Big Blow Struck to Major Botnets by International Law Enforcement Operation

Jun 4, 2024

Some of the world’s most notorious botnets have taken a major blow thanks to a Europol-led law enforcement operation, a development that will strongly impact the “dropper” services that many ransomware groups and other cyber criminals make use of as part of their initial penetration of victim systems.

The law enforcement operation, called “Operation Endgame,” is apparently only in its first stages in spite of the moniker. The initial operation spanned 10 countries and led to the seizure or disruption of 100 servers and 2,000 domains in total. Europol has promised that investigations are continuing and that suspects are being tracked, and that arrests have been made and even more are forthcoming.

TrickBot, other major botnets seriously impacted

Some of the biggest names in the botnet game, including 911 S5 and TrickBot, have been seriously impacted. In some cases, arrests of central figures have been made. In other cases it is not clear whether infected devices have been proactively cleaned by the law enforcement operation, raising questions about whether those botnets could make a comeback.

911 S5 has become the world’s largest criminal botnet, but it is also among the most likely to be permanently crippled by the law enforcement operation. That’s because operator YunHe Wang was arrested, amidst a raid of 20 properties he purchased using an estimated $99 million USD in personal lifetime earnings from the business. 911 S5 has been active since at least 2014 and is frequently used to support ransomware attacks, and it is thought to have compromised 19 million devices across the world. Wang faces the prospect of spending the rest of his natural life in prison if he is hit with the maximum penalties for the charges he faces.

The progress on some of the other botnets is more questionable, as suspects have been named but arrests have yet to be made. This includes the notorious TrickBot, another of the world’s leading threats in this category of cyber crime. TrickBot was similarly hit by the US Department of Defense in 2020, an operation that Microsoft estimated destroyed over 90% of its capacity, but it managed to come back in relatively short order. Other major botnets impacted in the law enforcement operation include IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee.

Searches were conducted at locations in several countries, with three arrests made in Ukraine and one in Armenia. Eight additional suspects have been named, and following up with actual arrests will likely be the key factor in the law enforcement operation’s success. Europol has called the initial actions “Season 1” of the campaign, raising big hopes for the future.

EU, US, UK and Ukraine involved in world-spanning law enforcement operation

Numerous EU countries participated in the law enforcement operation along with agencies from the UK, US and Ukraine. International cooperation and coordination are key to permanently disrupting botnet services, given that they spread over millions of devices across the world.

As to the potential impacts on cyber crime, dropper botnets are often used as the initial point of access for attackers. The development will cut down on options for less skilled attackers, and also potentially take a “convenience feature” out of the hands of the more skilled and slow them down somewhat. The droppers achieve initial penetration, often by leveraging the botnet to stuff credentials or get around automated email filters, and open the door for their criminal clients to place their own malware on target systems. These botnets are also often rented out by those looking to do DDoS attacks.
