Blow to cybercrime as Interpol blacklists 45,000 malicious IPs and arrests 94 in ‘Operation Synergia III’

Last week, Interpol announced the successful conclusion of Operation Synergia III, a six-month global sting that resulted in the dismantling of over 45,000 malicious IP addresses and the arrests of 94 individuals across 72 countries.

Targeting the "nerve centers" of global phishing, malware, and ransomware operations, the crackdown has severely disrupted the infrastructure that allows cybercriminal syndicates to operate with impunity across borders.

The scale of the strike

Operation Synergia III, which ran from July 2025 through January 2026, represents a massive leap in capability compared to previous iterations. For context, the first wave of the operation in 2023 took down just 1,300 IPs; by 2026, that number has surged by over 3,300%.

Law enforcement in Macau, China, was responsible for a staggering 33,000 of the total IP takedowns. These servers were primarily hosting fraudulent online casinos and "spoofed" versions of official bank and government portals designed to harvest credit card data.

In addition to the arrests, authorities seized 212 electronic devices and servers, providing a "treasure trove" of data that Interpol officials say will fuel investigations for years to come.

The operation was supported by a coalition of cybersecurity firms, including Group-IB, Trend Micro, and S2W, who provided the real-time telemetry needed to "sinkhole" (neutralize) the malicious traffic.

Breaking the syndicates: Regional victories

While the technical takedowns were automated, the human arrests required high-stakes physical raids across multiple continents.

The largest concentration of arrests occurred in Bangladesh, where police apprehended 40 suspects. The group was allegedly running a sophisticated "multi-scam" operation involving identity theft, fake job postings, and fraudulent loan applications.

In Togo, authorities dismantled a syndicate operating from a residential neighborhood. Ten suspects were arrested for running a hybrid operation of technical hacking and social engineering, including romance scams and sextortion.

Parallel to the Interpol announcement, India’s CBI revealed it had frozen scores of bank accounts linked to a transnational "investment scam" syndicate that used the Dubai-based fintech platform Pyypl to launder stolen funds into cryptocurrency.

The evolution of ‘Synergia’

Interpol’s Director of the Cybercrime Directorate, Neal Jetton, noted that the professionalization of cybercrime has forced law enforcement to evolve.

"Cybercrime in 2026 is more destructive than ever," Jetton stated. "Operation Synergia III is a testament to what global cooperation can achieve against these emerging threats."

While phishing remains the primary entry point, investigators found that these 45,000 IPs were also critical for ransomware command-and-control (C2) and the distribution of "infostealer" malware.

Interpol confirmed that on top of 94 people in custody, another 110 individuals remain under active investigation, suggesting a second wave of arrests may be imminent.

"We are no longer just playing whack-a-mole with individual hackers," said one researcher from Group-IB. "We are surgically removing the entire nervous system of their hosting infrastructure."