Operation Secure: How Interpol and Tech Giants Dismantled a Global Infostealer Empire

A four-month international operation involving 26 countries and three major cybersecurity firms has dealt a crushing blow to one of the most pervasive threats in cybercrime: information-stealing malware that fuels ransomware attacks and financial fraud worldwide.

In the early hours of April 30, 2025, Vietnamese police surrounded a modest apartment building in Ho Chi Minh City. Inside, they found what authorities describe as the nerve center of a sophisticated cybercrime operation: high-end computers, hundreds of SIM cards, business registration documents, and over VND 300 million ($11,500) in cash. The suspected ringleader was arrested along with 17 accomplices in what marked the culmination of Operation Secure, one of the most successful international cybercrime takedowns in recent history.

By the time the dust settled, this unprecedented four-month operation had dismantled over 20,000 malicious IP addresses and domains, seized 41 criminal servers, arrested 32 suspects across multiple countries, and notified more than 216,000 victims of data theft. Most significantly, it achieved a remarkable 79% takedown rate of identified suspicious infrastructure—a success rate that cybersecurity experts call "extraordinary" for an operation of this scale.

The Silent Epidemic: Understanding Infostealer Malware

Information-stealing malware, or "infostealers," represents one of the most insidious and rapidly growing threats in the cybercriminal ecosystem. Unlike ransomware, which announces its presence with a ransom note and encrypted files, infostealers run silently in the background, quietly harvesting the digital keys to a victim's entire online life.

These sophisticated programs steal browser credentials, email logins, cryptocurrency wallet data, cookies, and autofill information. They capture everything from banking passwords to social media accounts, creating comprehensive digital profiles that are then sold on underground marketplaces. According to Kaspersky's Digital Footprint Intelligence team, nearly 26 million Windows devices were infected with various types of infostealers in 2023-2024 alone.

The stolen data doesn't just sit idle. Criminal marketplaces trade these "logs"—compiled collections of stolen credentials—as the foundation for larger cyberattacks. Every 14th infostealer infection results in stolen credit card information, while the harvested credentials frequently serve as initial access points for ransomware deployments, business email compromise schemes, and sophisticated fraud operations.
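As an added example (the editor's code, not code from Interpol or any of the partner firms), the following Python turns the harvesting behaviour described above into a detection rule over endpoint file-access telemetry: it flags any process other than the browser or wallet application that opens the credential, cookie, autofill and wallet stores, and raises the severity when one process reads several of those stores in a single short burst, which is how a stealer builds a "log". The event format and the sample events are constructed for the example; the store paths are the real on-disk locations used on Windows.

```python
"""Flag infostealer-style credential harvesting in endpoint file-access telemetry.

Added example: editor's detection logic, not code from the page's sources.
Event format (one dict per file read) and SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# On-disk stores that stealers read, keyed by category.
STORE_PATTERNS = {
    "chromium_credentials": re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
    "chromium_cookies":     re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "chromium_autofill":    re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.I),
    "firefox_credentials":  re.compile(r"\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
    "firefox_cookies":      re.compile(r"\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
    "crypto_wallet":        re.compile(r"\\(Exodus|Electrum|Ethereum)\\", re.I),
}

# Processes expected to open each store; anything else reading it is suspicious.
EXPECTED_READERS = {
    "chromium_credentials": {"chrome.exe", "msedge.exe", "brave.exe"},
    "chromium_cookies":     {"chrome.exe", "msedge.exe", "brave.exe"},
    "chromium_autofill":    {"chrome.exe", "msedge.exe", "brave.exe"},
    "firefox_credentials":  {"firefox.exe"},
    "firefox_cookies":      {"firefox.exe"},
    "crypto_wallet":        {"exodus.exe", "electrum.exe"},
}

HARVEST_WINDOW = timedelta(seconds=60)  # stealers dump every store in one burst


def classify(path):
    """Return the store category a file path belongs to, or None."""
    for category, pattern in STORE_PATTERNS.items():
        if pattern.search(path):
            return category
    return None


def detect(events):
    """Return one alert per (host, pid, process) that read a store it should not.

    Severity is 'high' when the process touched two or more store categories
    within HARVEST_WINDOW, the characteristic one-shot dump; otherwise 'medium'.
    """
    seen = defaultdict(lambda: {"categories": set(), "first": None, "last": None, "paths": []})
    for ev in events:
        category = classify(ev["path"])
        if category is None or ev["process"].lower() in EXPECTED_READERS[category]:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        rec = seen[(ev["host"], ev["pid"], ev["process"].lower())]
        rec["categories"].add(category)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["paths"].append(ev["path"])

    alerts = []
    for (host, pid, process), rec in seen.items():
        burst = len(rec["categories"]) >= 2 and rec["last"] - rec["first"] <= HARVEST_WINDOW
        alerts.append({"host": host, "pid": pid, "process": process,
                       "severity": "high" if burst else "medium",
                       "categories": sorted(rec["categories"]), "paths": rec["paths"]})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["host"], a["pid"]))


# Constructed telemetry: a benign browser read, a dropper dumping four stores in
# 20 seconds, and a backup agent that touches a single cookie database.
SAMPLE_EVENTS = [
    {"ts": "2025-04-30T08:00:01", "host": "ws-17", "pid": 4120, "process": "chrome.exe",
     "path": r"C:\Users\an\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-04-30T08:03:10", "host": "ws-17", "pid": 7788, "process": "setup.exe",
     "path": r"C:\Users\an\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-04-30T08:03:12", "host": "ws-17", "pid": 7788, "process": "setup.exe",
     "path": r"C:\Users\an\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2025-04-30T08:03:25", "host": "ws-17", "pid": 7788, "process": "setup.exe",
     "path": r"C:\Users\an\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9q2.default-release\logins.json"},
    {"ts": "2025-04-30T08:03:30", "host": "ws-17", "pid": 7788, "process": "setup.exe",
     "path": r"C:\Users\an\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": "2025-04-30T13:00:00", "host": "ws-22", "pid": 912, "process": "backupagent.exe",
     "path": r"C:\Users\bo\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd.default\cookies.sqlite"},
    {"ts": "2025-04-30T13:00:05", "host": "ws-22", "pid": 912, "process": "backupagent.exe",
     "path": r"C:\Users\bo\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["process"], alert["categories"])
```

Two things matter when turning this into a production rule. The allowlist is keyed on the process name, which a stealer can spoof simply by calling itself chrome.exe, so a real rule should match on the signed image path instead. And because the whole dump takes seconds, the rule has to run on streamed telemetry; a nightly batch job will only ever confirm that the data is already gone.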

"Infostealers act as the silent entry point for far more devastating cyber incidents," explains Neal Jetton, Interpol's Director of Cybercrime. "Disrupting their infrastructure cuts off a critical supply chain for digital crime."

The Architecture of International Cooperation

Operation Secure represented a new model of international cybersecurity collaboration, bringing together law enforcement agencies from 26 countries across the Asia-Pacific region under Interpol's Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) framework. The participating nations included major regional powers like Japan, India, and Indonesia, alongside smaller island nations like Nauru, Kiribati, and Tonga—demonstrating how cybercrime transcends traditional geopolitical boundaries.

The operation's success hinged on an unprecedented level of intelligence sharing and coordination. Before any arrests were made, Interpol worked closely with three private sector partners—Group-IB, Kaspersky, and Trend Micro—to produce detailed Cyber Activity Reports that mapped the global infostealer infrastructure with surgical precision.

These reports identified malicious servers, command-and-control infrastructure, compromised user accounts, and even the Telegram channels and dark web marketplaces where cybercriminals advertised their services. The depth of this intelligence gathering enabled law enforcement to move simultaneously across multiple countries, preventing criminals from simply relocating their operations when pressure mounted in one jurisdiction.

Private Sector Partnerships: The Force Multipliers

The collaboration between Interpol and cybersecurity companies represents a new paradigm in fighting international cybercrime. Rather than competing for attribution credit or guarding proprietary intelligence, the three partner companies shared critical threat data that proved essential to the operation's success.

Trend Micro's Contribution: As one of the three key private sector partners, Trend Micro leveraged its global threat telemetry to identify malicious servers used for infostealer deployment and command-and-control communications. The company's intelligence revealed that Vidar, Lumma Stealer, and Rhadamanthys were among the most prominent infostealer families operating through the targeted infrastructure.

Trend Micro's analysis went beyond simple detection, providing detailed infection chains showing how these malware families spread through social media platforms, fake GitHub repositories, and sophisticated phishing campaigns disguised as CAPTCHAs. This technical intelligence proved crucial for law enforcement understanding how to disrupt not just the infrastructure, but the entire criminal ecosystem.

Group-IB's Intelligence Operations: Group-IB contributed intelligence from both its Threat Intelligence team and High-Tech Crime Investigations unit, providing detailed information about compromised user accounts, criminal command-and-control infrastructure, and the underground marketplaces where stolen data was traded. Their intelligence helped map the financial flows and organizational structures behind the criminal operations.

Kaspersky's Global Reach: Kaspersky shared data on malicious infrastructures involved in controlling and distributing stealer malware, contributing to the comprehensive mapping of criminal networks across multiple countries. Their research revealed the staggering scale of the threat, with data showing the global impact of infostealer infections.

The Technical Battlefield: Malware Families in Focus

Operation Secure's intelligence gathering singled out three prominent infostealer families, each representing a different segment of the evolving malware-as-a-service ecosystem:

Vidar: The Veteran Operator

Active since 2018, Vidar represents the mature end of the infostealer market. This Malware-as-a-Service platform excels at extracting browser credentials, cookies, and cryptocurrency wallets, but has evolved beyond simple data theft. Trend Micro's research revealed that Vidar operators have experimented with using their malware as a loader for ransomware, demonstrating how different criminal specialties are converging.

Vidar's distribution methods reflect the creativity of modern cybercriminals. The malware spreads through malvertising campaigns, phishing emails, and cracked software downloads. Perhaps most concerning, researchers have documented its distribution through social media platforms, where criminals disguise malicious links as legitimate content to reach younger, less security-aware users.

Lumma Stealer: The Rising Star

First gaining notoriety in late 2022, Lumma Stealer (also known as LummaC2) has become one of the most active infostealer families by 2025. Its rapid growth reflects both technical sophistication and criminal innovation in distribution methods.

Lumma Stealer's operators have shown particular creativity in abusing legitimate platforms for malicious purposes. The malware has been distributed through fake GitHub repositories, making it appear as legitimate open-source software, and has exploited Discord's content delivery network for hosting and payload delivery. This abuse of trusted platforms makes detection more difficult and lends false legitimacy to malicious downloads.

The FBI considered Lumma Stealer significant enough to warrant its own takedown operation in May 2025, led by Brett Leatherman, deputy assistant director of cyber operations, who called it "the most prolific" infostealer of its kind. FBI data indicated that Lumma had been used in 1.7 million cases of data theft since November 2023, with stolen credit card transactions alone associated with $36.5 million in losses.

Rhadamanthys: The Sophisticated Newcomer

First observed in late 2022, Rhadamanthys represents the high-end segment of the infostealer market. Its sophisticated architecture and reliable performance have made it a favorite among professional cybercriminals who prioritize operational security and data quality over volume.

Rhadamanthys communicates over encrypted channels to exfiltrate stolen data, making detection and analysis more challenging for security researchers. Its customization options allow criminal customers to tailor the malware for specific target types or geographic regions, reflecting the increasingly professional nature of the cybercriminal ecosystem.

The malware's distribution through fake CAPTCHA campaigns shows particular sophistication. Victims encounter what appears to be a routine "verify you are human" check on a website, but completing the fake check downloads and runs the infostealer; in the widely documented variant, the page copies a command to the clipboard and instructs the visitor to paste it into the Windows Run dialog to "verify". The social engineering works because users are conditioned to click through security checks without reading them. The check a practitioner should teach is simple: a legitimate CAPTCHA never asks the user to run a command or open a terminal.

Operation Mechanics: From Intelligence to Action

The four-month operation from January to April 2025 followed a carefully orchestrated sequence designed to maximize impact while maintaining operational security:

Phase 1: Intelligence Gathering (January-February): Private sector partners shared threat intelligence with Interpol, who consolidated and analyzed the data to identify priority targets. This phase involved mapping criminal infrastructure, identifying key servers, and understanding the relationships between different criminal groups.

Phase 2: Operational Planning (March): Law enforcement agencies in participating countries received detailed intelligence packages and began planning coordinated actions. This phase required careful timing to ensure simultaneous action across multiple time zones and legal jurisdictions.

Phase 3: Execution (April): Coordinated raids, server seizures, and arrests took place across the region. The timing was critical—delays in one country could have allowed criminals in other jurisdictions to escape or destroy evidence.

Phase 4: Victim Notification and Follow-up (Post-April): Authorities began the massive task of notifying over 216,000 identified victims, providing guidance on protective measures and working to prevent further victimization.

Country-Specific Successes and Challenges

Different participating countries made varying contributions based on their unique capabilities and the criminal infrastructure present in their territories:

Hong Kong: The Intelligence Hub

Hong Kong Police played a crucial analytical role, processing over 1,700 intelligence leads provided by Interpol and identifying 117 command-and-control servers spread across 89 internet service providers. These servers served as central hubs for phishing campaigns, social engineering attacks, and fraud schemes targeting victims across the region.

Hong Kong's role demonstrates how financial centers often become critical infrastructure points for international cybercrime, even when the actual criminals operate from other locations. The territory's advanced technical capabilities and international connectivity make it both a target and a valuable partner in disruption operations.

Vietnam: The Major Arrests

Vietnamese authorities achieved the operation's most significant arrest numbers, apprehending 18 suspects including suspected ringleaders. The raids revealed sophisticated criminal operations with the suspects found in possession of business registration documents, suggesting they were operating fake companies to legitimize their criminal activities.

The discovery of large amounts of cash alongside technical equipment indicates these operations were highly profitable, providing financial incentives that attracted organized criminal involvement beyond simple technical experts.

Sri Lanka and Nauru: Regional Cooperation

Even smaller participating countries made important contributions. Raids in Sri Lanka resulted in 12 arrests, while operations in Nauru led to 2 arrests and the identification of 40 victims. These successes demonstrate how international cybercrime networks rely on infrastructure and human resources distributed across multiple countries, regardless of size or economic development level.

Technical Infrastructure: Understanding the Criminal Backbone

The criminal infrastructure targeted by Operation Secure revealed the sophisticated nature of modern cybercrime operations. The 41 seized servers weren't simply hosting malware—they formed complex networks that provided multiple services to criminal customers:

Command and Control: Servers provided centralized control over infected computers, allowing criminals to task malware, collect stolen data, and deploy additional payloads remotely.

Data Processing and Storage: Criminal operations required significant storage and processing capabilities to handle the massive volumes of stolen data generated by thousands of infected computers.

Money Laundering and Payment Processing: Some infrastructure supported the financial aspects of criminal operations, including cryptocurrency exchanges and payment processing for malware-as-a-service customers.

Communication and Coordination: Secure communication channels allowed criminal groups to coordinate operations, share resources, and avoid law enforcement detection.

The Human Cost: 216,000 Victims and Beyond

The notification of over 216,000 victims represents one of the largest victim notification efforts in cybercrime history, but the numbers tell only part of the story. Each notification represents an individual or organization whose digital security was compromised, often with consequences extending far beyond the initial data theft.

For individual victims, infostealer infections can result in:

  • Unauthorized access to bank accounts and financial fraud
  • Identity theft and synthetic identity creation
  • Compromise of work accounts leading to corporate data breaches
  • Emotional distress and loss of privacy
  • Long-term credit and financial consequences

For corporate victims, the impact often extends to:

  • Business email compromise leading to financial fraud
  • Unauthorized access to customer data and intellectual property
  • Compliance violations and regulatory penalties
  • Reputational damage and customer trust issues
  • Operational disruption and recovery costs

The victim notification process itself represents a significant undertaking, requiring translation into multiple languages, coordination with local authorities, and provision of specific guidance for different types of compromise. Many victims were advised to immediately change passwords, freeze accounts, and remove unauthorized access—actions that require technical knowledge many users lack.

Economic Impact and Criminal Profits

While exact financial figures remain under investigation, the scale of Operation Secure suggests criminal profits in the millions of dollars. The FBI's assessment of Lumma Stealer alone—just one of the malware families involved—indicated $36.5 million in credit card fraud losses.

The criminal economics of infostealer operations reveal why they've become so prevalent:

Low Barriers to Entry: Malware-as-a-Service platforms allow technically unsophisticated criminals to operate advanced malware for monthly subscription fees ranging from $250 to $1,000.

High Volume, Low Risk: Automated operations can infect thousands of computers with minimal human intervention, while the silent nature of infostealers means infections often go undetected for months.

Multiple Revenue Streams: Criminals profit from selling stolen data, providing access to ransomware operators, and conducting fraud operations, creating diversified income that's difficult to disrupt.

International Scope: Operating across multiple jurisdictions makes investigation and prosecution more complex, reducing the risk of criminal consequences.

Broader Implications for Cybersecurity

Operation Secure's success provides important lessons for the future of international cybersecurity cooperation:

The Public-Private Partnership Model

The operation demonstrates that effective cybercrime fighting requires resources and capabilities that no single organization possesses. Government agencies have legal authority and international cooperation mechanisms, while private companies have technical expertise and global threat visibility. Combining these capabilities creates synergistic effects that exceed what either sector could achieve independently.

However, this model also raises questions about information sharing, privacy protection, and the appropriate role of private companies in law enforcement operations. Future operations will need to develop frameworks that maximize security benefits while protecting legitimate privacy interests.

Intelligence-Driven Operations

The 79% takedown success rate achieved in Operation Secure reflects the power of intelligence-driven approaches to cybercrime. Rather than reactive investigations following individual incidents, the operation used comprehensive threat intelligence to map entire criminal ecosystems before taking action.

This approach suggests that future cybersecurity efforts should prioritize intelligence gathering and analysis over traditional incident response, potentially preventing far more damage than post-incident investigations can address.

Regional Cooperation Frameworks

The ASPJOC framework that enabled Operation Secure provides a model for regional cybersecurity cooperation that could be adapted to other parts of the world. The framework's success in coordinating activities across 26 diverse countries suggests that regional approaches may be more effective than bilateral cooperation or global frameworks that struggle with competing national interests.

Challenges and Limitations

Despite its successes, Operation Secure also highlights ongoing challenges in fighting international cybercrime:

Infrastructure Resilience

Cybersecurity experts note that criminal infrastructure networks are "highly resilient," capable of "reconstituting infrastructure via bullet-proof hosting and fast-rotating domains." While Operation Secure disrupted existing operations, criminals can often rebuild using new servers and domains relatively quickly.

This resilience suggests that disruption operations must be followed by sustained pressure and continuous monitoring to prevent criminal organizations from simply relocating their activities.

Attribution and Evidence

International cybercrime investigations face significant challenges in attribution and evidence collection. Criminals often use compromised computers in third countries to host their infrastructure, making it difficult to determine actual responsibility and complicating evidence gathering for prosecution.

Operation Secure's success in achieving actual arrests alongside infrastructure disruption suggests that future operations should prioritize human intelligence and financial investigation alongside technical analysis.

Jurisdictional Complexity

The involvement of 26 countries in Operation Secure, while enabling broad cooperation, also creates complexity in evidence sharing, legal proceedings, and ongoing investigation. Different legal systems, evidence standards, and privacy laws can complicate prosecution efforts even when cooperation exists.

The Evolving Threat Landscape

The criminal ecosystem targeted by Operation Secure continues to evolve, with several trends likely to shape future threats:

AI Integration

Criminals are beginning to integrate artificial intelligence into infostealer operations, from automated victim targeting and lure generation to faster evasion of detection. Future operations will need to account for AI-assisted criminal tooling that can be reworked far more quickly than the infrastructure it runs on.

Cryptocurrency Integration

The increasing integration of cryptocurrency theft capabilities into infostealers reflects the growing importance of digital assets in both legitimate and criminal economies. Future operations will need specialized expertise in blockchain analysis and cryptocurrency tracking.

Supply Chain Targeting

Criminals are increasingly targeting software supply chains to distribute infostealers through legitimate applications and updates. This trend suggests that future operations may need to focus more on protecting development environments and software distribution channels.

Lessons for Organizations and Individuals

Operation Secure provides important insights for both organizations and individuals seeking to protect themselves from infostealer threats:

Organizational Defenses

  • Endpoint Hardening: Robust endpoint protection and continuous monitoring can detect infostealer infections before significant data theft occurs
  • Credential Management: Password managers and multi-factor authentication limit the impact of stolen passwords, but a stolen session cookie is already past the MFA step, so incident response must also revoke active sessions and tokens, not just reset passwords
  • Employee Training: Regular security awareness training can help employees identify and avoid infostealer distribution methods
  • Incident Response: Rapid response to suspected infections can minimize data exposure and enable quick remediation
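The weak point in the list above is that MFA does nothing against a replayed session cookie, which is exactly what infostealers harvest alongside passwords. As an added example (the editor's code, not a control from the page's sources), the following Python scans identity-provider sign-in and token-refresh events and flags a session that is later presented from a different browser or network than the one it was issued to, the signature of a stolen cookie being replayed from the attacker's machine. The event format, field names and sample events are constructed assumptions.

```python
"""Spot a stolen browser session being replayed from another machine.

Added example: editor's code, not from the page's sources. SAMPLE_SIGNINS and
the event fields (ts, user, session_id, ip, user_agent) are constructed.
"""
from ipaddress import ip_network


def _net(ip):
    """Coarsen an address to its /24 so DHCP churn inside one office is not an alert."""
    return ip_network(f"{ip}/24", strict=False)


def detect_session_replay(events):
    """Return alerts for sessions used from a different browser or network later on.

    Each session_id is bound to the (user-agent, /24 network) of its first event.
    A later event on the same session_id that breaks that binding is flagged;
    both attributes changing is 'high', a network change alone is 'low' because
    a phone moving between Wi-Fi and cellular produces the same signal.
    """
    bound = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        ua, net = ev["user_agent"], _net(ev["ip"])
        if sid not in bound:
            bound[sid] = (ev["user"], ua, net)
            continue
        user, ua0, net0 = bound[sid]
        reasons = []
        if ua != ua0:
            reasons.append("user_agent")
        if net != net0:
            reasons.append("network")
        if not reasons:
            continue
        alerts.append({
            "user": user, "session_id": sid, "ts": ev["ts"], "ip": ev["ip"],
            "reasons": reasons,
            "severity": "high" if len(reasons) == 2 else "low",
            # Password reset alone leaves the replayed session valid.
            "action": "revoke session and all refresh tokens, then reset credentials",
        })
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["ts"]))


# Constructed sign-in log: alice's cookie is replayed from a Linux box on another
# network, bob refreshes normally from the office, carol's phone changes network.
SAMPLE_SIGNINS = [
    {"ts": "2025-04-30T09:00:00", "user": "alice", "session_id": "s-1", "ip": "10.0.5.21",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"},
    {"ts": "2025-04-30T09:05:00", "user": "alice", "session_id": "s-1", "ip": "10.0.5.21",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"},
    {"ts": "2025-04-30T11:40:00", "user": "alice", "session_id": "s-1", "ip": "203.0.113.44",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"},
    {"ts": "2025-04-30T09:10:00", "user": "bob", "session_id": "s-2", "ip": "10.0.7.3",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/124.0"},
    {"ts": "2025-04-30T12:00:00", "user": "bob", "session_id": "s-2", "ip": "10.0.7.9",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/124.0"},
    {"ts": "2025-04-30T09:20:00", "user": "carol", "session_id": "s-3", "ip": "198.51.100.8",
     "user_agent": "Mozilla/5.0 (iPhone) Safari/17.4"},
    {"ts": "2025-04-30T09:50:00", "user": "carol", "session_id": "s-3", "ip": "192.0.2.77",
     "user_agent": "Mozilla/5.0 (iPhone) Safari/17.4"},
]

if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_SIGNINS):
        print(alert["severity"].upper(), alert["user"], alert["session_id"], alert["reasons"])
```

The "action" field is the point of the exercise: after an infostealer infection the stolen cookie keeps working until the identity provider invalidates the session, so the response playbook must revoke sessions and refresh tokens for the affected user, and only then reset the password and re-enrol MFA.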

Individual Protection

  • Browser Security: Regular browser updates and avoiding suspicious downloads can prevent many infostealer infections
  • Password Hygiene: A unique password for every account, changed promptly whenever a compromise is suspected, limits how far one stolen credential can be reused; forced periodic rotation on its own adds little against a stealer that captures the new password the next time it is typed
  • Financial Monitoring: Regular monitoring of financial accounts and credit reports can enable quick detection of fraud
  • Software Sources: Downloading software only from official sources and avoiding pirated applications can prevent many infections

The Road Ahead: Building on Success

Operation Secure represents a significant victory in the ongoing battle against cybercrime, but it's important to recognize that it's one operation in a larger, ongoing conflict. The criminal ecosystem that produced the targeted infostealer networks remains largely intact, and new threats are already emerging to replace those that were disrupted.

The operation's success provides a template for future international cooperation, but sustaining this level of coordination requires ongoing investment in both technical capabilities and international relationships. The private sector partnerships that proved crucial to Operation Secure's success need to be formalized and expanded, while regional cooperation frameworks like ASPJOC need to be strengthened and replicated in other parts of the world.

Perhaps most importantly, Operation Secure demonstrates that international cybercrime can be effectively disrupted when governments, law enforcement agencies, and private companies work together with sufficient coordination and resources. The 79% infrastructure takedown rate and the arrest of actual criminals—not just the seizure of technical infrastructure—prove that cybercriminals are not beyond the reach of law enforcement.

As cybercriminals continue to evolve their tactics and expand their operations, the international community must maintain the momentum generated by Operation Secure. The 216,000 victims who received notification letters represent just a fraction of those affected by infostealer malware worldwide. Protecting the remaining millions will require sustained effort, continued cooperation, and ongoing innovation in both defensive techniques and international law enforcement coordination.

The success of Operation Secure offers hope that the tide may be turning in the fight against international cybercrime. But turning that hope into sustained progress will require continued vigilance, ongoing cooperation, and recognition that cybersecurity is truly a shared global responsibility that requires all stakeholders—governments, companies, and individuals—to play their part in creating a more secure digital world.

By Breached Company