
An international law enforcement operation codenamed “Operation Secure” has disrupted global infostealer malware infrastructure, resulting in 32 arrests and the takedown of 20,000 malicious IPs and domains. The INTERPOL-led operation, announced on June 11, 2025, targeted cybercriminal networks across 26 countries, with significant arrests in Vietnam and Sri Lanka [1]. Private sector partners including Group-IB, Kaspersky, and Trend Micro provided critical intelligence that enabled the takedown of 41 servers and notification of over 216,000 victims [2].
Operation Secure: Key Findings
The operation focused on infostealer malware families that harvest credentials, browser session cookies, and cryptocurrency wallets. These stolen credentials and cookies often serve as initial access vectors for ransomware groups and business email compromise (BEC) scams. According to INTERPOL’s ASPJOC (Asia and South Pacific Joint Operations on Cybercrime) project, the operation identified a direct link between infostealer activity and 49% of subsequent breaches, with poor password hygiene a major contributing factor [3]. Verizon’s 2025 DBIR report likewise identifies stolen credentials as a leading initial access vector, and a Forbes Advisor survey found that 46% of U.S. internet users had a password stolen in 2024 [4].
Infostealer Threat Landscape
The disruption comes as infostealer malware evolves in sophistication and targeting. Lumma Stealer, taken down in a separate Europol-Microsoft operation in May 2025, had infected over 394,000 Windows devices before its disruption [5]. Malware-as-a-Service (MaaS) models have made these tools widely accessible, with subscription tiers ranging from $250 to $20,000 on underground forums. Bitsight’s analysis of stealer logs found that 13.2 billion credentials were harvested in 2024 alone [6].
Malware Family | Primary Features | Current Status (2025)
---|---|---
RedLine | MaaS model, credential/wallet theft | Disrupted (2024 operations)
Lumma | Subscription-based, Steam profiles as C2 dead-drop fallback | Disrupted (May 2025); had become the dominant stealer after the RedLine takedown
AppleProcessHub | macOS targeting, evasion techniques | Emerging threat
Mitigation Strategies
For organizations defending against infostealer threats, several key measures are recommended:
- Implement credential monitoring services to detect compromised passwords, including corporate credentials surfacing in stealer logs
- Enforce multi-factor authentication (MFA) across all critical systems, and pair it with short session lifetimes and prompt revocation, since a stolen session cookie lets an attacker bypass MFA entirely
- Monitor for cookie theft through endpoint detection systems, in particular non-browser processes reading browser cookie and credential stores
- Participate in threat intelligence sharing programs like INTERPOL’s ASPJOC
The emergence of macOS-targeted stealers like AppleProcessHub highlights the need for cross-platform security strategies. Symantec’s recent discovery shows threat actors are expanding beyond traditional Windows targets [7].
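The cookie-theft mitigation and the cross-platform point above, as an added example that is not part of the original article: a small Python detection over constructed EDR-style file-read events. It flags any process that reads a browser cookie or login database, the Chromium “Local State” or Firefox key4.db file that decrypts them, the macOS login keychain, or a wallet directory, unless the process is the browser or wallet that owns that store. The Chrome, Edge, Firefox and keychain paths are the standard locations; the wallet paths, process allowlists and sample events are constructed for illustration and are not from the operation or the vendors named above.

```python
"""Flag processes reading browser cookie/credential stores or wallet directories
they do not own. Added example with constructed events; not from the article."""
import fnmatch
from collections import defaultdict

# Process images that legitimately open each kind of store (lower-cased basenames).
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "google chrome", "google chrome helper"}
FIREFOX = {"firefox.exe", "firefox"}
KEYCHAIN = {"securityd"}
WALLETS = {"exodus.exe", "exodus", "electrum.exe"}   # illustrative

# (category, glob over the lower-cased forward-slashed path, owning processes).
# Chromium keeps the DPAPI-wrapped AES key in "Local State" and Firefox keeps the
# key for logins.json in key4.db, so stealers grab those next to the databases.
STORES = [
    ("chromium-cookies", "*/user data/*/network/cookies", CHROMIUM),
    ("chromium-cookies", "*/application support/google/chrome/*/cookies", CHROMIUM),
    ("chromium-logins", "*/user data/*/login data", CHROMIUM),
    ("chromium-logins", "*/application support/google/chrome/*/login data", CHROMIUM),
    ("chromium-key", "*/user data/local state", CHROMIUM),
    ("firefox-cookies", "*/firefox/profiles/*/cookies.sqlite", FIREFOX),
    ("firefox-logins", "*/firefox/profiles/*/logins.json", FIREFOX),
    ("firefox-logins", "*/firefox/profiles/*/key4.db", FIREFOX),
    ("macos-keychain", "*/library/keychains/login.keychain-db", KEYCHAIN),
    ("crypto-wallet", "*/exodus/exodus.wallet/*", WALLETS),       # illustrative path
    ("crypto-wallet", "*/electrum/wallets/*", WALLETS),           # illustrative path
]


def _norm(path):
    """Lower-case and forward-slash a path so one glob covers Windows and macOS."""
    return path.replace("\\", "/").lower()


def classify_access(event):
    """Return (category, owners) if the event's target is a sensitive store, else None."""
    target = _norm(event["target"])
    for category, pattern, owners in STORES:
        if fnmatch.fnmatchcase(target, pattern):
            return category, owners
    return None


def detect(events):
    """Alert on reads of credential stores by processes that do not own them.
    A process sweeping two or more store categories (typical stealer behaviour)
    is escalated to high severity; a single foreign read stays medium."""
    alerts = []
    swept = defaultdict(set)                # (host, pid) -> categories touched
    for ev in events:
        hit = classify_access(ev)
        if hit is None:
            continue
        category, owners = hit
        if _norm(ev["process"]).rsplit("/", 1)[-1] in owners:
            continue                        # the browser/wallet opening its own files
        swept[(ev["host"], ev["pid"])].add(category)
        alerts.append({"host": ev["host"], "pid": ev["pid"], "user": ev["user"],
                       "process": ev["process"], "category": category,
                       "target": ev["target"]})
    for alert in alerts:
        n = len(swept[(alert["host"], alert["pid"])])
        alert["severity"] = "high" if n >= 2 else "medium"
    return alerts


def _ev(host, pid, user, process, target):
    return {"host": host, "pid": pid, "user": user, "process": process, "target": target}


# Constructed file-read events in the shape an EDR or Sysmon pipeline would emit.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe"
APPDATA = r"C:\Users\alice\AppData"
FF_KEY = APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db"
SAMPLE_EVENTS = [
    # Benign: Chrome and Firefox opening their own stores.
    _ev("WS01", 4120, "corp\\alice", CHROME, APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    _ev("WS01", 5210, "corp\\alice", r"C:\Program Files\Mozilla Firefox\firefox.exe", FF_KEY),
    # Cross-browser read: Chrome has no business opening Firefox's key database.
    _ev("WS01", 4120, "corp\\alice", CHROME, FF_KEY),
    # Stealer-like sweep from a binary in %TEMP%: key, logins, Firefox keys, wallet.
    _ev("WS01", 9931, "corp\\alice", DROPPER, APPDATA + r"\Local\Google\Chrome\User Data\Local State"),
    _ev("WS01", 9931, "corp\\alice", DROPPER, APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev("WS01", 9931, "corp\\alice", DROPPER, FF_KEY),
    _ev("WS01", 9931, "corp\\alice", DROPPER, APPDATA + r"\Roaming\Exodus\exodus.wallet\seed.seco"),
    _ev("WS01", 9931, "corp\\alice", DROPPER, r"C:\Users\alice\Documents\notes.txt"),   # ignored
    # macOS: a shell reading the login keychain and Chrome cookies.
    _ev("mac-bob", 777, "bob", "/bin/bash", "/Users/bob/Library/Keychains/login.keychain-db"),
    _ev("mac-bob", 777, "bob", "/bin/bash", "/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} pid={a['pid']} {a['process']} -> {a['category']}: {a['target']}")
```

Pairing each store with its owning process, rather than keeping one global browser allowlist, is what catches the cross-browser read and the shell on the Mac. Backup agents and AV scanners will appear as recurring single-category readers and belong on a per-host allowlist; a stealer that injects into the browser process or copies the database through a volume shadow copy never appears as a foreign reader of the live file, so this rule complements, rather than replaces, monitoring of DPAPI (CryptUnprotectData) use and browser process integrity.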
Conclusion
Operation Secure represents a significant milestone in global cybercrime disruption, but the evolving infostealer landscape requires continued vigilance. The public-private partnership model demonstrated in this operation provides a blueprint for future collaborative takedowns. Organizations should prioritize credential and session protection and adopt an assume-breach posture given the scale of credential theft documented in these operations.
References
- “20,000 malicious IPs and domains taken down in INTERPOL infostealer crackdown,” INTERPOL, 2025.
- “Verizon 2025 Data Breach Investigations Report,” Verizon, 2025.
- “American Password Habits Survey,” Forbes Advisor, 2024.
- “Europol and Microsoft disrupt world’s largest infostealer Lumma,” Europol, 2025.
- “The Evolution of Stealer Malware,” Bitsight, 2025.
- “AppleProcessHub: New macOS Infostealer,” Symantec, 2025.
- “Operation Secure disrupts global infostealer malware operations,” BleepingComputer, 2025.