The FBI and Justice Department spearheaded an international law enforcement effort to dismantle the Qakbot botnet. The operation, codenamed “Operation Duck Hunt”, involved agencies from the United States, France, Germany, Latvia, the Netherlands, Romania, and the United Kingdom. Hailed as “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals,” the operation led to the seizure of $8.6 million in illicit cryptocurrency profits.
During the operation, the FBI gained access to the Qakbot network by redirecting botnet traffic through servers controlled by the FBI. The servers instructed the infected computers to download and execute a file that uninstalled the QakBot malware, effectively removing the computers from the botnet.
Qakbot malware has infected over 700,000 Microsoft Windows computers (including 200,000 in the U.S.) and caused hundreds of millions of dollars in damage. The malware, also known as QBot and Pinkslipbot, emerged in 2007 as a banking trojan. Qakbot is a favorite avenue of attack for high-profile ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. According to Reliaquest, QakBot is the most prevalent malware loader.
Qakbot typically infects victim computers through malicious attachments and hyperlinks in spam email messages and then delivers additional malware and ransomware to the infected computers.
Law enforcement officials do not yet know the number of computers successfully removed from the Qakbot botnet. No arrests have been made, but 52 servers were seized.