Interpol Infostealer Malware Crackdown Leads to 32 Arrests




In brief

  • Global police organization Interpol has led a crackdown on infostealers codenamed Operation Secure.
  • Police forces around the world arrested 32 people as part of the operation, which took down over 20,000 suspicious IPs and domains.
  • Infostealer malware is used to steal data such as browser credentials, passwords and cryptocurrency wallet contents.

Police forces around the world have made 32 arrests as part of a major operation cracking down on infostealer malware led by Interpol.

Operation Secure saw law enforcement agencies from 26 countries work to locate the servers, map physical networks and ultimately execute the targeted takedowns, according to a statement released by Interpol.

More than 20,000 IPs and domains were taken down as part of the operation, and over 100GB of data seized across 41 servers. The takedown reportedly neutralized 79% of the suspicious IP addresses identified by Interpol, with assistance from private sector partners including Kaspersky, Trend Micro and Group-IB.

The sweep saw 18 suspects arrested in Vietnam, 12 in Sri Lanka and a further two in Nauru. In the Vietnam arrests the group leader was found with over VND 300 million ($11,500) in cash.

In a statement, Neal Jetton, Interpol’s Director of Cybercrime, said that the operation “has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large-scale harm to both individuals and businesses.”

What are infostealers?

Infostealer malware is typically used to infiltrate organizational networks in order to steal browser credentials, cookies, passwords, credit card details and cryptocurrency wallet data.

Logs harvested by infostealers are increasingly being traded on the cybercriminal underground to enable further attacks. These include ransomware, data breaches, fraud schemes and more.

Following Operation Secure, the authorities notified over 216,000 victims and potential victims to take immediate action to secure themselves. This includes changing passwords, freezing accounts and removing unauthorized access.

Speaking to Decrypt, Dmytro Yasmanovych, Compliance Services Lead at blockchain security auditor Hacken, praised the operation but warned that infostealer networks are “highly resilient—reconstituting infrastructure via bullet-proof hosting and fast-rotating domains.”

Yasmanovych noted that for Web3 organizations, compliance alone isn’t enough. “Effective defense requires a fusion of robust endpoint hardening, continuous on-chain and off-chain monitoring, and real-time threat‐intelligence sharing,” he said. “Only through this multilayered, proactive posture can the industry stay ahead of rapidly evolving infostealer campaigns targeting crypto wallets and private keys.”

Hacken’s Senior Blockchain Protocol Security Auditor Ali Ashar added that, “To convert this win into lasting disruption, momentum needs to continue,” pointing to the importance of “timely victim alerts, ongoing public-private intel sharing, and follow‑up enforcement.”
