Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

National Crime Agency part of international operation against malware network

Qakbot malware had infected more than 700,000 computers globally via spam emails.

Rob Freeman
Wednesday 30 August 2023 02:49 BST
FBI assistant director in charge Don Alway announces the results of the operation in Los Angeles on Tuesday (Sarah Reingewirtz/The Orange County Register/AP)
FBI assistant director in charge Don Alway announces the results of the operation in Los Angeles on Tuesday (Sarah Reingewirtz/The Orange County Register/AP) (AP)

Your support helps us to tell the story

This election is still a dead heat, according to most polls. In a fight with such wafer-thin margins, we need reporters on the ground talking to the people Trump and Harris are courting. Your support allows us to keep sending journalists to the story.

The Independent is trusted by 27 million Americans from across the entire political spectrum every month. Unlike many other quality news outlets, we choose not to lock you out of our reporting and analysis with paywalls. But quality journalism must still be paid for.

Help us keep bring these critical stories to light. Your support makes all the difference.

An international operation involving the National Crime Agency has seen malware which caused millions of pounds of damage worldwide taken down.

Qakbot malware – also known as Qboty and Pinkslipbot – infected more than 700,000 computers globally via spam emails.

The NCA ensured UK servers were taken offline as the operation, led by the FBI and US Department of Justice, seized Qakbot’s infrastructure in the US and across Europe on Saturday.

US authorities seized or froze around 8.6 million dollars (£6.8 million) of illicit cryptocurrency profits.

NCA head of cyber intelligence Will Lyne said: “This investigation has taken out a prolific malware that caused significant damage to victims in the UK and around the world.

“Qakbot was a key enabler within the cyber-crime ecosystem, facilitating ransomware attacks and other serious threats.”

He continued: “The NCA is focused on disrupting the highest harm cyber criminals by targeting the tools and services that underpin their offending.

“This activity demonstrates how, working alongside international partners, we are having an impact on those key enablers and the ransomware business model.”

The administrators behind Qakbot offered access for a fee and it was a go-to service for cyber criminals for at least 16 years.

Typically delivered by phishing emails, Qakbot gave hackers access to computers which could be used to deploy ransomware, steal sensitive information or gather intelligence on victims to use in frauds or scams.

Nearly every sector of the economy has been victimised by Qakbot

US attorney Martin Estrada

It was used by the criminal groups behind the Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta ransomware strains to steal personal data, including banking credentials, from victims.

It is believed it impacted one in 10 corporate networks and accounted for about 30% of attacks globally.

Announcing the results of the operation on Tuesday, US attorney Martin Estrada said: “Nearly every sector of the economy has been victimised by Qakbot”.

No arrests were made and investigators have not revealed where the malware administrators were based.

Cybersecurity researchers believe they are in Russia or other former Soviet states.

FBI assistant director Donald Alway described Qakbot as “one of the most devastating cybercriminal tools in history” and said the network was “feeding the global cybercrime supply chain”.

More than 50 Qakbot servers were seized by the operation, which also included Europol and police in France, Germany, the Netherlands, Romania and Latvia.

The seized infrastructure was used to remotely dispatch updates which deleted the malware from thousands of infected computers.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in