The United States Department of Justice (DoJ) issued a series of indictments prior to the weekend of 24-27 May, relating to individuals accused of involvement in the DanaBot and Qakbot malware services that have caused havoc for organisations around the world, facilitating fraud and ransomware attacks and causing millions of dollars of damage to their victims.
The indictments relating to DanaBot – which first emerged in 2018 as a banking trojan – also come amid a major takedown of the service orchestrated with multinational law enforcement and private sector partners. This follows in the wake of the Lumma Stealer takedown earlier in May, and saw US agents seize and dismantle DanaBot’s command and control (C2) infrastructure, including dozens of virtual servers hosted in the US itself.
This formed part of the wider, ongoing Operation Endgame, a major global law enforcement collaboration targeting cyber criminal gangs, and was supported by Australian, Dutch and German authorities. Private sector cyber companies also provided support, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru and Zscaler. Other partners, including the Shadowserver Foundation, are now working with the authorities to find, notify and assist DanaBot victims, of which there are thought to be hundreds of thousands.
“Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said United States attorney Bill Essayli for the Central District of California.
“The charges and actions announced today demonstrate our commitment to eradicating the largest threats to global cyber security and pursuing the most malicious cyber actors, wherever they are located.”
The DoJ has also unsealed indictments against 16 individuals associated with DanaBot, notable among them two Russian individuals named as Aleksandr ‘JimmBee’ Stepanov, 39, and Aleksandrovich ‘Onix’ Kalinkin, 34, both of Novosibirsk, Siberia’s largest city.
Stepanov is being charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorised access to a protected computer to obtain information, unauthorised impairment of a protected computer, wiretapping and use of an intercepted communication. Kalinkin is charged with conspiracy to gain unauthorised access to a computer to obtain information, to gain unauthorised access to a computer to defraud and to commit unauthorised impairment of a protected computer.
As is usual in such cases, because both individuals are located in Russia and given the current geopolitical fractures between Russia and the West, it is highly unlikely that they will ever face justice unless they travel to a jurisdiction that will extradite them to the US.
What did DanaBot do?
Spread by spam emails containing malicious attachments and hyperlinks, the DanaBot malware co-opted its victims’ machines into botnets that its controllers used to steal data, including browsing histories, device information, stored credentials and the contents of cryptocurrency wallets. It was also able to hijack online banking sessions, all without its victims’ knowledge.
In addition, DanaBot could provide its users – who bought access to it through a standard malware-as-a-service (MaaS) business model – with full remote access to infected computers to record keystrokes, take videos via webcam, and to aid the spread of ransomware.
Notably, its admins ran a second version of the DanaBot botnet that targeted diplomatic, government and military bodies in North America and Europe. This botnet used different servers from those used by their common-or-garden fraudster customers.
Proofpoint staff threat researcher Selena Larson, who participated in the takedown, said: “The disruption of DanaBot is a fantastic win for defenders, and will have an impact on the cyber criminal threat landscape. Cyber criminal disruptions and law enforcement actions not only impair malware functionality and use, but also impose costs on threat actors by forcing them to change their tactics, cause mistrust in the criminal ecosystem and potentially make criminals think about finding a different career.
“These successes against cyber criminals only come about when business IT teams and security service providers share much-needed insight into the biggest threats to society, affecting the greatest number of people around the world, which law enforcement can use to track down the servers, infrastructure and criminal organisations behind the attacks.
“Private and public sector collaboration is crucial to knowing how actors operate and taking action against them. When possible and appropriate to do so, Proofpoint leverages its team’s knowledge and technical skillset to help protect a wider audience and the internet community and defend against widespread malware threats,” said Larson.
More trouble for Qakbot
Also last week, a federal indictment unsealed by the DoJ levels charges against one Rustam Rafailevich Gallyamov, 48, of Moscow, accusing him of being the mastermind behind the group that developed, deployed and ran Qakbot, a far older malware that also has its origins in the world of banking trojans, and which was taken down in a 2023 operation.
In connection with the charges, the DoJ has also filed a civil forfeiture complaint against $24m in crypto assets seized from Gallyamov – including $4m seized during the 2023 takedown – which the US will seek to return to victims if possible.
Qakbot was at one time the bête noire of many a cyber security professional. Sold through a MaaS model like DanaBot, it was frequently used as a staging post by ransomware gangs, including some of the more notorious crews of the past 10 years such as Black Basta, Conti, Doppelpaymer, Egregor and REvil. These gangs allegedly paid Gallyamov a portion of any ransoms they received.
The indictment also alleges that following the takedown of Qakbot, Gallyamov and his co-conspirators continued their work but pivoted to a different set of techniques. Rather than using a botnet, they turned to so-called spam bomb attacks on victims, in which email inboxes at targeted companies are overwhelmed with junk email to trick them into making a mistake.
Gallyamov was supposedly conducting such attacks as recently as January 2025, and he may also have become a Black Basta ransomware affiliate, according to the DoJ.
Support in the Qakbot investigation was provided by agencies in France, Germany and the Netherlands, with the European Union’s Europol also involved.