A large international cybercrime operation coordinated by INTERPOL has disrupted thousands of systems used for phishing, malware distribution, and ransomware attacks.
The operation, called Operation Synergia III, ran from July 18, 2025, to January 31, 2026, and involved law enforcement agencies from 72 countries and territories. Investigators targeted malicious infrastructure used by cybercriminal groups rather than focusing only on individual attacks.
During the operation, authorities took down more than 45,000 malicious IP addresses and servers. The coordinated actions also led to 94 arrests, while 110 additional suspects remain under investigation in multiple countries.
Law enforcement agencies carried out raids and technical takedowns based on intelligence gathered during the investigation. In total, over 200 electronic devices and servers were seized as part of the operation.
In its press release, INTERPOL said the investigation focused on online fraud infrastructure, including phishing websites, malware distribution networks, ransomware infrastructure, and social engineering scams. Although investigations are still ongoing, early findings have already revealed several types of fraud campaigns.
In Macau, China, authorities identified more than 33,000 phishing and fraudulent websites that impersonated online casinos, banks, government services, and payment platforms. Victims were tricked into depositing money through fake platforms or providing personal and financial information.
In Togo, police arrested 10 suspects who operated a fraud ring from a residential area. Some members focused on hacking social media accounts while others carried out romance scams and sextortion schemes. After compromising accounts, attackers contacted the victim’s friends and family while pretending to be the account owner and asked for money transfers.
In Bangladesh, investigators arrested 40 suspects and seized 134 electronic devices connected to cybercrime activities, including loan scams, fake job offers, identity theft and credit card fraud.
INTERPOL worked with cybersecurity firms Group-IB, Trend Micro, and S2W to identify malicious infrastructure and track cybercriminal activity during the operation.
Neal Jetton, Director of INTERPOL’s Cybercrime Directorate, said the investigation showed how international cooperation can help disrupt organized cybercrime networks operating across multiple regions.
It is worth noting that in 2024, INTERPOL conducted Operation Synergia II, which led to 41 arrests and the takedown of 22,000 malicious IP addresses and 59 servers worldwide.
Separate takedown targets SocksEscort proxy network
As reported on the 12th of March 2026, in a separate cybercrime enforcement action, European and US authorities dismantled SocksEscort, a proxy network used by cybercrime groups to hide their online activity.
The service provided access to compromised routers and devices, allowing criminals to route malicious traffic through residential IP addresses and hide their real location. Authorities also seized 34 domains and 23 servers linked to the operation and froze around $3.5 million in cryptocurrency associated with the service.
Investigators said the proxy network had advertised access to hundreds of thousands of IP addresses across more than 160 countries. The infrastructure was used in multiple fraud schemes, including cryptocurrency theft and payment card fraud.
Both cases show how law enforcement agencies are focusing on dismantling the technical infrastructure used by cybercriminal groups rather than only following individual attackers.
Waqas
