Largest Synergia Operation to Date
INTERPOL has announced the conclusion of Operation Synergia III, an international cybercrime enforcement action that sinkholed 45,000 IP addresses and resulted in the seizure of servers linked to ransomware, phishing, and infostealer distribution networks operating across the globe. The operation spanned more than 95 countries and involved coordination between national law enforcement agencies, internet service providers, and private cybersecurity firms.
Operation Synergia III is the third and largest iteration of the Synergia campaign series, following Synergia I (late 2023, targeting phishing and banking malware) and Synergia II (April 2024, disrupting malware infrastructure in 61 countries).
Operation Overview
| Attribute | Details |
|---|---|
| Operation Name | Operation Synergia III |
| Lead Agency | INTERPOL (coordinated with Europol) |
| Countries Involved | 95+ |
| IPs Sinkholed | 45,000+ |
| Infrastructure Seized | Ransomware C2 servers, phishing hosting, infostealer panels |
| Private Sector Partners | Group-IB, Kaspersky, Trend Micro, Team Cymru |
| Duration | Multi-month operation concluded March 2026 |
What a Sinkhole Operation Does
A sinkhole is a law enforcement and defensive technique in which traffic destined for malicious infrastructure is redirected to servers controlled by investigators rather than by the threat actors. Domains are sinkholed by changing their DNS records (a DNS sinkhole); IP addresses are sinkholed by having the hosting provider or upstream network reroute them to the investigators' server. In both cases the malware keeps contacting the address it already knows, and only the party answering changes. Once sinkholed:
- Malware on infected systems that attempts to contact its command-and-control (C2) server is redirected to the sinkhole
- Investigators observe the volume and distribution of infected devices checking in — providing intelligence on the scale of the botnet or campaign
- The malicious infrastructure is effectively neutralized — attackers lose command of infected devices
- Victim notifications can be issued to ISPs whose customers' devices are checking into the sinkhole
The 45,000 IPs sinkholed in Synergia III represent a significant portion of the active C2 infrastructure supporting multiple concurrent cybercrime operations.
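The investigator-side view described above, as an added example that is not INTERPOL's, Europol's or any partner's tooling: it parses a constructed sinkhole connection log, deduplicates check-ins per victim IP, attributes each victim to an ISP by prefix and regroups the result into per-provider notification batches. The log format, the port-to-campaign mapping, the prefix-to-ISP table and every address are constructed for illustration (documentation and benchmark ranges only).

```python
"""Aggregate check-ins seen by a sinkhole into per-ISP victim lists.

Added example for this article; it is not INTERPOL's, Europol's or any
partner's tooling. The log format, the port-to-campaign mapping, the
prefix-to-ISP table and every address below are constructed for
illustration (documentation and benchmark ranges only).
"""
import ipaddress
from collections import defaultdict

# Constructed: which sinkholed listener port stood in for which campaign.
# A real sinkhole keys this on the original C2 domain or IP it replaced.
PORT_TO_CAMPAIGN = {443: "ransomware-c2", 8080: "infostealer-panel", 7777: "ddos-bot"}

# Constructed: who owns the victim address space (hypothetical ASNs).
PREFIX_TO_ISP = {
    ipaddress.ip_network("203.0.113.0/24"): "ExampleNet (AS64496)",
    ipaddress.ip_network("198.51.100.0/24"): "TestTelecom (AS64497)",
    ipaddress.ip_network("192.0.2.0/24"): "DocISP (AS64498)",
}

# Constructed sinkhole connection log. The sinkhole listens on 100.64.0.9.
# Format: <timestamp> <victim_ip>:<port> -> <sinkhole_ip>:<port>
SINKHOLE_LOG = """\
2026-03-02T10:00:01Z 203.0.113.7:51022 -> 100.64.0.9:443
2026-03-02T10:00:03Z 203.0.113.7:51023 -> 100.64.0.9:443
2026-03-02T10:00:09Z 198.51.100.44:40110 -> 100.64.0.9:8080
2026-03-02T10:01:15Z 203.0.113.91:60001 -> 100.64.0.9:443
2026-03-02T10:01:40Z 192.0.2.18:33333 -> 100.64.0.9:7777
2026-03-02T10:02:02Z 198.51.100.44:40111 -> 100.64.0.9:8080
2026-03-02T10:02:30Z 198.18.0.7:1234 -> 100.64.0.9:443
"""


def parse_checkin(line):
    """Split one log line into (timestamp, victim IP object, sinkhole port)."""
    ts, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    _, dst_port = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), int(dst_port)


def isp_for(ip):
    """Linear prefix lookup; the constructed table has no overlapping prefixes."""
    for net, isp in PREFIX_TO_ISP.items():
        if ip in net:
            return isp
    return "unattributed"


def aggregate(log_text):
    """Return {campaign: {isp: [victim IPs]}}, one entry per distinct victim IP.

    Deduplicating on source IP undercounts hosts behind carrier NAT and
    overcounts hosts whose DHCP lease changed, so these are check-in
    counts, not device counts."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, victim, port = parse_checkin(line)
        campaign = PORT_TO_CAMPAIGN.get(port, f"unknown-port-{port}")
        seen[campaign][isp_for(victim)].add(victim)
    return {
        campaign: {isp: [str(ip) for ip in sorted(ips)] for isp, ips in by_isp.items()}
        for campaign, by_isp in seen.items()
    }


def notification_batches(agg):
    """Regroup by ISP so each provider gets one list of (campaign, victim IP).

    Unattributed sources are left out: there is nobody to notify."""
    batches = defaultdict(list)
    for campaign, by_isp in agg.items():
        for isp, ips in by_isp.items():
            if isp == "unattributed":
                continue
            batches[isp].extend((campaign, ip) for ip in ips)
    return {isp: sorted(items) for isp, items in batches.items()}


def total_victims(agg):
    """Distinct victim IPs across all campaigns."""
    return len({ip for by_isp in agg.values() for ips in by_isp.values() for ip in ips})


if __name__ == "__main__":
    agg = aggregate(SINKHOLE_LOG)
    for campaign, by_isp in agg.items():
        print(campaign, {isp: len(ips) for isp, ips in by_isp.items()})
    print("victims:", total_victims(agg))
    print("notify:", notification_batches(agg))
```

The two check-ins from 203.0.113.7 collapse to one victim, which is why the aggregation runs on distinct source IPs rather than raw connection counts; the 198.18.0.7 entry has no owning ISP in the table and so appears in the tally but in no notification batch.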
Threat Categories Targeted
Ransomware Infrastructure
Operation Synergia III targeted ransomware command-and-control servers used to manage compromised victims, deliver encryption payloads, and facilitate ransom negotiations. Law enforcement officials indicated that multiple ransomware-as-a-service affiliate programs had C2 nodes seized.
Phishing Kit Hosting
Hundreds of phishing kit hosting servers were taken down or sinkholed — platforms used to deploy credential-harvesting pages impersonating banks, government portals, and major SaaS providers. INTERPOL noted that many of these were offered as phishing-as-a-service platforms charging monthly subscription fees to criminal affiliates.
Infostealer Distribution Networks
Infrastructure supporting the distribution and data exfiltration of commercial infostealer malware families was targeted. Infostealers harvest credentials, session cookies, browser-stored passwords, and cryptocurrency wallet data before exfiltrating them to attacker-controlled panels. The seized infostealer panel infrastructure contained credentials from millions of compromised devices.
DDoS-for-Hire Nodes
Botnet infrastructure used to conduct distributed denial-of-service attacks on demand was disrupted, with bot-herder command infrastructure taken offline and associated payment channels investigated.
Geographic Scope
While the full country breakdown has not been released, INTERPOL confirmed that the operation had significant activity in:
- Eastern Europe: Focus on ransomware affiliate infrastructure and payment processing
- Southeast Asia: Concentrated disruption of phishing-as-a-service hosting platforms and scam call center infrastructure
- West Africa: Targeting of Business Email Compromise (BEC) and romance fraud networks
- Latin America: Banking malware distribution networks
- Western Europe: Coordination with Europol on takedown of shared infrastructure serving European victims
Arrests and Individual Actions
INTERPOL confirmed that in addition to the infrastructure takedowns, Operation Synergia III resulted in:
- Over 300 suspects investigated globally across participating countries
- 41 arrests in coordinated actions across multiple jurisdictions
- Seizure of digital evidence including servers, computers, and cryptocurrency holdings linked to cybercrime proceeds
Full details of individual arrests and prosecutions are subject to ongoing judicial proceedings in each jurisdiction and were not fully disclosed at the time of the operation's announcement.
Private Sector Intelligence
The private sector played a major role in Synergia III. INTERPOL's Gateway programme — which facilitates intelligence sharing between law enforcement and private cybersecurity firms — provided critical infrastructure mapping that enabled the targeted sinkholing operation.
Key contributions:
- Group-IB: Supplied threat intelligence on ransomware C2 infrastructure and affiliate panel locations
- Kaspersky: Contributed data on infostealer distribution networks and bot panel locations
- Trend Micro: Provided phishing kit infrastructure intelligence
- Team Cymru: Network telemetry and BGP routing intelligence to identify hosting providers used by threat actors
The Synergia Series: Growing Scale
| Operation | Year | Countries | IPs / Actions |
|---|---|---|---|
| Synergia I | Oct–Nov 2023 | 60 | 1,300+ malicious IPs flagged; 31 suspects arrested |
| Synergia II | April 2024 | 61 | 22,000 IPs identified; 41 arrests; servers seized |
| Synergia III | 2025–2026 | 95+ | 45,000+ IPs sinkholed; 41+ arrests; significant infrastructure seizures |
The scale increase reflects both the growing maturity of the Synergia operational model and the expanding breadth of cybercrime infrastructure being targeted.
Impact and Limitations
What This Achieves
- Immediate disruption of active criminal infrastructure — ransomware operators lose C2 visibility over victims; phishing campaigns fail
- Victim intelligence — sinkhole data reveals the geographic distribution and scale of active infections, enabling national CERTs to notify ISPs and issue victim notifications
- Deterrence signal — repeated high-profile enforcement actions increase operational risk for cybercriminal networks
What This Doesn't Solve
Law enforcement and cybersecurity experts consistently note the structural limits of infrastructure takedowns:
- Threat actors rebuild — well-resourced ransomware groups typically rebuild C2 infrastructure within days to weeks using pre-registered backup domains and IPs
- Affiliate model survives — taking down a ransomware group's C2 does not eliminate the affiliate network; affiliates migrate to surviving or competing platforms
- Global jurisdiction gaps — countries without active law enforcement participation remain safe harbors for hosting criminal infrastructure
INTERPOL has acknowledged these limitations, framing Synergia III as "a persistent pressure campaign" rather than a permanent solution.
What To Do If You Receive a Sinkhole Notification
If your ISP or national CERT contacts you because a device on your network was seen checking into the Synergia III sinkhole:
- Identify and isolate the device. The notification usually names your public IP, a timestamp and the sinkhole address that was contacted, so behind NAT you will need firewall or NAT translation logs to find the internal host before you can isolate it
- Run a full malware scan using more than one security tool; a sinkhole check-in means the device was running malware when it was observed, so a clean scan result alone does not clear it
- Change all credentials that may have been stored on or accessible from the device, doing so from a clean machine, and revoke active sessions, since infostealers take session cookies as well as stored passwords
- Notify your security team (for enterprise environments) and follow incident response procedures
- Consider a clean reimaging of the device if active malware is confirmed
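Working the first step of this procedure, as an added example that is not from the original article or from any CERT or ISP: given the three facts a notification carries (your public IP, a timestamp, the sinkhole address reached), correlate them against a perimeter NAT translation log to find the internal host. The notification fields and the log format are constructed; real notifications and firewall logs vary by sender and vendor.

```python
"""Trace a sinkhole victim notification back to the internal host behind NAT.

Added example for this article, not tooling from INTERPOL, any CERT or
ISP. The notification fields and the NAT translation log format are
constructed; real notifications and firewall logs vary by sender and
vendor, but carry the same three facts: your public IP, a timestamp and
the sinkhole address the flow reached.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed notification as a CERT or ISP might relay it.
NOTIFICATION = {
    "public_ip": "203.0.113.7",
    "seen_at": "2026-03-02T10:00:01Z",
    "sinkhole": "100.64.0.9:443",
}

# Constructed NAT translation log from the perimeter firewall.
# Format: <timestamp> <internal_ip>:<port> -> <public_ip>:<port> -> <destination>:<port>
NAT_LOG = """\
2026-03-02T09:59:58Z 10.1.20.15:49811 -> 203.0.113.7:51020 -> 104.16.0.10:443
2026-03-02T10:00:00Z 10.1.20.42:52300 -> 203.0.113.7:51022 -> 100.64.0.9:443
2026-03-02T10:00:02Z 10.1.20.15:49812 -> 203.0.113.7:51024 -> 104.16.0.10:443
2026-03-02T10:00:03Z 10.1.20.42:52301 -> 203.0.113.7:51023 -> 100.64.0.9:443
2026-03-02T10:07:45Z 10.1.20.77:40001 -> 203.0.113.7:51100 -> 100.64.0.9:443
"""


def parse_ts(text):
    """Parse the UTC ISO-8601 timestamps used by both the notification and the log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_line(line):
    """Return (timestamp, internal_ip, public_ip, destination_with_port)."""
    ts, internal, _, public, _, dest = line.split()
    return parse_ts(ts), internal.rsplit(":", 1)[0], public.rsplit(":", 1)[0], dest


def sinkhole_flows(notification, nat_log):
    """Yield (timestamp, internal_ip) for every translated flow from the
    notified public IP to the sinkhole, regardless of time."""
    for line in nat_log.splitlines():
        if not line.strip():
            continue
        ts, internal, public, dest = parse_nat_line(line)
        if public == notification["public_ip"] and dest == notification["sinkhole"]:
            yield ts, internal


def hosts_at_reported_time(notification, nat_log, window_seconds=120):
    """Internal hosts whose sinkhole flows fall within +/- window of the
    reported time. The window absorbs clock skew between the sinkhole and
    the firewall; with NAT there may be more than one candidate."""
    target = parse_ts(notification["seen_at"])
    window = timedelta(seconds=window_seconds)
    hits = {internal for ts, internal in sinkhole_flows(notification, nat_log)
            if abs(ts - target) <= window}
    return sorted(hits, key=ipaddress.ip_address)


def all_sinkhole_hosts(notification, nat_log):
    """Every internal host that reached the sinkhole anywhere in this log.
    The notification reports one observation; other infected hosts behind
    the same public IP check in on their own schedule."""
    return sorted({internal for _, internal in sinkhole_flows(notification, nat_log)},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    print("matches reported time:", hosts_at_reported_time(NOTIFICATION, NAT_LOG))
    print("all hosts that reached the sinkhole:", all_sinkhole_hosts(NOTIFICATION, NAT_LOG))
```

Matching on public IP alone would implicate every host behind the NAT, so the destination and a time window are both required; the second function is the follow-up check that catches 10.1.20.77, which reached the sinkhole seven minutes after the observation the notification reports and would be missed by isolating only the host that matched the timestamp.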
Sources
- BleepingComputer — Police sinkholes 45,000 IP addresses in cybercrime crackdown
- INTERPOL — Operation Synergia III press release