International Operation Dismantles QakBot Botnet Used in Ransomware Campaigns
U.S. and European law enforcement agencies disrupted the QakBot botnet, seizing infrastructure tied to malware that had infected more than 700,000 computers worldwide and enabled ransomware, financial fraud, and other criminal activity. Europol and U.S. authorities said the operation cut off command-and-control systems and removed malware from compromised hosts, while CISA published guidance on the botnet’s tactics, indicators, and the broader effort to identify and disrupt the infrastructure behind it. Officials said QakBot operators and affiliates had generated at least EUR 54 million in ransom payments over the years.
The takedown also produced a large cache of stolen data that the FBI shared for victim notification, allowing affected individuals to check exposed information through Have I Been Pwned. Reporting after the operation said the action could serve as a model for future botnet disruptions, with investigators using legal authorities and international coordination to seize servers, redirect traffic, and weaken criminal ecosystems that support follow-on ransomware attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Officials say QakBot takedown could enable further botnet actions
In early September 2023, reporting on the operation highlighted that the FBI viewed the QakBot disruption as a model that could support additional botnet takedowns in the future.
FBI shares QakBot victim data with Have I Been Pwned
After the disruption, the FBI provided Troy Hunt with QakBot-related victim data so affected individuals could search for exposed information through Have I Been Pwned.
CISA, FBI and partners publish QakBot disruption advisory
Following the takedown, CISA and partner agencies released a joint advisory detailing the identification and disruption of QakBot infrastructure and providing technical information related to the operation.
Authorities seize and disrupt QakBot infrastructure
In late August 2023, U.S. and European law enforcement agencies carried out an international operation to dismantle QakBot infrastructure, seize servers, and disrupt the botnet's operations.
QakBot begins infecting computers worldwide
Authorities said the QakBot malware operation had been active since 2007, ultimately compromising more than 700,000 computers worldwide and facilitating ransomware, fraud, and other criminal activity.
Sources
5 references tracked. Mallory keeps watching after this page renders.
FBI’s Qakbot operation opens door for more botnet takedowns | The Record from Recorded Future News
therecord.media
Open sourceQakbot botnet infrastructure shattered after international operation - The malware victimised more than 700 000 computers, with at least EUR 54 million paid in ransoms since 2007 | Europol
europol.europa.eu
Open sourceTroy Hunt: Data From The Qakbot Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI
troyhunt.com
Open sourceIdentification and Disruption of QakBot Infrastructure | CISA
cisa.gov
Open sourceUS, European agencies dismantle Qakbot network used for ransomware and scams | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Endgame Disrupts IcedID, SmokeLoader, Trickbot and Other Malware Botnets
An international law enforcement operation dubbed **Operation Endgame** disrupted major malware delivery and botnet infrastructure tied to **IcedID, SmokeLoader, SystemBC, Pikabot, Trickbot**, and remnants of **Bumblebee**, in what Europol and participating agencies described as the largest action of its kind against botnets. Authorities said the networks had been used to spread malware through hundreds of millions of phishing emails and to enable follow-on ransomware attacks and financial fraud, with investigators identifying several million infected computers worldwide over the past year. The coordinated action, supported by **Europol** and **Eurojust**, took down more than **100 servers**, seized over **2,000 domains**, and disinfected more than **10,000** infected systems, while additional operations across multiple countries led to arrests, interrogations, searches, and server seizures. Investigators also identified a key suspect allegedly linked to **69 million euros** in cryptocurrency proceeds, and separate reporting and research highlighted scrutiny of a **SmokeLoader** actor targeted as part of the crackdown.
May 25, 2026
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
Apr 12, 2026
Authorities Disrupt Four IoT Botnets Behind 30 Tbps DDoS Attacks
U.S., Canadian, and German authorities disrupted the command-and-control infrastructure of four major IoT botnets — **Aisuru, KimWolf, JackSkid, and Mossad** — that collectively compromised more than **three million** internet-connected devices worldwide. Investigators said the botnets, built largely from vulnerable **DVRs, IP cameras, web cameras, and enterprise Wi‑Fi routers**, were used in hundreds of thousands of distributed denial-of-service attacks, including operations targeting **U.S. Department of Defense** systems, other high-value networks, and critical infrastructure. Officials said the malware networks were capable of generating traffic above **30 Tbps**, with one attack reaching roughly **31.4 Tbps**, placing them among the largest DDoS threats recorded. The operators allegedly ran the infrastructure as a **DDoS-for-hire** service and also used it for extortion, threatening victims with sustained attacks unless they paid. The U.S. action, led by the Defense Criminal Investigative Service with support from the FBI Anchorage Field Office, included seizure warrants for domains and virtual servers, while Germany’s **BKA** and Canada’s **RCMP** carried out parallel enforcement steps. Private-sector partners including **Akamai, AWS, Cloudflare, Team Cymru, and The Shadowserver Foundation** supported the disruption. Authorities said the takedown degraded the botnets’ ability to operate, but warned that the underlying risk remains because millions of infected or insecure devices are still online with weak credentials or outdated firmware.
Mar 25, 2026