Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

Qakbot Botnet Disrupted in Operation ‘Duck Hunt’

U.S. law enforcement announce the disruption of the notorious Qakbot cybercrime operation and the release of an auto-disinfection tool to 700,000 infected machines.

Ransomware Decryption

Law enforcement authorities on Tuesday announced the cross-border dismantling of the notorious Qakbot cybercrime operation that hit more than 700,000 computers globally with ransomware and financial fraud attacks.

The takedown, dubbed Operation Duck Hunt, includes the takeover of the Qakbot infrastructure and the distribution of a software utility to automatically uninstall the Qakbot malware from infected machines.

The Qakbot disruption is being hailed as “the largest U.S.-led financial and technical disruption of a botnet” where the FBI was able to gain access to Qakbot infrastructure and identify more than 700,000 computers worldwide, including more than 200,000 in the United States, that appear to have been infected with Qakbot. 

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware,” the Justice Department said in a note announcing the takedown.

The Department also announced the seizure of more than $8.6 million in cryptocurrency in illicit profits.

The multinational operation, which involved actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, essentially cripples one of the most highly structured and multi-layered botnets used for cybercrime activities.

According to court documents, Qakbot is controlled by an unnamed cybercriminal organization and used to target critical industries worldwide through spam email messages containing malicious attachments or hyperlinks. 

Advertisement. Scroll to continue reading.

Qakbot has been used as an initial means of infection by many prolific ransomware groups that extort victims, seeking ransom payments in bitcoin before returning access to the victim’s computer networks. 

“Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims,” the Justice Department said.

“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI Director Christopher Wray.  He noted that Qakbot  victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. 

Related: QBot Infects Over 800 Corporate Users in New Campaign

Related: Qakbot, Emotet Increasingly Targeting Business Users: Microsoft

Related:Latest Online Fraud Report Says Qakbot is No Laughing Matter

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.