Operation Tovar Disrupts GameOver Zeus Botnet and CryptoLocker Infrastructure
U.S. and European authorities, working with security companies and researchers, disrupted the GameOver Zeus peer-to-peer botnet and seized infrastructure tied to CryptoLocker in a multinational action known as Operation Tovar. The malware network was estimated to have infected 500,000 to 1 million Windows systems worldwide and was used to steal banking credentials, personal data, and funds through account takeovers, spam campaigns, and DDoS-assisted fraud. U.S. prosecutors said the operation caused more than $100 million in losses, while CryptoLocker had infected more than 234,000 computers and generated over $27 million in ransom payments shortly after its emergence.
The U.S. Justice Department charged Russian national Evgeniy Mikhailovich Bogachev, also known as Slavik and Pollingsoon, as the alleged administrator behind the botnet. Authorities said the takedown created a roughly two-week window for victims and enterprises to clean infected machines before operators could attempt to regain control, and agencies including US-CERT and internet service providers were mobilized to support remediation. Investigators said GameOver Zeus spread largely through phishing emails, malicious spam, and compromised websites exploiting outdated software, prompting officials to urge users to update systems, run security scans, and change passwords.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
U.S. offers $3 million reward for alleged Zeus author Evgeniy Bogachev
On February 25, 2015, U.S. authorities announced a reward of up to $3 million for information leading to the arrest or conviction of Evgeniy Bogachev, the alleged administrator of the GameOver Zeus botnet. The reward marked a significant escalation in efforts to apprehend Bogachev after the 2014 charges and botnet disruption.
GameOver Zeus resurges after takedown via new spam-driven infections
In July 2014, researchers from Arbor Networks and Bitdefender observed new GameOver Zeus activity after Operation Tovar, including two new configurations that used domain generation algorithms (DGAs) producing 1,000 and 10,000 domains per day, respectively. Arbor said infections rose from 127 on July 14 to 429 on July 21 and then jumped to 8,494 on July 25 following a large spam campaign, with many infections concentrated in the United States.
Authorities warn of two-week cleanup window for infected systems
Following the disruption, authorities said victims had an estimated two-week window to remove infections and secure systems before botnet operators might regain control. US-CERT and internet service providers were expected to help notify affected users and support remediation.
U.S. charges Evgeniy Bogachev as alleged GameOver Zeus administrator
The Justice Department unsealed charges against Russian national Evgeniy Mikhailovich Bogachev, also known as "Slavik" and "Pollingsoon," alleging that he created and operated GameOver Zeus. He was charged in a 14-count indictment and a separate civil action but was not in custody.
Operation Tovar disrupts GameOver Zeus and CryptoLocker infrastructure
On June 2, 2014, U.S.-led international law enforcement and private-sector partners launched Operation Tovar to seize control of the GameOver Zeus botnet and servers used to administer CryptoLocker. The action involved the FBI, DOJ, Europol, the UK National Crime Agency, security companies, and researchers.
GameOver Zeus linked to over $100 million in thefts
U.S. authorities said the GameOver Zeus criminal enterprise enabled cybercriminals to steal more than $100 million from businesses and consumers since 2011. Prosecutors said the botnet infected roughly 500,000 to 1 million computers worldwide.
CryptoLocker ransomware begins generating major victim impact
Authorities said CryptoLocker, distributed through the GameOver Zeus ecosystem, infected more than 234,000 computers and generated over $27 million in ransom payments in its first two months online. By April 2014, about half of known infections were in the United States.
FBI opens GameOver Zeus investigation after small-business victim case
In June 2012, the FBI's Pittsburgh office began investigating GameOver Zeus after encountering a small-business victim. The case then expanded into a long-running effort with private-sector researchers and security firms that ultimately led to Operation Tovar.
GameOver Zeus operation begins targeting victims worldwide
According to court documents cited in the references, the GameOver Zeus botnet had been operated since October 2011 by a core group of hackers from Russia and Ukraine. The malware infected hundreds of thousands of Windows systems and was used for banking theft, credential theft, spam, and DDoS-assisted fraud.
FBI begins investigating GameOver Zeus
The FBI's wanted notice for Bogachev says the bureau began investigating GameOver Zeus in September 2011. This predates the June 2012 expansion of the Pittsburgh case already reflected in the timeline.
Sources
GameOver Zeus Botnet Disrupted - FBI (fbi.gov)
How the FBI Took Down the Botnet Designed to Be 'Impossible' to Take Down (vice.com)
FBI: $3M Bounty for ZeuS Trojan Author - Krebs on Security (krebsonsecurity.com)
Office of Public Affairs | Documents and Resources from the Gameover Zeus / Cryptolocker Press Conference (justice.gov)
US disrupts $100M GameOver Zeus malware cybercrime ring - CNET (cnet.com)
GameOver Zeus botnet seized; Two week window to protect yourself, say authorities | ZDNET (zdnet.com)
EVGENIY MIKHAILOVICH BOGACHEV - FBI (fbi.gov)
U.S. Department of Justice (justice.gov)