A global law enforcement crackdown on information-stealing malware led to the arrest of 32 suspects and the dismantling of more than 20,000 malicious IP addresses and domains linked to cybercrime. 

The operation, which ran from January to April, led to the arrest of 18 suspects in Vietnam who were allegedly involved in illegal cyber activities, according to a Wednesday statement from Interpol. Vietnamese police also seized computers, SIM cards, cash and corporate documents in raids that uncovered a scheme to open and sell business accounts for criminal use.

Information-stealer malware is increasingly used by cybercriminals to extract sensitive data from infected devices, including login credentials, credit card information and cryptocurrency wallet details. This stolen data is often traded on underground forums and can be used to gain initial access to networks for ransomware attacks and financial fraud.

As part of the crackdown, police agencies across 26 countries, mostly in Asia, seized 41 servers and more than 100 gigabytes of stolen data linked to various infostealer variants. Authorities said they notified more than 216,000 victims of potential breaches, urging them to take protective steps such as changing passwords or freezing compromised accounts.

Hong Kong police also identified 117 command-and-control servers hosted across 89 internet service providers. These servers were allegedly used to coordinate a wide range of criminal campaigns, including phishing attacks and social media scams.

One of the private cybersecurity firms that helped with the operation, Singapore-based Group-IB, said it targeted malware variants such as Lumma, Risepro and Meta.

Earlier in May, law enforcement agencies coordinated a global takedown of infrastructure supporting the Lumma malware, which is capable of stealing passwords, credit card data, bank account details and cryptocurrency wallets.

As part of that operation, the authorities dismantled nearly 2,300 malicious domains that formed the backbone of Lumma’s infrastructure. Researchers said that while the takedown significantly disrupted Lumma, it did not permanently affect much of its Russia-hosted infrastructure.

In a separate operation last October, police also disrupted infrastructure and seized data associated with the Meta infostealer.