International Cyber Operation Successfully Disrupts Qakbot Malware
International Law Enforcement Successfully Disrupts Qakbot Malware, Salvaging Over 700,000 Compromised Computers and Seizing Illicit Cryptocurrency Profits
LOS ANGELES – The U.S. Department of Justice today proudly announces a groundbreaking multinational operation, executed in collaboration with key allies in France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, which has effectively dismantled the notorious Qakbot botnet and associated malware infrastructure.
Qakbot, a malicious code with a devastating reach, had infected more than 700,000 computers worldwide, causing extensive damage and facilitating ransomware deployments that incurred hundreds of millions of dollars in losses. The operation, codenamed “Duck Hunt,” marks a significant achievement in the ongoing battle against cybercrime.
The coordinated effort involved the removal of Qakbot malware from victim computers, preventing further harm, and the seizure of over $8.6 million in cryptocurrency representing ill-gotten gains.
This operation stands as the most extensive U.S.-led financial and technical disruption of a cybercriminal botnet infrastructure, a tool commonly employed by hackers to perpetrate ransomware attacks, financial fraud, and other cyber-enabled criminal activities.
Attorney General Merrick B. Garland affirmed, “Today’s operation serves as a stern reminder to cybercriminals who exploit malware like Qakbot to steal private data from innocent victims that they are not beyond the reach of the law. Working alongside our international partners, the Department of Justice has successfully dismantled Qakbot’s infrastructure, launched an aggressive campaign to rid victim computers in the United States and worldwide of the malware, and recovered $8.6 million in extorted funds.”
United States Attorney Martin Estrada emphasized the significance of this effort, stating, “Qakbot, a favorite tool of infamous ransomware gangs, has now been eliminated. This operation also resulted in the seizure of nearly $9 million in cryptocurrency from the Qakbot cybercriminal organization, which will be returned to the victims. Our commitment is to protect and uphold the rights of victims, and this multifaceted operation against computer-enabled crime underscores our dedication to safeguarding our nation.”
Donald Alway, Assistant Director in Charge of the FBI’s Los Angeles Field Office, added, “The ‘Operation Duck Hunt’ team utilized their expertise in science and technology, coupled with ingenuity and determination, to identify and cripple Qakbot, a highly structured and multi-layered bot network that significantly contributed to global cybercrime. These actions will thwart countless cyberattacks, ranging from individual personal computers to potential catastrophic assaults on critical infrastructure.”
According to court documents, Qakbot, also known by aliases such as “Qbot” and “Pinkslipbot,” was controlled by a cybercriminal organization and employed to target critical industries across the globe. Qakbot predominantly infiltrated victim computers through malicious attachments or hyperlinks in spam email messages. Once inside, it had the capability to deliver additional malware, including ransomware, exacerbating the damage. In recent years, Qakbot served as the initial point of entry for several prominent ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. These groups extorted their victims for bitcoin ransom payments before restoring access to their computer networks, causing significant harm to businesses, healthcare providers, and government agencies worldwide.
Between October 2021 and April 2023, evidence suggests that Qakbot administrators received approximately $58 million in ransom payments from victims. The computers infected with Qakbot malware operated as a botnet, enabling the cybercriminals to remotely control all compromised computers without the owners’ knowledge.
As part of the takedown, the FBI gained access to Qakbot’s infrastructure, identifying more than 700,000 infected computers worldwide, including over 200,000 in the United States. The FBI successfully rerouted Qakbot botnet traffic through servers under its control, instructing infected computers in the United States and elsewhere to download a law enforcement-created file designed to uninstall the Qakbot malware. This action severed the connection between each victim computer and the Qakbot botnet, preventing further malware installations.
It’s important to note that this law enforcement action specifically targeted information installed on victim computers by the Qakbot operators. It did not extend to remedying other pre-existing malware on these computers, nor did it involve access to or alteration of the information belonging to the owners and users of the compromised systems.
The operation received invaluable technical support from Zscaler. The FBI collaborated with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to facilitate victim notification and remediation.
The FBI Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) executed this operation in close partnership with Eurojust. Numerous jurisdictions contributed crucial assistance, including Europol, French Police Cybercrime Central Bureau, the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police. Significant support was provided by the Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office.
Assistant United States Attorneys Khaldoun Shobaki and Lauren Restrepo of the Cyber and Intellectual Property Crimes Section, along with CCIPS Trial Attorneys Jessica Peck, Ryan K.J. Dickey, and Benjamin Proctor, played pivotal roles in this operation.