Friday, May 30, 2025

US Unveils New Indictments Targeting DanaBot and Qakbot Malware Cases

The U.S. Department of Justice (DoJ) announced a series of indictments right before the weekend of May 24-27. These indictments target individuals linked to the DanaBot and Qakbot malware, which have wreaked havoc globally, enabling fraud and ransomware attacks while racking up millions in damages.

DanaBot emerged in 2018 as a banking trojan, but authorities recently intensified efforts to dismantle its operation. This coordinated takedown included agencies from multiple countries and followed a similar crackdown on the Lumma Stealer earlier in May. U.S. agents seized numerous virtual servers, crucial for DanaBot’s command and control. This effort is part of Operation Endgame, which aims to tackle cyber crime globally, with support from countries like Australia, the Netherlands, and Germany, as well as private sector firms like Amazon, Google, and PayPal. Organizations like the Shadowserver Foundation are now working to assist DanaBot victims, estimated in the hundreds of thousands.

U.S. Attorney Bill Essayli pointed out the widespread impact of DanaBot, stressing its harm to military, governmental, and other sensitive entities. He highlighted the DoJ’s commitment to combatting significant threats to global cybersecurity. Among the 16 indicted individuals linked to DanaBot, two notable Russian suspects, Aleksandr ‘JimmBee’ Stepanov and Aleksandrovish ‘Onix’ Kalinkin, face multiple charges. However, given the current tensions between Russia and the West, prosecution of these individuals may be unlikely.

DanaBot spread through spam emails with harmful attachments and links, enrolling victims’ devices in a botnet. It stole sensitive data such as browsing histories and online banking session details without the victims noticing. Users who accessed DanaBot paid for a full suite of malicious services, including remote access to computers for keystroke logging and video recording. There was even a separate version aimed specifically at diplomatic and military entities.

Selena Larson, a threat researcher at Proofpoint who took part in the takedown, expressed optimism about the impact of these actions on the cyber crime landscape. She emphasized the importance of collaboration between public and private sectors in tracking these threats effectively and protecting the broader internet community.

Switching gears, the DoJ also unsealed an indictment against Rustam Gallyamov from Moscow, accused of masterminding the Qakbot malware. Once a major concern for cybersecurity experts, Qakbot was also sold through a malware-as-a-service model and served as a launchpad for numerous ransomware gangs. A civil forfeiture complaint has been filed against $24 million in crypto assets linked to Gallyamov, with efforts underway to return these assets to victims.

Even after the Qakbot takedown, Gallyamov reportedly shifted tactics, moving away from botnets to spam bomb attacks, inundating targeted companies with junk emails to trick them. He might have also linked up with the Black Basta ransomware crew, according to the DoJ. Investigations into Qakbot involved agencies from several countries, showcasing the ongoing international effort against cyber crime.