DOJ, international law enforcement disrupt massive RSOCKS botnet

The search warrant targeted a Florida hosting company alleged to have facilitated the botnet activity.

An international operation involving the U.S. Department of Justice alongside law enforcement officials in Germany, the Netherlands and the United Kingdom took down a Russian botnet made up of millions of hacked internet-connected devices, the DOJ said in a statement Thursday.

Federal prosecutors in the Southern District of California said operators of a botnet known as “RSOCKS” leased access to tens of thousands of compromised internet-connected devices at a time to carry out a variety of malicious actions.

A botnet — a group of compromised internet-connected devices that can be controlled as a group — can be used toward a variety of malicious ends such as to flood targets with traffic, send spam email or engage in credential stuffing at scale, where attackers use stolen username/password combinations to gain access to user accounts with automated login attempts.
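Credential stuffing of the kind described above leaves a recognisable trace in authentication logs: one source address cycling through many different usernames in a short window, most of them failing. The following Python is an added example written for this page, not code from the article or from any of the agencies named; it runs a sliding-window check over a few constructed log lines (the log format, IP addresses and usernames are invented for the example) and flags source addresses that match that pattern, while leaving a single user's repeated failures alone.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log lines (invented for this example).
# Assumed format: ISO-8601 timestamp, then key=value fields for source ip,
# username and result. 203.0.113.7 sprays many usernames (stuffing pattern);
# 198.51.100.4 is one user mistyping a password, which should not be flagged.
SAMPLE_LOG = """\
2022-06-16T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-06-16T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-06-16T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2022-06-16T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2022-06-16T10:00:03Z ip=203.0.113.7 user=erin result=OK
2022-06-16T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2022-06-16T10:00:10Z ip=198.51.100.4 user=alice result=FAIL
2022-06-16T10:00:15Z ip=198.51.100.4 user=alice result=FAIL
2022-06-16T10:00:20Z ip=198.51.100.4 user=alice result=OK
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware 'ts' datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def find_credential_stuffing(log_text, window_seconds=60,
                             min_distinct_users=5, min_failure_ratio=0.75):
    """Return {ip: stats} for source IPs that, within any window of
    `window_seconds`, tried at least `min_distinct_users` different
    usernames with a failure ratio of at least `min_failure_ratio`.
    Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span fits in window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            users = {r["user"] for r in window}
            failures = sum(1 for r in window if r["result"] != "OK")
            ratio = failures / len(window)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                # Keep the window with the most distinct usernames for this IP.
                if ip not in findings or len(users) > findings[ip]["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "failure_ratio": ratio,
                    }
    return findings


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

On the constructed input only 203.0.113.7 is reported (six usernames, five failures in a few seconds); the single user retrying from 198.51.100.4 is not, because the distinct-username count stays at one. A proxy botnet such as the one described in the article spreads attempts across many residential addresses precisely to stay under per-IP thresholds like these, so in practice this check is one signal to combine with others (per-account failure rates, known-bad address lists, device fingerprinting) rather than a complete detection.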

It’s the second known international operation to take down a botnet this month alone. Botnets, however, can prove difficult to put down for good, and sometimes bounce back from such operations.


According to the unsealed search warrant in the case, the FBI has been investigating RSOCKS since late 2016. The agency’s investigators used undercover purchases to obtain access to the botnet and identify its backend infrastructure and victims.

FBI investigators learned that RSOCKS customers were routed through a Florida-based hosting company — The Constant Company, or “Vultr” — to access the botnet’s services. Agents also identified multiple victims in San Diego whose devices had been compromised and used as part of the botnet, including an unnamed university, hotel, television studio, an electronics manufacturer, home businesses and individuals, according to the warrant.

FBI investigators were able to replace compromised devices with government-controlled computers “and all three were subsequently compromised by known RSOCKS [command and control] server IP addresses,” the warrant reads.

The warrant seeks additional information about Vultr’s customers associated with specific IP addresses including names, session logs, event logs and billing information, among other materials.

“In September 2020, FBI Director Christopher Wray announced the FBI’s new strategy for countering cyber threats,” the DOJ statement read. “The strategy focuses on imposing risk and consequences on cyber adversaries through the FBI’s unique authorities, world-class capabilities, and enduring partnerships.”
