Operation ‘Duck Hunt’: How the FBI and European partners seized notorious cybercrime hacking network


The FBI and its European partners have removed a malicious software agent from thousands of infected computers after seizing control of a global malware network, US officials have said.

The agent – known as Qakbot – was used as part of online crimes, including ransomware attacks, for more than 15 years.

The criminal network made around $58m (£45.8m) from victims, between October 2021 and April 2023, officials said.

Victims included an Illinois-based engineering firm, financial services organisations in Alabama and Kansas, along with a Maryland defence manufacturer and a southern California food distribution company, Martin Estrada, the US attorney in Los Angeles said.

“Nearly every sector of the economy has been victimised by Qakbot,” Mr Estrada said.

U.S. Attorney Martin Estrada. Pic: AP
US Attorney Martin Estrada said Qakbot malware had infected more than 700,000 victim computers. Pic: AP

In an operation dubbed “Duck Hunt”, the FBI along with Europol and law enforcement and justice partners in France, the UK, Germany, the Netherlands, Romania and Latvia, seized more than 50 Qakbot servers and identified more than 700,000 infected computers, more than 200,000 of which were in the US.

By doing this, criminals were effectively cut off from their source.

The FBI then used the seized Qakbot infrastructure to remotely dispatch updates that deleted the malware from thousands of infected computers.

Read more:
Electoral Commission targeted by cyber attack
University of Manchester says its data ‘likely copied’
Growth of ‘hackers for hire’

Researchers said they believed the cybercriminals to be in Russia or other former Soviet states, but Mr Estrada did not say where individuals were located.

What is Qakbot?

First appearing in 2008, Qakbot gives criminal hackers initial access to violated computers.

Usually delivered via phishing email infections, criminals could then install additional ransomware, steal sensitive information or gather intelligence on victims to facilitate financial fraud and crimes such as tech support and romance scams.

FBI Asst. Director in Charge Don Alway. Pic: AP
FBI assistant director in charge, Don Alway. Pic: AP

Once infected, the computers become part of a botnet – a network of computers infected by malware and under the control of a single attacking party.

Qakbot impacted one in 10 corporate networks and accounted for about 30% of global attacks, a pair of cybersecurity firms found.

The operation was the biggest success for the FBI against cybercriminals, but experts warned that any setback to cybercrime would likely be temporary.

Chester Wisniewski, a cybersecurity expert at Sophos – a British-based security software and hardware company – said that while there could be a temporary drop in ransomware attacks, the criminals can be expected to either revive infrastructure elsewhere or move to other botnets.

“This will cause a lot of disruption to some gangs in the short term, but it will do nothing [to stop it] from being rebooted,” he said.

“Albeit it takes a long time to recruit 700,000 PCs.”