The FBI recently led a multinational law enforcement operation, code-named Operation Duck Hunt, that dismantled QakBot, a notorious malware loader used by cybercriminals to deploy ransomware. Investigators gained access to QakBot’s administrative systems, which allowed them to map the server infrastructure behind the botnet. Fifty-two servers were subsequently seized, and QakBot’s command-and-control traffic was redirected to servers controlled by the Bureau. Those servers used the botnet’s own update mechanism to push a law-enforcement-created file to infected computers that instructed the malware to uninstall itself, without requiring any action from the victims.
According to the US Department of Justice (DoJ), over 700,000 computers worldwide, including more than 200,000 in the US, were identified as infected by QakBot. Additionally, the DoJ announced the seizure of over $8.6 million in cryptocurrency from the QakBot cybercriminal organization, which will be returned to the victims.
This operation was a collaborative effort involving law enforcement agencies from France, Germany, the Netherlands, Romania, Latvia, and the UK, as well as technical partners such as the US Cybersecurity and Infrastructure Security Agency (CISA), Shadowserver, Microsoft Digital Crimes Unit, and the National Cyber Forensics and Training Alliance (NCFTA). Have I Been Pwned and Zscaler also played a role in victim notification and remediation.
Described by the DoJ as “the largest US-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals,” the operation marks a significant milestone in the fight against cybercrime. Donald Alway, Assistant Director in Charge of the FBI’s Los Angeles Field Office, said the operation would prevent cyberattacks across a range of targets, from individual computers to critical infrastructure.
QakBot, also known as Quackbot, QBot, and Pinkslipbot, first appeared in 2008 as a banking trojan used for financial fraud, chiefly the theft of online banking credentials. Over time it evolved into a malware delivery service, selling initial access to infected machines to threat actors who then deployed ransomware and other malicious payloads. The malware spreads primarily through spam email containing malicious attachments or hyperlinks, and once installed it can download and execute additional malware, including ransomware, on the infected computer.
Notably, QakBot has been identified as the top malware loader in 2023 by HP Wolf and ReliaQuest. Operation Duck Hunt investigators found evidence that QakBot administrators received approximately $58 million in ransom payments from victims between October 2021 and April 2023.
Cybersecurity professionals worldwide have praised the operation for its impact on combating cybercrime. Don Smith, VP of threat intelligence at Secureworks Counter Threat Unit (CTU), commended the removal of QakBot’s infrastructure, while Roger Grimes, data-driven defense evangelist at KnowBe4, highlighted the FBI’s successful removal of the malware from infected computers.
Jess Parnell, VP of security operations at Centripetal, emphasized the importance of addressing even seemingly minor cyber threats, noting that the dismantling of the QakBot infrastructure serves as a reminder of the persistent and evolving nature of cyber threats. This successful operation showcases the effectiveness of collaborative efforts in combating cybercrime and protecting individuals and organizations from malicious attacks.