International 'Duck Hunt' dismantles Qakbot network

An international law enforcement campaign has struck a lethal blow to the long-running Qakbot malware and botnet operation

An international group of law enforcement agencies says it has dismantled the infrastructure network of the notorious Qakbot malware.

In a campaign they called "Operation Duck Hunt," police in the US, Netherlands, UK, France, Germany, Latvia and Estonia all coordinated a massive takedown and seizure of both the technical back-end and the cryptocurrency assets of the malware and botnet operation.

In addition to having a botnet of 700,000 infected machines, the Qakbot malware has also been used by groups such as Conti and REvil as part of their targeted attacks on both the private and public sectors. It is believed that the Qakbot group has been active for at least 16 years.

"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI director Christopher Wray in announcing the takedown.

The US Department of Justice said that in one of its searches the FBI was able to seize the uninstall file as well as the command and control system for the malware.

Over the last five days, all infected systems on the botnet have been getting orders to dial into a police-controlled server and will automatically run the uninstall script. Accounts whose credentials were stolen by the malware have been provided to the haveibeenpwned service.

The DOJ says that it also seized $8.6m in cryptocurrency from the botnet operators. The department has yet to provide details as to how victims can claim their reimbursements.

"Qakbot was the botnet of choice for some of the most infamous ransomware gangs, but we have now taken it out," said US Attorney Martin Estrada.

"This operation also has led to the seizure of almost 9 million dollars in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims."

For its part, the UK National Crime Agency said that it aided in the campaign by taking down the Qakbot servers that were based in the UK.

"The NCA is focused on disrupting the highest harm cyber criminals by targeting the tools and services that underpin their offending," said NCA head of cyber intelligence Will Lyte.

"This activity demonstrates how, working alongside international partners, we are having an impact on those key enablers and the ransomware business model."