Interpol operation nets 41 arrests, takedown of 22,000 malicious IPs


Interpol announced 41 arrests and the seizure of hundreds of servers in an operation intended to take down malicious IP addresses used for phishing, ransomware and infostealer malware.

On Tuesday, the intergovernmental organization said it worked with law enforcement agencies from 95 member countries and multiple cybersecurity firms on the second phase of Operation Synergia, which was announced earlier this year.

From April 1 to August 31, Interpol took down more than 22,000 malicious IP addresses — more than three-quarters of the 30,000 that researchers collaborating with law enforcement identified as suspicious.

Alongside the 41 arrests, Interpol seized 43 devices including laptops, phones and hard drives. Interpol also noted that 65 other people are still under investigation but were not arrested.

“Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime,” said Neal Jetton, Interpol’s Director of the Cybercrime Directorate.

Interpol said it worked with cybersecurity researchers at Team Cymru, Kaspersky, Group-IB and Trend Micro who traced malicious activity back to the IP addresses. 

The organization then shared the companies’ findings with law enforcement agencies around the world, which investigated the research before launching coordinated takedowns. Interpol did not specify which strains of malware or cybercriminal organizations were being targeted.

Hong Kong police took down 1,037 servers, and in Mongolia 21 house searches were conducted leading to the seizure of one server and the identification of 93 people who may be involved in malicious cyber activities. 

Officials in Macau also took down 291 servers and Madagascar identified 11 people potentially involved in cybercrime, seizing 11 devices.

Estonian police said they seized data allegedly related to phishing and banking malware. 

David Monnier, chief evangelist at Team Cymru, said in a blog post that they contributed to the operation by “identifying and categorizing malicious infrastructure” using a platform they created. 

“These efforts provided INTERPOL with high-confidence attributions of malicious servers and infrastructure. Our methodology included: Implementing comprehensive analysis of banking malware and phishing infrastructure [and] categorizing Internet-facing nodes through our extensive tagging system,” he said.

They also investigated specific malware families and validated data to assist in the creation of threat intelligence reports, Monnier added. 

The first phase of Operation Synergia — announced in February — involved 31 arrests and the identification of 1,300 malicious servers that were used to carry out phishing attacks and distribute malware.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
