Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting
Customers of the SmokeLoader malware have been detained


Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
Following the Operation Endgame investigation, major malware droppers and loaders, including IcedID, SystemBC, Pikabot, SmokeLoader and Bumblebee, were shut down last year.
According to Europol, analysis of the contents of a seized database enabled it to identify customers of the SmokeLoader pay-per-install botnet, operated by an individual known as ‘Superstar’.
The law enforcement agency has now made arrests, carried out house searches, executed arrest warrants and conducted ‘knock and talks’.
"Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities," Europol said.
"Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame."
The malware had infected millions of computers around the world, according to the FBI. SystemBC facilitated anonymous communication between an infected system and its command-and-control servers.
Meanwhile, Bumblebee was distributed mainly via phishing campaigns or compromised websites, and was designed to enable the delivery and execution of further payloads on compromised systems.
SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. Similarly, IcedID - also known as BokBot - had been further developed to carry out a range of crimes as well as the theft of financial data.
Europol hails success of largest botnet takedown
As part of last year's operation - the largest ever against a botnet - more than 100 servers were shut down or disrupted and over 2,000 internet domains tied to the hacking activities were seized.
But while last May's activities were focused on the high-level players who were using ransomware, for example, this latest set of raids is designed to mop up the customers of Cybercrime as a Service providers.
Law enforcement agencies in several countries were able to link online personas and their usernames to actual individuals.
"When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of digital evidence stored on their personal devices," Europol said.
"Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation."
Europol said it’s not quite finished yet, either. The law enforcement agency is still investigating possible leads, revealing it has more suspects in the crosshairs.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.