‘Cybercrime as a Service’ is a rapidly growing illicit business model in which perpetrators rent or sell malware to other criminal groups to launch attacks and encrypt computers.

In January 2021, one of the world’s most dangerous criminal infrastructures – created by the malware EMOTET – was disrupted through global action with the support of Eurojust, Europol and judicial authorities and law enforcement officers worldwide. EMOTET was one of the most professional and long-lasting cybercrime services offered for hire, involving a type of malware functioning as a dropper/downloader; in other words, a ‘door opener’ for other types of malware. Once unauthorised access was obtained, it was sold to other criminal groups that could further exploit the data breach by, for example, operating a botnet, stealing sensitive data or practising extortion with the use of ransomware.

In an international coordinated action, law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. During its takedown, particular attention was paid to ensuring a strategy for effective victim remediation. How to offer support to a large number of victims of malware in different jurisdictions was a key topic addressed by judicial practitioners in EJCN’s meetings in 2021, with the EMOTET case used as an example.

Given the international nature of the problem, effective judicial cooperation across borders means not only exchanging information, but, most importantly, ensuring that it translates into admissible evidence in jurisdictions outside the location where it was collected. As a single gateway to jurisdictions across Europe and far beyond, Eurojust has a key role to play here – in cooperation with its partners – in the fight against all types of cybercrime.

World’s most dangerous malware, EMOTET, disrupted

Crime: EMOTET, a dangerous and resilient malware, created a large botnet that was offered for hire to cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto victims’ computers. The malware was able to infect networks by spreading the threat laterally after gaining access to just a few devices.

Action: Investigators took control of EMOTET’s infrastructure in an international coordinated action in January 2021.

Result: The infected machines of victims were redirected towards a law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.

Eurojust's Role: Eurojust coordinated the international action together with Europol.