Police take down Qakbot malware infrastructure
The Qakbot malware infrastructure has been taken down by an international Police operation, supported by Europol. The operation led to the seizure of nearly €8 million in cryptocurrencies and the investigation was also supported by Eurojust and judicial and law enforcement authorities from France, Germany, Latvia, the Netherlands, Romania, the United Kingdom, and the United States. Over 700,000 computers were infected worldwide and law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa.
Qakbot, operated by a group of organised cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes. The below image shows how the criminals worked.
Background
Qakbot has been active since 2007 (also known as QBot or Pinkslipbot). The malware has evolved over time using different techniques to infect users and compromise systems. Victims’ computers were infiltrated through spam emails containing malicious attachments or hyperlinks. Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware. Additionally, the infected computer became part of a botnet (a network of compromised computers) simultaneously controlled by the cybercriminals, usually without the knowledge of the victims.
However, Qakbot’s primary focus was on stealing financial data and login credentials from web browsers. A number of ransomware groups used Qakbot to carry out a large number of ransomware attacks on critical infrastructure and businesses. The administrators of the botnet provided these groups with access to the infected networks for a fee. The investigation suggests that between October 2021 and April 2023, the administrators received ransom fees from victims of nearly €54 million.
International Police Liaison and Coordination
Over the course of the investigation, Europol facilitated the information exchange between participating agencies, supported the coordination of operational activities, and funded operational meetings. Europol also provided analytical support linking available data to various criminal cases within and outside the EU. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.
Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. The Agency hosted a coordination meeting in July 2023 to facilitate evidence sharing and to prepare for this joint operation.
EAST response to Cybercrime
EAST focusses on tackling cybercrime through two of its Expert Groups – the EAST Expert Group on Payment and Transaction Fraud (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).
