts.

Most recently, the FBI led a campaign to scupper the Lumma infostealer, which Brett Leatherman, deputy assistant director of cyber operations, called the most prolific of its kind, although its success has been called into question.

Lumma was roughly as affordable as RedLine and Meta, with access levels priced between $250 and $1,000, but it had some notoriety behind it, with the likes of Scattered Spider and various ransomware gangs known to be among its clients.

Leatherman said Lumma had been used in 1.7 million cases of data theft since November 2023 and that in stolen credit card transactions alone it was associated with $36.5 million worth of losses.
