International team takes down major Qakbot malware system

30 Aug 2023

Image: © vladgrin/

Qakbot malware is believed to have infected more than 700,000 computers and caused the loss of millions of dollars from victims globally.

A major botnet and malware infrastructure has been disrupted by a multinational operation led by the US Department of Justice and the FBI.

As well as the US, the move to take down the malware system known as Qakbot involved France, Germany, the Netherlands, the United Kingdom, Romania and Latvia.

According to US officials, Qakbot was created in 2008 and its malware is believed to have infected more than 700,000 computers and caused the loss of millions of dollars from victims globally.

The malware was deployed primarily through spam emails that contained malicious attachments or links. Once this content was clicked or downloaded, Qakbot delivered additional malware to the computer, which could then be controlled remotely by botnet users without the victim’s knowledge.

As part of the takedown operation, the FBI gained lawful access to Qakbot’s infrastructure and redirected its traffic to FBI-controlled servers that instructed infected computers to download an uninstaller file to neutralise the malware and prevent it from doing more harm. The US Justice Department also announced the seizure of more than $8.6m in illicit cryptocurrency profits.

‘More dangerous and complex every day’

US attorney Martin Estrada said Qakbot is “one of the most notorious botnets ever” and the botnet of choice for some of the most infamous ransomware gangs. “My office’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”

FBI director Christopher Wray said the victims of Qakbot ranged from financial institutions and a critical infrastructure government contractor to a medical device manufacturer.

Qakbot is believed to have been used as an initial means of infection by notable ransomware groups, including Conti, which was at the centre of the 2021 cyberattack on Ireland’s HSE, and REvil, the group behind the Kaseya attack that spread to thousands of businesses worldwide.

“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe,” said Wray.

“The cyberthreat facing our nation is growing more dangerous and complex every day. But our success proves that our own network and our own capabilities are more powerful.”

While the FBI have claimed the action against Qakbot marks one of the largest-ever US-led enforcement actions against a botnet, it has had other successful takedowns earlier this year.

In January, the agency hacked ransomware gang Hive, releasing its decryption keys to victims. And in April, it shut down notorious cybercrime forum Genesis Market.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Jenny Darmody is the editor of Silicon Republic