Top 10 Cybercrime Takedowns From 2014-2024


ThreatIntelligenceLab.com

In my years of experience in cybersecurity and threat intelligence, I’ve seen the ongoing battle between cybercriminals and law enforcement agencies firsthand.

Efforts by organizations like Europol, the FBI, and the NCSC have led to significant disruptions in the operations of various malicious entities.

These interventions haven’t just taken down notorious malware and botnets but have also provided valuable insights into the ever-changing landscape of cyber threats.

Today, we will explore the impact of these disruptions, highlighting notable cases such as Blackcat, Qakbot, The Genesis Market, Hive ransomware, and others that have influenced our cybersecurity approach.

Warzone RAT Disruption (2024)

The Warzone RAT malware disruption occurred as part of an international law enforcement effort, culminating in actions taken on February 7, 2024.

Authorities seized the internet domains used to sell the malware, which had enabled cybercriminals to stealthily access victims’ computers, steal data, and conduct other illicit activities.

BlackCat/AlphV ransomware disruption (2023)

The disruption of the BlackCat/Alphv ransomware, also known as Noberus, was announced on December 19, 2023.

This ransomware group had targeted over 1,000 victims worldwide, causing significant harm, including to networks that support U.S. critical infrastructure.

The Justice Department, in coordination with the FBI and international law enforcement agencies, conducted a comprehensive disruption campaign against this group.

This campaign was not only about taking down the ransomware’s operations but also involved the development and distribution of a decryption tool by the FBI. This tool was provided to over 500 victims globally, helping them to recover their systems and avoid paying ransoms that totaled approximately $68 million.

The operation against BlackCat/Alphv included seizing websites operated by the ransomware group and infiltrating their network. Law enforcement obtained private decryption keys, aiding victims in data recovery.

A confidential human source became an affiliate of the ransomware operation. They accessed the backend affiliate panel and obtained private decryption keys. The FBI obtained 946 public/private key pairs for the ransomware operation’s Tor sites, enabling control to disrupt the group’s activities further.

Qakbot Botnet Disruption (2023)

Law enforcement announced the disruption of the Qakbot malware, also known as Qbot or Pinkslipbot, on August 29, 2023.

This multinational operation was led by the U.S. Department of Justice, involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.

The operation aimed to dismantle the Qakbot botnet infrastructure. It had infected over 700,000 victim computers worldwide, facilitated ransomware deployments, and caused hundreds of millions of dollars in damage.

Law enforcement gained access to the Qakbot botnet, redirected its traffic through servers they controlled, and deployed a Qakbot Uninstall file to infected computers.

Duck Hunt, Qakbot botnet disruption

This file was designed to uninstall the Qakbot malware, preventing it from causing further harm. Moreover, the operation led to the seizure of over $8.6 million in cryptocurrency derived from illicit profits associated with the botnet’s activities.

The Qakbot malware primarily spread through spam email messages containing malicious attachments or links.

Once a computer became infected, it entered a state where it could be controlled remotely as part of the botnet.

This allowed it to deliver additional malware, including ransomware, to the victim and other computers.

Qakbot has been a significant threat since its creation in 2008, used by various ransomware groups to execute their attacks, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta, resulting in substantial financial losses and operational disruptions across various sectors.

The operation, dubbed ‘Duck Hunt,’ marked a significant U.S.-led effort against cybercrime, showcasing the effectiveness of international cooperation in tackling sophisticated cyber threats.

Volt Typhoon Disruption (2023)

In December 2023, the U.S. government targeted a botnet operated by “Volt Typhoon” using the “KV Botnet” malware.

The operation, which involved hundreds of U.S.-based small office/home office (SOHO) routers, aimed to disrupt the group’s activities.

The routers, infected with KV Botnet malware, concealed the origins of additional hacking activities by the People’s Republic of China (PRC) targeting critical infrastructure in the U.S. and other countries.


The majority of compromised routers were end-of-life models from Cisco and NetGear.

They were vulnerable because they no longer received manufacturer support, including security patches or software updates. The court-authorized operation successfully removed the KV Botnet malware from these routers.

Authorities also implemented measures to sever the routers’ connections to the botnet.

This was achieved by blocking communications with the devices used to control the botnet, significantly impeding Volt Typhoon’s ability to conduct its hacking operations under the guise of legitimate internet traffic.

Hive Ransomware Disruptions (2023)

In January 2023, the U.S. Department of Justice significantly disrupted the Hive ransomware, a ransomware-as-a-service (RaaS) operation that targeted a wide range of sectors including healthcare, education, financial services, and critical infrastructure.

The FBI infiltrated Hive’s network in July 2022, capturing decryption keys and providing them to victims globally, thereby averting over $130 million in ransom payments.

This concerted effort also saw the seizure of Hive’s servers and websites, effectively disrupting their operations. The Hive group had impacted more than 1,500 victims across 80 countries, amassing over $100 million in ransom payments since its inception in June 2021.

Genesis Marketplace Disruption (2023)

U.S. and international law enforcement agencies seized The Genesis Marketplace, a notorious hacker marketplace for stolen logins and digital browser fingerprints. They announced this significant operation on April 5, 2023.

Dubbed “Operation Cookie Monster,” this collaborative effort involved the FBI and law enforcement from the United Kingdom, Europe, Australia, Canada, Germany, Poland, and Sweden, leading to the arrest of about 120 people and the execution of 200 searches worldwide.

Genesis Market was known for selling compromised credentials and digital fingerprints from over 1.5 million infected computers globally, making it a key enabler of cybercrimes including ransomware.

Genesis Marketplace Disruption (2023) – Man arrested

The marketplace had been active since 2017. It provided cybercriminals with access to data from compromised systems, including IP addresses, session cookies, plugins, and operating system details.

Attackers could impersonate victims’ browsers, accessing online accounts without passwords or two-factor authentication. Genesis Market’s takedown is part of law enforcement’s broader effort to combat cybercrime and disrupt cybercriminals’ digital infrastructure.
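The paragraph above describes why a stolen session cookie plus a cloned browser fingerprint lets an attacker skip the password and second factor entirely: the server sees a session it already trusts. The following is an added defensive example, not code from the article or from any product, showing how a web backend can bind a session to the browser attributes and client network seen at login and decide when to demand re-authentication. The session store, the attribute set used for the fingerprint, and the sample requests are all constructed for illustration; since Genesis Market sold fingerprints precisely so that a replayed cookie would match, the fingerprint check alone is not enough, which is why a network-change signal is kept as a second trigger.

```python
import hashlib
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class BoundSession:
    """What the server remembers about a session at login time (assumed schema)."""
    user: str
    fp_hash: str      # hash of the browser attributes presented at login
    login_net: str    # /24 network of the client address at login


def _net24(ip: str) -> str:
    """Coarsen a client address to its /24 so ordinary DHCP churn is ignored."""
    return str(ip_network(f"{ip}/24", strict=False))


def fingerprint(user_agent: str, accept_language: str) -> str:
    """Server-side fingerprint from request headers (minimal attribute set, assumed)."""
    raw = f"{user_agent}|{accept_language}".encode()
    return hashlib.sha256(raw).hexdigest()


def bind_session(store: dict, sid: str, user: str, user_agent: str,
                 accept_language: str, client_ip: str) -> None:
    """Called once after a successful login (password + 2FA) to bind the cookie."""
    store[sid] = BoundSession(user, fingerprint(user_agent, accept_language),
                              _net24(client_ip))


def check_request(store: dict, sid: str, user_agent: str,
                  accept_language: str, client_ip: str) -> str:
    """Return a verdict for a request presenting session cookie `sid`.

    "ok"                   - attributes match what was bound at login
    "unknown-session"      - cookie does not belong to any live session
    "fingerprint-mismatch" - cookie replayed from a different-looking browser
    "network-change"       - fingerprint matches (possibly cloned) but the
                             client network differs; treat as a step-up trigger
    """
    sess = store.get(sid)
    if sess is None:
        return "unknown-session"
    if fingerprint(user_agent, accept_language) != sess.fp_hash:
        return "fingerprint-mismatch"
    if _net24(client_ip) != sess.login_net:
        return "network-change"
    return "ok"


# Constructed scenario: a victim logs in, then the same cookie is replayed.
VICTIM_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"
VICTIM_LANG = "en-US,en;q=0.9"


def run_scenario() -> dict:
    store: dict = {}
    bind_session(store, "sid-123", "alice", VICTIM_UA, VICTIM_LANG, "192.0.2.10")
    return {
        # legitimate follow-up request from the victim's own machine
        "victim": check_request(store, "sid-123", VICTIM_UA, VICTIM_LANG, "192.0.2.12"),
        # cookie replayed from an unrelated browser profile
        "naive_replay": check_request(store, "sid-123", "curl/8.0", "", "203.0.113.5"),
        # cookie replayed with a cloned fingerprint from another network
        "cloned_replay": check_request(store, "sid-123", VICTIM_UA, VICTIM_LANG, "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14s} -> {verdict}")
```

A "network-change" verdict is noisy for mobile users, so the sensible policy is to re-prompt for the second factor on sensitive actions rather than to terminate the session outright; what matters is that a replayed cookie can no longer silently inherit the full trust of the original login.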

Ragnar Locker Disruption (2023)

An international law enforcement operation (Operation Mole) between October 16 and 20, 2023, effectively dismantled the Ragnar Locker ransomware operation.

This significant disruption involved agencies from the U.S., European Union, Japan, and others. They targeted the group’s infrastructure, leading to the seizure of its dark web portal used for extorting victims.

Europol spearheaded the coordinated effort, resulting in the arrest of a 35-year-old man in Paris. Authorities identified him as the “main perpetrator” of the operation.

Further actions included searches in the Czech Republic, Spain, and Latvia.


Law enforcement agencies in the Netherlands, Germany, and Sweden conducted additional seizures. They took down nine servers supporting Ragnar Locker’s infrastructure. The operation also resulted in the seizure of various cryptocurrencies, the value of which was undisclosed at the time.

Ragnar Locker, known for targeting critical infrastructure sectors since 2020, has posed a significant threat. The FBI identified at least 52 U.S. entities across 10 critical sectors affected by its operations as of last year. The group demanded ransoms ranging from $5 to $70 million in cryptocurrency.

Emotet Botnet Disruption (2021)

The Emotet botnet, known as one of the most dangerous and widespread forms of malware, underwent successful disruption. This occurred through a coordinated international cyber operation on January 28, 2021.

This significant effort involved law enforcement agencies from various countries. The United States, Canada, France, Germany, the Netherlands, and the United Kingdom were directly involved. Additional assistance came from Lithuania, Sweden, and Ukraine.

The operation aimed to dismantle the infrastructure of Emotet, which had infected more than 1.6 million victim computers worldwide and caused hundreds of millions of dollars in damage across various sectors, including banking, e-commerce, healthcare, academia, government, and technology.

Emotet Botnet Disruption (2021) – Emotet Criminal gets arrested

Emotet spread primarily through spam emails. These emails contained malicious attachments or links. They were designed to appear as if they were from a legitimate source.

Once a computer was infected, Emotet could deliver further malware, including ransomware and financial credential stealers. The FBI’s involvement began with an investigation into a North Carolina school district compromised by Emotet in 2017, highlighting the malware’s evolution and its ability to bypass virus detection software to facilitate additional cybercrimes.

The global action against Emotet, dubbed “Operation Ladybird,” not only aimed to take down Emotet’s infrastructure but also to prevent the malware from communicating with infected computers, effectively neutering its capability to cause further harm.

The FBI and its partners utilized sophisticated techniques and international cooperation to achieve a significant impact on the operation of the Emotet botnet, demonstrating a united front against cybercrime.

Avalanche Network Disruption (2016)

The Avalanche network was notorious for hosting over two dozen of the world’s most damaging types of malicious software and several money laundering campaigns.

A monumental international cyber operation dismantled it on December 5, 2016.

This network provided cybercriminals with a secure infrastructure to conduct their malware campaigns and money laundering schemes. It affected hundreds of thousands of computers globally, resulting in financial damages estimated in the hundreds of millions of dollars.


The operation involved arrests and searches across four countries. It demonstrated significant collaboration between 40 countries targeting not just individual actors but the entire Avalanche infrastructure.

The U.S. Department of Justice, alongside the FBI’s Cyber Division and international law enforcement agencies like Europol, coordinated efforts leading to this disruption.

The Avalanche network, known for its use of sophisticated techniques like double fast flux (rapidly rotating both the hosting addresses and the nameservers of its domains), posed a formidable challenge in the cybercrime landscape.

Key outcomes of the operation included seizing, blocking, and sinkholing over 800,000 malicious domains associated with the Avalanche network. This proactive approach dismantled the network’s infrastructure and redirected traffic from infected computers to servers controlled by law enforcement, cutting off criminals’ access to stolen data.
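Double fast flux is what made Avalanche hard to block by address: a domain’s A records and its nameservers both rotated across many compromised hosts with short TTLs, so a blocklist of IPs was stale within minutes, and the remedy was to take control of the domains themselves and sinkhole them. The heuristic below is an added example, not code from the article or from any of the agencies involved, showing how a defender can score domains from passive-DNS style resolution logs to surface that pattern. The log format, the sample records, and the thresholds (at least three distinct /24 networks and a mean TTL under ten minutes) are all assumptions for illustration; the NS values are taken to be the resolved addresses of the nameservers rather than their hostnames.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed sample log: (domain, record_type, value, ttl_seconds).
# "flux.example" rotates A records across several /24s and also rotates the
# addresses of its nameservers (double flux); "static.example" is ordinary.
SAMPLE_LOG = [
    ("flux.example", "A", "198.51.100.17", 180),
    ("flux.example", "A", "203.0.113.44", 120),
    ("flux.example", "A", "192.0.2.9", 300),
    ("flux.example", "A", "198.51.100.201", 150),
    ("flux.example", "A", "203.0.113.77", 60),
    ("flux.example", "NS", "198.51.100.5", 240),
    ("flux.example", "NS", "192.0.2.250", 120),
    ("flux.example", "NS", "203.0.113.2", 300),
    ("static.example", "A", "192.0.2.100", 86400),
    ("static.example", "A", "192.0.2.100", 86400),
    ("static.example", "NS", "192.0.2.53", 86400),
]


@dataclass
class FluxReport:
    """Per-domain resolution summary (assumed structure)."""
    domain: str
    a_ips: set = field(default_factory=set)
    a_nets: set = field(default_factory=set)
    a_ttls: list = field(default_factory=list)
    ns_ips: set = field(default_factory=set)
    ns_nets: set = field(default_factory=set)
    ns_ttls: list = field(default_factory=list)


def _net24(ip: str) -> str:
    """Map an address to its /24 so that diversity is counted per network."""
    return str(ip_network(f"{ip}/24", strict=False))


def analyze(records) -> dict:
    """Aggregate A and NS observations per domain."""
    reports: dict = {}
    for domain, rtype, value, ttl in records:
        rep = reports.setdefault(domain, FluxReport(domain))
        if rtype == "A":
            rep.a_ips.add(value)
            rep.a_nets.add(_net24(value))
            rep.a_ttls.append(ttl)
        elif rtype == "NS":
            rep.ns_ips.add(value)
            rep.ns_nets.add(_net24(value))
            rep.ns_ttls.append(ttl)
    return reports


def _is_fluxing(nets: set, ttls: list, min_nets: int = 3,
                max_mean_ttl: int = 600) -> bool:
    """Flux signature: many distinct networks combined with short TTLs."""
    if not ttls:
        return False
    return len(nets) >= min_nets and sum(ttls) / len(ttls) <= max_mean_ttl


def classify(rep: FluxReport) -> str:
    """'double-flux' when both A records and nameservers churn,
    'single-flux' when only the A records do, otherwise 'benign'."""
    a_flux = _is_fluxing(rep.a_nets, rep.a_ttls)
    ns_flux = _is_fluxing(rep.ns_nets, rep.ns_ttls)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "benign"


if __name__ == "__main__":
    for rep in analyze(SAMPLE_LOG).values():
        print(f"{rep.domain:16s} A:{len(rep.a_ips)} ips/{len(rep.a_nets)} nets "
              f"NS:{len(rep.ns_ips)} ips/{len(rep.ns_nets)} nets -> {classify(rep)}")
```

In practice the same counters are kept over a sliding window per domain, and a "double-flux" verdict is a reason to block the domain at the resolver and hand the indicator to the registrar or a sinkhole operator, since blocking any one of its addresses achieves nothing. Content delivery networks also show many addresses per name, so the TTL condition and a review step matter more than the network count alone.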

Blackshades Malware Takedown (2014)

The Blackshades malware disruption, known as the “International Blackshades Malware Takedown,” occurred on May 19, 2014.

This significant global law enforcement effort resulted in the arrest of Swedish national Alex Yucel. Additionally, U.S. citizen Michael Hogue, believed to have co-developed the Blackshades malware, pleaded guilty.

Blackshades Malware Takedown (2014) – News report by GlobalNews

This software reached thousands worldwide, infecting over half a million computers. The takedown involved 40 FBI field offices, about 100 interviews, over 100 search warrants, and the seizure of over 1,900 domains used by Blackshades users.

As part of this operation, over 90 arrests occurred globally, with more than 300 searches across 18 countries. The Blackshades malware, especially the Blackshades Remote Access Tool (RAT), enabled cybercriminals to steal personal information, activate webcams, and launch DDoS attacks.
