{
	"id": "49c56bda-848c-4d4f-b4a8-0b1562e0b534",
	"created_at": "2026-04-10T03:21:12.746826Z",
	"updated_at": "2026-04-10T03:22:16.919274Z",
	"deleted_at": null,
	"sha1_hash": "bde44c696276c682f4848c3a7aefd1f43e757118",
	"title": "Qakbot Malware Disrupted in International Cyber Takedown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44064,
	"plain_text": "Qakbot Malware Disrupted in International Cyber Takedown\r\nPublished: 2023-08-29 · Archived: 2026-04-10 03:09:46 UTC\r\nLOS ANGELES – The Justice Department today announced a multinational operation involving actions in the\r\nUnited States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia to disrupt the botnet\r\nand malware known as Qakbot and take down its infrastructure.\r\nThe Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The\r\nDepartment also announced the seizure of more than $8.6 million in cryptocurrency in illicit profits.\r\nThe action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by\r\ncybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.\r\n“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded\r\ntoday that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland.\r\n“Together with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an\r\naggressive campaign to uninstall the malware from victim computers in the United States and around the world,\r\nand seized $8.6 million in extorted funds.”\r\n“An international partnership led by the Justice Department and the FBI has resulted in the dismantling of Qakbot,\r\none of the most notorious botnets ever, responsible for massive losses to victims around the world,” said United\r\nStates Attorney Martin Estrada. “Qakbot was the botnet of choice for some of the most infamous ransomware\r\ngangs, but we have now taken it out. This operation also has led to the seizure of almost 9 million dollars in\r\ncryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims. 
My\r\nOffice’s focus is on protecting and vindicating the rights of victims, and this multifaceted attack on computer-enabled crime demonstrates our commitment to safeguarding our nation from harm.”\r\n“The Operation ‘Duck Hunt’ Team utilized their expertise in science and technology, but also relied on their\r\ningenuity and passion to identify and cripple Qakbot, a highly structured and multi-layered bot network that was\r\nliterally feeding the global cybercrime supply chain,” said Donald Alway, the Assistant Director in Charge of the\r\nFBI’s Los Angeles Field Office. “These actions will prevent an untold number of cyberattacks at all levels, from\r\nthe compromised personal computer to a catastrophic attack on our critical infrastructure.”\r\nAccording to court documents, Qakbot, also known by various other names, including “Qbot” and “Pinkslipbot,”\r\nis controlled by a cybercriminal organization and used to target critical industries worldwide. The Qakbot malware\r\nprimarily infects victim computers through spam email messages containing malicious attachments or hyperlinks.\r\nOnce it has infected a victim computer, Qakbot can deliver additional malware, including ransomware, to the\r\ninfected computer. Qakbot has been used as an initial means of infection by many prolific ransomware groups in\r\nrecent years, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The ransomware actors\r\nthen extort their victims, seeking ransom payments in bitcoin before returning access to the victim computer\r\nnetworks. 
\r\nThese ransomware groups caused significant harm to businesses, healthcare providers, and government agencies\r\nall over the world, including to a power engineering firm based in Illinois; financial services organizations based\r\nin Alabama, Kansas, and Maryland; a defense manufacturer based in Maryland; and a food distribution company\r\nin Southern California. Investigators have found evidence that, between October 2021 and April 2023, Qakbot\r\nadministrators received fees corresponding to approximately $58 million in ransoms paid by victims.\r\nThe victim computers infected with Qakbot malware are part of a botnet (a network of compromised computers),\r\nmeaning the perpetrators can remotely control all the infected computers in a coordinated manner. The owners and\r\noperators of the victim computers are typically unaware of the infection.\r\nAs part of the takedown, the FBI was able to gain access to Qakbot infrastructure and identify over 700,000\r\ncomputers worldwide, including more than 200,000 in the United States, that appear to have been infected with\r\nQakbot. To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled\r\nby the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file\r\ncreated by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether\r\nthe victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.\r\nThe scope of this law enforcement action was limited to information installed on the victim computers by the\r\nQakbot actors. 
It did not extend to remediating other malware already installed on the victim computers and did\r\nnot involve access to or modification of the information of the owners and users of the infected computers.\r\nValuable technical assistance was provided by Zscaler. The FBI has partnered with the Cybersecurity and\r\nInfrastructure Security Agency, Shadowserver, Microsoft Digital Crimes Unit, the National Cyber Forensics and\r\nTraining Alliance, and Have I Been Pwned to aid in victim notification and remediation.\r\nThe FBI Los Angeles Field Office, the U.S. Attorney’s Office for the Central District of California, and the\r\nCriminal Division’s Computer Crime and Intellectual Property Section (CCIPS) conducted the operation in close\r\ncooperation with Eurojust. Investigators and prosecutors from several jurisdictions provided crucial assistance,\r\nincluding Europol, French Police Cybercrime Central Bureau and the Cybercrime Section of the Paris Prosecution\r\nOffice, Germany’s Federal Criminal Police and General Public Prosecutor’s Office Frankfurt/Main, Netherlands\r\nNational Police and National Public Prosecution Office, the United Kingdom’s National Crime Agency,\r\nRomania’s National Police, and Latvia’s State Police. The Justice Department’s Office of International Affairs and\r\nthe FBI Milwaukee Field Office provided significant assistance.\r\nAssistant United States Attorneys Khaldoun Shobaki and Lauren Restrepo of the Cyber and Intellectual Property\r\nCrimes Section, along with CCIPS Trial Attorneys Jessica Peck, Ryan K.J. 
Dickey and Benjamin Proctor.\r\nAdditional information and resources, including for victims, can be found on the following website, which will be\r\nupdated as additional information and resources become available: https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\r\nSource: https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown"
	],
	"report_names": [
		"qakbot-malware-disrupted-international-cyber-takedown"
	],
	"threat_actors": [],
	"ts_created_at": 1775791272,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bde44c696276c682f4848c3a7aefd1f43e757118.pdf",
		"text": "https://archive.orkl.eu/bde44c696276c682f4848c3a7aefd1f43e757118.txt",
		"img": "https://archive.orkl.eu/bde44c696276c682f4848c3a7aefd1f43e757118.jpg"
	}
}