
Interpol arrests 94 and sinkholes 45,000 malicious IPs in Operation Synergia III

By Artem Safonov, Threat Analyst

Interpol sinkholed over 45,000 malicious IP addresses in its largest cybercrime crackdown yet. Operation Synergia III, the third phase of the initiative that began in 2023, arrested 94 people across 72 countries between July 18, 2025, and January 31, 2026. Another 110 suspects remain under investigation, and 212 electronic devices and servers were seized during raids.

The operation targeted infrastructure behind phishing campaigns, malware distribution, ransomware attacks, romance scams, and credit card fraud. Interpol converted threat intelligence from private-sector partners into tactical leads, then coordinated cross-border raids by national police agencies. Group-IB, Trend Micro, and S2W provided server tracking and malicious activity mapping throughout the operation.

Cybercrime in 2026 is more sophisticated and destructive than ever before, but Operation Synergia III stands as a powerful testament to what global cooperation can achieve.

— Neal Jetton, Director of Interpol's Cybercrime Directorate.

Bangladesh produced the single largest haul. Police arrested 40 suspects and seized 134 devices tied to loan scams, employment fraud, identity theft, and credit card schemes. In Togo, authorities arrested ten people suspected of leading a fraud ring that combined hacking with social engineering from a residential compound. Macao police identified more than 33,000 phishing and fraudulent websites impersonating casinos, banks, government portals, and payment services.

Behind every malicious server or phishing kit sits a wider criminal ecosystem that needs to be mapped and understood before arrests become possible.

— Robert McArdle, Director of Cybercrime Research at Trend Micro's TrendAI unit.

Trend Micro linked its Synergia III support to research on Tycoon 2FA. The phishing-as-a-service platform bypasses multi-factor authentication by proxying real login pages. The connection suggests Interpol's takedowns targeted not just standalone fraud operations but the shared criminal infrastructure powering modern phishing kits at scale.

Each iteration of Operation Synergia has grown in scope. The first phase (September to November 2023) involved 60 agencies across 50+ countries, identified 1,300 suspicious IPs and URLs, and led to 31 arrests. Synergia II (April to August 2024) expanded to 95 countries, took down 22,000 malicious IPs (76% of 30,000 identified), seized 59 servers and 43 devices, and produced 41 arrests. Synergia III more than doubled the IP takedowns and brought the arrest count to its highest level yet.

By sharing intelligence on malicious infrastructure and attacker tactics, Group-IB remains committed to supporting global efforts to dismantle cybercrime operations.

— Dmitry Volkov, CEO of Group-IB

Synergia III landed during a busy week for cybercrime enforcement. European and US authorities dismantled SocksEscort, a proxy network that sold access to compromised routers and residential IPs across 160+ countries, seizing 34 domains, 23 servers, and freezing roughly $3.5 million in cryptocurrency. India's Central Bureau of Investigation (CBI) ran parallel raids at 15 locations across Delhi, Rajasthan, Uttar Pradesh, and Punjab, targeting an organized investment fraud ring linked to Dubai-based fintech platform Pyypl.

Countries across Africa, Europe, Asia, and the Americas participated in Synergia III. The United Kingdom, India, Nigeria, South Africa, and the United Arab Emirates were among the named contributors. Interpol did not disclose the total financial damage prevented or the monetary value of seized assets beyond the device count.

Synergia reflects a shift toward targeting criminal infrastructure over individual attacks. Sinkholing 45,000 IPs redirects traffic bound for those addresses away from the attackers, disrupting the hosting and command infrastructure that phishing kits, malware droppers, and ransomware C2 servers depend on. The 110 open investigations suggest additional arrests will follow as forensic analysis of the 212 seized devices continues.


Questions on the topic

What is Interpol Operation Synergia III?
Operation Synergia III is Interpol's third global cybercrime crackdown, running from July 2025 to January 2026 across 72 countries. It resulted in 94 arrests, 45,000 malicious IP takedowns, and 212 device seizures targeting phishing, ransomware, and fraud networks.