{
	"id": "b87da796-7afa-4cda-8648-34c1c630b42f",
	"created_at": "2026-04-06T00:16:16.210045Z",
	"updated_at": "2026-04-10T03:21:35.005728Z",
	"deleted_at": null,
	"sha1_hash": "b55acd417d640ac97cfc2a707fa7ad508d64139f",
	"title": "RESOURCES FOR VICTIMS OF THE QAKBOT MALWARE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74241,
	"plain_text": "RESOURCES FOR VICTIMS OF THE QAKBOT MALWARE\r\nPublished: 2023-08-28 · Archived: 2026-04-05 16:26:25 UTC\r\n2025 Press Releases\r\nMay 22, 2025: Russian National and Leader of Qakbot Malware Conspiracy Indicted in Long-Running Global\r\nRansomware Scheme (U.S. Attorney’s Office Press Release)\r\nMay 22, 2025: Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme\r\n(DOJ National Press Release)\r\nIndictment\r\nMay 2, 2025: Indictment, 2:25-CR-00340-SB\r\n2025 Qakbot Asset Forfeiture: Information for Victims\r\nOn May 22, 2025, the U.S. Attorney’s Office (“USAO”) for the Central District of California filed a Complaint for\r\nForfeiture (2:25-CV-04631) against virtual currency and currency (“defendant assets”) seized from the operators\r\nof the Qakbot botnet. According to the allegations in the Complaint, the defendant assets are traceable proceeds of\r\nand were involved in money laundering offenses pertaining to the payment of ransoms for ransomware attacks\r\nresulting from computer intrusions by members of the Qakbot conspiracy.\r\nThe USAO will be contacting victims who may have an interest in the defendant assets to provide information\r\nabout your rights. Details on these procedures will be provided in a later communication to you from the USAO.\r\nAre you a Victim?\r\nIf you are a victim of the Qakbot malware and associated ransomware, you may have a legal interest in the\r\ndefendant assets. If you wish to be contacted and provided with information about the legal process involving the\r\ndefendant assets as it moves forward, please send the following information to Qakbot_Victims@fbi.gov:\r\nOrganization Name (if any)\r\nAddress\r\nName of Contact Person\r\nContact phone number and/or email address\r\nLocation\r\nDate of suspected Qakbot infection (if known)\r\nWhether you were the victim of ransomware\r\nIf yes, what ransomware variant\r\nWas a ransom paid?\r\nIf yes, provide payment address, amount, and date\r\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nPage 1 of 6\n\nHave you reported to law enforcement?\r\nWhen did you report the incident?\r\nTo what law enforcement agency?\r\nPlease provide any report or incident number for your report\r\n2023 Press Releases\r\nAugust 29, 2023: Qakbot Malware Disrupted in International Cyber Takedown (US Attorney’s Office Press\r\nRelease)\r\nAugust 29, 2023: Qakbot Malware Disrupted in International Cyber Takedown (DOJ National Press Release)\r\n2023 Botnet Takedown: Information for Victims\r\nBeginning on August 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to\r\nand through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a\r\nQakbot Uninstall file that uninstalled Qakbot malware from the infected computer. The Qakbot Uninstall file did\r\nnot remediate other malware that was already installed on infected computers; instead, it was designed to prevent\r\nadditional Qakbot malware from being installed on the infected computer by untethering the victim computer\r\nfrom the Qakbot botnet.\r\nHash value for the Qakbot Uninstall file (SHA-256):\r\n7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117\r\nAs a result of this operation, the FBI and the Dutch National Police have identified numerous account credentials\r\nthat were compromised by the Qakbot actors. The FBI has provided those credentials to the website Have I Been\r\nPwned, which is a free resource for people to quickly assess whether their access credentials have been\r\ncompromised in a data breach or other activity. The Dutch National Police have also set up a website that contains\r\ninformation about additional compromised credentials. You can check to see if your credentials were\r\ncompromised at the following websites:\r\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nPage 2 of 6\n\nHave I Been Pwned (https://haveibeenpwned.com/)\r\nDutch National Police (https://politie.nl/checkyourhack)\r\nThis webpage will be updated as more resources become available. Victims are encouraged to report the\r\ncybercrimes with their local FBI field office or the Internet Crime Complaint Center (IC3) at ic3.gov.\r\nShadowserver has disseminated data about historical Qakbot infections to 201 National Computer Security\r\nIncident Response Teams and to affected network owners around the world.\r\nQakbot Historical Bot Infections Special Report (September 8, 2023),\r\nhttps://www.shadowserver.org/news/qakbot-historical-bot-infections-special-report/\r\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nPage 3 of 6\n\nThe following documents contain additional information for victims and network defenders:\r\nCISA Cybersecurity Advisory: Identification and Disruption of QakBot Infrastructure\r\n(August 30, 2023)\r\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nPage 4 of 6\n\nThe Shadowserver Foundation: Qakbot Botnet Disruption\r\n(August 29, 2023)\r\nSpamhaus: Qakbot Breached Email Accounts\r\n(August 29, 2023)\r\nSearch Warrant Related to Qakbot Uninstall File\r\nApplication, Search Warrant (2:23-MJ-4244), signed August 21, 2023\r\nSearch Warrant Related to Qakbot U.S. Server Infrastructure\r\nApplication, Search Warrant (2:23-MJ-4248), signed August 23, 2023\r\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nPage 5 of 6\n\nSeizure Warrant Related to Virtual Currency Seizure\r\nApplication, Seizure Warrant (2:23-MJ-4251), signed August 23, 2023\r\nSource: https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nPage 6 of 6\n\n https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources  \nSeizure Warrant Related to Virtual Currency Seizure\nApplication, Seizure Warrant (2:23-MJ-4251), signed August 23, 2023\nSource: https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources   \n   Page 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources"
	],
	"report_names": [
		"qakbot-resources"
	],
	"threat_actors": [],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b55acd417d640ac97cfc2a707fa7ad508d64139f.pdf",
		"text": "https://archive.orkl.eu/b55acd417d640ac97cfc2a707fa7ad508d64139f.txt",
		"img": "https://archive.orkl.eu/b55acd417d640ac97cfc2a707fa7ad508d64139f.jpg"
	}
}