{
	"id": "b087608e-77a6-4ac6-a3ca-e09baead0a7f",
	"created_at": "2026-04-06T00:11:23.89959Z",
	"updated_at": "2026-04-10T03:35:59.572949Z",
	"deleted_at": null,
	"sha1_hash": "eb17298ae23a1d9cc792b4a7f20efdd517427ce3",
	"title": "‘Avalanche’ network dismantled in international cyber operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57660,
	"plain_text": "‘Avalanche’ network dismantled in international cyber operation\r\nBy Europol\r\nPublished: 2016-12-01 · Archived: 2026-04-05 21:46:47 UTC\r\nOn 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the\r\nLüneburg Police (Germany) in close cooperation with the United States Attorney’s Office for the Western District\r\nof Pennsylvania, the Department of Justice and the FBI, Europol, Eurojust and global partners, dismantled an\r\ninternational criminal infrastructure platform known as ‘Avalanche’.\r\nThe Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and\r\nmoney mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated\r\ncyberattacks on online banking systems in Germany alone. In addition, the monetary losses associated with\r\nmalware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros\r\nworldwide, although exact calculations are difficult due to the high number of malware families managed through\r\nthe platform.\r\nThe global effort to take down this network involved the crucial support of prosecutors and investigators from 30\r\ncountries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims\r\nof malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse\r\nnotifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing[1] to combat\r\nbotnet[2] infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or\r\nblocked.\r\nOn the action day, Europol hosted a command post at its headquarters in The Hague. 
From there, representatives\r\nof the involved countries worked together with Europol’s European Cybercrime Centre (EC3) and Eurojust\r\nofficials to ensure the success of such a large-scale operation.\r\nIn addition, Europol supported the German authorities throughout the entire investigation by assisting with the\r\nidentification of the suspects and the exchange of information with other law enforcement authorities. Europol’s\r\ncybercrime experts produced and delivered analytical products.\r\nEurojust’s Seconded National Expert for Cybercrime assisted by clarifying difficult legal issues that arose during\r\nthe course of the investigation. Several operational and coordination meetings were also held at both Europol and\r\nEurojust.\r\nJulian King, European Commissioner for the Security Union, said: \"Avalanche shows that we can only be\r\nsuccessful in combating cybercrime when we work closely together, across sectors and across borders.\r\nCybersecurity and law enforcement authorities need to work hand in hand with the private sector to tackle\r\ncontinuously evolving criminal methods. The EU helps by ensuring that the right legal frameworks are in place to\r\nenable such cooperation on a daily basis\".\r\nhttps://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation\r\nPage 1 of 4\n\nRob Wainwright, Europol Director, said: “Avalanche has been a highly significant operation involving\r\ninternational law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime. The\r\ncomplex trans-national nature of cyber investigations requires international cooperation between public and\r\nprivate organisations at an unprecedented level to successfully impact on top-level cybercriminals. 
Avalanche has\r\nshown that through this cooperation we can collectively make the internet a safer place for our businesses and\r\ncitizens”.\r\nMichèle Coninsx, President of Eurojust, said: “Today marks a significant moment in the fight against serious\r\norganised cybercrime, and exemplifies the practical and strategic importance of Eurojust in fostering international\r\ncooperation. Together with the German and US authorities, our EU and international partners, and with support\r\nfrom Eurojust and EC3, Avalanche, one of the world’s largest and most malicious botnet infrastructures, has been\r\ndecisively neutralised in one of the biggest takedowns to date.”\r\nThe criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing\r\nand spam activities. They sent more than 1 million e-mails with damaging attachments or links every week to\r\nunsuspecting victims.\r\nThe investigations commenced in 2012 in Germany, after an encryption ransomware[3] (the so-called Windows\r\nEncryption Trojan) infected a substantial number of computer systems, blocking users’ access. Millions of private\r\nand business computer systems were also infected with malware, enabling the criminals operating the network to\r\nharvest bank and e-mail passwords.\r\nWith this information, the criminals were able to perform bank transfers from the victims’ accounts. The proceeds\r\nwere then redirected to the criminals through a similar double fast flux[4] infrastructure, which was specifically\r\ncreated to secure the proceeds of the criminal activity.\r\nThe network’s sophisticated infrastructure allowed it to absorb the loss of some of its components by\r\nredistributing the tasks of disrupted components to still-active servers. 
The Avalanche network was\r\nestimated to involve as many as 500,000 infected computers worldwide on a daily basis.\r\nWhat made the ‘Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The\r\ncomplex setup of the Avalanche network was popular amongst cybercriminals because the double fast flux\r\ntechnique offered enhanced resilience to takedowns and law enforcement action.\r\nMalware campaigns that were distributed through this network include around 20 different malware families such\r\nas goznym, marcher, matsnu, urlzone, xswkit, and pandabanker. The money mule schemes operating over\r\nAvalanche involved highly organised networks of “mules” that purchased goods with stolen funds, enabling\r\ncybercriminals to launder the money they acquired through the malware attacks or other illegal means.\r\nIn preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured\r\ndata and identified the server structure of the botnet, allowing for the shutdown of thousands of servers and,\r\neffectively, the collapse of the entire criminal network.\r\nThe successful takedown of this server infrastructure was supported by INTERPOL, the Shadowserver\r\nFoundation, Registrar of Last Resort, ICANN and domain registries involved in the takedown phase. INTERPOL\r\nhas also facilitated the cooperation with domain registries. 
Several antivirus partners provided support concerning\r\nvictim remediation.\r\nFigures at a glance\r\nCountries involved: Armenia, Australia, Austria, Azerbaijan, Belgium, Belize, Bulgaria, Canada, Colombia,\r\nFinland, France, Germany, Gibraltar, Hungary, India, Italy, Lithuania, Luxembourg, Moldova, Montenegro,\r\nNetherlands, Norway, Poland, Romania, Singapore, Sweden, Taiwan, Ukraine, United Kingdom and United States\r\nof America.\r\nArrests: 5\r\nSearches conducted: 37\r\nServers seized: 39\r\nServers taken offline through abuse notifications: 221\r\nComputer users should note that this law enforcement action will NOT clean malware off any infected\r\ncomputers – it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers.\r\nAvalanche victims’ computers will still be infected, but shielded from criminal control.\r\nVictims of malware operating over the Avalanche network may use the following webpages created for assistance\r\nin removing the malware:\r\nwww.bsi-fuer-buerger.de/botnetz and www.bsi-fuer-buerger.de/avalanche, in German;\r\nwww.bsi-fuer-buerger.de/EN/botnetz and www.bsi-fuer-buerger.de/EN/avalanche, in English;\r\nhttps://us-cert.gov/avalanche;\r\nwww.nationalcrimeagency.gov.uk/news/962-avalanche-takedown;\r\nwww.getsafeonline.org/news/avalanche;\r\nwww.actionfraud.police.uk/news-police-takedown-computer-network-used-to-infect-millions-of-devices-dec16;\r\nwww.cyberaware.gov.uk/blog\r\nThe Shadowserver Foundation have supported this operation and will be making the sinkhole data available\r\nglobally to responsible bodies via their free daily remediation feeds. More information can be found in their blog\r\narticle.\r\n[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected\r\nto servers controlled by law enforcement authorities and/or an IT security company. 
This may be done by\r\nassuming control of the domains or IP addresses used by the criminals. When employed at 100% scale, infected\r\ncomputers can no longer reach the criminal command and control computer systems and so criminals can no\r\nlonger control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can\r\nsubsequently be used for notification and follow-up through dissemination to national CERTs and network\r\nowners.\r\n[2] Botnets are networks of computers infected with malware, which are under the control of a cybercriminal.\r\nBotnets allow criminals to harvest sensitive information from infected computers, such as online banking\r\ncredentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other\r\ncomputer systems, such as denial-of-service attacks.\r\n[3] Ransomware is a type of malware that infects the victim’s PC and encrypts the victim’s files, so that the\r\nvictim is unable to access them. The criminal behind the ransomware then uses intimidation and misinformation to\r\nforce the victim to pay a sum of money in exchange for the password that unlocks the encrypted files. Even if a\r\npassword is eventually provided, it does not always work.\r\n[4] The fast flux technique is an evasion technique used by botnet operators to quickly move a fully qualified domain\r\nname (a domain that points to one specific Internet resource such as www.domain.com) from one or more\r\ncomputers connected to the Internet to a different set of computers. Its aim is to delay or evade the detection of\r\ncriminal infrastructure. 
In the double fast flux setup, both the domain location and the name server queried for this\r\nlocation are changed.\r\nSource: https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation"
	],
	"report_names": [
		"%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434283,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb17298ae23a1d9cc792b4a7f20efdd517427ce3.pdf",
		"text": "https://archive.orkl.eu/eb17298ae23a1d9cc792b4a7f20efdd517427ce3.txt",
		"img": "https://archive.orkl.eu/eb17298ae23a1d9cc792b4a7f20efdd517427ce3.jpg"
	}
}