INTERPOL Dismantles Global Infostealer Botnet Network

In a major blow to cybercriminal operations worldwide, INTERPOL has successfully dismantled a global botnet infrastructure linked to large-scale infostealer campaigns. The operation—coordinated across 11 countries—resulted in the takedown of more than 20,000 malicious IP addresses and the arrest of 32 individuals directly involved in the deployment and monetization of infostealer malware. The international law enforcement collaboration marks one of the most significant global cybercrime disruptions in recent years.

While the infrastructure was primarily attributed to infostealers—malware designed to siphon credentials, personal data, and financial information—investigators have raised concerns about the dual-use nature of such botnets. With the ability to collect and route massive volumes of stolen data, these networks can also be repurposed for cyberespionage and nation-state surveillance, blurring the lines between financially motivated cybercrime and state-sponsored operations.

Overview of the Operation

The botnet takedown was the result of a months-long, intelligence-driven campaign involving:

  • Joint efforts by INTERPOL's Cybercrime Directorate
  • Digital forensics support from national cybersecurity agencies
  • Coordination with CERTs, financial fraud divisions, and ISP partners
  • Legal cooperation through the INTERPOL Global Complex for Innovation (IGCI)

Countries participating in arrests and infrastructure seizures included the United States, Germany, Brazil, Ukraine, Nigeria, India, Thailand, and others across Europe and Asia. The botnet, believed to be modular and for-hire, was reportedly used to distribute multiple strains of infostealers, including Raccoon Stealer, Vidar, RedLine, and Lumma.

What Are Infostealers?

Infostealers are a class of malware designed to operate silently on infected machines, collecting and exfiltrating:

  • Login credentials for websites, VPNs, and cloud services
  • Stored browser cookies and session tokens
  • Cryptocurrency wallet keys
  • Autofill data and system information
  • Files of interest based on extension or path

Unlike ransomware or destructive malware, infostealers often prioritize stealth. Once deployed, they gather data in bulk and send it to command-and-control (C2) servers or intermediaries, where it is either monetized on dark web marketplaces or leveraged for further intrusions.

Key Infrastructure Findings

INTERPOL’s forensic investigation revealed a highly distributed and modular botnet composed of:

  • Over 20,000 unique IPs acting as C2 nodes, proxies, or infected endpoints
  • Use of Fast Flux DNS techniques to obscure server locations
  • Bulletproof hosting from jurisdictions with minimal cybercrime laws
  • Command instructions embedded in TLS-encrypted traffic and steganographic payloads
  • Distributed panels for botnet operation accessible through onion services

Many of these IP addresses had been flagged by prior threat intelligence research as nodes involved in credential stuffing, email harvesting, and banking trojans, indicating their reuse across multiple criminal campaigns.
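The Fast Flux DNS technique noted above leaves a measurable footprint on the defender's side: a single hostname resolving to many unrelated addresses in quick succession, usually with very short TTLs. The following script is an added example, not code from the article or from INTERPOL, that flags such hostnames from passive-DNS or resolver logs. The log format, the sample lines (TEST-NET addresses) and the thresholds (five or more unique IPs spread over at least three /24 prefixes with a mean TTL of 300 seconds or less) are assumptions chosen for illustration; tune them to your own resolver data.

```python
"""Flag fast-flux-style hostnames from resolver logs (added example, not from the article)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Assumed log format: "<epoch> <qname> A <address> <ttl>" (one answer per line).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+A\s+(\S+)\s+(\d+)$")

# Constructed sample log: one hostname rotating through many addresses with low
# TTLs, two ordinary hostnames with stable records and long TTLs.
SAMPLE_LOG = """\
1700000000 update-cdn.example A 203.0.113.10 60
1700000300 update-cdn.example A 198.51.100.77 45
1700000600 update-cdn.example A 192.0.2.200 30
1700000900 update-cdn.example A 203.0.113.55 60
1700001200 update-cdn.example A 198.51.100.9 30
1700001500 update-cdn.example A 192.0.2.14 60
1700000000 www.corp.example A 203.0.113.20 3600
1700003600 www.corp.example A 203.0.113.20 3600
1700000000 mail.corp.example A 203.0.113.21 86400
this line is malformed and is skipped
"""


def parse_log(text):
    """Return (timestamp, qname, address, ttl) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, qname, addr, ttl = m.groups()
        try:
            ip_address(addr)  # reject garbage in the answer column
        except ValueError:
            continue
        records.append((int(ts), qname.lower().rstrip("."), addr, int(ttl)))
    return records


def summarize(records):
    """Per-hostname statistics: unique addresses, unique /24s, mean TTL, observation window."""
    per = defaultdict(lambda: {"ips": set(), "ttls": [], "first": None, "last": None})
    for ts, qname, addr, ttl in records:
        d = per[qname]
        d["ips"].add(addr)
        d["ttls"].append(ttl)
        d["first"] = ts if d["first"] is None else min(d["first"], ts)
        d["last"] = ts if d["last"] is None else max(d["last"], ts)
    summary = {}
    for qname, d in per.items():
        # Distinct /24 prefixes approximate "addresses from unrelated networks"
        # without needing ASN data offline.
        prefixes = {str(ip_network(f"{ip}/24", strict=False)) for ip in d["ips"]}
        summary[qname] = {
            "unique_ips": len(d["ips"]),
            "unique_prefixes": len(prefixes),
            "mean_ttl": mean(d["ttls"]),
            "window_s": d["last"] - d["first"],
        }
    return summary


def flag_fast_flux(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Hostnames whose resolution pattern matches the fast-flux heuristic (thresholds are assumptions)."""
    summary = summarize(records)
    return sorted(
        q for q, s in summary.items()
        if s["unique_ips"] >= min_ips
        and s["unique_prefixes"] >= min_prefixes
        and s["mean_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, stats in sorted(summarize(recs).items()):
        print(name, stats)
    print("fast-flux candidates:", flag_fast_flux(recs))
```

A hit from this heuristic is a lead, not a verdict: legitimate CDNs also answer with many addresses and short TTLs, so the candidate list should be cross-checked against an allowlist of known CDN domains and against the IOC feeds mentioned later in the article before it feeds a blocklist.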

Overlap with Cyberespionage

While the primary use case for this botnet appears to have been cybercrime-for-profit, INTERPOL warned of emerging overlaps with state-aligned cyberespionage. Infostealer infrastructures can become low-cost data funnels for foreign intelligence agencies, offering access to troves of PII, internal documents, diplomatic communications, and proprietary IP.

In particular, investigators observed:

  • Exfiltrated data from government institutions, think tanks, and embassies
  • Cross-referencing of stolen data with known geopolitical targets
  • Hosting services commonly used by both cybercriminals and APT groups
  • Overlap in malware loader infrastructure with nation-state-linked malware such as Agent Tesla and njRAT

This suggests that some elements of the botnet may have been leased or subcontracted to espionage groups, or that APT actors were quietly harvesting from cybercriminal data pools.

Suspects and Prosecution

The 32 individuals arrested were involved in various aspects of the botnet’s operation:

  • Botnet operators and infrastructure maintainers
  • Malware developers and crypting service providers
  • Credential traffickers and dark web vendors
  • Money mules laundering proceeds via crypto exchanges and shell companies

INTERPOL noted that many suspects were part of loose, transnational cybercrime networks rather than centralized groups, making international cooperation essential for prosecution. Extradition requests and cybercrime charges are being prepared across multiple jurisdictions.

Security and Policy Implications

This operation reinforces the growing consensus that cybercrime infrastructure poses both criminal and national security threats. Governments and enterprises must treat infostealer botnets as part of the broader cyber threat landscape—not merely financial nuisances.

Key Takeaways:

  • Infostealer botnets are becoming platforms-for-hire for both cybercrime and espionage
  • Cybercriminals now deploy stealth-first malware with long-term value
  • Proactive international cooperation is critical to dismantle decentralized threat actors
  • The boundaries between criminal and state-linked activity continue to erode

Recommendations for Organizations

  • Monitor for known indicators of compromise (IOCs) linked to RedLine, Vidar, and Raccoon Stealer
  • Deploy threat detection systems that can identify fileless or memory-resident malware
  • Educate employees about phishing emails used to deliver infostealer payloads
  • Enforce MFA, rotate credentials regularly, and monitor for compromised credentials on the dark web
  • Work with ISPs and cybersecurity agencies to identify infected IPs and suppress propagation

INTERPOL’s dismantling of a global infostealer botnet marks a significant step forward in transnational cybercrime enforcement. As the lines between cybercrime, espionage, and information warfare continue to blur, proactive, global cyber policing must become the norm. Botnets are no longer just digital nuisances—they are strategic assets in a rapidly evolving threat landscape.

Organizations, both public and private, must recognize that infostealer infections are not isolated incidents. Each compromised endpoint is a doorway not just to financial fraud but to corporate espionage, strategic intelligence loss, and reputational damage.

For more insights and updates on cybersecurity, AI advancements, and cyberespionage, visit NorthernTribe Insider. Stay secure, NorthernTribe.
