SecurityWeek
DanaBot Botnet Disrupted, 16 Suspects Charged

The DanaBot botnet ensnared over 300,000 devices and caused more than $50 million in damages before being disrupted.

The notorious DanaBot botnet has been severely disrupted as part of an international law enforcement operation, which also involved charges and arrest warrants targeting over a dozen individuals. 

The takedown effort is part of Operation Endgame, which in the past also targeted malware families such as Lumma Stealer, Smokeloader, TrickBot, and Bumblebee.

Europol announced that in the latest phase of Operation Endgame, which targeted DanaBot and other malware families that reemerged after previous takedown efforts, authorities and private sector partners aimed to break the ransomware killchain at the source, taking down roughly 300 servers and 650 domains, with international arrest warrants being issued for 20 individuals.

As part of Operation Endgame, law enforcement seized a total of $24 million worth of cryptocurrency, including $4 million in the latest action.  

The US Justice Department said on Thursday that the DanaBot botnet was disrupted after it ensnared more than 300,000 computers worldwide, facilitating fraud and ransomware attacks that caused losses of at least $50 million.

The DoJ has unsealed charges against 16 individuals accused of being involved in the development and deployment of DanaBot. The list includes key players Aleksandr Stepanov, 39, aka JimmBee, and Artem Aleksandrovich Kalinkin, 34, aka Onix, both of Novosibirsk, Russia. 

They both remain at large, but if ever prosecuted in the United States, Kalinkin faces up to 72 years in prison for the charges brought against him, while Stepanov faces up to five years in prison. 

Cybersecurity blogger Brian Krebs pointed out that Kalinkin is an IT engineer at the Russian state-owned energy giant Gazprom.

Court documents revealed that many of the cybercriminals were identified after they accidentally infected their own computers with the DanaBot malware. 

DanaBot has been around since 2018. It initially targeted countries such as Ukraine, Poland, Austria, Italy, Germany and Australia, and quickly expanded to North America. 

DanaBot, offered under a malware-as-a-service model, was initially a banking trojan, enabling users to steal sensitive data from infected systems. It later developed into a distribution platform and loader for other malware families, including ransomware. 

Several cybersecurity firms assisted the law enforcement action. According to Proofpoint, the malware was used by several major cybercrime groups between 2018 and 2020, being mainly delivered through malicious emails. In mid-2020, it disappeared from the email threat landscape, but a resurgence was seen in mid-2024. 

Even while it was no longer being distributed via email campaigns, the malware was still used by cybercriminals, who leveraged malvertising and SEO poisoning for distribution. 

CrowdStrike, which tracks the threat actor as Scully Spider, noted that the group’s activities have been tolerated by the Russian government.

That is likely because, in addition to profit-driven cybercrime activities, some DanaBot sub-botnets have been used to support Russia’s military operations, particularly against Ukraine, while other sub-botnets have been used for espionage on behalf of the Russian government.

The Justice Department noted that the botnet version focusing on espionage targeted diplomats, law enforcement personnel, and members of the military in North America and Europe.

Lumen Technologies, whose Black Lotus Labs assisted law enforcement, said DanaBot had, on average, 150 active command and control (C&C) servers per day, which makes it one of the largest malware-as-a-service platforms in terms of C&C count. Black Lotus Labs and Team Cymru have conducted research into the botnet’s infrastructure.

“It remains to be seen whether Danabot can recover from the takedown,” said ESET researcher Tomáš Procházka. “The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware’s operations.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
