Authorities Seize Servers to Disrupt Dridex Botnet

Law enforcement authorities in the United States and Europe have teamed up with private cybersecurity organizations in an effort to disrupt the activities of the Dridex botnet.

The Dridex malware, a successor of the Trojan known as Cridex, Feodo and Bugat, uses web injects and other techniques to steal users’ personal and financial information, which malicious actors can use to commit fraud. Recent samples of the malware had mainly been distributed via malicious Microsoft Word documents attached to spam emails.

The threat has been used against individuals from all across the world, but most of the victims appear to be in the United States and the United Kingdom, with losses caused by the botnet estimated by authorities at $10 million in the U.S. and $30 million in the U.K.

The Dridex botnet is partitioned into multiple sub-botnets and uses a peer-to-peer (P2P) network for communications, which would normally make the threat more resistant to takedowns. However, as highlighted by Dell SecureWorks, whose researchers have contributed to the latest law enforcement operation, the Dridex network is a hybrid between a centralized and a decentralized network since peer lists and configuration files are distributed centrally by backend servers.

This allowed cybercrime fighters to poison the P2P network of each Dridex sub-botnet and redirect infected systems to a sinkhole.

“Threat actors created botnets such as Dridex to fill the void left by the takedown of the Gameover Zeus botnet in May 2014 as part of Operation Tovar,” the Dell SecureWorks Counter Threat Unit research team explained. “Despite a significant overlap in tactics, techniques, and procedures (TTPs), Dridex never rivaled the sophistication, size, and success of Gameover Zeus. This operation took advantage of weaknesses in Dridex’s hybrid P2P architecture to take over the botnet.”

The FBI also announced on Tuesday that an administrator of the Dridex botnet, 30-year-old Moldovan national Andrey Ghinkul, aka “Andrei Ghincul” and “Smilex,” was arrested in Cyprus on August 28. Authorities hope to get the suspect extradited to the United States where he has been charged with nine counts of criminal conspiracy, damaging a computer, unauthorized computer access with intent to defraud, wire fraud, and bank fraud.

Ghinkul is said to have been part of a criminal conspiracy that leveraged Dridex to steal banking credentials that were later used to transfer money from victims’ accounts to the accounts of money mules. According to the FBI, the cybercrooks attempted to steal nearly $1 million from a Pennsylvania School District, and managed to transfer roughly $3.5 million from the accounts of Delmont, PA-based oil and gas exploration company Penneco Oil.

The United States Computer Emergency Readiness Team (US-CERT) has published an advisory containing information on how to remove Dridex infections.

The operation aimed at the Dridex botnet was conducted by the FBI in collaboration with Europol’s European Cybercrime Centre (EC3) and authorities in the UK, Germany and Moldova. The list of private sector organizations that contributed to the disruption of the threat includes Fox-IT, S21sec, Spamhaus, the Shadowserver Foundation, and Trend Micro.

Related Reading: Cisco Disrupts Major Ransomware Operation Powered by Angler EK

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
