US, European police say they’ve disrupted the notorious Emotet botnet

It's a big blow to a multimillion-dollar botnet.
Emotet botnet takedown video, Ukraine police, Europol
A Ukrainian investigator gathers evidence in an operation against the alleged operators of the Emotet botnet in a video posted Jan. 27, 2020. (Screenshot / YouTube)

U.S. and European law enforcement agencies said Wednesday they had seized control of the computing infrastructure used by Emotet, a botnet of infected machines that has been one of the most pervasive cybercrime threats over the last six years.

Through the police and the courts, investigators from Ukraine to Germany to the U.S. took aim at the hundreds of computer servers that Emotet has used globally to defraud victims of millions through extortion and data theft.

The investigators “gained control of the infrastructure and took it down from the inside,” Europol, the European Union’s law enforcement agency, said in a statement. “The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure.”  

A video posted by Ukrainian police shows officers raiding an apartment and confiscating computer equipment as part of the Emotet bust.


“Through international cooperation, the FBI’s Charlotte field office and our partners were able to use legal authorities and technical tools to disrupt the Emotet infrastructure,” an FBI official told CyberScoop.  

It’s a big blow to a botnet that has haunted the internet for years. Scammers have used Emotet for everything from a phishing campaign against potential U.S. Democratic Party volunteers, to more potent activity that distributes the notorious Ryuk ransomware to victims.

“What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the future deployment of other banking trojans,” said Sherrod DeGrippo, senior director of threat research and detection at email security firm Proofpoint. “At this point, any mainstream banking trojan may lead to devastating ransomware attacks.”

The botnet has wreaked havoc on state and local institutions in the U.S. and abroad. The Department of Homeland Security has estimated that Emotet infections have cost U.S. state and local governments $1 million per incident to clean up. In Germany, private investigators told the Berlin high court to completely rebuild its computer systems after a 2019 Emotet attack.

Emotet typifies a “spray and pray” tactic popular with crooks who don’t discriminate in their targets. The malicious emails come in droves, sometimes hundreds  of thousands a day. The dragnet makes it likely that at least some victims click on the malicious emails, offering the criminals a return on the investment.


“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” as Europol put it.

It’s unclear whether the criminals behind Emotet will be able to rebuild their operations. Botnets can be resilient; TrickBot, another big botnet, has survived big efforts to disrupt its operations from Microsoft and U.S. Cyber Command.

“Botnet takedowns are complicated operations, success often lies in not only seizing infrastructure but more so in arresting and detaining the main individuals behind the operation for a longer period of time,” said John Fokker, a former Dutch cybercrime investigator who is now head of cyber investigations for McAfee.

Here is a Ukrainian police video showing a raid on an apartment as part of the Emotet crackdown:


Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts