In an unprecedented operation against aggressive and dangerous computer malware, authorities in the European Union and beyond have taken actions against droppers including IcedID, Pikabot, Smokeloader, Bumblebee and Trickbot, which infiltrated computers via emails. The measures focused on disrupting criminal services through arresting suspects, the freezing of illegal proceeds, and taking down botnets, coordinated by Eurojust. The operation, which was carried out this week with support of Europol, is a follow up to the successful takedown of the Emotet malware system in 2021.
During actions carried out simultaneously in Germany, the Netherlands, France, Denmark, Ukraine, the United States and United Kingdom, 4 suspects were arrested, who offered the malware as a professional blackmail service to other criminal actors. Some of the suspects were involved in operating Emotet in the past.
Via so called ‘sinkholing’ techniques or the use of tools to access the systems of operators behind the malware, investigators managed to block and take down the botnets. Malware droppers are types of malicious software which downloads viruses, ransomware or spyware on computers. They are generally installed via mails with infected links or Word and PDF attachments, such as shipping invoices or order forms, to get access to personal data and or bank accounts of computer users.
Mainly enterprises and national authorities and institutions were made victims of the series of malware systems which now have been taken down. Users are warned to be careful when opening links and attachments to mails and check the origin of mails.
The investigations, which have been ongoing since the takedown of Emotet, also focused on the running of that malware itself as their operators did create the new botnets mentioned. During the coordinated actions 16 places were searched.
In total over 100 servers were taken down or disrupted and over 2 000 domains are under control of law enforcement authorities.
Furthermore, investigations showed that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure for the deployment of ransomware. The transactions are constantly being monitored and legal permission to seize these assets instantly through future actions has already been obtained.
Eurojust set up a coordination centre on its premises to manage simultaneous actions in all countries concerned. The Agency also assisted national authorities in the preparation and execution of European Arrest Warrants, European Investigation Orders and requests for Mutual Legal Assistance, and organized five coordination meetings.
The following national authorities were involved in the operations on the ground:
- Germany: Prosecutor General's Office Frankfurt am Main – Cyber Crime Center; Federal Criminal Police Office (Bundeskriminalamt)
- The Netherlands: National Prosecution Service; National Police
- Austria: Public Prosecutor’s Office of Salzburg; Criminal Intelligence Service Austria (Bundeskriminalamt)
- Denmark: National Special Crime Unit (NSK)
- France: Prosecutor's Office JUNALCO (National Jurisdiction against Organised Crime) Cybercrime Unit; Gendarmerie Nationale C3N
- Ukraine: Prosecutor General’s Office; Main Investigation Department of National Police of Ukraine; Cyber Department of the Security Service of Ukraine
- United Kingdom: National Crime Agency
- United States: United States Department of Justice, Federal Bureau of Investigation, The Defense Criminal Investigative Service
Eurojust is an agency of the European Union