The revelation this week that an international operation took down thousands of malicious IP addresses is good news, says a cybersecurity expert, but the better news is the arrest of 41 suspects.
“Technology disruptions matter, because the alternative to not disrupting their environment is the perception that there’s no consequences, no cost” to cybercrime, David Shipley, head of Canadian awareness training provider Beauceron Security, said in an interview. “What I love about blowing up infrastructure is it imposes a cost on cybercrime. Right now the return on investment is way too lucrative [for crooks].”
But, he added, “the reality is [crooks think] ‘You got 22,000 IP addresses? I will get 22,000 more. I will get a bunch of new phishing domains, new servers.’ So getting some people and imposing consequences that way matters a lot.
“One of the most impactful things is when they [police] do get people, the ability to potentially create distrust in the cyber criminal community is really important. They [crooks] think people are going to squeal, they think they can’t trust connections. That can have a long, lasting impact.”
For example, he said, in 2023, after law enforcement took down the Genesis Market, which was used by crooks to sell stolen credentials to each other, police in several countries traced market members to warn them, “We know who you are, we know what you did. Stop it.”
“That’s worthwhile,” Shipley said.
His comments came after Interpol said this week that law enforcement agencies in 95 countries, working with four cybersecurity firms, took down more than 22,000 malicious IP addresses or servers, and arrested 41 people in five countries. It is still investigating 65 more individuals.
Vendors who helped with threat information included Trend Micro, Kaspersky, Group-IB and Team Cymru.
While the announcement was made Tuesday, the actual action took place between April and August.
It was the second phase of Operation Synergia, going after sites that distribute phishing emails, infostealers, and ransomware around the world.
In addition to the disconnection of the IP addresses, 43 devices, including servers, laptops, mobile phones, and hard disks were seized.
In Hong Kong, more than 1,037 servers were taken down. In Macau, 291 servers were knocked offline. In Estonia, police seized more than 80GB of server data, and in Madagascar, authorities identified 11 individuals with links to malicious servers and seized 11 electronic devices for further investigation.
The first phase of this operation ran in the fall of 2023 and involved 60 law enforcement agencies in 50 countries. It took down command and control servers distributing malware in Europe, Hong Kong, and Singapore, and arrested 30 people.
Jon Clay, Trend Micro’s VP of threat intelligence, told CSO Online in an email that the company regularly helps Interpol and other law enforcement agencies who ask for its knowledge. In this case Trend Micro had information about IP addresses.
“This operation was notable for a few reasons,” he wrote: First, it shows the efforts of law enforcement agencies are improving. Second, arresting many of the cyber criminals will hopefully send a message to others that they may be vulnerable to arrest too.
“From my perspective, law enforcement agencies are getting more wins lately,” he added, “which is good news, and the public/private partnerships have proven to be a contributing factor in these efforts. Even in the recent Lockbit takedown where the leader wasn’t able to be arrested, their efforts to damage his reputation resulted in less victims by this group.”
Operation Synergia is only one of several ongoing Interpol projects. In December, it said the fourth phase of Operation Haechi concluded with almost 3,500 arrests and seizures of US$300 million (approx. €273 million) worth of assets across 34 countries and blocked 82,112 suspicious bank accounts. One high-profile online gambling criminal was arrested after a two-year manhunt by Korea’s national police agency. Investment fraud, business email compromise, and e-commerce fraud accounted for 75% of cases investigated in Haechi IV.
Operation Haechi focuses on attacking business email compromise fraud, e-commerce fraud, voice phishing, romance scams, online sextortion, investment fraud, and money laundering associated with online gambling.
Meanwhile, the FBI and other law enforcement agencies are continuing to go after ransomware gangs. Their successes included penetrating the Hive gang’s computer infrastructure and providing over 300 decryption keys to Hive victims.
This week, acting on a request from the US, police in Canada arrested a man, reportedly for allegedly being involved in hacks of companies using the cloud-based Snowflake database.
But cybercrime doesn’t seem to be abating.
According to Microsoft’s most recent Digital Defense Report, “the malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders.”
Cyber attacks, the report says, “are continuing at a breathtaking scale.”
“But what are the alternatives [to pursuing cybercrooks]?” asked Shipley. “If we don’t police and actively try to disrupt, we’re basically saying there’s no cost to committing cybercrime. So we have to do something. And there is good that comes from this. Is it a magic wand that through police action alone and good-old-fashioned gumshoe work and criminal prosecutions we are going to end the scourge of online crime? No. But it doesn’t mean we don’t try.”
Using technology to improve cyber defenses helps, he said, as does building hardware and software to be secure by design. But right now, crooks can make a lot of money at low risk through cybercrime. Until governments fundamentally change that equation — including doing hard things like having a serious conversation about eventually making ransomware payments illegal — that won’t change, he said.