The infrastructure of the malware and botnet known as ’Qakbot’ has been taken down in an international operation led by the United States involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania and Latvia. The Qakbot malware infected more than 700.000 victim computers, facilitated the delivery of ransomware and caused hundreds of millions of dollars in damage worldwide. This is one of the largest financial and technical disruptions of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activity.
The US authorities seized approximately USD 8.6 million (nearly EUR 8 million) in cryptocurrency during the operation. Eurojust and Europol supported the investigation and played a key role in facilitating cross-border cooperation during the action day.
According to the investigation, Qakbot (also known as ‘Qbot’ and ‘Pinkslipbot’, among other names) was controlled by a criminal network and was used by other criminals to target critical industries worldwide. The Qakbot malware infects victim computers primarily through spam email messages containing malicious attachments or hyperlinks.
Once it has infected a victim computer, Qakbot can deliver additional malware, including ransomware. The victim computers infected with Qakbot malware are part of a botnet – a network of compromised computers – that allows infected computers to be controlled remotely in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.
The administrators of Qakbot offered cybercriminals access to the botnet for a fee. Qakbot was used as an initial means of infection by many well-known and prolific ransomware groups in recent years. It has caused significant harm to businesses, healthcare providers and government agencies all over the world.
Eurojust plays a critical role in international cooperation in combatting cybercriminal organisations. In relation to the Qakbot takedown, Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. For example, the Agency hosted a coordination meeting to facilitate evidence sharing and to prepare for this joint operation.
Europol facilitated the information exchange, supported the coordination of operational activities and funded operational meetings. Europol also provided analytical support by linking available data to various criminal cases within and outside the EU.
As a result of this operation, the FBI and the Dutch National Police have identified numerous account credentials compromised by the Qakbot organisation. The FBI has provided these credentials to the Have I Been Pwned? website, which is a free resource for people to quickly assess whether their access credentials have been compromised in a data breach or other activity. The Dutch National Police has also created a portal to help potential victims check whether their digital identity has been stolen.
Visit politie.nl/checkyourhack and enter your email address to check whether your credentials have been compromised.
The following authorities took part in this investigation:
- France: National Jurisdiction against Organised Crime (JUNALCO), Public Prosecutor’s Office Cybercrime Unit; National Police Cybercrime Unit (DCPJ – OCLCTIC); National Cybersecurity Agency of France (ANSSI)
- Germany: Prosecutor General’s Office Frankfurt am Main – Cyber Crime Center; Federal Criminal Police Office (Bundeskriminalamt)
- Latvia: State Police of Latvia
- The Netherlands: National Public Prosecutors’ Office; National Police, Team High Tech Crime
- Romania: Directorate for Investigating Organised Crime and Terrorism and the Romanian National Police – Directorate for Combatting Organised Crime
- United Kingdom: National Crime Agency
- United States: United States Attorney’s Office for the Central District of California; U.S. Department of Justice Computer Crime and Intellectual Property Section (CCIPS); and the FBI’s Los Angeles Field Office
