Qakbot: How the FBI, NCA and other European officials broke notorious cybercrime hacking network

The FBI, NCA and other European crime officials have removed a network of malicious software from thousands of infected computers, US officials have said.

The Qakbot software - malicious code that ran unnoticed on most of the computers it had secretly installed itself on - was used in online crimes, including ransomware attacks, for more than 15 years.

The criminal network behind it made around $58m (£45.8m) from victims, between October 2021 and April 2023, officials said.

Victims included an Illinois-based engineering firm, financial services organisations in Alabama and Kansas, a Maryland defence manufacturer and a southern California food distribution company, Los Angeles US attorney Martin Estrada said.

"Nearly every sector of the economy has been victimised by Qakbot," Mr Estrada said.

In an operation dubbed "Duck Hunt", the FBI along with Europol and crime and justice officials in France, Germany, the Netherlands, Romania and Latvia, seized more than 50 Qakbot servers and identified more than 700,000 infected computers worldwide.

Seizing the servers cut the criminals off from the infected machines they controlled.

The FBI then used the seized Qakbot infrastructure to remotely dispatch updates that deleted the malware from thousands of infected computers.

In the UK, the National Crime Agency ensured the criminal network's UK servers were taken offline on Saturday, at the same time as Qakbot's other infrastructure elsewhere.

Will Lyne, Head of Cyber Intelligence at the NCA, said: "This investigation has taken out a prolific malware that caused significant damage to victims in the UK and around the world.

"Qakbot was a key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats."


Researchers said they believed the cybercriminals were in Russia or other former Soviet states, but Mr Estrada did not say exactly where.

What is Qakbot?

First appearing in 2008, Qakbot gave criminal hackers initial access to compromised computers.

Usually delivered via phishing emails, it let criminals install additional malware such as ransomware, steal sensitive information, or gather intelligence on victims to enable financial fraud and crimes such as tech support and romance scams.

Once infected, the computers became part of a botnet - a network of computers infected by malware and under the control of a single attacking party.

Qakbot affected one in 10 corporate networks and accounted for about 30% of global attacks, a pair of cybersecurity firms found.

The operation is the FBI's biggest success yet against cybercriminals, but experts warned that any setback to cybercrime would likely be temporary.

Chester Wisniewski, a cybersecurity expert at Sophos - a UK-based security software and hardware company - said that while there could be a temporary drop in ransomware attacks, the criminals are expected to either revive infrastructure elsewhere or move to other botnets.

"This will cause a lot of disruption to some gangs in the short term, but it will do nothing [to stop it] from being rebooted," he said.

"Albeit it takes a long time to recruit 700,000 PCs."