Qakbot Botnet Infrastructure Shattered After An International Operation Led By FBI/Europol

By Europol, U.S. Department of Justice and SCARS Editorial Team – Society of Citizens Against Relationship Scams Inc.

Qakbot Malware Victimized 700 000+ Computers, With At Least EUR 54 Million Paid In Ransoms Since 2007

The Qakbot action represents the largest U.S./Europol-led financial and technical disruption of a botnet infrastructure

What is Qakbot Malware?

Qakbot is a ‘banking trojan’ type of virus or malware that has been around since 2007

It is a modular malware, which means that it can be customized to target specific victims or organizations. Qakbot is known for its ability to steal banking information, passwords, and other sensitive data. It can also be used to spread other malware, such as ransomware.

Qakbot is a dangerous malware because it can cause significant financial and reputational damage to victims. It can also be used to steal sensitive data, which can be used for identity theft or other crimes.

Qakbot is spread through a variety of ways, including:

  • Phishing emails: Qakbot often spreads through phishing emails, which are emails that appear to be from a legitimate source, such as a bank or credit card company. The emails often contain a malicious attachment or link that, when clicked, installs Qakbot on the victim’s computer.
  • Drive-by downloads: Qakbot can also be spread through drive-by downloads, which are downloads that occur automatically when a victim visits a malicious website.
  • Exploit kits: Qakbot can also be spread through exploit kits, which are malicious software that exploits vulnerabilities in software to install Qakbot on a victim’s computer.

Cybercriminals used Qakbot to target critical infrastructure and businesses across multiple countries, stealing financial data & login credentials. Servers infected with Qakbot were detected by law enforcement in nearly 30 countries worldwide, enabling the malware’s activity on a global scale.

Qakbot Botnet Infrastructure Shattered After An International Operation Led By FBI/Europol Takes It Down

How does Qakbot work?

  1. The victim receives an email with an attachment or hyperlink and clicks on it;
  2. Qakbot deceives the victim into downloading malicious files by imitating a legitimate process;
  3. Qakbot executes and then installs other malware, such as banking Trojans;
  4. The attacker then steals financial data, browser information/hooks, keystrokes, and/or credentials;
  5. Other malware, such as ransomware, is placed on the victim’s computer.

The Qakbot Operation

The investigation, supported by Europol and Eurojust, involved judicial & law enforcement authorities from France, Germany, Latvia, The Netherlands, Romania, the United Kingdom, and the United States.

According to Europol:

Left Open Quote - on ScamsNOW.comEuropol has supported the coordination of a large-scale international operation that has taken down the infrastructure of the Qakbot malware and led to the seizure of nearly EUR 8 million in cryptocurrencies. The international investigation, also supported by Eurojust, involved judicial and law enforcement authorities from France, Germany, Latvia, The Netherlands, Romania, the United Kingdom, and the United States. Qakbot, operated by a group of organized cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.

Active since 2007, this prolific malware (also known as QBot or Pinkslipbot) evolved over time using different techniques to infect users and compromise systems. Qakbot infiltrated victims’ computers through spam emails containing malicious attachments or hyperlinks. Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware. Additionally, the infected computer became part of a botnet (a network of compromised computers) controlled simultaneously by the cybercriminals, usually without the knowledge of the victims. However, Qakbot’s primary focus was on stealing financial data and login credentials from web browsers.

Over 700 000 infected computers worldwide

According to Europol:

Left Open Quote - on ScamsNOW.comA number of ransomware groups used Qakbot to carry out a large number of ransomware attacks on critical infrastructure and businesses. The administrators of the botnet provided these groups with access to the infected networks for a fee. The investigation suggests that between October 2021 and April 2023, the administrators received fees corresponding to nearly EUR 54 million in ransoms paid by the victims. The lawful examination of the seized infrastructure uncovered that the malware had infected over 700,000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia, and Africa, enabling the malware’s activity on a global scale.

Over the course of the investigation, Europol facilitated the information exchange between participating agencies, supported the coordination of operational activities, and funded operational meetings. Europol also provided analytical support linking available data to various criminal cases within and outside the EU. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. The Agency hosted a coordination meeting in July 2023 to facilitate evidence sharing and to prepare for this joint operation.

The U.S. Department of Justice’s Role

According to the U.S. Department of Justice

Left Open Quote - on ScamsNOW.comQakbot Malware Disrupted in International Cyber Takedown

Qakbot Malware Infected More Than 700,000 Victim Computers, Facilitated Ransomware Deployments, and Caused Hundreds of Millions of Dollars in Damage

LOS ANGELES – The Justice Department today announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia to disrupt the botnet and malware known as Qakbot and take down its infrastructure.

The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The Department also announced the seizure of more than $8.6 million in cryptocurrency in illicit profits.

The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland. “Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds.”

“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot, one of the most notorious botnets ever, responsible for massive losses to victims around the world,” said United States Attorney Martin Estrada. “Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. My Office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”

“The Operation ‘Duck Hunt’ Team utilized their expertise in science and technology, but also relied on their ingenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was literally feeding the global cybercrime supply chain,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “These actions will prevent an untold number of cyberattacks at all levels, from the compromised personal computer to a catastrophic attack on our critical infrastructure.”

According to court documents, Qakbot, also known by various other names, including “Qbot” and “Pinkslipbot,” is controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware primarily infects victim computers through spam email messages containing malicious attachments or hyperlinks. Once it has infected a victim computer, Qakbot can deliver additional malware, including ransomware, to the infected computer. Qakbot has been used as an initial means of infection by many prolific ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors then extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer networks.

These ransomware groups caused significant harm to businesses, healthcare providers, and government agencies all over the world, including to a power engineering firm based in Illinois; financial services organizations based in Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company in Southern California. Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims.

The victim computers infected with Qakbot malware are part of a botnet (a network of compromised computers), meaning the perpetrators can remotely control all the infected computers in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.

As part of the takedown, the FBI was able to gain access to Qakbot infrastructure and identify over 700,000 computers worldwide, including more than 200,000 in the United States, that appear to have been infected with Qakbot. To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.

The scope of this law enforcement action was limited to information installed on the victim computers by the Qakbot actors. It did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers.

Valuable technical assistance was provided by Zscaler. The FBI has partnered with the Cybersecurity and Infrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to aid in victim notification and remediation.

The FBI Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) conducted the operation in close cooperation with Eurojust. Investigators and prosecutors from several jurisdictions provided crucial assistance, including Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution Office, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands National Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency, Romania’s National Police, and Latvia’s State Police. The Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office provided significant assistance.

Significance of the Qakbot Takedown!

The importance of the Europol takedown of the Qakbot malware takedown this week for cybersecurity and the public is significant.

Qakbot is a modular banking trojan virus/malware that has been around since 2007 and is known for its ability to steal banking information, passwords, and other sensitive data. It can also be used to spread other malware, such as ransomware.

The takedown of Qakbot is a major victory for cybersecurity, as it will make it more difficult for criminals to use this malware to steal from victims. It is also a positive development for the public, as it will help to protect people from becoming victims of financial fraud and identity theft.

The takedown of Qakbot was a coordinated effort by Europol and FBI, and other law enforcement agencies from the United Kingdom, France, Germany, the Netherlands, Romania, and Latvia. The agencies worked together to identify and disrupt the infrastructure that was being used to distribute Qakbot.

The takedown of Qakbot is a reminder that law enforcement agencies are working to combat cybercrime and that they are making progress. However, it is important to remember that cybercrime is a constantly evolving threat and that criminals will always be looking for new ways to exploit vulnerabilities.

Law enforcement authorities involved:

  • France: National Police (Police Nationale) and National Gendarmerie (Gendarmerie Nationale)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt)
  • Latvia: State Police (Valsts policija)
  • The Netherlands: National Police (Politie)
  • Romania: Romanian Police (Poliția Română)
  • United Kingdom: National Crime Agency
  • United States: Federal Bureau of Investigation (US FBI)

Judicial authorities involved:

  • France: National Jurisdiction against Organised Crime (JUNALCO), Public Prosecutor’s Office Cybercrime Unit;
  • Germany: Prosecutor General’s Office Frankfurt am Main – Cyber Crime Centre;
  • The Netherlands: National Public Prosecutor’s Office Rotterdam
  • United States: US Attorney’s Office for the Central District of California and the Department of Justice’s Computer Crime and Intellectual Property Section

SCARS Resources:

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

Opinions

The opinions of the author are not necessarily those of the Society of Citizens Against Relationship Scams Inc. The author is solely responsible for the content of their work. SCARS is protected under the Communications Decency Act (CDA) section 230 from liability.

Disclaimer:

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX-RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use

Legal Notices: 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

SCARS, SCARS|INTERNATIONAL, SCARS, SCARS|SUPPORT, SCARS, RSN, Romance Scams Now, SCARS|INTERNATION, SCARS|WORLDWIDE, SCARS|GLOBAL, SCARS, Society of Citizens Against Relationship Scams, Society of Citizens Against Romance Scams, SCARS|ANYSCAM, Project Anyscam, Anyscam, SCARS|GOFCH, GOFCH, SCARS|CHINA, SCARS|CDN, SCARS|UK, SCARS|LATINOAMERICA, SCARS|MEMBER, SCARS|VOLUNTEER, SCARS Cybercriminal Data Network, Cobalt Alert, Scam Victims Support Group, SCARS ANGELS, SCARS RANGERS, SCARS MARSHALLS, SCARS PARTNERS, are all trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the legal department for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org