Cops in several countries bust Avalanche, biggest ever botnet business

The operation culminated a four-year long investigation of the cybercrime network known as Avalanche.

Police and prosecutors from more than 30 countries swooped in on a massive multinational cybercrime operation Thursday, searching dozens of premises across Europe, arresting five people and seizing nearly 40 computer servers.

The bust is the culmination a four-year long investigation of the so-called Avalanche network, a “bullet-proof” hosting and management system for botnets, malware and ransomware.

The operation took more than 221 of the gang’s crime-servers offline through the cooperation of internet service providers. The ISPs have started to warn as many as half-a-million victims in more than 180 countries that their computer is infected with one of the 20-plus families of malicious software managed by Avalanche, according to a statement from Europol and Eurojust — multinational agencies for European police and prosecutors respectively.

“Today marks a significant moment in the fight against serious organized cybercrime,” said Eurojust President Michèle Coninsx, adding that the operation underlined “the practical and strategic importance” of multinational agencies. “Together with the German and U.S. authorities, our EU and international partners, and with support from Eurojust and EC3, Avalanche, one of the world’s largest and most malicious botnet infrastructures, has been decisively neutralized in one of the biggest takedowns to date.”


The statement says German authorities estimated that in their country alone, financial losses — in the form of drained bank accounts and fraudulent credit card transactions — were more than $6 million. Globally, Europol says the losses were probably in the hundreds of millions, although “although exact calculations are difficult due to the high number of malware families managed through the platform.”

The statement adds that, with over 800,000 web domain addresses seized, blocked or sinkholed, the operation was the largest-ever use of URL sinkholing to combat malware infrastructure.

A web address is sinkholed when ISPs essentially discard internet traffic addressed there. The technique prevents the malware installed on infected computers from getting instructions from the cybercriminals who designed and installed it.

The sinkholing was done with assistance from the Shadowserver Foundation, a volunteer group of security professionals who coordinated the list of web addresses to be taken down with more than 60 domain name registrars. The registrars maintain the internet’s “phone directory” — a complete listing of web domains and their corresponding numeric IP addresses.

Europol/Shadowserver infographic showing the operation of the Avalanche cybercrime hosting system

Europol/Shadowserver infographic showing the operation of the Avalanche cybercrime hosting system




















Avalanche was designed to evade sinkholing and other techniques aimed at blocking malware and shutting down botnets.

The gang used a mathematical technique called “double fast flux.” In fast flux, the domain called up by the malicious software to check in — to get targeting instructions for instance for DDoS or spam attacks — changes every five minutes. Because the changes are made according to a special mathematical formula called domain generation algorithm (DGA), the gang (and the malicious software they wrote) could duplicate those changes at the other end of the communications link and stay in touch.

Without access to the DGA, authorities cannot anticipate those changes and are left chasing a ghost — an ever-receding quarry that effectively disappears every five minutes.

And double fast flux adds a further twist. The IP addresses for each of those web domains is also changed every five minutes, again using a special algorithm. The gang were able to update DNS servers automatically with the new addresses, ensuring traffic from the networks or botnets of infected computers they’d built was able to reach the Avalanche servers.

In addition to recruiting infected computers to a botnet used to send vast quantities of spam and malicious email and bombard victim websites with fake internet traffic — a distributed denial of service or DDoS attack — the malware hosted by Avalanche stole banking passwords and credit card data entered on infected PCs through keylogger software. According to the Department of Homeland Security, several varieties of ransomware — including TeslaCrypt and Ransomlock.p — were managed by Avalanche. Other malware families hosted by the network include the notorious GameOverZeuS, Citadel and PandaBanker.


“This operation has been a mammoth effort involving complex international coordination,” said the Shadowserver Foundation in a statement, adding that its final stages were controlled from a special command center at Europol headquarters.

Europol did not say in which countries the five arrests or any of the searches took place. In a brief statement, the U.S. Justice Department promised more details next week.

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts