What just happened? In close cooperation with Eurojust, the FBI has dismantled the infrastructure of a widely recognized botnet operation. Qbot, which facilitated ransomware deployments and caused hundreds of millions of dollars in damages, has now been neutralized.
The US Department of Justice has announced the outcome of "Operation Duck Hunt," an international action against the Qbot botnet and its operators. Also known as Qakbot, this malicious network was dismantled through what US Attorney Martin Estrada described as the "most significant technological and financial operation ever" conducted by the DoJ against a botnet.
Qakbot, Estrada said, was one of the most notorious botnets ever uncovered, inflicting massive losses on victims globally. The botnet was initially discovered in 2008 and has been continuously evolving since then. The Qbot malware primarily served as a distribution network for additional payloads from third-party actors, making it the preferred botnet for spreading some of the most infamous ransomware strains identified in recent years.
The team engaged in Operation Duck Hunt successfully identified and incapacitated the highly organized, multi-layered Qbot infrastructure. According to the FBI, this infrastructure was fundamentally fueling the global cybercrime supply chain. The bureau's agents managed to identify over 700,000 computers infected by the Qbot malware, with more than 200,000 machines located in the US.
The FBI successfully redirected traffic from Qakbot through its own servers, issuing instructions to infected computers to download a file created by the agency. This file would uninstall the malware, freeing the "zombie" PC from the botnet's control and preventing further infections by the same malicious software. The FBI also gathered information "installed" on the infected PC by the botnet, as stated by the DoJ. No additional access or modification was made to other parts of the system.
The agency also seized cryptocurrencies valued at $8.6 million, which were part of the illicit profits obtained by the Qakbot operators. Investigators further discovered evidence of $58 million in "fees" paid by ransomware victims between October 2021 and April 2023. Given the botnet's years-long operation, the overall profits for its operators are likely significantly higher.
In addition to removing the malware from infected computers, the FBI, in collaboration with Eurojust and cloud security company Zscaler, successfully conducted investigations on computers linked to specific IP addresses and operated by particular providers. The executed warrant compelled the provider to surrender data associated with those IP addresses, which included images of the PCs' file systems, relevant customer information, and logs.
Currently, the DoJ has not provided any information about individuals potentially connected to the Qakbot botnet or Operation Duck Hunt itself. The investigation is still in progress, and arrests are likely to occur at a later date.