Qakbot Botnet Disrupted in Operation ‘Duck Hunt’

Law enforcement authorities on Tuesday announced the cross-border dismantling of the notorious Qakbot cybercrime operation that hit more than 700,000 computers globally with ransomware and financial fraud attacks.

The takedown, dubbed Operation Duck Hunt, includes the takeover of the Qakbot infrastructure and the distribution of a software utility to automatically uninstall the Qakbot malware from infected machines.

The Qakbot disruption is being hailed as “the largest U.S.-led financial and technical disruption of a botnet” where the FBI was able to gain access to Qakbot infrastructure and identify more than 700,000 computers worldwide, including more than 200,000 in the United States, that appear to have been infected with Qakbot. 

“To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware,” the Justice Department said in a note announcing the takedown.

The Department also announced the seizure of more than $8.6 million in cryptocurrency in illicit profits.

The multinational operation, which involved actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, essentially cripples one of the most highly structured and multi-layered botnets used for cybercrime activities.

According to court documents, Qakbot is controlled by an unnamed cybercriminal organization and used to target critical industries worldwide through spam email messages containing malicious attachments or hyperlinks. 

Qakbot has been used as an initial means of infection by many prolific ransomware groups that extort victims, seeking ransom payments in bitcoin before returning access to the victim’s computer networks. 

“Investigators have found evidence that, between October 2021 and April 2023, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims,” the Justice Department said.

“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” said FBI Director Christopher Wray.  He noted that Qakbot  victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. 

Related: QBot Infects Over 800 Corporate Users in New Campaign

Related: Qakbot, Emotet Increasingly Targeting Business Users: Microsoft

Related:Latest Online Fraud Report Says Qakbot is No Laughing Matter