FBI and Europol dismantle with partners Qakbot network

Sicherheit (Pexels, allgemeine Nutzung)[German]In an international operation, the U.S. FBI and Europol, together with local partners, dismantled the Qabot network. The action succeeded after law enforcement managed to take over the PC of a Qakbot administrator. The infected devices were instructed to download and run an update to uninstall this malware. This is estimated to have freed over 700,000 devices from this botnet.


The Qakbot malware

Quakbot, also known as QBot or Pinkslipbot, is a malware family that has been known or active since 2007. In the past, Qakbot was known as a banking Trojan that steals financial data from infected systems. In addition, Qakbot acted as a loader (malware dropper) that downloaded malware from C2 servers to victim systems.Malware von C2-Servern auf die Opfersysteme herunterlud.

Qakbot malware infected victims' computers mainly via spam emails that contained malicious attachments or links. After a user downloaded or clicked on the content, Qakbot delivered additional malware – including ransomware – to their computer. The computer also became part of a botnet (a network of compromised computers) and could be controlled remotely by botnet users. All the while, Qakbot victims were usually unaware that their computer had been infected.

The Qakbot malware has been used for ransomware attacks and other cybercrimes, causing hundreds of millions of Euros worth of damage to individuals and businesses in various countries. Qakbot has been used to infect victim systems by many ransomware groups in recent years, including Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta.

For example, the Black Basta ransomware group used QBot as its initial entry point to infect victim systems (see Insights from Palo Alto Networks into Black Basta ransomware group). The ransomware actors then extorted their victims by demanding ransom payments in Bitcoin before restoring access to victims' computer networks.

Seceizure by FBI and Europol

On August 29, 2023, the FBI and the Department of Justice provided information about a multinational operation called "Duck Hunt" to disrupt the malware and botnet known as Qakbot. The operation, which took place in the U.S., France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, represents one of the largest U.S.-led cyber operations to disrupt a botnet infrastructure that was used by cybercriminals for ransomware, financial fraud, and other cyber-based criminal activities.


According to this U.S. Department of Justice report, law enforcement agencies gained access to the Qakbot botnet beginning Aug. 25, 2023. The specialists then redirected botnet traffic to servers controlled by law enforcement agencies. Then, they instructed the just over 700,000 computers infected with Qakbot to download a Qakbot uninstaller file, which uninstalled the Qakbot malware from the infected computer.

The Qakbot uninstaller file did not remove any other malware that was already installed on the infected computers. Instead, it was meant to prevent further Qakbot malware from being installed on the infected computer by disconnecting the victim computer from the Qakbot botnet. The authorities also announced the seizure of more than $8.6 million in cryptocurrency in the form of illegal profits in the document.

It has since been revealed that the Qakbot malware infected more than 700,000 victims' computers (200,000 in the U.S. alone) and expanded into a botnet. This facilitated the spread of ransomware and caused hundreds of millions of dollars in damage. Investigators found evidence that Qakbot administrators received about $58 million in ransom from victims between October 2021 and April 2023.

Valuable technical assistance was provided by the company Zscaler. The FBI worked with the Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, the Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, and Have I Been Pwned to help notify victims and remediate the problem.

The FBI Los Angeles Field Office, the U.S. Attorney's Office for the Central District of California, and the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) conducted the operation in close cooperation with Eurojust. Investigators and prosecutors from several countries provided critical support, including Europol, the French police's Central Cybercrime Bureau and the Paris Prosecutor's Office's Cybercrime Division, the German Federal Criminal Police Office and the Frankfurt General Prosecutor's Office, the Dutch police and prosecutor's office, the United Kingdom's National Crime Agency, the Romanian police, and the Latvian State Police. The Department of Justice's Office of International Affairs and the FBI's Milwaukee Field Office provided important support.

The colleagues from Bleeping Computer have gathered some more information about the investigation in this article and in this post. For example, on one of the computers used by a Qakbot administrator, FBI investigators found many files related to the operation of the Qakbot botnet. These files included communications (e.g., chat) between the Qakbot administrators and others involved, as well as a directory containing several files with information about virtual wallets. Another file named "payments.txt" found on the same computer contained a list of ransomware victims, details about the ransomware group, details about the computer system, dates, and an indication of the amount of BTC paid to the Qakbot administrators in connection with the ransomware attack.

Addresses handed to Have I been Pwned

The FBI and the Dutch police managed to identify numerous victims' credentials (email addresses) captured by the Qakbot actors as part of the operation. The FBI has made these access data available to the website Have I Been Pwned . On this website, anyone can check for free whether access data (email address) has been captured and siphoned off through a hack or other activities. The Dutch police have also set up a website that contains information about other compromised credentials.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *