Kaspersky & INTERPOL Dismantle 20,000 Malicious Domains During Paris Olympics

Operation Secure

  • What happened: From January to April 2025, INTERPOL launched Operation Secure under the Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) initiative. This effort united law enforcement from 26 countries alongside private-sector partners—including Kaspersky, Group‑IB, and Trend Micro—to dismantle infostealer malware infrastructure.

  • Core objective: Identify, locate, and neutralize servers, IPs, and domains tied to infostealer malware campaigns

Kaspersky’s Role & Threat Intelligence

  • Shared intelligence: Kaspersky’s Digital Footprint Intelligence team contributed data on command-and-control (C&C) infrastructure—key for planning takedowns.

  • Scope of analysis: The operation investigated around 70 infostealer variants and nearly 26,000 associated IPs and domains.

  • Global infection scale: Kaspersky estimates that roughly 26 million Windows devices were infected with some type of infostealer during 2023–2024, underscoring the scope and urgency of the threat.

Key Outcomes of Operation Secure

  • Infrastructure dismantled:

    • Over 20,000 malicious IPs and domains were disabled.

    • 41 servers seized, along with over 100 GB of forensic data.

  • Disruption success: Authorities successfully took down 79% of the identified suspicious IP addresses.

  • Arrests and raids: 32 suspects were arrested, with enforcement actions including:

    • Vietnam: 18 arrests; the suspected leader was found with VND 300 million (≈USD 11,500), SIM cards, and business documents.

    • Sri Lanka and Nauru: 14 arrests (12 in Sri Lanka, 2 in Nauru), with 40 victims identified.

    • Hong Kong: Analysis of 1,700+ intelligence pieces revealed 117 C&C servers hosted across 89 ISPs, serving as central hubs for phishing, fraud, and scams.

  • Victim outreach: Over 216,000 individuals and organizations were notified of potential compromise and advised to act (e.g., change passwords, freeze accounts).

Spotlight: Infostealers—What’s at Stake?

  • What are infostealers? Malware designed to stealthily extract sensitive data from infected devices, such as browser credentials, cookies, passwords, credit card details, and cryptocurrency wallet information.

  • Weaponizing stolen data: Harvested logs become currency in cybercriminal marketplaces, enabling follow-on attacks like ransomware, data breaches, and business email compromise (BEC).
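The operation's output that matters most to a defender is the list of C&C IPs and domains that was disabled, and the victim notification that followed depends on matching that list against what hosts actually talked to. The following is an added example, not code from Kaspersky, INTERPOL, or the report: a small indicator matcher that checks constructed DNS-query and proxy-connect log lines against a constructed indicator list and produces a per-host list for outreach. The indicators (a domain, a CIDR block, a single IP in RFC 5737 documentation ranges), the hostnames, and the log format are all assumptions made for illustration; they are not indicators from Operation Secure. The matcher treats a domain indicator as covering its subdomains, normalizes case and the trailing dot DNS logs often carry, and skips lines that do not fit the expected shape.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list for illustration only. These are NOT indicators
# published by INTERPOL or Kaspersky; the IPs are RFC 5737 documentation ranges.
C2_INDICATORS = [
    "stealer-panel.example",   # domain: matches itself and any subdomain
    "203.0.113.0/24",          # CIDR block
    "198.51.100.7",            # single IP
]

# Constructed sample log lines (not real traffic), one event per line:
# <timestamp> <source host> <event type> <target>
SAMPLE_LOGS = """\
2025-03-02T10:14:07Z ws-0417 dns_query login.stealer-panel.example.
2025-03-02T10:14:08Z ws-0417 http_connect 203.0.113.45:443
2025-03-02T10:20:11Z ws-0991 dns_query updates.example.org.
2025-03-02T11:02:33Z srv-db01 http_connect 198.51.100.7:8080
2025-03-02T11:05:00Z ws-0417 dns_query STEALER-PANEL.example
malformed line that should be skipped
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns_query|http_connect)\s+(\S+)$")


def _normalize_domain(name: str) -> str:
    # Lower-case and strip the trailing dot that DNS logs often include.
    return name.lower().rstrip(".")


def compile_indicators(indicators):
    """Split raw indicators into a set of normalized domains and a list of IP networks."""
    domains, networks = set(), []
    for ioc in indicators:
        try:
            networks.append(ipaddress.ip_network(ioc, strict=False))
        except ValueError:
            domains.add(_normalize_domain(ioc))
    return domains, networks


def _domain_hit(fqdn, domains):
    """Return the indicator equal to fqdn or to one of its parent domains, else None.

    Matching on label boundaries avoids substring false positives such as
    'notstealer-panel.example' matching 'stealer-panel.example'.
    """
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def _ip_hit(target, networks):
    """Return the network indicator containing the target address, else None."""
    # Strip ':port' only for the IPv4 'host:port' shape; bare IPv6 is passed through.
    host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def match_c2_indicators(log_text, indicators):
    """Return a list of (timestamp, host, target, matched_indicator) tuples."""
    domains, networks = compile_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or empty line: skip rather than crash
        ts, host, kind, target = m.groups()
        if kind == "dns_query":
            hit = _domain_hit(_normalize_domain(target), domains)
        else:
            hit = _ip_hit(target, networks)
        if hit:
            hits.append((ts, host, target, hit))
    return hits


def hosts_to_notify(hits):
    """Collapse hits into {host: sorted list of indicators} for victim outreach."""
    by_host = defaultdict(set)
    for _, host, _, ioc in hits:
        by_host[host].add(ioc)
    return {h: sorted(i) for h, i in by_host.items()}


if __name__ == "__main__":
    found = match_c2_indicators(SAMPLE_LOGS, C2_INDICATORS)
    for hit in found:
        print(hit)
    print(hosts_to_notify(found))
```

On the constructed input, two hosts come out of `hosts_to_notify`: ws-0417 (a C&C domain lookup plus a connection into the CIDR block) and srv-db01 (a connection to the single-IP indicator), while ws-0991 is clean. A real run would feed the matcher from DNS resolver or proxy logs and an indicator feed; a hit is a trigger for the steps the page lists under victim outreach (credential rotation, session invalidation, account freezes), not proof of infection on its own, since a DNS lookup can also come from a scanner or a sandbox.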

Why This Case Study Matters

1. Public–private synergy in action
The operation underscores how threat intelligence from cybersecurity firms like Kaspersky can fuel coordinated law enforcement takedowns—accelerating response and impact.

2. Regional collaboration, global effect
Even though focused on Asia-Pacific, the resulting disruption had implications worldwide—highlighting how criminal networks span borders and demand multinational responses.

3. Rapid operational tempo
In just four months, Operation Secure achieved significant arrests, infrastructure takedowns, and widespread victim outreach, a blueprint for future coordinated law enforcement operations against cybercrime.

4. Awareness and resilience building
This case emphasizes the importance of proactive monitoring, victim notification, and continuous intelligence-sharing to stay ahead of evolving cyber threats.


Summary Table

Aspect          | Details
Timeline        | January–April 2025
Focus           | Infostealer malware infrastructure (IPs, domains, servers)
Partners        | INTERPOL, law enforcement from 26 countries, Kaspersky, Group-IB, Trend Micro
Targets         | C&C infrastructure; ~70 infostealer variants; ~26,000 IPs/domains investigated
Results         | >20,000 IPs/domains disabled, 41 servers seized, 100+ GB of forensic data, 32 arrests
Victim Response | 216,000+ notifications issued
Threat Impact   | Credential theft, phishing, fraud, ransomware enablement
