{
	"id": "7acb5327-cec0-4e5f-adf1-6f950e544962",
	"created_at": "2026-04-06T00:15:01.046473Z",
	"updated_at": "2026-04-10T03:24:29.962392Z",
	"deleted_at": null,
	"sha1_hash": "db304e7c34064ff756af775492c7b3f135e9d096",
	"title": "Continuing our work to hold cybercriminal ecosystems accountable",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38209,
	"plain_text": "Continuing our work to hold cybercriminal ecosystems\r\naccountable\r\nBy Mike Trinh\r\nPublished: 2023-04-26 · Archived: 2026-04-05 18:57:25 UTC\r\nGoogle takes steps to not only hold criminal operators of malware accountable, but also those who profit from its\r\ndistribution.\r\nPierre-Marc Bureau\r\nThreat Analysis Group\r\nLast year, we shared details about our success in holding operators of the Glupteba botnet responsible for their\r\ntargeting of online users. We noted that our work was not done and that we would continue raising awareness\r\naround issues and working to disrupt groups looking to take advantage of users. Today, we’re sharing another\r\nmilestone in that work.\r\nYesterday, a federal judge in the Southern District of New York unsealed our civil action against the malware\r\ndistributors of Cryptbot, which we estimate infected approximately 670,000 computers this past year and targeted\r\nusers of Google Chrome to steal their data. We’re targeting the distributors who are paid to spread malware\r\nbroadly for users to download and install, which subsequently infects machines and steals user data.\r\nCybercriminals often operate like businesses, specializing in a particular function, and partner with other criminal\r\nspecialists to profit off harm to innocent users. This lawsuit targeting Cryptbot’s malware distributors shows our\r\ncommitment to protecting users from each level of the cybercriminal ecosystem.\r\nAbout CryptBot\r\nCryptBot is a type of malware often referred to as an “infostealer” because it is designed to identify and steal\r\nsensitive information from victims’ computers such as authentication credentials, social media account logins,\r\ncryptocurrency wallets, and more. CryptBot then sends the stolen data to be harvested and eventually sold to bad\r\nactors to use in data breach campaigns. 
CryptBot distributors offer maliciously modified versions of many\r\nsoftware packages, including Google Earth Pro and Google Chrome. Users download and install these packages,\r\nwithout realizing that doing so infects their machines with malware. Recent CryptBot versions have been designed\r\nto specifically target users of Google Chrome, which is where Google’s CyberCrimes Investigations Group\r\n(CCIG) and Threat Analysis Group (TAG) teams worked to identify the distributors, investigate and take action.\r\nLegal strategy and disruption\r\nOur litigation was filed against several of CryptBot’s major distributors who we believe are based in Pakistan and\r\noperate a worldwide criminal enterprise. The legal complaint is based on a variety of claims, including computer\r\nfraud and abuse and trademark infringement. To hamper the spread of CryptBot, the court has granted a temporary\r\nrestraining order to bolster our ongoing technical disruption efforts against the distributors and their infrastructure.\r\nThe court order allows us to take down current and future domains that are tied to the distribution of CryptBot.\r\nThis will slow new infections from occurring and decelerate the growth of CryptBot. 
Lawsuits have the effect of\r\nestablishing both legal precedent and putting those profiting, and others who are in the same criminal ecosystem,\r\nunder scrutiny.\r\nDangers of unknown software\r\nTo further combat security risks, Cybercrime Support Network recommends additional steps users should take to\r\nprotect themselves against malware like CryptBot:\r\nDownload from well-known and trusted sources: Only download software from the official website or\r\napp store and take Chrome Safe Browsing warnings seriously.\r\nRead reviews and do your research: Before downloading any software, do research on the product, and\r\nread reviews from others who have already downloaded and used the software.\r\nKeep your operating system and software up-to-date: Make sure to regularly update your device's\r\noperating system and software to the latest version. Updates often include security patches and bug fixes\r\nthat can help protect from threats.\r\nLooking ahead\r\nThis litigation is another step forward in holding cybercriminals accountable, by not just targeting those that\r\noperate botnets, but also those that profit from malware distribution. With these, and future actions, we look\r\nforward to continuing our ongoing commitment to help protect the safety of online users.\r\nSource: https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/"
	],
	"report_names": [
		"continuing-our-work-to-hold-cybercriminal-ecosystems-accountable"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db304e7c34064ff756af775492c7b3f135e9d096.pdf",
		"text": "https://archive.orkl.eu/db304e7c34064ff756af775492c7b3f135e9d096.txt",
		"img": "https://archive.orkl.eu/db304e7c34064ff756af775492c7b3f135e9d096.jpg"
	}
}