Largest U.S.-Led Operation Takes Down Qakbot Botnet and Malware

An international operation has disrupted a major botnet and malware that had caused millions of dollars in damage.

Law enforcement agencies from the United States, France, Germany, the Netherlands, the United Kingdom, Romania and Latvia have disrupted the botnet and malware known as Qakbot, the U.S. Justice Department said in a Tuesday (Aug. 29) press release. This operation represents the largest U.S.-led financial and technical disruption of a botnet infrastructure used by cybercriminals for various criminal activities, including ransomware attacks and financial fraud.

Qakbot, also known as “Qbot” and “Pinkslipbot,” is malicious code controlled by a cybercriminal organization, according to the press release. It primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once a computer is infected, Qakbot can deliver additional malware, including ransomware, damaging businesses, healthcare providers, government agencies and critical industries worldwide.

The takedown operation involved the deletion of the Qakbot malware from victim computers, preventing further harm, the release said. Additionally, law enforcement agencies seized over $8.6 million in cryptocurrency, which represents illicit profits obtained by the cybercriminal organization behind Qakbot.

Attorney General Merrick B. Garland said in the release that cybercriminals who rely on malware like Qakbot to steal private data “do not operate outside the bounds of the law.” 

U.S. Attorney Martin Estrada highlighted the significance of this operation, stating that Qakbot was “the botnet of choice” for some of the most notorious ransomware gangs. Estrada said in the release that the dismantling of Qakbot and the seizure of cryptocurrency will prevent future cyberattacks and provide restitution to victims.

The FBI’s Los Angeles Field Office played a crucial role in this operation. Donald Alway, the assistant director in charge of the office, praised the expertise, ingenuity and passion of the Operation “Duck Hunt” team in identifying and crippling Qakbot. By taking down this botnet, law enforcement agencies have disrupted the “global cybercrime supply chain,” preventing untold numbers of cyberattacks.

Investigators found that Qakbot administrators received fees amounting to about $58 million in ransoms paid by victims between October 2021 and April 2023, according to the press release.

As part of the takedown, the FBI gained access to Qakbot infrastructure and identified over 700,000 infected computers worldwide, including more than 200,000 in the United States, the release said. By redirecting Qakbot botnet traffic through servers controlled by the FBI, infected computers were instructed to download an uninstaller file created by law enforcement. This file untethered the victim computers from the Qakbot botnet, preventing further malware installations.

In an earlier takedown of a global ransomware group, American, German and Dutch authorities seized control of Hive’s servers and websites in January, dismantling a network responsible for extorting and attempting to extort hundreds of millions of dollars.