INTERPOL's Operation Synergia III - a six-month coordinated law enforcement campaign conducted between July 18, 2025 and January 31, 2026 across 72 countries and territories - dismantled more than 45,000 malicious IP addresses and servers linked to phishing, malware distribution, and ransomware operations.
The operation resulted in 94 arrests, 212 electronic devices and servers seized, and 110 additional individuals placed under ongoing investigation.
Private sector partners Group-IB, Trend Micro, and S2W provided the threat intelligence that transformed raw network data into actionable targets.
In Macau alone, investigators identified more than 33,000 fraudulent websites impersonating casinos, banks, government portals, and payment services.
Bangladesh authorities arrested 40 suspects and seized 134 devices linked to loan scams, job fraud, identity theft, and credit card fraud.
In Togo, police dismantled a 10-person fraud ring operating from residential areas, conducting social media account hacking, romance scams, and sextortion.
Synergia III represents a 3,361% increase in IP takedowns compared to the original Operation Synergia in 2023 and the largest coordinated cyber infrastructure disruption of 2026. The announcement coincided with the separate takedown of the SocksEscort proxy network - a 16-year-old criminal anonymization service responsible for 369,000 compromised routers - signaling a coordinated strike against multiple layers of the cybercrime stack.
KEY FACTS
- What: Six-month international law enforcement operation targeting criminal cyber infrastructure across 72 countries and territories.
- Who: INTERPOL Cybercrime Directorate coordinating agencies from 72 member states. Private sector intelligence from Group-IB, Trend Micro, and S2W.
- How: Intelligence-led infrastructure identification followed by coordinated takedowns, server seizures, and arrests.
- Infrastructure Targeted: Phishing websites, malware distribution networks, ransomware command-and-control servers, fraudulent platforms, romance scam operations, and credit card fraud schemes.
- Scale: 45,000+ malicious IPs dismantled, 94 arrests, 212 devices seized, 110 suspects under ongoing investigation.
- Duration: July 18, 2025 - January 31, 2026 (approximately 6.5 months).
- Impact: Largest coordinated cyber infrastructure takedown of 2026. Third iteration of INTERPOL's Synergia series, representing exponential escalation from 1,300 IPs (2023) to 22,000 IPs (2024) to 45,000+ IPs (2026).
WHAT HAPPENED
Operation Synergia III launched on July 18, 2025, as the third phase of INTERPOL's escalating campaign against cybercrime infrastructure.
The operation ran for approximately six and a half months, concluding on January 31, 2026. INTERPOL's Cybercrime Directorate coordinated law enforcement agencies from 72 countries and territories, making it one of the most geographically distributed cyber operations ever conducted.
The operation targeted the infrastructure layer - the servers, domains, and IP addresses that enable cybercriminal operations at scale - rather than individual threat actors alone.
Phishing websites, malware distribution networks, ransomware command-and-control infrastructure, fraudulent e-commerce and gambling platforms, romance scam operations, and credit card fraud schemes all fell within scope.
INTERPOL's approach relied on a public-private intelligence model. Group-IB provided threat intelligence on phishing domains, hosting infrastructure, and servers distributing malware including infostealers.
Trend Micro contributed data from its global sensor network, identifying malicious infrastructure through telemetry analysis.
S2W, a South Korean dark web intelligence firm, provided monitoring of underground forums and marketplaces where cybercriminal services and infrastructure were traded.
INTERPOL's Cybercrime Directorate aggregated this private sector intelligence with law enforcement data to produce actionable targeting packages for participating agencies.
The results were announced on March 13, 2026. Group-IB CEO Dmitry Volkov echoed: "Cybercriminal groups rely on complex infrastructure to scale phishing and malware operations globally."
REGIONAL OPERATIONAL RESULTS
Macau, China: Police identified more than 33,000 phishing and fraudulent websites. The sites impersonated online casinos, banks, government service portals, and payment processing platforms, designed to harvest personal data, banking credentials, and credit card numbers.
The sheer volume - 33,000 sites from a single jurisdiction - indicates automated deployment using templating systems and hosting infrastructure designed for rapid scaling. Macau accounted for the largest single share of the 45,000+ IP takedowns.
Bangladesh: Authorities arrested 40 suspects and seized 134 electronic devices linked to a broad range of cybercrime schemes including loan scams, fake job offers, identity theft, and credit card fraud.
This represented the single largest arrest count from any participating jurisdiction.
Togo: Police dismantled a fraud ring operating from a residential area, arresting 10 suspects. The ring had a division of labor: technical operatives handled social media account compromise while social engineers conducted romance fraud and sextortion.
The arrests demonstrate that cybercrime operations in West Africa have professionalized beyond individual actors into structured criminal enterprises.
Additional participating countries included Angola, Argentina, Austria, Bahrain, Bolivia, Bosnia and Herzegovina, Botswana, Brazil, Brunei, Burkina Faso, Burundi, Cameroon, Colombia, Democratic Republic of Congo, Eritrea, Eswatini, France, Gambia, Georgia, Greece, Guatemala, Guinea, Guinea Bissau, Guyana, Honduras, Iceland, India, Iraq, Ireland, Israel, Japan, Jordan, Kazakhstan, Kenya, Kuwait, Latvia, Lebanon, Lesotho, Liechtenstein, Madagascar, Malaysia, Maldives, Moldova, Mongolia, Niger, Nigeria, North Macedonia, Oman, Pakistan, Palestine, Paraguay, Philippines, Poland, Qatar, Singapore, South Africa, South Sudan, Spain, Sri Lanka, Switzerland, Tanzania, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, Venezuela, Zambia, and Zimbabwe.
MENA participation was significant: Bahrain, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, and the UAE all contributed to the operation - reflecting INTERPOL's expanding cybercrime enforcement footprint in the Gulf region.
LAW ENFORCEMENT OPERATION ANALYSIS
The Synergia series represents INTERPOL's most sustained and escalating cybercrime infrastructure campaign. Each iteration has expanded in scope, geographic reach, and impact:
Operation Synergia I (September - November 2023): Ran across 54 countries. Identified 1,300 suspicious IP addresses and URLs linked to ransomware, malware, and phishing campaigns. Approximately 70% of identified command-and-control servers were taken down.
31 individuals arrested, 70 additional suspects identified. Group-IB provided 500 phishing IP addresses and 1,900 IPs associated with ransomware, Trojans, and banking malware. Europe accounted for the majority of takedowns and 26 of the 31 arrests.
Hong Kong dismantled 153 servers; Singapore dismantled 86.
Operation Synergia II (April - August 2024): Expanded to 95 countries - the broadest geographic participation. Identified approximately 30,000 suspicious IPs, of which 22,000 (76%) were taken down. 59 servers and 43 computing devices seized.
41 arrests, 65 additional suspects under investigation. Private sector partners expanded to include Group-IB, Trend Micro, Kaspersky, and Team Cymru.
Operation Synergia III (July 2025 - January 2026): 72 countries. 45,000+ malicious IPs dismantled. 94 arrests. 212 devices seized. 110 suspects under investigation. Partners: Group-IB, Trend Micro, S2W.
The progression: IPs taken down increased from 1,300 to 22,000 to 45,000+ (a 3,361% increase from Synergia I to III).
Arrests increased from 31 to 41 to 94. Device seizures scaled from unreported to 102 to 212. The operation has shifted from primarily European arrests (Synergia I) to a genuinely global enforcement action with major results in Asia and Africa.
The notable shift in Synergia III's partner composition - Kaspersky and Team Cymru participated in Synergia II but were replaced by S2W in Synergia III - may reflect geopolitical considerations following the US Commerce Department's ban on Kaspersky software sales in June 2024.
WHAT WAS DISRUPTED
- Phishing infrastructure - Websites impersonating legitimate financial institutions, government portals, payment processors, and online services. Macau alone accounted for 33,000+ fraudulent domains designed to harvest credentials and financial data.
- Malware distribution networks - Servers hosting and distributing malicious payloads including infostealers - malware designed to exfiltrate saved passwords, browser session cookies, cryptocurrency wallet data, and authentication tokens from infected devices.
- Ransomware command-and-control servers - Infrastructure used by ransomware operators to manage encrypted victim networks, exfiltrate data, and coordinate ransom demands.
- Fraud platforms - Romance scam infrastructure, fake job listing sites, fraudulent loan application portals, and sextortion operations.
- Credit card fraud schemes - Systems used to process stolen card data, conduct card-not-present fraud, and monetize harvested financial credentials.
- Social engineering platforms - Compromised social media accounts repurposed for downstream fraud, including romance scams and identity impersonation.
The operational focus on infrastructure rather than individual actors reflects INTERPOL's strategy of raising the cost of cybercrime by forcing threat actors to rebuild their technical capabilities after each disruption cycle.
OPERATIONAL METHODOLOGY
1. Intelligence aggregation from private sector partners. Group-IB, Trend Micro, and S2W provided raw threat intelligence - phishing domain lists, malicious IP addresses, dark web marketplace data, and infostealer distribution server locations.
INTERPOL's Cybercrime Directorate fused this commercial intelligence with law enforcement data to produce targeting packages.
2. Cross-jurisdictional coordination across 72 countries. Each participating country received intelligence relevant to infrastructure hosted within or operated from its jurisdiction.
Local law enforcement agencies conducted the physical operations - server seizures, device confiscation, and arrests - while INTERPOL provided the coordination framework and intelligence distribution.
3. Infrastructure-first targeting methodology. Rather than pursuing individual operators from the outset, the operation prioritized dismantling the infrastructure that enables cybercrime at scale.
Server takedowns, domain sinkholing, and IP blacklisting degrade operational capability across multiple criminal groups simultaneously. Arrests followed as infrastructure seizures exposed the operators behind them.
4. Automated infrastructure identification. The volume - 45,000+ IPs across 72 countries - indicates heavy reliance on automated detection and classification. Manual analysis at this scale would be impossible within a six-month operational window.
Trend Micro's global sensor network and Group-IB's automated infrastructure tracking were essential to identifying targets at this volume.
5. Concurrent multi-layer disruption. The March 2026 announcement of Synergia III coincided with the separate takedown of SocksEscort, a 16-year-old proxy network that had compromised 369,000 residential routers to provide criminal anonymization services.
Authorities seized 34 domains, 23 servers, and $3.5 million in cryptocurrency associated with SocksEscort.
The concurrent timing was not coincidental - it represents a coordinated strike against multiple layers of the cybercrime stack: infrastructure (Synergia III) and anonymization (SocksEscort).
INDICATORS OF COMPROMISE
Infrastructure Disrupted:
- 45,000+ malicious IP addresses sinkholed or seized across 72 jurisdictions
- 33,000+ phishing and fraudulent domains identified in Macau alone (fake casinos, spoofed bank/government/payment portals)
- 212 electronic devices and servers physically seized
- Infostealer distribution servers identified and shared by Group-IB
Note: INTERPOL has not published specific IP addresses, domain lists, or indicators of compromise from Operation Synergia III. The operational nature of law enforcement takedowns means detailed IoCs are typically shared through INTERPOL's restricted channels with member state CERTs rather than published publicly.
Organizations seeking specific IoCs should contact their national CERT or INTERPOL National Central Bureau.
Concurrent SocksEscort Takedown:
- 34 domains seized
- 23 servers seized
- 369,000 residential routers compromised since 2020
- Approximately 8,000 infected routers actively available to customers as of February 2026
- $3.5 million in cryptocurrency frozen
REGULATORY EXPOSURE
This section addresses the regulatory framework governing the cybercrime activities disrupted by Operation Synergia III - specifically, the data protection obligations that organizations whose infrastructure was exploited, or whose customers were victimized, must address.
For Victim Organizations Whose Infrastructure Was Compromised:
- GDPR Articles 32 and 33 - Organizations in the EU whose servers were identified as hosting malicious content - whether through compromise or negligent configuration - face obligations under Article 32 (security of processing) and Article 33 (72-hour breach notification) if personal data was processed through the compromised infrastructure. Fines up to EUR 20 million or 4% of annual global turnover.
- UK GDPR / DPA 2018 - UK organizations identified in the operation face identical obligations under UK data protection law. ICO enforcement powers include fines up to GBP 17.5 million or 4% of global turnover.
- NIS2 Directive - EU organizations classified as essential or important entities whose infrastructure was used for cybercrime may face mandatory incident reporting requirements and potential enforcement for failure to implement adequate cybersecurity measures.
For Jurisdictions Where Arrests Were Made:
- Computer Misuse Laws - The 94 arrested individuals face prosecution under their respective national computer misuse, cybercrime, and fraud statutes. Togo's 10 arrested suspects face prosecution under the country's cybercrime legislation. Bangladesh's 40 suspects face charges under the Digital Security Act 2018 and the ICT Act.
- Anti-Money Laundering - The financial proceeds of the disrupted operations - estimated in the tens of millions given the scale of phishing, ransomware, and credit card fraud involved - trigger anti-money laundering investigation and asset recovery proceedings under each jurisdiction's financial crime framework.
For MENA Participating Countries:
- Bahrain PDPL - Bahrain's participation signals growing enforcement capability. Organizations whose infrastructure was exploited face fines up to BD 20,000 under the Personal Data Protection Law.
- UAE PDPL (Federal Decree-Law No. 45/2021) - UAE participation included coordination with TDRA and national CERT. Fines up to AED 10 million for data protection failures. DIFC and ADGM data protection regulations apply to financial free zone entities.
- Saudi Arabia PDPL / NCA - While Saudi Arabia was not listed among the 72 participating countries, the operation's disruption of phishing and fraud infrastructure targeting Gulf financial institutions has direct implications for Saudi organizations. PDPL fines up to SAR 5 million. NCA Essential Cybersecurity Controls apply to critical infrastructure.
- Qatar PDPA - Qatar's participation through its National Cyber Security Agency reinforces the country's expanding enforcement posture. QFC Data Protection Office jurisdiction applies to financial center entities.
- Oman PDPL - Oman participated and faces obligations under its PDPL (fully enforced February 5, 2026) for any domestic infrastructure implicated.
- Jordan Cybercrime Law No. 17/2023 - Jordan's participation reflects its updated cybercrime legal framework.
- Kuwait / Iraq / Lebanon - Participation noted; enforcement frameworks vary in maturity.
Cross-Border Regulatory Coordination:
The operation's 72-country scope highlights a persistent regulatory gap: cybercrime infrastructure is jurisdictionally distributed by design, while data protection enforcement remains jurisdictionally siloed.
A phishing server in one country targets victims in another, processes stolen data through a third, and monetizes it in a fourth. No single regulator has authority across the entire chain.
INTERPOL's coordination framework addresses the law enforcement dimension but does not resolve the regulatory fragmentation.
INTELLIGENCE GAPS
1. Infrastructure reconstitution rates are unknown. The critical question for every takedown operation is: how quickly does criminal infrastructure reconstitute?
When Microsoft and the US DOJ disrupted LummaC2 infrastructure in May 2025, operators had replacement domains active within 24 hours. No public data exists on how quickly the 45,000+ IPs dismantled in Synergia III were replaced.
Without sustained monitoring and measurement of reconstitution timelines, the operational impact cannot be meaningfully assessed.
2. No breakdown of infrastructure by crime type. INTERPOL has not published what proportion of the 45,000+ IPs were associated with phishing versus malware distribution versus ransomware C2 versus fraud platforms.
This breakdown would allow the security community to assess which criminal ecosystems were most disrupted.
3. No data on downstream victim notification. When phishing infrastructure is taken down, the individuals whose credentials were already harvested remain compromised.
INTERPOL has not disclosed whether participating agencies initiated victim notification programs for individuals whose data was collected through the now-dismantled infrastructure.
4. Limited technical detail on infrastructure architecture. The operation's targeting methodology - how infrastructure was identified, classified, and prioritized - has not been disclosed in detail.
Understanding whether the 45,000 IPs represent 45,000 independent servers or a smaller number of bulletproof hosting providers serving thousands of domains would materially change the assessment of operational impact.
5. Kaspersky's exclusion from Synergia III is unexplained.
Kaspersky participated in Synergia II (2024) but was replaced by S2W in Synergia III. This coincides with the US Commerce Department's ban on Kaspersky software sales (effective July 2024) and the company's withdrawal from the US market.
Whether this reflects a policy decision by INTERPOL, by Kaspersky, or by participating member states has not been disclosed.
6. Saudi Arabia's non-participation is notable. Saudi Arabia - the Gulf's largest economy and a major target for cybercrime - was not among the 72 participating countries despite its neighbors Bahrain, Kuwait, Qatar, Oman, and the UAE all participating.
Whether this reflects an operational choice, a diplomatic consideration, or simply a gap in reporting has not been clarified.
7. The 94 arrests represent a low ratio relative to infrastructure scale. 94 arrests across 45,000+ IPs suggest that the vast majority of the infrastructure was disrupted without corresponding arrests of operators.
This is expected - infrastructure-first targeting degrades criminal capability even without identifying every operator - but the low arrest-to-disruption ratio means most operators remain at large and capable of rebuilding.
8. No quantification of victim impact. INTERPOL's announcement focused on infrastructure disrupted and arrests made.
No data was provided on the estimated number of individuals victimized through the now-dismantled infrastructure, the estimated financial losses attributed to these operations, or the volume of stolen data recovered.
ZERO|TOLERANCE Advisory
1. Organizations should cross-reference their infrastructure against known malicious IP databases. The takedown of 45,000+ IPs means security teams should verify that none of their own IP space was flagged, sinkholed, or associated with malicious activity during the operation.
Compromised servers used as unwitting hosts for phishing or C2 infrastructure may have been identified and taken down without the legitimate owner being notified.
2. Credential exposure from dismantled phishing infrastructure requires proactive response. The 33,000+ phishing sites identified in Macau alone were actively harvesting banking credentials, government portal logins, and payment card data.
Organizations in financial services, government, and e-commerce should assume that customer credentials exposed to these sites remain compromised and enforce password resets for any accounts that may have interacted with the targeted domains.
3. Deploy DNS-layer and network-layer protections against phishing infrastructure. The scale of automated phishing deployment - 33,000 sites from one jurisdiction - demonstrates that URL-based blocklists cannot keep pace.
Organizations should implement DNS filtering (Protective DNS), certificate transparency monitoring, and brand impersonation detection services that identify fraudulent domains at registration time rather than after victim reports.
4. Infostealer defenses must extend beyond endpoint detection. Group-IB's intelligence contribution focused on infostealer distribution servers.
Organizations should deploy browser isolation for high-risk web activity, disable password saving in browsers (enforcing dedicated password managers instead), implement session token rotation to limit the value of stolen cookies, and monitor dark web marketplaces for employee credential exposure.
5. MENA organizations should engage their national CERTs for Synergia III-specific intelligence. Eight MENA countries participated in the operation.
Organizations in Bahrain, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, and the UAE should request threat intelligence briefings from their national CERTs on infrastructure and threat actors identified within their jurisdiction.
This intelligence may not be publicly disclosed but should be available through official channels.
6. Assume infrastructure takedowns are temporary. History demonstrates that cybercrime infrastructure reconstitutes rapidly after law enforcement disruption. LummaC2 rebuilt within 24 hours. The 45,000 IPs dismantled in Synergia III will be partially replaced.
Defensive controls must be continuous, not reactive to enforcement announcements.
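One way to carry out the cross-reference in item 1 of the advisory, as an added example that is not part of the original advisory and is not INTERPOL's or any vendor's tooling: the script takes an organisation's own address ranges and a flat indicator feed and reports every feed entry that falls inside the organisation's space. Both the ranges (documentation-reserved prefixes) and the feed lines are constructed here, because the operation's own indicators were not published; the feed format (indicator,category,source) and the source labels are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the organisation's own address ranges (hypothetical; documentation prefixes).
OWN_RANGES = [
    "203.0.113.0/24",      # TEST-NET-3
    "198.51.100.0/26",     # a slice of TEST-NET-2
    "2001:db8:10::/48",    # documentation IPv6 prefix
]

# Constructed feed in a simple "indicator,category,source" CSV shape.
# Not INTERPOL data; one deliberately malformed row shows the parser skipping junk.
FEED_LINES = """\
indicator,category,source
203.0.113.47,phishing,vendor-feed-A
203.0.113.200/29,malware-distribution,vendor-feed-B
198.51.100.9,ransomware-c2,national-cert
198.51.100.64,phishing,vendor-feed-A
192.0.2.15,phishing,vendor-feed-A
2001:db8:10:5::1,infostealer,vendor-feed-B
not-an-ip,phishing,vendor-feed-C
"""


def load_feed(text):
    """Parse feed text into (network, category, source) tuples; bad rows are skipped."""
    rows = []
    for lineno, line in enumerate(text.splitlines()):
        if lineno == 0 or not line.strip():      # header / blank
            continue
        indicator, category, source = line.split(",", 2)
        try:
            # strict=False lets host bits be set on a prefix such as 203.0.113.200/29
            net = ipaddress.ip_network(indicator.strip(), strict=False)
        except ValueError:
            continue
        rows.append((net, category.strip(), source.strip()))
    return rows


def find_overlaps(own_ranges, feed_rows):
    """Map each of the organisation's ranges to the feed indicators contained in it.

    subnet_of() is used rather than overlaps() so that a broad feed block that merely
    contains our range (e.g. a whole /16) is not reported as 'our IP was flagged'.
    """
    own = [ipaddress.ip_network(r) for r in own_ranges]
    hits = defaultdict(list)
    for net, category, source in feed_rows:
        for r in own:
            # subnet_of() raises TypeError across IP versions, so compare versions first
            if net.version == r.version and net.subnet_of(r):
                hits[str(r)].append((str(net), category, source))
    return dict(hits)


def summarize(hits):
    """Count flagged indicators per category across all of our ranges."""
    counts = defaultdict(int)
    for entries in hits.values():
        for _, category, _ in entries:
            counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_overlaps(OWN_RANGES, load_feed(FEED_LINES))
    for own_range, entries in hits.items():
        print(own_range)
        for indicator, category, source in entries:
            print(f"  {indicator:24} {category:22} {source}")
    print("by category:", summarize(hits))
```

Any hit is a reason to check the host behind that address for compromise and to ask the feed's source (here a national CERT or vendor) what behaviour it observed; a hit on an address you have since released is still worth recording, since a sinkhole may already be answering for it.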
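The brand impersonation detection at registration time recommended in item 3 can be driven from certificate transparency (CT) log entries. The following is an added example, not code from the advisory or from any CT monitoring product. It assumes two hypothetical protected brands (examplebank, examplepay), an allowlist of the domains they legitimately own, and a constructed list of hostnames as they would appear in a CT log's subject alternative names; it flags registrable labels that contain the brand, that match it within two edits after confusable-character folding (0 to o, 1 to l, rn to m and so on), or that carry the brand as a subdomain of an unrelated domain.

```python
# Added example: lookalike-domain screening for CT log entries.
# Brands, allowlist and log entries are constructed for illustration.

BRANDS = ["examplebank", "examplepay"]                 # hypothetical protected brand strings
LEGITIMATE = {"examplebank.com", "examplepay.com"}      # hypothetical domains the brand owner controls

# Characters and digraphs commonly substituted to imitate a brand inside a domain label.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]

# Constructed CT-log-style hostnames (SANs as a monitor would receive them).
CT_LOG_SAMPLE = [
    "examplebank.com",
    "login.examplebank.com",
    "examp1ebank-secure.com",
    "exarnplebank.net",
    "examplebnak.com",
    "examplepay-verify.xyz",
    "examplebank.evil-hosting.com",
    "exampleblog.org",
    "shop.example.com",
]


def normalize_label(label):
    """Lower-case a label and fold confusables so 'examp1ebank' compares as 'examplebank'."""
    s = label.lower().translate(CONFUSABLE_CHARS)
    for pair, replacement in CONFUSABLE_PAIRS:
        s = s.replace(pair, replacement)
    return s.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings, row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(host, legitimate):
    return any(host == d or host.endswith("." + d) for d in legitimate)


def classify(host, brands=BRANDS, legitimate=LEGITIMATE, max_distance=2):
    """Verdict for one hostname: legitimate, suspicious (with a reason) or clear."""
    host = host.lower().rstrip(".")
    if host.startswith("*."):            # wildcard certificates list '*.domain'
        host = host[2:]
    if is_legitimate(host, legitimate):
        return {"host": host, "verdict": "legitimate", "reason": "allowlisted domain"}
    labels = host.split(".")
    # Naive registrable label: second-to-last label. Multi-part suffixes such as co.uk
    # would need a public-suffix list, which is outside this example.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize_label(registrable)
    for brand in brands:
        if brand in norm:
            return {"host": host, "verdict": "suspicious",
                    "reason": f"brand '{brand}' embedded in registrable label"}
        if levenshtein(norm, brand) <= max_distance:
            return {"host": host, "verdict": "suspicious",
                    "reason": f"registrable label within {max_distance} edits of '{brand}'"}
        for sub in labels[:-2]:
            if brand in normalize_label(sub):
                return {"host": host, "verdict": "suspicious",
                        "reason": f"brand '{brand}' used as subdomain of an unrelated domain"}
    return {"host": host, "verdict": "clear", "reason": ""}


def flag_ct_entries(entries):
    """Run classify() over a batch of CT entries and keep only the suspicious ones."""
    return [r for r in (classify(h) for h in entries) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for r in flag_ct_entries(CT_LOG_SAMPLE):
        print(f"{r['host']:32} {r['reason']}")
```

Every flagged entry still needs a human look before a takedown request, but because CT entries appear when a certificate is issued, the alert arrives before the first phishing email rather than after a victim report. In production the registrable label should come from a public-suffix list, and the edit-distance threshold should scale with brand length so that short brands do not flood the queue.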
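Item 4's session token rotation to limit the value of stolen cookies is illustrated by the added example below; it is not from the advisory or from any web framework. It assumes a server-side session store in which only a hash of each token is kept, tokens are rotated at privileged steps (login, re-authentication, role change), and presenting a retired token is treated as replay that revokes the whole session family. The timeouts and the injectable clock are choices made for the example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Added example of a rotating session store (hypothetical; not a framework's API).

    Only SHA-256 hashes of tokens are stored, so a dump of the store yields no usable cookie.
    rotate() retires the presented token and issues a fresh one; validate() of a retired
    token means someone replayed an old cookie (an infostealer's copy, for instance), so the
    whole session family is revoked instead of silently failing.
    """

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._active = {}            # token hash -> session dict
        self._retired = {}           # token hash -> family id, for replay detection
        self._revoked_families = set()

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, session):
        token = secrets.token_urlsafe(32)        # 256 bits of entropy from the OS CSPRNG
        session["last_seen"] = self.clock()
        self._active[self._h(token)] = session
        return token

    def create(self, user):
        """Start a new session family for a user (call after successful authentication)."""
        session = {"user": user, "family": secrets.token_hex(8), "created": self.clock()}
        return self._issue(session)

    def validate(self, token):
        """Return the session for a live token, or None. A retired token revokes its family."""
        h = self._h(token)
        if h in self._retired:
            family = self._retired[h]
            self._revoked_families.add(family)
            for active_hash, s in list(self._active.items()):
                if s["family"] == family:
                    del self._active[active_hash]
            return None
        session = self._active.get(h)
        if session is None:
            return None
        now = self.clock()
        expired = (now - session["last_seen"] > self.idle_timeout
                   or now - session["created"] > self.absolute_timeout)
        if expired or session["family"] in self._revoked_families:
            del self._active[h]
            return None
        session["last_seen"] = now
        return session

    def rotate(self, token):
        """Retire the presented token and return a fresh one bound to the same session."""
        session = self.validate(token)
        if session is None:
            return None
        h = self._h(token)
        del self._active[h]
        self._retired[h] = session["family"]
        return self._issue(session)


def stolen_cookie_outcome():
    """Scenario: a cookie is copied, the real user rotates past it, the copy is replayed."""
    store = SessionStore()
    original = store.create("alice")         # cookie value an infostealer might copy
    fresh = store.rotate(original)           # user performs a privileged step; token rotates
    replay_ok = store.validate(original) is not None
    legit_after_replay_ok = store.validate(fresh) is not None
    return {"replay_accepted": replay_ok, "legit_session_survives": legit_after_replay_ok}


if __name__ == "__main__":
    print(stolen_cookie_outcome())
```

The family revocation is deliberately aggressive: it logs the real user out as well, which is the right trade when the alternative is an attacker keeping a valid session. Pair it with an alert, since a replayed retired token is a high-confidence signal that a cookie left the user's machine.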
SOURCES
INTERPOL, The Register, Help Net Security, Hackread, Infosecurity Magazine, SecurityAffairs, Security MEA, Group-IB, BleepingComputer, The Record, ScamWatchHQ, TechNadu, Computer Weekly, Sahara Reporters, Europol (SocksEscort), International Enforcement Law Reporter, CPO Magazine, Capital FM Kenya, CXO Insight Middle East, Intelligent CISO, TechAfrica News, BackBox.org, Cyberwarzone, Archyde, Red Packet Security, The Edvocate, IBTimes UK, The420.in, Yahoo News