
QakBot malware network is a big cyber headache for USA

Global Collaboration Triumphs: Qakbot Malware Dismantled and $8.6 Million Seized in Historic Cybersecurity Operation

LOS ANGELES – The United States Department of Justice has formally declared a collaborative international operation spanning the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia aimed at disrupting and dismantling the Qakbot botnet and its associated malicious software infrastructure.

The Qakbot malware, renowned for its pernicious capabilities, has been successfully purged from infected victim computers, effectively curbing its capacity to inflict further harm. Furthermore, the operation has led to the confiscation of over $8.6 million in cryptocurrency, accrued through illegitimate means.

This endeavor stands as a historic achievement, representing the most extensive financial and technical disruption led by the United States against a botnet infrastructure employed by cybercriminals for activities such as ransomware attacks and financial fraud.

Attorney General Merrick B. Garland stated, “Today, cybercriminals who rely on malware like Qakbot to pilfer private data from unsuspecting individuals are reminded that their actions are not beyond the reach of the law. In collaboration with our international partners, the Department of Justice has successfully compromised Qakbot’s infrastructure, initiated a vigorous campaign to eradicate the malware from victim computers globally, and seized $8.6 million in extorted funds.”

United States Attorney Martin Estrada emphasized the collaborative nature of this operation: “An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world. Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. My Office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”

Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, praised the Operation ‘Duck Hunt’ Team for their exceptional expertise and dedication in identifying and neutralizing Qakbot, a highly complex and multi-layered bot network that had been a major contributor to the global cybercrime ecosystem. Alway affirmed that these actions will prevent numerous cyberattacks, ranging from individual personal computers to potential catastrophic assaults on critical infrastructure.

As outlined in court documents, Qakbot, also known under various aliases such as “Qbot” and “Pinkslipbot,” is operated by a cybercriminal syndicate and has been systematically targeting essential industries worldwide. The Qakbot malware typically infiltrates victim computers through spam email containing malicious attachments or hyperlinks. Once inside a victim’s system, Qakbot can deliver additional malware, including ransomware, thus making it a preferred initial infection vector for prominent ransomware groups like Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. These groups have inflicted significant harm on businesses, healthcare providers, and government agencies globally, resulting in considerable financial losses. Investigations reveal that Qakbot administrators received fees amounting to approximately $58 million in ransom payments from victims between October 2021 and April 2023.

Victim computers infected with the Qakbot malware constitute a botnet, enabling the perpetrators to remotely control all compromised computers in a coordinated fashion, typically without the knowledge of the computer owners and operators.

As part of the takedown operation, the FBI gained access to Qakbot’s infrastructure and identified over 700,000 infected computers worldwide, with more than 200,000 located in the United States. These computers were directed to download a law enforcement-created file that removed the Qakbot malware, effectively severing their connection to the Qakbot botnet and thwarting further malware installations through Qakbot.

It’s crucial to note that this law enforcement action was limited to removing the information installed on victim computers by Qakbot and did not extend to addressing other pre-existing malware on those systems. Furthermore, it did not involve accessing or altering the information of the computer owners and users affected by the infections.

The FBI received substantial technical support from Zscaler, while other entities such as the Cybersecurity and Infrastructure Security Agency, Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned played key roles in victim notification and remediation.

This operation was executed through close collaboration between the FBI Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), in partnership with Eurojust. Partner agencies in several jurisdictions, including Europol, the French Police Cybercrime Central Bureau, the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, the Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police, provided vital assistance. The Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office also offered significant support.

Assistant United States Attorneys Khaldun Shobaki and Lauren Restrepo of the Cyber and Intellectual Property Crimes Section, along with CCIPS Trial Attorneys Jessica Peck, Ryan K.J. Dickey, and Benjamin Proctor, played integral roles in the operation.
