A major digital sting operation, involving seven countries, resulted in the downing of a malware infrastructure that criminals have used to steal millions of dollars from their victims. The malware, Qakbot (also known as Qbot or Pinkslipbot) had been active since 2007 and had infected over 700,000 computers across 30 countries. And the administrators of the botnet had received more than €50m in fees from those who used the infrastructure to demand ransoms. 

What is Qakbot and how does it work? 

Qakbot is a prolific malware that infiltrates people’s computers through spam emails which contain malicious attachments or hyperlinks. When someone clicks on the link, Qakbot executes and installs other malware (e.g., banking trojans, ransomware) onto the computer that can then be used to steal financial data, browser information, keystrokes and/ or credentials. 

In addition to this, the infected computer becomes part of a network with other compromised computers – a botnet – which the cybercriminals control and allow others to access for a fee. The combined computing power of the network enables criminals to carry out large scale cyber attacks, breach corporate networks and harvest large amounts of data. 

Many high-profile ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, have used Qakbot as an initial means of infection

How was Qakbot stopped?

Following 18 months of planning, law enforcement from the US, the UK, France, Germany, the Netherlands, Latvia and Romania were able to redirect Qakbot botnet traffic through servers controlled by the FBI and trick infected computers into downloading and distributing a file that forced them to uninstall the malware and remove themselves from the network. This meant authorities could destroy the malware on private computers without accessing any personal information. They were also able to seize around €8m ($9m) in cryptocurrency from those behind it. 

According to the U.S. attorney’s office in Los Angeles, this was “the most significant technological and financial operation ever led by the DOJ against a botnet.”