Interpol says global cybercrime crackdown sinkholed 45,000 malicious IPs and led to 94 arrests
An Interpol-led cybercrime operation has taken down more than 45,000 malicious IP addresses and servers tied to phishing, malware, ransomware, and online fraud. The operation, called Operation Synergia III, ran from July 18, 2025, to January 31, 2026, and involved law enforcement agencies from 72 countries and territories. Interpol says the action also resulted in 94 arrests, while another 110 suspects remain under investigation.
The scale matters because this was not a single takedown or one-country raid. Investigators targeted the infrastructure behind cybercrime campaigns, which means the operation focused on the servers, IP space, and websites that criminals used to run attacks at scale. Interpol says authorities seized 212 electronic devices and servers during the sweep.
One of the biggest findings came from Macau, where investigators identified more than 33,000 phishing and fraudulent websites. According to Interpol, those sites impersonated casinos, banks, government pages, and payment services in order to steal personal information and credit card details.
The results suggest that international cybercrime enforcement is becoming more coordinated, not just more visible. Operation Synergia III followed earlier Synergia actions that also focused on criminal infrastructure, but this latest phase appears to be the largest by disrupted IP footprint so far.
What Operation Synergia III achieved
Interpol says the operation delivered action across multiple fronts, not just arrests.
| Measure | Result |
|---|---|
| Countries and territories involved | 72 |
| Operation period | July 18, 2025 to January 31, 2026 |
| Malicious IP addresses and servers taken down | 45,000+ |
| Arrests made | 94 |
| Suspects still under investigation | 110 |
| Electronic devices and servers seized | 212 |
Source: Interpol.
Why the Macau discovery stands out
The Macau case shows how broad these operations have become. Interpol says investigators there uncovered over 33,000 phishing and fraudulent websites tied to scams that imitated trusted brands and institutions. That volume alone highlights how attackers continue to rely on fake web properties to steal payment data and identities.
This part of the operation also shows why infrastructure takedowns matter. When authorities remove malicious sites, sinkhole IP addresses, and seize backend systems, they do more than stop one scam. They can interrupt large sections of the criminal delivery chain at once. That is an inference based on the nature of the infrastructure Interpol said it targeted.
Country-level examples Interpol highlighted
Interpol included several examples to show the operation’s reach.
- In Togo, police arrested 10 suspects linked to a fraud ring operating from a residential area. Interpol says some handled account hacking while others ran social engineering scams, including romance scams and sextortion.
- In Bangladesh, police arrested 40 suspects and seized 134 electronic devices tied to multiple schemes, including loan scams, job scams, identity theft, and credit card fraud.
- In Macau, investigators identified over 33,000 phishing and fraudulent websites used to impersonate casinos, banks, government sites, and payment services.
How this compares with earlier Synergia operations
Operation Synergia III builds on a campaign that Interpol has been expanding over several years.
| Operation | Reported outcome |
|---|---|
| Synergia I | 1,300 command-and-control servers disrupted and 70 suspects identified |
| Synergia II | 41 suspects arrested and infrastructure linked to 22,000 IP addresses disrupted |
| Synergia III | 45,000+ malicious IPs and servers taken down, 94 arrests |
Source: Interpol and follow-up reporting.
The comparison shows how quickly the scale has grown. The number of countries involved and the volume of infrastructure disrupted both increased sharply from earlier phases, which suggests better intelligence sharing and broader law enforcement coordination. That interpretation is based on the published operational figures.
Why this crackdown matters
Cybercrime groups depend on infrastructure that can be rented, replaced, and moved across jurisdictions. That reality makes global cooperation essential. A sinkhole operation can redirect malicious traffic away from criminal servers, while coordinated seizures can strip groups of hosting, devices, and access points they need to keep campaigns running. This explanation reflects common security practice and matches the type of infrastructure action Interpol described.
The arrests matter too, but the infrastructure impact may last longer if agencies can keep disrupting the networks that support phishing kits, malware delivery, and ransomware operations. That does not end cybercrime, but it can raise costs and slow down active campaigns. This is an inference based on the operation’s design and published outcomes.
Key points
- Interpol says Operation Synergia III took down more than 45,000 malicious IP addresses and servers.
- The operation involved 72 countries and territories between July 2025 and January 2026.
- Police made 94 arrests and continue to investigate another 110 suspects.
- Macau investigators identified more than 33,000 phishing and fraudulent websites during the operation.
- Interpol says the campaign targeted infrastructure used in phishing, malware, ransomware, and fraud.
FAQ
It is an Interpol-coordinated international cybercrime operation that targeted malicious infrastructure used in phishing, malware, ransomware, and fraud campaigns.
Interpol says police made 94 arrests, with another 110 suspects still under investigation.
Interpol says more than 45,000 malicious IP addresses and servers were taken down or sinkholed during the operation.
Because investigators there identified over 33,000 phishing and fraudulent websites, making it one of the largest single findings highlighted in the operation.