
TrendAI™ Supports Global Law Enforcement Efforts

Trend Micro collaborated with INTERPOL and other global law enforcement agencies in Operation Synergia III, leading to the takedown of 45,000 malicious servers and 94 arrests. The operation targeted distributed infrastructure supporting widespread cybercrime, including BEC, phishing, and extortion schemes.

Confidence: high | Analyzed: 2026-03-18 | Category: reports

Authors: TrendAI™ Research

Actors: Operation Synergia III, Tycoon2FA, Operation Sentinel, Operation Secure

Source: Trend Micro

Key Takeaways

  • INTERPOL's Operation Synergia III, supported by Trend Micro, resulted in the takedown of over 45,000 malicious IPs and servers.
  • The global operation led to 94 arrests, 110 ongoing investigations, and the seizure of 212 electronic devices across 72 countries.
  • Targeted cybercriminal activities included Business Email Compromise (BEC), romance scams, sextortion, investment fraud, and fake casino phishing.
  • Recent related law enforcement successes include the takedown of the Tycoon2FA Phishing-as-a-Service platform, Operation Sentinel, and Operation Secure.

Affected Systems

  • Corporate email systems (BEC targets)
  • Financial institutions
  • General users

Attack Chain

Cybercriminal groups utilized distributed and obfuscated infrastructure to host phishing pages and deliver malware. These networks facilitated various fraud schemes globally, including Business Email Compromise (BEC), romance scams, and sextortion. Threat researchers and law enforcement mapped this infrastructure by analyzing domains, IP addresses, WHOIS records, and ISP lists, ultimately connecting the digital evidence to the individuals operating the networks for coordinated takedowns.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: None. The article discusses high-level law enforcement takedowns and does not provide technical endpoint indicators or malware behaviors.
  • Network Visibility: None. While 45,000 IPs and servers were taken down, no specific network indicators (IPs/domains) were shared in the text for detection purposes.
  • Detection Difficulty: Hard. Detecting the specific infrastructure mentioned is impossible without the actual IOCs, which were not disclosed in this high-level report.

Required Log Sources

  • Email Gateway Logs
  • DNS Logs

Hunting Hypotheses

Hypothesis: Monitor for anomalous email communications and newly registered domains indicative of Business Email Compromise (BEC) or phishing attempts.
Telemetry: Email Gateway Logs
ATT&CK Stage: Initial Access
FP Risk: High

Control Gaps

  • Visibility into distributed, obfuscated infrastructure without cross-border intelligence sharing

Key Behavioral Indicators

  • Anomalous WHOIS registration patterns
  • Newly registered domains hosting login portals

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Review and update email filtering rules to detect common BEC and phishing lures.

Infrastructure Hardening

  • Implement and enforce DMARC, SPF, and DKIM to prevent email spoofing.

User Protection

  • Deploy phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys, to mitigate credential harvesting.

Security Awareness

  • Conduct regular employee training on identifying BEC attempts, romance scams, and sextortion lures.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1588.002 - Obtain Capabilities: Tool