Interpol led a team of law enforcement agencies and cybersecurity firms in a global operation that shut down more than 22,000 malicious servers that were used to launch ransomware, phishing, and information-stealing attacks around the world.
As part of what Interpol said is the second phase of Operation Synergia, the agency and its counterparts also arrested 41 people and seized 59 servers and 43 electronic devices, such as laptops, mobile phones and hard disks. Another 65 people are still being investigated.
Operation Synergia II is part of a larger trend among international agencies to go on the offensive against threat actors by collaborating to target cybercrime operations that are spread around the world and take them down.
Neal Jetton, Interpol’s director of the Cybercrime Directorate, noted such operations are now on a global scale and therefore require a similar response from law enforcement agencies around the world. With the latest initiative, “together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime,” Jetton said in a statement.
Operation Synergia II follows on the success of its first phase, which ran from September to November, was announced in February, and involved taking down 1,300 command-and-control (C2) servers that supported botnets, malware connections, phishing servers, and ransomware attacks.
According to Interpol, the second phase stretched from April 1 to August 31, during which about 30,000 suspicious IP addresses were identified and 76% of them taken down. The operation stretched from Eastern Europe and into Asia.
That included Hong Kong police taking down more than 1,037 of the malicious servers and authorities in Macau in China taking down another 291. Police in Mongolia searched 21 houses, seized a server, and identified 93 people who had links to illegal cyber activities. Madagascar authorities identified 11 people and seized 11 devices, while those in Estonia grabbed more than 80GB of server data.
The Estonian authorities are working with Interpol to analyze that data, which is linked to phishing and banking malware, according to Interpol.
In all, 95 countries participated in Operation Synergia II.
Helping the agencies to identify thousands of malicious servers were cybersecurity firms Group-IB, Trend Micro, Kaspersky, and Team Cymru. According to Group-IB officials, the vendor’s analysts identified more than 2,500 IP addresses linked to 5,000 phishing websites, and more than 1,300 IP addresses that were tied to malware activities in 84 countries.
Kaspersky officials wrote that the company shared information about malicious C2 and malware servers and infected hosts that were involved in distributing Internet of Things (IoT) malware across multiple countries. It also shared information about botnets.
David Monnier, chief evangelist and Fellow with Team Cymru, wrote in a blog post that his company used its Pure Signal internet telemetry data platform in the operation to research and find some of the malicious servers and other infrastructure. Team Cymru analyzed banking malware and phishing infrastructure, categorized internet-facing nodes via its tagging system, helped investigate malware families, and provided data for threat intelligence reports.
“Operation Synergia II represents just how important collaborative efforts are in the fight against cybercrime,” Monnier wrote. “This operation stands as a testament to how public-private partnerships can effectively combat global cybercrime and protect communities everywhere.”