FBI, DOJ disrupt massive Qakbot botnet connected to millions of dollars in ransomware losses

“Operation Duck Hunt” also included authorities in France, Germany, the Netherlands, Romania, Latvia and the U.K.

An international law enforcement operation disrupted the Qakbot botnet and associated malware that has been connected with countless cyberattacks and nearly $60 million in losses from victims around the world, the U.S. Department of Justice announced Tuesday.

The operation, which included the FBI, DOJ and authorities in France, Germany, the Netherlands, Romania, Latvia and the United Kingdom, is “one of the largest U.S.-led disruptions of a botnet infrastructure” used by criminals to facilitate ransomware, financial fraud and other cyber-enabled criminal activity, the FBI said in a statement.

There were no arrests in connection with the operation but the investigation remains ongoing, a senior FBI official told reporters Tuesday.

Qakbot, also known as Qbot or Pinkslipbot, is malware first detected in 2008 that has been associated with hundreds of millions of dollars in losses to individuals and businesses in the U.S. and around the world, according to the FBI. The malware has been an initial entry mechanism for a variety of ransomware groups over the years. Groups such as Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta have been known to use it. Between October 2021 and April 2023, the FBI said, Qakbot administrators received fees corresponding to approximately $58 million in ransoms paid by victims.


As part of “Operation Duck Hunt,” the FBI said it gained access to 700,000 computers worldwide — including 200,000 in the U.S. — infected with Qakbot and redirected botnet traffic “to and through servers controlled by the FBI” on Aug. 25. Those servers “in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot,” the FBI said in its statement.

The operation was “limited to information installed on the victim computers by the Qakbot actors” and “did not extend to remediating other malware already installed on the victim computers and did not involve access to or modification of the information of the owners and users of the infected computers,” the agency said.

The operation is just the latest in a string of proactive law enforcement actions to combat cybercrime where the DOJ prioritizes disruption over arrests. The Department also announced on Tuesday the seizure of more than $8.6 million in cryptocurrency in illicit profits related to the botnet and malware operation.

“The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees,” FBI Director Christopher Wray said in a prepared statement. “The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast.”


“Qakbot was a significant adversary that represented a serious threat to businesses around the world. Engineered for eCrime, Qakbot infections led to the deployment of some of the most sophisticated and damaging ransomware,” said Don Smith, the vice president of the Secureworks Counter Threat Unit. “Qakbot has evolved over the years to become a flexible part of the criminal’s arsenal. Its removal is to be welcomed.”

Secureworks researchers observed the takedown operation at about 7:30 a.m. ET in the U.S. on Aug. 25, the company said in a blog post published after the FBI’s announcement.

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
