What just happened? Working closely with Eurojust, the FBI has dismantled the infrastructure of a well-known botnet operation. Qbot, which enabled ransomware deployment and caused hundreds of millions of dollars in damage, has now been neutralized.
The US Department of Justice has announced the outcome of “Operation Duck Hunt”, an international action against the Qbot botnet and its operators. The takedown of this malicious network, also known as Qakbot, was described by US Attorney Martin Estrada as the “most significant technological and financial operation the Department of Justice has ever conducted against a botnet.”
Qakbot, Estrada said, was one of the most notorious botnets ever uncovered, causing huge losses to victims worldwide. The botnet was first discovered in 2008 and has continued to evolve ever since. The Qbot malware primarily served as a distribution network for additional payloads from third parties, making it the botnet of choice for proliferating some of the most notorious ransomware strains identified in recent years.
The team involved in Operation Duck Hunt successfully identified and disabled the highly organized, multi-layered Qbot infrastructure. According to the FBI, this infrastructure fundamentally fueled the global cybercrime supply chain. The bureau’s agents managed to identify over 700,000 computers infected with the Qbot malware, with more than 200,000 computers located in the United States.
The FBI successfully redirected Qakbot’s traffic through its own servers and instructed infected computers to download a file created by the agency. This file would uninstall the malware, freeing the “zombie” PC from the botnet’s control and preventing further infections by the same malware. The FBI also collected information on the botnet “installed” on the infected PC, the Justice Department said. No additional access or changes were made to other parts of the system.
The agency also seized $8.6 million worth of cryptocurrencies that were part of Qakbot operators’ illicit profits. Investigators also uncovered evidence that ransomware victims paid $58 million in “fees” between October 2021 and April 2023. Given the botnet’s years of activity, the overall profits for its operators are likely to be significantly higher.
In addition to removing the malware from infected computers, the FBI, in cooperation with Eurojust and cloud security company Zscaler, successfully conducted investigations on computers associated with specific IP addresses and operated by specific providers. The executed arrest warrant obliged the provider to hand over the data associated with these IP addresses, including images of the PCs’ file systems, relevant customer information and logs.
At this time, the Justice Department has not provided any information about anyone who may be connected to the Qakbot botnet or Operation Duck Hunt itself. The investigation is still ongoing, and arrests are likely to be made at a later date.