Interpol announced 41 arrests and the seizure of hundreds of servers in an operation intended to take down malicious IP addresses used for phishing, ransomware and infostealer malware.

On Tuesday, the intergovernmental organization said it worked with law enforcement agencies from 95 member countries and multiple cybersecurity firms on the second phase of Operation Synergia, which was announced earlier this year.

From April 1 to August 31, Interpol took down more than 22,000 malicious IP addresses — more than three-quarters of the 30,000 that researchers collaborating with law enforcement identified as suspicious.

Alongside the 41 arrests, Interpol seized 43 devices including laptops, phones and hard drives. They noted that 65 other people are still under investigation but were not arrested. 

“Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime,” said Neal Jetton, Interpol’s Director of the Cybercrime Directorate.

Interpol said it worked with cybersecurity researchers at Team Cymru, Kaspersky, Group-IB and Trend Micro who traced malicious activity back to the IP addresses. 

The organization then shared the companies’ findings with law enforcement agencies around the world, which investigated the research before launching coordinated takedowns. Interpol did not specify which strains of malware or cybercriminal organizations were being targeted.

Hong Kong police took down 1,037 servers, and in Mongolia 21 house searches were conducted leading to the seizure of one server and the identification of 93 people who may be involved in malicious cyber activities. 

Officials in Macau also took down 291 servers and Madagascar identified 11 people potentially involved in cybercrime, seizing 11 devices.

Estonian police said they seized data allegedly related to phishing and banking malware. 

David Monnier, chief evangelist at Team Cymru, said in a blog post that they contributed to the operation by “identifying and categorizing malicious infrastructure” using a platform they created. 

“These efforts provided INTERPOL with high-confidence attributions of malicious servers and infrastructure. Our methodology included: Implementing comprehensive analysis of banking malware and phishing infrastructure [and] categorizing Internet-facing nodes through our extensive tagging system,” he said.

They also investigated specific malware families and validated data to assist in the creation of threat intelligence reports, Monnier added. 

The first phase of Operation Synergia — announced in February — involved 31 arrests and the identification of 1,300 malicious servers that were used to carry out phishing attacks and distribute malware.