8com – Operation Endgame strikes blow against cybercrime

May 28, 2025

In a joint operation, international law enforcement agencies have succeeded in neutralising the DanaBot malware and arresting 16 people behind it.

We usually report here on security vulnerabilities and the increasingly sophisticated methods hackers use to exploit their victims. But from time to time, there is also good news, such as when law enforcement agencies deal a massive blow to cybercrime, as was the case last week. In a large-scale international operation coordinated by Europol and Eurojust, law enforcement agencies and partners from the private sector successfully dismantled the DanaBot malware network.

The results of this action, which is part of the ongoing Operation Endgame, are impressive: 16 masterminds were arrested and international arrest warrants were issued for another 20 suspects. Around 300 servers were neutralised, 650 websites were shut down between 19 and 22 May, and more than €21.2 million in cryptocurrencies were seized. The DanaBot malware is operated by a criminal group based in Russia and had infected more than 300,000 computers before it was dismantled. The damage caused by fraud and ransomware is estimated to be at least 50 million US dollars.

DanaBot was first discovered in 2018. At that time, it was operated as malware-as-a-service (MaaS) and rented to other criminals for their own purposes. The malware was extremely versatile: for example, it could be used to steal bank details or information about cryptocurrencies, or to monitor browser history. DanaBot enabled remote access, keylogging and screen recording. The first infections often occurred via spam emails, as reported by security researchers at Proofpoint in 2019. DanaBot is now also being used to transfer other malware, including ransomware, to systems that have already been compromised.

Security researchers at ESET have also been keeping an eye on DanaBot since its early days and have tracked its development into a top banking malware. They found that countries such as Poland, Italy, Spain and Turkey were among the most frequent targets of attacks in the past.

But DanaBot is dangerous in two ways, because in addition to ‘normal’ cybercriminal activities, an investigation showed that a variant of the malware, identified by CrowdStrike as SCULLY SPIDER, specifically targeted military, diplomatic and government institutions in North America and Europe and was used for espionage purposes. For example, security researchers at ESET observed it launching DDoS attacks against targets such as the Ukrainian Ministry of Defence after the Russian invasion.

According to Europol’s press release, this large-scale raid is proof of the effectiveness of comprehensive international cooperation between law enforcement agencies. The investigation was led by the FBI’s Anchorage field office and the Defence Criminal Investigative Service (DCIS), with significant support from the German Federal Criminal Police Office (BKA), the Dutch National Police and the Australian Federal Police. Numerous private cybersecurity companies also provided important technical support. In addition, German authorities added 18 more suspects to the EU’s most wanted list last week. This coordinated action against DanaBot is a significant blow to cybercriminal networks and demonstrates the strength of global partnerships in the fight against growing cybersecurity threats. But as long as cybercriminals continue to come up with new tricks, Operation Endgame is far from over.
