Threat Intelligence, Endpoint/Device Security
Qakbot botnet brought down in major global operation led by US

FBI Director Christopher Wray testifies during a House Judiciary Committee hearing on July 12, 2023. (Photo by Shuran Huang for The Washington Post via Getty Images)
Qakbot, the criminal world’s long-established “botnet of choice,” has been toppled by a multinational law enforcement operation that also uninstalled the malware from 700,000 computers.

In an Aug. 29 announcement, the U.S. Justice Department said the operation, led by the FBI, seized and disabled the infrastructure powering the botnet.

Authorities took possession of $8.6 million in cryptocurrency, said to be a small portion of the total amount extorted from ransomware victims over several years by the gang behind Qakbot.

“Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims,” the Justice Department said.

The operation, codenamed “Duck Hunt,” involved law enforcement agencies from France, Germany, the Netherlands, the United Kingdom, Romania and Latvia, as well as the U.S.

Qakbot was “one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said Martin Estrada, U.S. attorney for the Central District of California, where the seizure warrant for the cryptocurrency was filed.

“Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out,” Estrada said.

In an Aug. 25 research post, ReliaQuest said Qakbot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was the most frequently observed malware loader, accounting for 30% of all loaders seen in the first seven months of this year.

Checkpoint also described Qakbot as the world’s most prevalent malware, and said it impacted 11% of corporate networks worldwide in the first half of 2023.

“Qakbot is especially tricky: it is a multipurpose malware, akin to a Swiss Army knife. It allows cybercriminals to directly steal data (credentials to financial accounts, payment cards, etc.) from PCs, while also serving as an initial access platform to infect victims’ networks with additional malware and ransomware,” Checkpoint said.

The malware has been used as an initial means of infection by a prolific range of ransomware groups such as Conti, REvil and Black Basta, among others, which sought ransom payments in Bitcoin.

In a statement announcing the takedown, the FBI said Qakbot had caused hundreds of millions of dollars of losses since its creation in 2008.

“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe,” FBI Director Christopher Wray said. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”