Full Report
Interpol-coordinated Operation Secure led to 32 arrests, including the suspected ringleader of a cybercriminal organization
Analysis Summary
This incident report summarizes the outcomes of a large-scale, coordinated law enforcement and private sector operation targeting cybercriminal infrastructure used to facilitate information-stealing malware distribution across Asia.
# Incident Report: Operation Secure - Dismantling Asian Infostealer Infrastructure
## Executive Summary
Operation Secure, a multi-national initiative coordinated by Interpol, successfully dismantled significant cybercriminal infrastructure linked to information stealer malware impacting users across Asia. The operation resulted in the takedown of over 20,000 malicious IP addresses and domains, the seizure of data and assets, and the arrest of 32 individuals. The primary focus was disrupting the command and control (C2) channels and distribution networks for infostealers like Lumma, Risepro, and Meta Stealer.
## Incident Details
- **Discovery Date:** Intelligence gathering by Interpol and its private sector partners preceded the operation; the coordinated enforcement phase ran from January to April 2025.
- **Incident Date:** Results were announced by Interpol on June 11, 2025.
- **Affected Organization:** End users and organizations across the Asia-Pacific region whose credentials and data were harvested by infostealers. The targeted infrastructure belonged to cybercriminal groups operating infostealer distribution and C2 services.
- **Sector:** Multi-sector victim base; the response was a law enforcement and private sector coordination effort.
- **Geography:** Asia and the South Pacific (involving 25 countries plus Macau and Hong Kong).
## Timeline of Events
### Initial Access (Pre-Operation Intelligence)
- **Date/Time:** Ongoing prior to June 2025.
- **Vector:** The report does not describe how individual victims were infected; the investigation targeted the *infrastructure* that distributed the malware and received its stolen data, not the endpoint infection chain.
- **Details:** Private sector partners (Group-IB, Kaspersky, Trend Micro) supplied intelligence on the infostealer families involved (Lumma, Risepro, Meta Stealer) and mapped the command and control infrastructure they used.
### Lateral Movement
- **Status:** Not applicable as this report details a counter-operation against the C2 infrastructure, not an internal network compromise timeline.
### Data Exfiltration/Impact
- **Details:** The dismantled infrastructure received data harvested by infostealers from victim devices: saved browser credentials, session cookies, autofill and payment data, and other sensitive information that is then used or resold for account takeover. The operation aimed to *prevent* further exfiltration by removing the collection points.
### Detection & Response
- **How it was discovered:** Coordinated investigation intelligence sharing between Interpol and private partners based on ongoing threat data.
- **Response actions taken:** Execution of coordinated physical raids across four territories in the Asia-Pacific region, dismantling C2 servers, and seizing related assets.
## Attack Methodology (Infrastructure Analysis)
- **Initial Access:** Threat actors used attacker-controlled infrastructure (rented or compromised hosts, with associated IP addresses and domains) to host malware payloads and to terminate C2 communications.
- **Persistence:** A large, redundant pool of C2 endpoints (over 20,000 IPs and domains behind 41 servers) kept infected hosts reachable even as individual addresses were blocked.
- **Privilege Escalation:** Not directly detailed for the infrastructure operation.
- **Defense Evasion:** Spreading the infrastructure across many addresses and hosting providers slowed blocklist-based blocking and takedown; specific evasion techniques are not detailed in the report.
- **Credential Access:** The underlying malware (infostealers) specialized in credential theft.
- **Discovery:** Private sector intelligence teams mapped out the network infrastructure supporting these threats.
- **Lateral Movement:** Not directly detailed for the infrastructure operation.
- **Collection:** Infostealer malware collected various forms of sensitive data from compromised end-user devices.
- **Exfiltration:** Data was funneled through the dismantled IP addresses and domains to C2 nodes.
- **Impact:** Disruption of criminal ecosystem; protection of potential future victims.
## Impact Assessment
- **Financial:** $11,500 in cash seized. The direct financial loss caused by the criminal network is not quantified; only seized assets are reported.
- **Data Breach:** Over 100GB of data seized from servers. 216,058 notifications were sent to victims and potential victims, which gives a lower bound on the scope of compromise attributable to the observed infrastructure.
- **Operational:** Disruption of major C2 infrastructure for known infostealer families.
- **Reputational:** Not applicable to a single victim organization; for the participating agencies and partners the operation demonstrated that cross-border coordination against infostealer infrastructure works at scale.
## Indicators of Compromise
*Note: As this details a law enforcement disruption, indicators listed are historical C2 elements that were seized, not ongoing indicators for an internal breach.*
- **Network indicators:** Takedown of **20,642 IP addresses and domains** and 41 servers. Specific IPs and domains are not published in the report.
- **File indicators:** No file hashes are published; the malware families named are Lumma, Risepro, and Meta Stealer.
- **Behavioral indicators:** Periodic outbound connections from infected endpoints to the C2 infrastructure for check-ins and upload of harvested data.
## Response Actions
- **Containment measures:** Takedown of **20,642 malicious IP addresses and domains**. Shutting down 41 associated servers.
- **Eradication steps:** Seizure of physical hardware and intelligence caches.
- **Recovery actions:** Notification of over 216,000 victims and potential victims so they could act on the compromise (change passwords, revoke sessions, freeze affected accounts).
## Lessons Learned
- **Key takeaways:** International operational coordination (Interpol, 25 nations, private sector partners) is highly effective in dismantling complex, cross-border cybercriminal infrastructure. Intelligence sharing regarding specific malware families is critical for success.
- **What could have been done better:** Faster notification of hosting providers, registrars, and online services whose platforms were hosting or being abused by parts of this infrastructure, so that abuse could be shut down before the coordinated action.
## Recommendations
- **Prevention measures for similar incidents:** Organizations should strengthen endpoint controls that detect and block known infostealer families by signature and by behavior (browser credential store access, mass archive creation, uploads to newly seen hosts). Network telemetry (proxy, DNS, firewall logs) should be reviewed continuously both for connections to known threat actor infrastructure and for regular, low-jitter beaconing to unfamiliar destinations. Because infostealers capture session cookies as well as passwords, a notified victim should revoke active sessions and tokens, not only reset the password.
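The two network checks recommended above (matching traffic against a takedown indicator list, and flagging regular beaconing) can be run directly over proxy logs. The following is an added example, not code from the report or from Interpol or its partners. The indicator values and log lines are constructed placeholders using documentation address ranges and the `.invalid` TLD, since the real seized IPs and domains were not published; the log format is an assumed `timestamp src_ip dst_host bytes_out` layout.

```python
"""Indicator matching and beaconing detection over proxy log lines.

Added example; not part of the Operation Secure report. All indicators
and log lines below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical takedown indicator list (placeholders, not real IoCs).
SEIZED_INDICATORS = {"c2-example.invalid", "203.0.113.45"}

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2025-06-01T10:00:00 10.1.1.5 updates.example.org 512
2025-06-01T10:00:02 10.1.1.7 c2-example.invalid 1400
2025-06-01T10:05:01 10.1.1.7 198.51.100.9 300
2025-06-01T10:10:00 10.1.1.7 198.51.100.9 305
2025-06-01T10:15:02 10.1.1.7 198.51.100.9 298
2025-06-01T10:20:01 10.1.1.7 198.51.100.9 301
2025-06-01T10:25:00 10.1.1.7 198.51.100.9 299
2025-06-01T10:03:17 10.1.1.5 news.example.org 2200
2025-06-01T10:41:09 10.1.1.5 news.example.org 1900
2025-06-01T12:05:44 10.1.1.5 news.example.org 2050
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_host, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def iter_events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def find_indicator_hits(log_text, indicators=SEIZED_INDICATORS):
    """Return (src, dst) pairs whose destination is a known seized indicator."""
    hits = []
    for _, src, dst, _ in iter_events(log_text):
        if dst in indicators:
            hits.append((src, dst))
    return hits


def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs that beacon.

    A pair is flagged when it has at least min_events connections and the
    inter-arrival intervals are regular: coefficient of variation
    (stddev / mean) at or below max_cv. Human browsing has a high CV;
    unjittered malware check-ins have a very low one.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in iter_events(log_text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:  # all events at the same instant; not a beacon pattern
            continue
        if pstdev(gaps) / m <= max_cv:
            beacons[pair] = round(m, 1)
    return beacons


if __name__ == "__main__":
    print("indicator hits:", find_indicator_hits(SAMPLE_LOG))
    print("beacons:", find_beacons(SAMPLE_LOG))
```

Two caveats for production use: real infostealers often add jitter to their check-in interval, so `max_cv` must be tuned against a longer observation window rather than a handful of events, and legitimate periodic traffic (NTP, software update checks, monitoring agents) also produces near-constant intervals, so flagged destinations should be checked against an allowlist of known services before being escalated.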